
Lab 3.4: Tuning detections in Elastic

Est. Time: 30 minutes

Optional

Goals:

  • Filter out noise or expected activity from your detection

Instructions

  1. A lot of SOC work is tuning your detections to raise their fidelity. You may be tuning because the rule matches activity that isn’t what you meant to catch, or because the activity is a true positive match that isn’t malicious. We’re going to add a filter to the first detection we wrote, the Net User Discovery detect.
  2. Create a new user on your Windows VM named “Helpdesk”.

    1. Set a password you will remember.
    2. With an elevated PowerShell window, run:
    net user Helpdesk <password> /add
    
    3. Note that you shouldn’t be creating local accounts this way in production, specifically setting the password on the command line: it gets recorded in command-line process telemetry (the same logs this detection reads) and in shell history. It is fine in this case since this is a lab environment.
    4. Now, in that same window, run Net User as the account you just created:
    Runas /user:Helpdesk net user
    
    5. You’ll be prompted to enter the password of the account you just made, and then the command will execute. Runas launches net user in a separate console window that closes as soon as the command finishes, so don’t expect to see its output; the process event it generates is what matters here.
    6. Back over in Elastic and Jira you should see the alerts generated by this activity.
    7. In this scenario, we’ll say that the “Helpdesk” user we just made is the standard user that our IT helpdesk team uses to troubleshoot user issues. These accounts are very secure with SuperSecure-NG-v2-XDR™️, and in some cases they may need to execute ‘net user’ to do their job. So let’s filter them from our detection.
    4. Head over to your detection page for Net User Discovery (Elastic → Security → Rules → Detection rules (SIEM) → Net User Discovery) and scroll down to where you see the Alerts section usually; you should see “Rule exceptions” next to that. Switch over to that tab.
    5. This section shows you all the exceptions for your rule, expired or active.

    6. In this case the exception we are adding will be permanent. Click “Add rule exception”

    7. Name your exception and add the username you created to the conditions section (for example, a condition on the user.name field). Use exactly the case the logs record for the account name: keyword matches in exceptions are case-sensitive, so an entry for “helpdesk” will not cover events logged as “Helpdesk”. Including a comment is good practice as well. No need to set an expiration date.
    8. You can also check, under “Alert actions”, the box that closes all alerts that match this exception. That closes the matching alerts already sitting open in Elastic, and from here on out events that match your new filter criteria won’t generate alerts.
    9. Your exception should look something like this:

    10. Click “Add rule exception”, and you should then see the rule exception in place in Elastic:

  3. Back in your VM, run the net user command again as Helpdesk:

    Runas /user:Helpdesk net user
    
    1. If you don’t see an alert show up in Elastic or Jira, congratulations, you’ve created your first filter!
    2. Run the detection query over in Discover and you can see that the logs are in fact in your SIEM. Your detection runs every 5 minutes, so after waiting a few minutes you can be confident that if it was going to fire on Helpdesk’s command, it would have by then.
    3. Once you are done with the above, you should remove the local account, either on your host machine or your VM, depending on where you are doing these labs. Here is how to do so:
    4. In an elevated PowerShell window run:

      net user Helpdesk /delete
      
      
  4. Bonus:

    1. If you’re slick, you should also have noticed that you triggered two (or more) alerts during this lab.
    2. Why is that? The command we used to create the new user “Helpdesk” actually matched the syntax of your Net User Discovery rule itself: Net.exe was used to create the user, and one of the arguments for that command was “user”. Therefore we triggered an alert by creating a new user. The cleanup command (net user Helpdesk /delete) will fire for the same reason. While you are looking at those alerts, check which process they came from: net.exe hands the user subcommand off to net1.exe, so a rule keyed only on process.name net.exe can miss activity that shows up as net1.exe.
  5. Bonus #2:

    1. There is another way to create a rule exception: right from an alert.
    2. Open up the expanded view for that alert, and select “Take action”

    3. “Add rule exception” is an option here, and this pre-fills a lot of the values you may need from the alert. Review what it pre-filled and make sure not to filter too specifically (for example on the full command line): you’ll still fire on the same activity when it differs slightly, and the exception will only have covered that one exact alert.
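To see why the breadth of the exception matters, here is a small model of the whole procedure, added as an example (it is not part of the lab and not Elastic’s code). It reimplements the Net User Discovery logic and the rule exception in Python and runs them over constructed sample process events that follow the lab steps: the account creation, the runas-launched net user (both net.exe and its net1.exe child), a slight variation of the command, the cleanup, and an unrelated process. The rule logic and the ECS-style field names (process.name, process.args, process.command_line, user.name) are assumptions; the real query is whatever you wrote in the earlier lab. It compares no exception, the broad user.name exception from this lab, and an over-specific exception pre-filled from one alert.

```python
# Added example, not the lab's or Elastic's code. Models the Net User Discovery
# rule plus rule exceptions over constructed sample events.


def rule_matches(event: dict) -> bool:
    """Assumed Net User Discovery logic: net.exe or net1.exe invoked with the
    'user' subcommand. net.exe hands 'user' off to a net1.exe child, so the
    model covers both binaries; a rule that only names net.exe would miss it."""
    args = [a.lower() for a in event["process.args"]]
    return event["process.name"].lower() in {"net.exe", "net1.exe"} and "user" in args


def exception_matches(event: dict, exception: dict) -> bool:
    """One exception item is a set of field -> value conditions that are AND-ed,
    like the entries inside a single Elastic exception item. Comparison is an
    exact string match, as keyword 'match' entries are: case matters."""
    return all(str(event.get(field)) == str(value) for field, value in exception.items())


def evaluate(events: list, exceptions: list) -> list:
    """Indexes of events that would alert: the rule matches and no exception
    item (items are OR-ed) covers the event."""
    return [
        i for i, ev in enumerate(events)
        if rule_matches(ev) and not any(exception_matches(ev, ex) for ex in exceptions)
    ]


# Constructed sample events (not real telemetry), roughly one per lab step.
SAMPLE_EVENTS = [
    {"user.name": "labadmin", "process.name": "net.exe",                   # 0: creating the account (bonus #1)
     "process.args": ["net", "user", "Helpdesk", "<password>", "/add"],
     "process.command_line": "net user Helpdesk <password> /add"},
    {"user.name": "Helpdesk", "process.name": "net.exe",                   # 1: runas /user:Helpdesk net user
     "process.args": ["net", "user"], "process.command_line": "net user"},
    {"user.name": "Helpdesk", "process.name": "net1.exe",                  # 2: net1.exe child spawned by net.exe
     "process.args": ["net1", "user"], "process.command_line": "net1 user"},
    {"user.name": "Helpdesk", "process.name": "net.exe",                   # 3: slight variation of the same activity
     "process.args": ["net", "user", "/domain"], "process.command_line": "net user /domain"},
    {"user.name": "labadmin", "process.name": "net.exe",                   # 4: cleanup also matches the rule
     "process.args": ["net", "user", "Helpdesk", "/delete"],
     "process.command_line": "net user Helpdesk /delete"},
    {"user.name": "labadmin", "process.name": "whoami.exe",                # 5: unrelated, never matches
     "process.args": ["whoami"], "process.command_line": "whoami"},
]

NO_EXCEPTIONS = []
# What the lab adds by hand: any net user activity from the Helpdesk account.
BROAD_EXCEPTION = [{"user.name": "Helpdesk"}]
# What an exception pre-filled from the single alert for event 1 might look like
# if you keep the full command line: it only covers that exact invocation.
NARROW_EXCEPTION = [{"user.name": "Helpdesk", "process.command_line": "net user"}]


def summarize() -> dict:
    """Which sample events alert under each exception set."""
    return {
        "none": evaluate(SAMPLE_EVENTS, NO_EXCEPTIONS),
        "broad": evaluate(SAMPLE_EVENTS, BROAD_EXCEPTION),
        "narrow": evaluate(SAMPLE_EVENTS, NARROW_EXCEPTION),
    }


if __name__ == "__main__":
    for name, hits in summarize().items():
        print(f"{name:6s} exception -> alerts on events {hits}")
```

With no exception, events 0 through 4 all alert, including the account creation and the cleanup. The broad exception leaves only the two admin-driven commands (0 and 4), which is the result the lab is after. The narrow exception suppresses only event 1: the net1.exe child and the /domain variation still fire, which is the failure mode Bonus #2 warns about.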
