August 31, 2016

Anomalies and Events (DE.AE)

Objectives of Anomalies and Events

Anomalous activity is detected in a timely manner and the potential impact of events is understood.

  • DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
  • DE.AE-2: Detected events are analyzed to understand attack targets and methods
  • DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
  • DE.AE-4: Impact of events is determined
  • DE.AE-5: Incident alert thresholds are established

Useful SOC Queries regarding USER ACCOUNTs

  • Failed logins, lockouts
  • Successful logins from 2 distant locations(USA, France, and Russia) in a time period to where that it physically impossible.
  • I want to see new user accounts that were created;
    • WHEN was it added
    • Created by WHO
    • Created WHERE
    • WHAT did they do next? A new user that is created for a specific purpose, should be used for that purpose pretty quickly.  If it is for a malicious purpose, kill it.