Interesting Object Access Abuse Detection Use Cases


#1

Can the content of a field be used in a regex condition in another field of the same event to trigger an alert?

Username is stored in the “subject” field, and should match the second directory in the object field where the item that was accessed is saved.

Subject: “username” Object: “C:\Users\content_of_subject_field\…” (Windows) or Object: "/home/content_of_subject_field/… (Unix), plus username ‘root’ accessing any /home/… directory.

  • Failed unauthorized access attempt: if the event status is “Audit_Failure”, and accesses: “ReadData or
    WriteData”, and not matching case insensitive regex search: "\w:\Users\content_of_subject_field\.+"
    a certain number of attempts over a period of time (e.g. 10 times in 5 minutes) by the same subject –
    without the need to explicitly specify the Subject (it is a regex match of the content of Subject field
    in object field).

  • Security incident following a single occurrence of an object access “AUDIT_SUCCESS” with Subject:
    “subject”, and Object: “C:\Users\other_than_content_of_Subject_field\…”. An access of ReadData is a
    breach of Confidentiality, WriteData is a breach of Integrity. ReadData may occur on its own, WriteData
    is almost always coupled with ReadData. Either way, it is an incident that requires immediate response.

Can this be implemented in Graylog? If yes, any tips as to how to go about it?


(Jan Doberstein) #2

hej @comp_whiz

as long as you are able to break your requirements down to something you can model with processing pipelines. I didn’t see any problems with that.

But that depends how your delivered messages look like.

regards
Jan