Skip to main content
Sumo Logic

Normalized Threat Rules

CSE's built-in threat rules pass alerts from a security product to the Signal generation process, and are normalized work across multiple security products.

This topic has information about CSE’s built-in normalized threat rules.

Normalized threat rules pass alerts to CSE

The first key fact about normalized threat rules is this: they exist to process messages that describe a security event that has already occurred. 

Some messages logged by a security product are the result of that product’s own detection functionality, for example by using rule sets or signatures. Typically, such messages contain a severity, risk, or impact in the message, and can be accepted as a clear indication of nefarious activity. Essentially, a normalized threat rule simply passes an alert from a security product to the Signal generation process.  

Normalized threat rules support multiple log sources

The second important aspect of a normalized threat rule is that, as the name implies, it supports multiple log sources.   

For example, a normalized threat rule that looks for intrusions would work with multiple products that detect intrusions, such as:

  • Palo Alto Threat Event
  • Cisco Firepower IDS
  • Symantec Endpoint Protection Exploit Prevention/HIPS
  • IPS/IDS Appliances

Ordinarily, rules define the log messages they’ll be applied to by specifying metadata_vendor and metadata_product in the rule expression. A normalized rule doesn’t specify these attributes. Instead, it looks at another attribute that is set during the log mapping process: threat_ruleType. In the log mapping process for a message type, the value of threat_ruleType is set  to a value that corresponds to a threat type, for example “intrusion”. Then, normalized threat rules can look for messages whose threat_ruleType field is “intrusion”, regardless of vendor or product. For information about mapping requirements for messages that describe security events, see Field Mapping for Security Event Sources.

Types of normalized threat rules 

There are multiple categories of normalized threat rules for different types of threats.

intrusion

For messages that indicate an intrusion has taken place These messages typically include a signature for the exploit attempted. 

Log sources that issue intrusion-related messages include:

  • Palo Alto Threat Event
  • Cisco Firepower IDS
  • Symantec Endpoint Protection Exploit Prevention/HIPS
  • IPS/IDS Appliances

CSE provides the following normalized intrusion rules:

  • Intrusion Scan - Targeted
    • This rule looks for an intrusion product detecting an internal IP sending different exploits to another external IP in a short timeframe.
  • Intrusion Sweep
    • This rule looks for an intrusion product detecting an internal IP sending the same exploit to multiple internal IPs in a short timeframe.
  • Multiple High Severity Intrusion Events
    • This rule looks for an intrusion product detecting multiple high severity intrusion signatures sourcing from an internal IP in a short timeframe.
  • Critical Severity Intrusion Signature
    • This rule looks for an intrusion product detecting a critical severity intrusion signature sourcing from an internal IP.

malware

For messages for logs that indicate malware has been detected. These typically provide a signature for the type of malware.

Log sources that issue malware-related messages include:

  • Antivirus Appliances
  • Trend Micro Antivirus
  • Symantec Endpoint Protection Scanning/Antivirus

CSE provides the following normalized malware rules:

  • Malware Outbreak
    • Same malware signature on multiple hosts in a short timeframe.
  • Persistent Malware Infection
    • Single host with multiple malware infections with the same signature in a short timeframe.
  • Malware Not Cleaned
    • Malware the antivirus fails to clean.
  • Malware Cleaned
    • Malware the antivirus successfully cleans.
  • Antivirus Ransomware Detection
    • Malware determined to be ransomware based on the signature/virus name.

behavior

For messages that indicate suspicious or malicious activity based on behavior, rather than a signature. These messages don’t usually include a signature, instead might contain the command line arguments and other actions taken by the adversary.

Log sources that issue behavior-related messages include:

  • CrowdStrike Falcon
  • Symantec Endpoint Protection EDR
  • Carbon Black Response

CSE provides the following normalized behavior rule:

  • EDR Behavior Alert - {threat_signalName}
    • Passes through an alert from an endpoint security product and adjusts the severity accordingly based on the severity provided in the log.