{"id":23484,"date":"2024-11-02T20:51:25","date_gmt":"2024-11-02T16:51:25","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/siem-update-q3-2024\/23484\/"},"modified":"2024-11-02T20:51:25","modified_gmt":"2024-11-02T16:51:25","slug":"siem-update-q3-2024","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/siem-update-q3-2024\/23484\/","title":{"rendered":"Kaspersky SIEM: early threat detection and other improvements"},"content":{"rendered":"<p>Clearly, the sooner malicious actions come to the attention of security solutions and experts, the more effectively they\u2019re able to minimize, or even prevent, damage. Therefore, while working on new detection rules for our SIEM system named the Kaspersky Unified Monitoring and Analysis Platform, we pay special attention to identifying attackers\u2019 activity at the very initial stage of an attack, when they try to collect information about infrastructure. We\u2019re talking about activity related to the <a href=\"https:\/\/attack.mitre.org\/tactics\/TA0007\/\" target=\"_blank\" rel=\"nofollow noopener\">discovery tactics<\/a> according to the Enterprise Matrix MITRE ATT&amp;CK Knowledge Base classification.<\/p>\n<p>Modern attackers are increasingly paying attention to containerization infrastructure, which is where rather dangerous vulnerabilities are sometimes found. For example, our May <a href=\"https:\/\/securelist.com\/vulnerability-report-q1-2024\/112554\/\" target=\"_blank\" rel=\"noopener\">report on exploits and vulnerabilities<\/a> describes the CVE-2024-21626 vulnerability, which allows for a container escape. 
That\u2019s why in our Q3 2024 SIEM system update, among the rules for identifying atypical behavior that may indicate attacker activity at the initial data collection stage, we\u2019ve added detection rules that catch (i) attempts to collect data on the containerization infrastructure, and (ii) traces of various attempts to manipulate the containerization system itself.<\/p>\n<p>This was done by adding detection rules R231, R433, and R434, which are already available to Kaspersky Unified Monitoring and Analysis Platform users through the rule update system. In particular, they\u2019re used to detect and correlate the following events:<\/p>\n<ul>\n<li>access to credentials inside a container;<\/li>\n<li>launching a container on a non-container system;<\/li>\n<li>launching a container with excessive privileges;<\/li>\n<li>launching a container with access to host resources;<\/li>\n<li>collecting information about containers using standard tools;<\/li>\n<li>searching for weak spots in containers using standard tools;<\/li>\n<li>searching for security vulnerabilities in containers using special utilities.<\/li>\n<\/ul>\n<p>Considering the above-described update, there are now more than 659 rules available on the platform, including 525 rules with direct detection logic.<\/p>\n<p>We continue to align our detection rules with the Enterprise Matrix MITRE ATT&amp;CK Knowledge Base, which today describes 201 techniques, 424 sub-techniques, and thousands of procedures. 
As of today our solution covers 344 MITRE ATT&amp;CK techniques and sub-techniques.<\/p>\n<p>In addition, we\u2019ve improved many old rules by correcting or adjusting conditions \u2013 for example, to reduce the number of false positives.<\/p>\n<h2>New and improved normalizers<\/h2>\n<p>In the latest update, we\u2019ve also added to our SIEM system normalizers that allow you to work with the following event sources:<\/p>\n<ul>\n<li>[OOTB] OpenLDAP<\/li>\n<li>[OOTB] Avaya Aura Communication Manager syslog<\/li>\n<li>[OOTB] Orion soft Termit syslog<\/li>\n<li>[OOTB] Postfix<\/li>\n<li>[OOTB] Barracuda Web Security Gateway syslog<\/li>\n<li>[OOTB] Parsec ParsecNET<\/li>\n<li>[OOTB] NetApp SnapCenter file<\/li>\n<li>[OOTB] CommuniGate Pro<\/li>\n<li>[OOTB] Kaspersky Industrial CyberSecurity for Networks 4.2 syslog<\/li>\n<li>[OOTB] Yandex Cloud<\/li>\n<li>[OOTB] Barracuda Cloud Email Security Gateway syslog<\/li>\n<\/ul>\n<p>Our experts have also improved normalizers for these sources:<\/p>\n<ul>\n<li>[OOTB] Yandex Browser<\/li>\n<li>[OOTB] Citrix NetScaler syslog<\/li>\n<li>[OOTB] KSC from SQL<\/li>\n<li>[OOTB] Microsoft Products for KUMA 3<\/li>\n<li>[OOTB] Gardatech Perimeter syslog<\/li>\n<li>[OOTB] KSC PostgreSQL<\/li>\n<li>[OOTB] Linux auditd syslog for KUMA 3.2<\/li>\n<li>[OOTB] Microsoft Products via KES WIN<\/li>\n<li>[OOTB] PostgreSQL pgAudit syslog<\/li>\n<li>[OOTB] ViPNet TIAS syslog<\/li>\n<\/ul>\n<p>You can find the full list of supported event sources in the Kaspersky Unified Monitoring and Analysis Platform version 3.2 in the <a href=\"https:\/\/support.kaspersky.com\/help\/KUMA\/3.2\/en-US\/255782.htm\" target=\"_blank\" rel=\"noopener\">technical support section of our web site<\/a>, where you can also get more information about correlation rules. 
We\u2019ll continue to write about improvements to our SIEM system in future posts that can be found via the <a href=\"https:\/\/www.kaspersky.com\/blog\/?s=siem\" target=\"_blank\" rel=\"noopener nofollow\">SIEM tag<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Rules for detecting atypical behavior in container infrastructure at the data collection stage, and other updates to our SIEM system.<\/p>\n","protected":false},"author":2757,"featured_media":23485,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916],"tags":[499,2097],"class_list":{"0":"post-23484","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-products-2","10":"tag-siem"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/siem-update-q3-2024\/23484\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/siem-update-q3-2024\/28230\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/siem-update-q3-2024\/28369\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/siem-update-q3-2024\/38478\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/siem-update-q3-2024\/52530\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/siem-update-q3-2024\/28452\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/siem-update-q3-2024\/34326\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/siem-update-q3-2024\/33949\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/siem\/","name":"SIEM"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23484","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.
com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2757"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=23484"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23484\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/23485"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=23484"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=23484"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=23484"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}