The evolution of the SIEM system

We’re expanding the capabilities of the Kaspersky Unified Monitoring and Analysis SIEM system by adding new normalizers and correlation rules.

Kaspersky SIEM: normalizers and correlation rules

A security information and event management (SIEM) system can’t remain static; its detection logic needs to constantly evolve. The threat landscape is ever-changing, which means you need to keep adding new rules regularly for effective data analysis. Admittedly, the bulk of correlation rules are inevitably fine-tuned by the internal information security team, but having up-to-date rules out of the box is crucial in easing this process. Another important point is that an SIEM system must be capable of adapting to the evolution of the corporate IT infrastructure, and be prepared to use new event sources – each of which often requires a new normalizer (the mechanism for converting data from arbitrary sources to a single format). We’re constantly working on this, adding new normalizers and correlation rules to the Kaspersky Unified Monitoring and Analysis Platform. This post details what was added in version 3.0.3.

New and refined normalizers

In between versions 2.1 and  3.0.3 of the Kaspersky Unified Monitoring and Analysis Platform, we released 99 update packages with new or improved normalizers. These include 63 updates that provide support for new event sources, and 38 that improve existing normalizers by adding support for new event types and making various refinements and fixes. The remaining updates contain continuously enhanced correlation rules, filters, and other usability-oriented resources.

Other new additions include normalizers that introduce support for the following event sources:

  • Cisco Prime, for Cisco Prime 3.10 events received through syslog
  • PowerDNS, for processing PowerDNS Authoritative Server 4.5 events received through syslog
  • Microsoft Active Directory Federation Service (AD FS), for processing Microsoft AD FS events. The normalizer provides support for this event source starting with Kaspersky Unified Monitoring and Analysis Platform version 3.0.1
  • Microsoft Active Directory Domain Service (AD DS), for processing Microsoft AD DS events. The normalizer also provides support for this event source starting with Kaspersky Unified Monitoring and Analysis Platform version 3.0.1
  • NetApp ([OOTB] NetApp syslog, for processing NetApp ONTAP 9.12 events received through syslog; and [OOTB] NetApp file, for processing NetApp ONTAP 9.12 events stored in a file)
  • RedCheck Desktop, for processing RedCheck Desktop 2.6 logs stored in a file
  • MikroTik networking hardware
  • PostgreSQL DBMS
  • VMware ESXi
  • Microsoft 365

In addition, our experts have refined the following normalizers:

  • For Microsoft products: revised the normalizer structure and added support for new products and additional event types
  • For PT NAD: implemented support for events of the current product version
  • For UNIX-like operating systems: implemented support for additional event types
  • For Juniper networking devices: made significant normalizer revisions and optimizations
  • For Citrix NetScaler: implemented support for additional event types

Updated correlation rules

We’ve significantly improved the content of all existing correlation rules in the SOC Content package, while focusing on validating rule logic and refining the rules with inputs from our customers’ real-life experiences. We’ve also improved the quality of the rule descriptions, including incident description rules.

Along with updating the Russian-language SOC Content package, we’ve also released a full-fledged English-language SOC Content package, fully synchronizing its content with the Russian version. From now on, we plan to update the two packages in sync.

The platform now offers over 500 rules, along with further essential tools such as active lists, filters, and dictionaries.

Correlation rule format

We’re planning to add markup for existing rules soon in accordance with MITRE ATT&CK® tactics and techniques. This will expand the system’s capabilities to visualize the level of protection against all known threats.

When choosing avenues for development, we generally align with the MITRE ATT&CK® knowledge base – the de facto industry standard. We also consider feedback from our customers that we get during pilots, integration projects, consulting sessions, or even in emails received by account managers, as well as the experiences of our own SOC – one of the most successful and skilled teams in the industry.

How updates are delivered to the SIEM system

All the content we develop is distributed through the Kaspersky Update Servers subsystem to shorten delivery times. The subsystem requests updates and notifies of them in automated mode, but lets the operator decide on applying these. This helps administrators receive information about available updates quickly, review the contents of each update, and decide whether to introduce new resources in the infrastructure or update existing ones.

The update subsystem significantly expands the capabilities of the Kaspersky Unified Monitoring and Analysis Platform to respond rapidly to changes in the threat landscape and infrastructure. The option to use it without direct internet access ensures that data processed by the SIEM system remains secure and within the perimeter, while users can get the latest system content updates.

The complete list of event sources supported in Kaspersky Unified Monitoring and Analysis Platform 3.0.3 is available in the technical support section, where you also can find information about the correlation rules. Of course, our SIEM updates aren’t limited to new normalizers and detection logic: we recently wrote about UI enhancements and routine automation.