Supporting data represents the types of data utilized to support a solution that eventually achieves a business objective. These data types can be consumed equally by use case narratives regardless of the underlying technology. In some cases we recognize that not all technology sources are equal and further define specific "events" and critical fields that must be provided to successfully implement a narrative. This approach allows the user to head off failure at implementation time when a given combination cannot achieve success.
DS001MAIL — Email remains the primary form of formal communication in most organizations. As such, mail server databases and logs are some of the most important business records. Email messages and activity logs can be required to maintain compliance with an organization's information security, retention, and regulatory compliance processes, and may be subpoenaed or legally held as part of civil or criminal investigations.
DS002DNS — The domain name system (DNS) is the Internet's phone book, providing a mapping between system or network resource names and IP addresses. DNS has a hierarchical name space that typically includes three levels: a top-level domain (TLD) such as .com, .edu or .gov; a second-level domain such as "google" or "Whitehouse;" and a system level such as "www" or "mail." DNS nameservers operate in this hierarchy either by acting as authoritative sources for particular domains, such as a company or government agency, or by acting as caching servers that store DNS query results for subsequent lookup by users in a specific location or organization; for example, a broadband provider caching addresses for its customers.
DS003Authentication — Authentication systems establish the identity of an actor using one or more secret values, e.g. a password and a one-time PIN. The authentication system typically issues a new secret, e.g. a Kerberos token or web cookie, which can be provided to applications to permit access to a secured resource.
DS004EndPointAntiMalware — The weakest link in corporate security is the individual, and antivirus is one way to protect individuals from performing inadvertently harmful actions. Whether it is clicking on an untrustworthy web link, downloading malicious software or opening a booby-trapped document (often one sent to them by an unsuspecting colleague), antivirus can often prevent, mitigate or reverse the damage.
DS005WebProxyRequest — Web proxies and some next-generation firewalls may act in transparent or explicit mode, communicating with servers on behalf of a client. Using a number of related technologies, the request and response can be permitted or blocked based on the user's role, the site or resource category, or an attack indicator. Data logged in these events can potentially be used in detective correlation.
DS006UserActivity — User activity within the organization's environment, such as create, read (display), update, delete and search events, must include critical data such as action, result, app, and a locator URI allowing normalized search on the targets of activity.
DS007AuditTrail — Audit trail events represent a special class of events which can be triggered based on automated or user interaction with systems and indicate a condition has occurred where the integrity of the source is suspect at a point in time.
DS008HRMasterData — Master Data system for Human Resources may publish an event indicating critical changes impacting people in an organization. Human Resources records include the entire employee lifecycle including recruitment, selection, hiring, job position and classification, promotion, salary, and bonuses, performance and ratings, disciplinary actions, training and certifications, and separation or retirement. For hourly employees, HR data often includes time and attendance records. HR systems often feed payr
DS009EndPointIntel — In this context, endpoint refers to the security client software or agent installed on a client device that logs security-related activity not otherwise generated by the host operating system from the client OS, login, logout, shutdown events and various applications such as the browser (Explorer, Edge), mail client (Outlook) and Office applications. Endpoints also log their configuration and various security parameters (certificates, local anti-malware signatures, etc.), all of which is useful
DS010NetworkCommunication — Network communication data is a record of communication between two systems, commonly using TCP version 4 or TCP version 6. Network communication can be recorded by a number of technologies including host operating systems, firewalls, switches, routers, deep packet inspection, and intrusion detection systems.
DS011MalwareDetonation — Malware detonation systems, also known as sandboxing systems, execute potentially malicious code in a clean environment for the purpose of collecting events related to its actions. Using automated and manual analysis, indicators can be determined which can inform additional breach detection and prevention capability.
DS012NetworkIntrusionDetection — What is Intrusion Detection/Prevention? IDS and IPS are complementary, parallel security systems that supplement firewalls – IDS by exposing successful network and server attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks. IDS is typically placed at the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to provide greater intelligence about all attacks. Likewise, IPS is typic
DS013TicketManagement — Ticket management from tracking systems responsible for the security, and operational health of the environment(s) provides a rich resource for evaluating the effectiveness of the security program, as well as the detective, and preventive controls in place.
DS014WebServer — Web server logs allow attribution of activity to a specific source ip and user when authenticated. The logs are detailed records of every transaction: every time a browser requests a web page, Apache logs details include items such as the time, remote IP address, browser type and page requested. Web Servers also log various error conditions such as a request for a missing file, attempts to access a file without appropriate permissions or problems with extension modules. Web Server logs are criti
DS015ConfigurationManagement — Configuration management solutions such as VMware vCenter, MAAS, Puppet, Chef, System Center Configuration Manager, and System Center Virtualization Manager. Events generated by these systems can support security investigations by providing information about who applied which changes to systems. Additional information such as the base image utilized and birth and death timestamps provides data useful for identifying windows of vulnerability.
DS016DataLossPrevention — Data loss prevention solutions can identify human and automated activities as they interact with restricted information creating an audit trail of attempted actions and the systems response such as allow or block.
DS017PhysicalSecurity — Most organizations use automated systems to secure physical access to facilities. Historically, these have been simple magnetic strips affixed to employee badges; however, locations with stringent security
requirements may use some form of a biometric reader or digital key. Regardless of the technology, the systems compare an individual's identity with a database and activate doors when the user is authorized to enter a particular location. As digital systems, badge readers record information su
DS018VulnerabilityDetection — An effective way to find security holes is to examine one's infrastructure from the attacker's point of view. Vulnerability scans probe an organization's network for known software defects that provide entry points for external agents. The scans yield data about open ports and IP addresses that can be used by malicious agents to gain entry to a particular system or entire network. Systems often keep network services running by default, even when they aren't required for a particular server. The
DS019PatchManagement — Keeping operating systems and applications updated with the latest bug fixes and security patches is an essential task that can prevent unplanned downtime, random application crashes and security breaches.
Although commercial apps and OSs often have embedded patching software, some organizations use independent patch management software to consolidate patch management and ensure the consistent application of patches across their software fleet and to build patch jobs for custom, internal applic
DS020HostIntrustionDetection — Host-based intrusion detection events provide signature-based detection of changes that could weaken the security posture of the host, based on changes to entire files or to specific configuration. Such data can be very valuable in identifying when critical changes have occurred in the environment.
DS021Telephony — Real-time business communications no longer are limited to voice calls provided by Plain Old
Telephone Service (POTS); instead, voice, video, text messaging and web conferences are IP applications delivered over existing enterprise networks. Unlike traditional client-server or web applications, telephony and other communications applications have strict requirements on network quality of service, latency and packet loss, making service quality and reliability much more sensitive to network condi
DS022Performance — Measures of system activity such as CPU load, memory and disk usage, and I/O traffic are the IT equivalent of EKGs to a doctor: the vital signs that show system health. Recording these measures provides a record of system activity over time that shows normal, baseline levels and unusual events. By registering myriad system
parameters, performance logs also can highlight mismatches between system capacity and application requirements, such as a database using all available system memory and frequ
DS023CrashReporting — Crash reports including summary of dumps, exceptions, and hangs can indicate attempts at exploitation of processes by malicious code or significant programing errors allowing possible future exploitation or failure of business services.
DS024ApplicationServer — Application server logs, covering the actual business application, middleware such as Tomcat, and runtime logs such as those of the Java runtime, contain a wealth of information created when users and systems interact. Anomalies in the logs can indicate potential failures or compromise attempts.
How to read the Supporting Data View
Each data source represents a parent type of event and can contain zero or more specific event types for use by use case narratives and providing technologies.
Consuming use cases
Consuming use cases are listed based on a dynamic search grouped by Adoption Phase Customer listing, filtered for APC-Essential and APC-Maturing.
Provider Types
Provider types are linkages to vendor and customer technologies which are believed or have been field validated to support the use cases identified.
DS001MAIL
Introduction
Email remains the primary form of formal communication in most organizations. As such, mail server databases and logs are some of the most important business records. Email messages and activity logs can be required to maintain compliance with an organization's information security, retention, and regulatory compliance processes, and may be subpoenaed or legally held as part of civil or criminal investigations.
Security Value
Continuous Monitoring - Monitoring email server logs using analytic concepts such as new, rare and extreme values over fields including sender, recipient, IP and domain increasingly identifies actors and potential victims of email-based attacks.
Forensic Investigation
Utilize email log events, in combination with other events, to identify potential actors involved in targeted activity.
Utilize email log events to identify additional possible victims of email-based attacks.
Utilize email log events to establish a timeline of who, when and what when investigating internal activity.
Legal compliance
Utilize email logs to support discovery and defense of legal claims.
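The "new" and "rare" analytic concept from the Security Value section, carried through over sample mail events, as an added example that is not part of the original page or any provider's code. It assumes a constructed key=value log format, constructed addresses and IPs, and a baseline/detection-window split; sender domains never seen in the baseline are reported as new, those seen fewer than a threshold number of times as rare, each with the source IPs (candidate actors) and recipients (candidate victims).

```python
"""
Added example (not part of the original page): 'new' and 'rare' analysis over the
sender-domain field of mail server log events. Log format, addresses and IPs are
constructed for the demo.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample mail log: "<ISO timestamp> sender=<addr> recipient=<addr> src_ip=<ip>"
SAMPLE_MAIL_LOG = """\
2016-09-17T08:00:00 sender=alice@example-corp.test recipient=bob@example-corp.test src_ip=10.0.0.5
2016-09-17T08:05:00 sender=news@partner.test recipient=bob@example-corp.test src_ip=198.51.100.7
2016-09-17T08:10:00 sender=alice@example-corp.test recipient=carol@example-corp.test src_ip=10.0.0.5
2016-09-17T09:00:00 sender=billing@partner.test recipient=dave@example-corp.test src_ip=198.51.100.7
2016-09-17T09:30:00 sender=alice@example-corp.test recipient=dave@example-corp.test src_ip=10.0.0.5
2016-09-18T10:00:00 sender=ops@rare-vendor.test recipient=bob@example-corp.test src_ip=203.0.113.9
2016-09-19T10:01:00 sender=invoice@never-seen.test recipient=bob@example-corp.test src_ip=203.0.113.44
2016-09-19T10:02:00 sender=invoice@never-seen.test recipient=carol@example-corp.test src_ip=203.0.113.44
2016-09-19T10:03:00 sender=ops@rare-vendor.test recipient=dave@example-corp.test src_ip=203.0.113.9
2016-09-19T10:04:00 sender=alice@example-corp.test recipient=bob@example-corp.test src_ip=10.0.0.5
"""


def parse_mail_log(text):
    """Parse the constructed key=value lines into dicts with a datetime and sender domain."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.fromisoformat(ts)
        ev["sender_domain"] = ev["sender"].rsplit("@", 1)[-1].lower()
        events.append(ev)
    return events


def new_and_rare_senders(events, window_start, window_end, rare_threshold=2):
    """Baseline = events before window_start; detection window = [window_start, window_end).

    A sender domain in the window is 'new' if absent from the baseline and 'rare' if it
    occurs fewer than rare_threshold times there. Each flagged domain carries the source
    IPs (candidate actors) and recipients (candidate victims) observed in the window.
    """
    baseline = Counter(ev["sender_domain"] for ev in events if ev["ts"] < window_start)
    seen = defaultdict(lambda: {"src_ips": set(), "recipients": set()})
    for ev in events:
        if window_start <= ev["ts"] < window_end:
            seen[ev["sender_domain"]]["src_ips"].add(ev["src_ip"])
            seen[ev["sender_domain"]]["recipients"].add(ev["recipient"])
    new, rare = {}, {}
    for dom, info in seen.items():
        record = {
            "src_ips": sorted(info["src_ips"]),
            "recipients": sorted(info["recipients"]),
            "baseline_count": baseline[dom],
        }
        if baseline[dom] == 0:
            new[dom] = record
        elif baseline[dom] < rare_threshold:
            rare[dom] = record
    return {"new": new, "rare": rare}


def demo_result():
    """Run the analysis over the constructed log for the 2016-09-19 10:00-11:00 window."""
    events = parse_mail_log(SAMPLE_MAIL_LOG)
    return new_and_rare_senders(events, datetime(2016, 9, 19, 10), datetime(2016, 9, 19, 11))


if __name__ == "__main__":
    result = demo_result()
    for kind in ("new", "rare"):
        for dom, rec in result[kind].items():
            print(f"{kind:4} {dom}: actors={rec['src_ips']} victims={rec['recipients']}")
```

In the constructed data the baseline period holds three messages from example-corp.test, two from partner.test and one from rare-vendor.test, so in the detection window never-seen.test is reported as new and rare-vendor.test as rare, while the established internal domain is not flagged. In production the baseline would be a rolling lookup rather than an in-memory count, and the same pass would be run over recipient, IP and domain fields.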
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Available Continuous Monitoring Use Cases
Essentials
Found search result(s) for 3 title:UC* contentBody:"APC-Essential" contentBody:"DS001MAIL".
UCESS053 Threat Activity Detected(Narrative and Use Case Center)
past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware
UCESS031 Host Sending Excessive Email(Narrative and Use Case Center)
Alerts when an host not designated as an email server sends excessive email to one or more target hosts.For the past 60 minutes starting 5 minutes after realtime, using all summary data even if the model has changed, calculate ...
May 02, 2016
UC0003 Server generating email outside of approved usage(Narrative and Use Case Center)
Server operating systems often generate email for routine purposes. Configuration management can be used to identify which server may generate email and what recipients are permitted. Identify servers receiving email from the internet without approval Identify ...
Apr 19, 2016
Maturing
Found search result(s) for 2 title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-*".
UC0077 Detection Risky Referral Domains(Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less than 48 ...
Jun 24, 2016 Labels: creative
UC0004 Excessive number of emails sent from internal user(Narrative and Use Case Center)
Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam sending, abusing company resources, or attempting to solve a business problem using a technique not approved by policy. For this use case, email generated from endpoint networks ...
Apr 08, 2016
Mature
Found search result(s) for 2 title:UC* contentBody:"APC-Mature" contentBody:"DS001MAIL-*".
UC0077 Detection Risky Referral Domains(Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less than 48 ...
Jun 24, 2016 Labels: creative
UC0004 Excessive number of emails sent from internal user(Narrative and Use Case Center)
Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam sending, abusing company resources, or attempting to solve a business problem using a technique not approved by policy. For this use case, email generated from endpoint networks ...
Apr 08, 2016
Providing Technologies
Found search result(s) for 3 title:PT* contentBody:"DS001MAIL".
PT001-Microsoft-Exchange(Narrative and Use Case Center)
... solution and channel of communication useful in various attacks, access monitoring is imperative. Provides DS001MAIL DS001MailET01Access DS001MAILET02Receive DS001MailET03Send DS003Authentication
Authentication occurs for Administrative action Active Sync ...
Apr 01, 2016 Labels: provider-type
PT003-ExtraHop-SMTP(Narrative and Use Case Center) ... Provides DS001MAIL providertype
Feb 05, 2016 Labels: provider-type
PT002-Splunk-Stream-SMTP(Narrative and Use Case Center) ... Provides DS001MAIL providertype
Feb 05, 2016 Labels: provider-type
DS002DNS
The domain name system (DNS) is the Internet's phone book, providing a mapping between system or network resource names and IP addresses. DNS has a hierarchical name space that typically includes three levels: a top-level domain (TLD) such as .com, .edu or .gov; a second-level domain such as "google" or "Whitehouse;" and a system level such as "www" or "mail." DNS nameservers operate in this hierarchy either by acting as authoritative sources for particular domains, such as a company or government agency or by acting as caching servers that store DNS query results for subsequent lookup by users in a specific location or organization; for example, a broadband provider caching addresses for its customers.
Security Value
Continuous Monitoring
Monitoring using analytic concepts such as new, rare and extreme values over the IP, port and protocol fields increasingly identifies potential command and control systems.
Forensic Investigation
Utilize communication log events, in combination with other events, to identify potential actors involved in targeted activity.
Utilize communication log events to identify additional ingress and egress points.
Utilize communication log events to identify pivot points utilized by attackers to move into controlled network segments.
Utilize communication log events to establish a timeline of who, when and what when investigating internal activity.
Legal compliance
Utilize communication logs to support discovery and defense of legal claims.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is subject to expansion and clarification over time.
Consuming Use Cases
Essentials
Found search result(s) for 1 title:UC* contentBody:"APC-Essential" contentBody:"DS002DNS".
UCESS053 Threat Activity Detected(Narrative and Use Case Center)
past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ...
Sep 17, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found search result(s) for 7 title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS".
UC0089 Detection of Communication with Algorithmically Generated Domain(Narrative and Use Case Center)
Using an algorithm determine text of the registration domain is likely to be generated by a computer excluding known cloud hosting domains, Alexa TOP 1 M domains and domains with long established communication with the organization. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
Labels: prt05-tacticalthreat-ransomeware creative,
UCESS019 Excessive DNS Queries(Narrative and Use Case Center)
Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where the message ...
Aug 14, 2016
UCESS018 Excessive DNS Failures(Narrative and Use Case Center)
Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where ...
Aug 14, 2016
UC0072 Detection of unauthorized using DNS resolution for WPAD(Narrative and Use Case Center)
Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search for NXDOMAIN replies to A/AAAA queries for wpad (bare host) and wpad. where the domain portion is not a company-owned domain. Problem Types Addressed Risk Addressed Event ...
Apr 25, 2016
UC0081 Communication with unestablished domain(Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose
reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0076 Excessive DNS Failures(Narrative and Use Case Center)
endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security controls can be detected by either a large volume or high number of unique DNS queries. Problem Types
Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0049 Detection of DNS Tunnel(Narrative and Use Case Center)
Endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls. Detected by large total size of DNS traffic OR large number of unique queries. Problem Types Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware
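The detections listed above (UCESS019/UCESS018 excessive queries and failures, UC0072 WPAD resolution outside company domains, UC0049/UC0076 DNS tunnelling by unique-query volume, and UC0089 algorithmically generated domains) worked through over constructed DNS query records, as an added example that is not code from the original page or from any provider. It assumes a constructed key=value log format, constructed client IPs and domains, a character-entropy score as the "algorithm" for UC0089 (one common choice; the page does not name one), a small allowlist standing in for the Alexa top 1M / cloud hosting / long-established-domain exclusions, thresholds chosen to fit the sample, and a last-two-labels approximation of the registration domain.

```python
"""
Added example (not the original page's or a vendor's code): DNS detections over a
constructed query log. Log format, IPs, domains, thresholds and allowlists are constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed sample: "<ISO timestamp> client=<ip> query=<name> qtype=<type> rcode=<rcode>"
SAMPLE_DNS_LOG = """\
2016-08-14T10:00:01 client=10.0.0.5 query=www.example-corp.test qtype=A rcode=NOERROR
2016-08-14T10:00:02 client=10.0.0.5 query=mail.partner.test qtype=A rcode=NOERROR
2016-08-14T10:00:03 client=10.0.0.5 query=wpad.example-corp.test qtype=A rcode=NOERROR
2016-08-14T10:00:04 client=10.0.0.23 query=wpad.coffee-shop.test qtype=A rcode=NXDOMAIN
2016-08-14T10:00:05 client=10.0.0.31 query=xk3j9qpz7v2mw1.test qtype=A rcode=NXDOMAIN
2016-08-14T10:00:06 client=10.0.0.31 query=p0q2w9ert5yu1i.test qtype=A rcode=NXDOMAIN
2016-08-14T10:00:07 client=10.0.0.31 query=zm8n7b6v5c4x3a.test qtype=A rcode=NXDOMAIN
2016-08-14T10:00:08 client=10.0.0.31 query=9fj2k8qzl3mvx.test qtype=A rcode=NOERROR
2016-08-14T10:00:09 client=10.0.0.77 query=agvsbg8.tunnel.test qtype=TXT rcode=NOERROR
2016-08-14T10:00:10 client=10.0.0.77 query=d29ybgq.tunnel.test qtype=TXT rcode=NOERROR
2016-08-14T10:00:11 client=10.0.0.77 query=zm9vymfy.tunnel.test qtype=TXT rcode=NOERROR
2016-08-14T10:00:12 client=10.0.0.77 query=ymf6cxv4.tunnel.test qtype=TXT rcode=NOERROR
2016-08-14T10:00:13 client=10.0.0.77 query=cxvpenk.tunnel.test qtype=TXT rcode=NOERROR
2016-08-14T10:00:14 client=10.0.0.77 query=z3jhdgvz.tunnel.test qtype=TXT rcode=NOERROR
"""

COMPANY_DOMAINS = {"example-corp.test"}          # constructed: domains the organization owns
# Constructed stand-in for the Alexa top 1M / cloud hosting / long-established exclusions.
KNOWN_GOOD_DOMAINS = {"partner.test", "9fj2k8qzl3mvx.test"}


def parse_dns_log(text):
    """Parse the constructed key=value lines; query names are lower-cased and unrooted."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = ts
        ev["query"] = ev["query"].rstrip(".").lower()
        events.append(ev)
    return events


def registration_domain(name):
    """Approximation: last two labels. Production code should use the public suffix list."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def shannon_entropy(s):
    """Bits per character of the string s; random-looking labels score higher."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dga_candidates(events, min_len=8, min_entropy=3.5):
    """UC0089: registration domains whose first label is long and high-entropy, after exclusions."""
    flagged = set()
    for ev in events:
        reg = registration_domain(ev["query"])
        if reg in COMPANY_DOMAINS or reg in KNOWN_GOOD_DOMAINS:
            continue
        label = reg.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            flagged.add(reg)
    return sorted(flagged)


def wpad_outside_company(events):
    """UC0072: NXDOMAIN replies for wpad or wpad.<domain> where <domain> is not company-owned."""
    hits = []
    for ev in events:
        q = ev["query"]
        if (q == "wpad" or q.startswith("wpad.")) and ev["rcode"] == "NXDOMAIN":
            if registration_domain(q) not in COMPANY_DOMAINS:
                hits.append((ev["client"], q))
    return hits


def host_volume(events, unique_threshold=5, nxdomain_threshold=3):
    """UCESS019/UC0049/UC0076 (unique-query volume) and UCESS018 (NXDOMAIN count) per client."""
    unique = defaultdict(set)
    nxdomain = Counter()
    for ev in events:
        unique[ev["client"]].add(ev["query"])
        if ev["rcode"] == "NXDOMAIN":
            nxdomain[ev["client"]] += 1
    return {
        "excessive_unique_queries": sorted(h for h, q in unique.items() if len(q) >= unique_threshold),
        "excessive_nxdomain": sorted(h for h, c in nxdomain.items() if c >= nxdomain_threshold),
    }


if __name__ == "__main__":
    evs = parse_dns_log(SAMPLE_DNS_LOG)
    print("DGA candidates:", dga_candidates(evs))
    print("WPAD outside company:", wpad_outside_company(evs))
    print("Per-host volume:", host_volume(evs))
```

On the constructed log the three fourteen-character labels queried by 10.0.0.31 score log2(14), about 3.8 bits per character, and are reported, while the equally random-looking 9fj2k8qzl3mvx.test is dropped by the allowlist, which is the exclusion step UC0089 calls for. The entropy threshold and the per-host counts are tuning knobs; the use cases above express the same idea as counts over a 60-minute summary window, and the 60-minute window would replace the whole-file pass here.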
Mature
Found search result(s) for 7 title:UC* contentBody:"APC-Mature" contentBody:"DS002DNS".
UC0089 Detection of Communication with Algorithmically Generated Domain(Narrative and Use Case Center)
Using an algorithm determine text of the registration domain is likely to be generated by a computer excluding known cloud hosting domains, Alexa TOP 1 M domains and domains with long established communication with the organization. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
Labels: prt05-tacticalthreat-ransomeware creative,
UCESS019 Excessive DNS Queries(Narrative and Use Case Center)
Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where the message ...
Aug 14, 2016
UCESS018 Excessive DNS Failures(Narrative and Use Case Center)
Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where ...
Aug 14, 2016
UC0072 Detection of unauthorized using DNS resolution for WPAD(Narrative and Use Case Center)
Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search for NXDOMAIN replies to A/AAAA queries for wpad (bare host) and wpad. where the domain portion is not a company-owned domain. Problem Types Addressed Risk Addressed Event ...