Life Cycle of an Alert

Introduction

This article reviews the Life Cycle of an Alert, to help you better understand how to:

  1. Create a rule
    • Severity 2 alert for every 5 privilege escalations that happen in an hour.
  2. Maximize the effectiveness of that rule
    • By defining the aggregations, alert thresholds, and a time window.
  3. Review an alert
    • The alert details show the specific behaviors and events that help you determine if any further analysis and action is necessary.
  4. Resolve an alert
    • Review and acknowledge a particular behavior, or set of behaviors, then dismiss or suppress that alert.

Use Case

You want to create a rule that shows a Severity 2 alert when 5 `sudo` commands happen in an hour. This rule has Threat Stack generate an alert anytime a user escalates their privileges on the monitored host using the `sudo` command.

The alert life cycle starts when you create a rule on the Threat Stack Rulesets page.

Part 1. Create a Rule

You want to create a Severity 2 alert for every 5 privilege escalations that happen in an hour.  

Every rule must include the following components:

  1. Rule Name - description of the rule.
  2. Alert Title - the name and substitutions (*dynamic content) that add context to the alert.
  3. Description - the severity of the alert it generates.
  4. Filter - the criteria used to decide whether an alert should display.
  5. Severity - three levels of behaviors to indicate the severity of the alert.

NOTE: *You should select the aggregation fields that match the substitution fields (Example: if you want the alert title to substitute the user and executable dynamically through `{{user}}` and `{{exe}}`, then select `user` and `exe` as the aggregation fields). See the “Part 2: Maximize the Effectiveness of the Rule” section for additional information on aggregation fields.

In this example, Threat Stack has you clone an existing Privilege Escalations rule in the Base Rule Set and modify it. To clone an existing rule, go to the Rulesets page:

1. Click the New Rule button. On the Add Rule fly-in, select the Clone Existing Rule option.

2. Search and select the existing Privilege Escalation rule and click the Clone 1 Rule button.

3. On the left side of the page, confirm the Severity of alerts associated with the Rule.

If necessary, change the severity level by clicking the severity button to [2].

4. On the right side of the page, edit the following fields:

  • Rule Name
  • Alert Title
  • Alert Description

Example: “Sudo five in an hour {{exe}} by {{user}} with arguments {{arguments}}”

5. In the Aggregation fields, confirm you have the correct aggregations selected.

6. Change the frequency to “5 times” and the time window to “1 hour”.

7. Click the Update Rule button to save these details.

8. Scroll to the Rule Filter section, and click the Filter (Required) field.

9. Enter the `command` and `type`.

Example: The filter criteria includes command = "sudo" and type = "start".

10. Click the Update Rule Filter button.

You created a new rule!

Part 2. Maximize the Effectiveness of the Rule

When you create a rule you have the option to select aggregations, alert thresholds, and a time window.

Aggregation field - defines the uniqueness of the alert.

Within our example, we had you select `execute` and `arguments` as aggregations. This means that if a user executes the same command with the same arguments more than once, Threat Stack considers it an identical event and updates the original alert within the alert threshold.

Alternatively, within the context of aggregation, if a user runs the same executable but enters a different argument, a new, unique alert displays because Threat Stack considers it a different alert.

Alert Thresholds - counts the number of times an event matches the defined filter and aggregations and then displays an alert only after the count matches the alert criteria.

Within our example, we had you set the alert threshold as "5 events in a 1 hour period". This means, if a user executes the same argument 5 times within an hour then Threat Stack generates only 1 alert.

Time Window - the span of time specified to generate an alert based on the number of times an event was executed.

Within our example, if the same alert generates more than once within a time window, Threat Stack would update the existing alert, instead of generating a new alert. When Threat Stack updates an existing alert, it attaches the event to the alert record for you to review.

You can learn more about the Alert components on the Threat Stack application UI in the Threat Stack Alerts UI section of this page.
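
The aggregation, alert threshold and time window behavior described in Part 2, as an added Python example that is not Threat Stack's code: it replays constructed `sudo` events through the rule from Part 1 (filter command = "sudo" and type = "start", aggregation on `exe` and `arguments`, 5 events in 1 hour) and shows a single alert being raised and then updated with later in-window events instead of duplicated. The event field names `ts`, `command`, `type`, `exe`, `user` and `arguments` are assumptions, not Threat Stack's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                              # frequency: "5 times"
WINDOW = timedelta(hours=1)                # time window: "1 hour"
AGGREGATION_FIELDS = ("exe", "arguments")  # aggregation fields from Part 2
TITLE = "Sudo five in an hour {exe} by {user} with arguments {arguments}"

def matches_filter(ev):  # rule filter from Part 1: command = "sudo", type = "start"
    return ev.get("command") == "sudo" and ev.get("type") == "start"

def evaluate(events):
    """Group matching events by the aggregation fields, raise one alert once
    THRESHOLD events fall inside WINDOW, attach later in-window events to it."""
    recent = defaultdict(list)  # aggregation key -> events still in window
    open_alerts = {}            # aggregation key -> most recent alert
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not matches_filter(ev):
            continue
        key = tuple(ev.get(f) for f in AGGREGATION_FIELDS)
        alert = open_alerts.get(key)
        if alert and ev["ts"] - alert["first_event"] < WINDOW:
            alert["events"].append(ev)      # update the existing alert
            alert["last_event"] = ev["ts"]
            continue
        bucket = [e for e in recent[key] if ev["ts"] - e["ts"] < WINDOW]
        bucket.append(ev)                   # sliding window for this key
        recent[key] = bucket
        if len(bucket) >= THRESHOLD:
            alert = {"title": TITLE.format(**ev), "events": list(bucket),
                     "first_event": bucket[0]["ts"],   # timestamp (A)
                     "last_event": ev["ts"]}           # timestamp (B)
            open_alerts[key] = alert
            alerts.append(alert)
            recent[key] = []                # already counted in this alert
    return alerts

def contributing_events(alert, last=5):  # View Contributing Events, first on top
    return alert["events"][-last:]

# Constructed sample events (not real telemetry): six identical sudo starts
# over 25 minutes, one sudo with different arguments, one non-sudo command.
T0 = datetime(2020, 1, 1, 9, 0)
def _ev(minute, command, exe, arguments, user="alice"):
    return {"ts": T0 + timedelta(minutes=minute), "command": command,
            "type": "start", "exe": exe, "user": user, "arguments": arguments}
SAMPLE_EVENTS = [_ev(5 * i, "sudo", "/usr/bin/sudo", "sudo su -") for i in range(6)]
SAMPLE_EVENTS += [_ev(7, "sudo", "/usr/bin/sudo", "sudo systemctl restart nginx"),
                  _ev(8, "ls", "/bin/ls", "ls -la")]
```

Calling `evaluate(SAMPLE_EVENTS)` yields one alert for the six identical `sudo su -` starts (the sixth event is attached to the alert rather than raising a second one), while the differently-argumented `sudo` stays below threshold and the `ls` event never passes the filter.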

Review Alerts within Threat Stack

At this point you have created a rule and specified the criteria for an alert. Now we can review what an alert looks like on the Alerts page if an event triggers it.

The Alerts Page

As a reminder, the Alerts page contains:

  • Organized view (default and customizable tabs)
    • By default, Threat Stack sorts alerts by severity, type, active, or dismissed.
  • Search field
  • Alert Trends over time (histogram)
  • Alert information table and filter rule and ruleset details

NOTE: See the Alert Page Functionality Review article for more in depth definitions of each section.

Reviewing Alerts

We recommend using the Alert Trends histogram to navigate to alert spikes. This can help you access alert details and additional information quickly and efficiently.

In the Alert Trends, you can drag the bracket along the histogram to the desired time period and view the behaviors that caused the alerts. As the bracket moves, the information in the right-hand filters (Filter by Rule and Filter by Ruleset) changes to display relevant information, including the raw alerts related to the behaviors in the body of the alerts. It also shows the specific behaviors and events that help you determine any further analysis and action.

Alert Details Information

You can see Alert information in the Alerts Table, including:

  1. Executable
  2. Arguments
  3. User

Select an Alert to view more alert event information.

Within the Alert Event Details, you can find additional information on the events contributing to the alert, including:

1. Timestamp:

  • A) The first event that triggered the alert (the timestamp default).
  • B) The last event that contributed to the alert.

2. Contributing Events - contains up to the last 5 contributing events related to the alert.

To review additional details about “Contributing Events”, click the View Contributing Events link. Clicking the View Contributing Events link displays the last 5 contributing events in chronological order, with the first event on top.

Resolving Alerts

On the Alerts page, you can view, suppress, and dismiss alerts. The Dismiss Alert functionality enables you to acknowledge particular behavior and track the dismissed alerts for compliance.

What’s the difference between Dismissing an Alert and Suppressing an Alert?

When you dismiss an alert, it is removed from the view; if the behavior happens again, the alert displays again.

Suppressing an alert whitelists the behavior; this means you will not see the alert again. So, if you suppress an alert, it indicates that you don’t want to receive alerts about the behavior at all. See the Add an Alert Suppression article for more information.

Dismissing an Alert

Dismissing an alert means that you reviewed and acknowledged a particular behavior, or set of behaviors. From a compliance standpoint, a record of dismissed alerts shows an auditor that you reviewed and acknowledged particular behaviors.

NOTE: You don’t dismiss at the alert level, you dismiss alerts at the rule level.

To dismiss an alert, or multiple alerts, go to the Alerts page:

1. On the Alerts page, use the Alert Trends histogram to navigate to an alert spike.

2. Review the Filter by Rule section to see which rule filter caught the alert behavior.

(in this case it is the {{exe}} activity :{{arguments}} ran by {{user}} behavior)

3. Select a specific alert to review the contributing events and see why the behavior happened.

4. Select the checkbox; the Actions section displays on the right.

5. Select your Dismiss Alert Reason and click the Dismiss [#] Alert button.

You can review dismissed alerts on the Dismissed Alerts tab.

Summary

This article walked you through the life cycle of an alert from rule creation to alert resolution.

  1. Create a rule
    • Severity 2 alert for every 5 privilege escalations that happen in an hour.
  2. Maximize the effectiveness of that rule
    • By defining the aggregations, alert thresholds, and a time window.
  3. Review an alert
    • The alert details show the specific behaviors and events that help you determine if any further analysis and action is necessary.
  4. Resolve an alert
    • Review and acknowledge a particular behavior, or set of behaviors, then dismiss or suppress that alert.
