¶ What is Custom Enrichment?
When investigating potential cyber incidents, it is vital to collect relevant context about the event. This enables you to make data driven remediation decisions quickly and confidently.
The SOC.OS platform provides two different types of context:
- Threat Intelligence Data - SOC.OS automatically enriches alert metadata (such as external IP addresses and hostnames) with 3rd-party threat intelligence feeds.
AbuseIPDB has identified the external IP address
212.70.149.71as having an abuse confidence score of 100%.
- Custom Enrichment - SOC.OS allows users to configure custom enrichment information. This adds business context to the metadata of alerts processed by the SOC.OS platform.
The internal IP address
10.0.1.92is our domain controller.
Custom enrichment is configured by creating:
- Tags - Tags are custom labels
- Identifiers - Identifiers are the criteria that must be met for the tag to be applied.
For example, you could create a tag server:smtp with an identifier smtp.mydomain.com. When SOC.OS processes an alert that contains the domain smtp.mydomain.com, the domain is mapped to a SOC.OS entity. That entity is then tagged with server:smtp.
¶ Benefits of Custom Enrichment
Custom enrichment allows users to configure how SOC.OS will behave when processing certain alerts or entities. You may choose to configure:
- Custom Scoring - Custom enrichment enables users to increase or decrease the score of any alert that a tag appears in. This allows you to move clusters involving business critical assets to the top of the priority-ranked investigation workbench.
- Custom Correlation - Custom enrichment can be used to prevent SOC.OS from combining alerts into a single cluster when the alerts only correlate on a certain tagged entity. This allows you to prevent large clusters from being created when, for example, the only entity they share is a common piece of infrastructure, like a proxy server.
- To prevent correlation on an entity, create a tag and identifier for the entity and ensure the Correlate switch is set to NO. For more information, see the Adding Custom Enrichment section below
In addition to the above, tags that are added during custom enrichment are:
- quickly searchable using a dedicated tags search criteria.
- easy to monitor using the Tagging Dashboard widget.
- clearly identifiable on the investigation workbench and cluster visualisation pages - consistent colour coding of tags is used throughout the SOC.OS tool.
¶ Adding Custom Enrichment
Custom enrichment is configured in the Settings section of the SOC.OS tool. A detailed breakdown of the custom enrichment screen is shown in the image below.
¶ Tags
A tag is a custom label set by the user. They consist of a name and value separated by a colon, name:value. These labels are applied as an attribute on an entity.
In the annotated screengrab above, the tag server:domain controller has been created.
Example tags could be:
department:finance,server:credit-processingorestate:north
¶ Tag Configuration
The score multiplier, correlation status and colour of a tag can be configured.
- Score Multiplier - The score of an alert is multiplied by this value if the tag is identified in that alert. For example, a score multiplier of 2 will double the score of each alert that contains your custom tag.
- Correlation Status - If set to yes, SOC.OS will use entities that match this tag (and all un-tagged entities) when trying to correlate alerts together. If set to no, SOC.OS will not use the tagged entities when attempting to correlate alerts.
- Tag Colour - This colour will be used to display the tag throughout the SOC.OS tool.
¶ Identifiers
Continuing with the example shown above, in order for SOC.OS to successfully apply the server:domain controller tag, the user must add an identifier which identifies the domain controller.
There are 3 types of identifiers: Regex, Text and IP Address/IP Range.
- Regex Identifier - A regex identifier will apply the associated tag(s) to any alert or entity with a kind, value, attribute name or attribute value that passes the supplied regex.
E.g. the regex identifier
/.*\.mydomain\.[com|co\.uk]/will apply the associated tag(s) to any entity that is a subdomain ofmydomain.comormydomain.co.uk, or any entity that references it in a property.
- Text Identifier - A text identifier will apply the associated tag(s) on any alert or entity with a kind, value, attribute name or attribute value that contains the supplied text.
E.g. the text identifier
My Alert Typewill apply the associated tag(s) to an alert with an attributealert typewith the valueMy Alert Type.
- IP address/IP range identifier - An IP address/IP range identifier will apply the associated tag(s) to any IP address entity that has a value equal the supplied IP address, or is within the supplied IP CIDR range.
E.g. the IP address identifiers
1.2.3.4and1.2.3.4/0will both apply their associated tag(s) to the IP address entity1.2.3.4.
Note - many tags can be associated with a single identifier. In the above example, the 10.0.1.92 IP Address identifier is associated with the domain controller tag. It could also be associated with a tag estate:north, for example. When this IP address is analysed, SOC.OS would then tag it as server:domain controller and estate:north.
Similarly, a tag can be applied to many identifiers. For example, the tag estate:north could be applied to an IP Address identifier with value 10.0.1.92 and a regex identifier with value /.*\.scot\.mydomain\.co\.uk/.
¶ Examples
Below are tables of example tags and identifiers for each identifier type. These aim to illustrate some common use cases for custom enrichment.
¶ IP address/IP range identifier
| Tag | Identifier Value |
server:remote access |
10.158.4.7 |
server:proxy |
192.168.84.7 |
server:audit logging |
172.16.5.4 |
network:dmz |
192.168.1.0/28 |
¶ Text identifier
| Tag | Identifier Value |
admin users:bsmith |
bsmithadmin |
alert action:detected |
detected |
source system:my-source-system |
my-source-system |
¶ Regex identifier
| Tag | Identifier Value |
region:uk |
/uk\.[a-zA-Z\-]*\.mydomain\.co\.uk/ |
dept:IT |
/.*\.it\.mydomain\.com/ |
Take a look at the demo video and product sheet for more information.