July 5, 2022
Find out how to optimize operational security by building and maintaining highly customized rulesets.
Exabeam is a powerful security information and event management (SIEM) platform that enables analysts to detect and mitigate a wide range of threats. It can identify external threats like malware and ransomware as well as internal threats like malicious insiders and compromised accounts.
While the platform offers a great deal of functionality out of the box, it truly shines when it is customized to fit the unique risk profile of the organization it protects. Custom rules allow analysts to dramatically reduce enterprise risk by targeting the high-risk weaknesses particular to their own IT environment.
Custom Rules Require In-Depth Visibility
Most organizations that have a SIEM use the platform to monitor their environment, detect threats, and report on their security posture. To optimize these processes with custom rules, security leaders need to be able to see exactly how their SIEM works on a deep, granular level. Not all managed detection and response vendors allow this, which can make harnessing the full power of your SIEM platform a challenge.
Castra’s Glass Box approach provides the unlimited visibility necessary for security leaders to dive deep into their SIEM platform and see exactly what rules are in place at any given time. It provides a clear window into how those rules change over time and gives analysts precise information about what to expect from the alerts they receive.
Discover Users, Assets, and Applications
In a typical IT environment, there are a few elements that are the subjects of monitoring and the targets of attacks:
- Users
- Assets
- Applications
The more security leaders know about their users, assets, and applications, the better their custom rulesets can be. This type of information is not included in the logs that SIEM solutions process, so it must be derived contextually from outside the log reporting and management system.
At Castra, we call this kind of behind-the-scenes metadata Context. Effective custom rule management demands clear, actionable knowledge about where this data comes from and how it gets processed.
In many cases, context comes from directory services like Active Directory or the Lightweight Directory Access Protocol (LDAP). It may also come from a cloud-based directory service like Google Workspace or Okta.
This contextual metadata offers crucial information about users, assets, and applications. It can tell analysts who those users are, where those assets are located, or what that application’s role is. All of this information helps analysts make better decisions about the logs reporting their activities.
Teach the System to Recognize Network Zones and Groups
The next step in creating custom rules involves teaching the SIEM to correctly categorize events in terms of the various network segments that define its IT environment. Even in an all-cloud environment, security professionals need to know how different users, assets, and applications interact with one another in order to build successful customized rulesets.
Custom rulesets should also distinguish between groups of assets that behave in a similar way. Asset groups give analysts the ability to quickly identify the key details of the users, assets, and applications they are looking at and provide relevant context for that process.
For example, an employee using virtual desktop infrastructure may log into one server in the morning, a different one after their lunch break, and yet another through a VPN while traveling later that week. If the SIEM doesn’t know how to cluster this behavior together in the context of an asset group, it might trigger an alert, assuming a threat actor is trying to enumerate the environment.
Peer groups work in much the same way. Individual users have a set of relationships with other users, assets, and applications. These relationships can expand beyond their individual accounts and hardware devices. A good customized SIEM ruleset must take this user-specific contextual data into account. The same goes for automated service accounts that constantly interact with different parts of the IT infrastructure.
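The VDI scenario above, and the peer-group point that follows it, come down to one mechanism: enrich each log event with directory-derived context before a rule evaluates it. The script below is an added example written for this article, not Castra's or Exabeam's code. It assumes a constructed context table (users mapped to peer groups, hosts mapped to asset groups and zones) and a handful of constructed key=value logon lines, then runs a simple "same user, many distinct hosts" rule twice: once counting raw hostnames, and once counting asset groups.

```python
"""
Added example (not Castra's or Exabeam's code): enrich raw logon events with
directory-style context and evaluate a "multiple distinct hosts" rule with and
without asset-group awareness. All users, hosts, and events are constructed.
"""
from collections import defaultdict

# Constructed context, as it might be derived from AD/LDAP or a cloud directory:
# user -> department and peer group; host -> asset group and network zone.
USER_CONTEXT = {
    "jdoe": {"department": "Finance", "peer_group": "finance-analysts"},
    "svc_backup": {"department": "IT", "peer_group": "service-accounts"},
}
ASSET_CONTEXT = {
    "vdi-01": {"asset_group": "vdi-pool", "zone": "corp"},
    "vdi-02": {"asset_group": "vdi-pool", "zone": "corp"},
    "vdi-03": {"asset_group": "vdi-pool", "zone": "vpn"},
    "fileserver-01": {"asset_group": "file-servers", "zone": "datacenter"},
    "db-01": {"asset_group": "databases", "zone": "datacenter"},
}

# Constructed logon events in a syslog-like key=value form. jdoe mirrors the
# VDI user in the article; svc_backup is a service account that wanders.
RAW_EVENTS = [
    "ts=2022-07-05T08:02:11Z user=jdoe host=vdi-01 outcome=success",
    "ts=2022-07-05T13:10:42Z user=jdoe host=vdi-02 outcome=success",
    "ts=2022-07-05T19:45:03Z user=jdoe host=vdi-03 outcome=success",
    "ts=2022-07-05T09:15:00Z user=svc_backup host=fileserver-01 outcome=success",
    "ts=2022-07-05T09:16:30Z user=svc_backup host=db-01 outcome=success",
    "ts=2022-07-05T09:17:05Z user=svc_backup host=vdi-01 outcome=success",
]


def parse_event(line):
    """Split a key=value line into a dict; values may themselves contain '='."""
    return dict(kv.split("=", 1) for kv in line.split())


def enrich(event):
    """Attach user and asset context. Unknown users or hosts get explicit None
    fields so a rule can treat 'no context available' as its own condition."""
    user_ctx = USER_CONTEXT.get(event["user"], {})
    asset_ctx = ASSET_CONTEXT.get(event["host"], {})
    return {
        **event,
        "peer_group": user_ctx.get("peer_group"),
        "asset_group": asset_ctx.get("asset_group"),
        "zone": asset_ctx.get("zone"),
    }


def distinct_hosts_rule(events, threshold=3, group_aware=True):
    """Return the users who logged on to at least `threshold` distinct targets.
    With group_aware=True, hosts in the same asset group count as one target,
    which is what keeps a VDI user's three sessions from looking like a sweep.
    Hosts with no known asset group fall back to their raw hostname."""
    targets_per_user = defaultdict(set)
    for ev in events:
        key = ev["asset_group"] if group_aware and ev["asset_group"] else ev["host"]
        targets_per_user[ev["user"]].add(key)
    return {u for u, targets in targets_per_user.items() if len(targets) >= threshold}


def run(raw_lines=RAW_EVENTS, threshold=3):
    """Evaluate the rule both ways so the effect of context is visible."""
    enriched = [enrich(parse_event(line)) for line in raw_lines]
    return {
        "naive": distinct_hosts_rule(enriched, threshold, group_aware=False),
        "context_aware": distinct_hosts_rule(enriched, threshold, group_aware=True),
    }


if __name__ == "__main__":
    print(run())
```

Without context, both jdoe and svc_backup trip the rule because each touched three hostnames. With asset groups applied, jdoe's three VDI hosts collapse into a single target and the alert disappears, while svc_backup still fires because it crossed three different asset groups (file-servers, databases, vdi-pool). The peer_group field is carried through the same way so a follow-on rule could ask, for instance, whether a member of "service-accounts" normally appears on an interactive VDI pool at all.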
Curate and Improve Contextual Data to Inform Custom Rulemaking
Data can be improved, and the process of enriching data can provide important insight into how individual users, assets, and applications should interact in an IT environment. In the next part of this series, we’ll cover some of the ways Castra interprets and enhances data to inform the custom rulemaking process it uses to maximize SIEM performance.
Ready to learn more about Castra's Glass Box approach to customization? Get in touch today.