In the previous two blog posts, we showed how easy it is using the JASK API to generate event management efficiency metrics.
In this post, we will cover how to use the JASK API to identify gaps in rule coverage. It is pretty easy to show how many times a rule fired or how many rules fired across the different phases of an attack lifecycle. It is not as easy to show where organizations might have gaps and where they could improve their rule coverage. The reason why is most SIEM rules are stored in a separate data store than the events themselves, which means they cannot be queried very easily — or at all. A lot of times, organizations have a hard time just getting a count of the number of rules they have in production. JASK is transforming this dynamic with its Open API. Let’s see how we can do it!
First, let’s take a quick view of the rules API and the different ways you can use it.
1) Download https://github.com/bradjasper/ImportJSON/blob/master/ImportJSON.gs and install it as a script in Google Sheets.
2) Get API KEY from the JASK Portal.
3)Insert the following into a cell in Google Sheets. This query will list out the rules only, by their categories.
4) Next, create a column with the different phases of the MITRE ATT&CK, and create a simple function to count the rules in each category. The ones labeled as Attack Stage can be ignored for now, because that is for testing rules.
5) Now, we turn this into a chart and have the following:
A SOC manager can now take this and clearly see they have gaps at the Collection phase and Initial Access phase from a rules perspective. The gaps could be for a few different reasons. Maybe there were no rules created because it was unknown that there were no gaps, or maybe the security tools that are in place are not feeding the SIEM. Better yet, it could be that there aren’t yet any tools in place in the organization to get visibility into those phases. This can be used in a number of different ways, and the question of whether your organization knows where it might or might not have gaps in rule coverage is now answered. In addition, SIEM content should always be evolving, just like threats.
Once again, the table above can be added to a Google slide where the organization’s SOC metrics reside, where it will be automatically updated each month:
There are several other things that can be done with the JASK rules API, like enabling or disabling a rule, getting a full list of rules and their description, and much more.
Find out more information on the JASK API on GitHub.
Steven Dietz is technical director of field operations at JASK. With over 18 years of information security experience ranging from being an analyst to building world-class security operations, he demonstrates to potential customers how and why to use JASK products.