This week at JASK, we introduced templated rules to our customers. Templated rules make it easy for customers to create a single rule for a data source that has multiple event types. They also let customers normalize event severity into the JASK severity levels. Let’s walk through a quick example of how templated rules work.
In the example on the right, we give the signal a name, and with the curly brackets we can pass through information from the record. In this case, log_meta.device_event_ID can be Network, API, File_Create, Create_Process, or Registry Access.
In the past, five separate rules may have been required, but with the templated match only one is needed. We also pass through the message field, which is a description of the event. Lastly, we assign the severity value from a field called extra.alertScore. Since CB Defense already uses a severity scale of 1 to 10, there is nothing more we need to do here.
Now, when the rule triggers, we can see everything that was passed through. An analyst can see it is a CB – Suspicious FILE_CREATE event, with a clear description of PowerShell being used, and a severity level of 2.
In many cases, security vendors use different severity levels. Some use High, Medium, Low and others use 1 to 5. At JASK, we measure signal severity on a scale of 1 to 10. We have built in a way to map severity levels from a record field so that signals correlate more easily with security products that use a different scale.
The example to the right takes the field event_severity, where we expect a record value of Medium, and maps it to a signal severity of 5. Additional record values can be added to the mapping if needed.
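To make the two mechanisms above concrete, here is an added Python sketch (not JASK's code or its rule syntax) of what a templated rule does: it renders a signal name from record fields named in curly brackets, passes the message field through, and normalizes severity either directly from a numeric 1 to 10 field or through a lookup table for categorical scales such as High/Medium/Low. The rule dictionary keys, the nested record layout and the sample values are assumptions constructed for the example.

```python
import re
from typing import Any, Dict, Optional

# Assumed rule shape (illustration only, not JASK's rule format): a name template
# with {dotted.field} placeholders, the field holding the event description, and a
# severity source that is either already 1-10 or categorical plus a mapping table.
PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_.]+)\}")
def lookup(record: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve a dotted path such as log_meta.device_event_ID in a nested record."""
    cur: Any = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur
def render(template: str, record: Dict[str, Any]) -> str:
    """Substitute each {field}; a missing field renders as UNKNOWN rather than failing."""
    def _sub(m):
        value = lookup(record, m.group(1))
        return "UNKNOWN" if value is None else str(value)
    return PLACEHOLDER.sub(_sub, template)
def normalize_severity(value: Any, mapping: Optional[Dict[str, int]] = None, default: int = 1) -> int:
    """Map a vendor severity onto 1-10: numbers are clamped, strings go through the
    case-insensitive mapping table, and anything unmappable falls back to `default`."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return max(1, min(10, int(round(value))))
    if isinstance(value, str):
        key = value.strip().lower()
        if mapping and key in mapping:
            return mapping[key]
        if key.isdigit():
            return max(1, min(10, int(key)))
    return default
def apply_rule(rule: Dict[str, Any], record: Dict[str, Any]) -> Dict[str, Any]:
    """One record in, one signal out: rendered name, passed-through message, normalized severity."""
    return {
        "name": render(rule["name_template"], record),
        "message": lookup(record, rule["message_field"]) or "",
        "severity": normalize_severity(lookup(record, rule["severity_field"]), rule.get("severity_map")),
    }

# Constructed sample rules and records (not real telemetry).
CB_RULE = {"name_template": "CB - Suspicious {log_meta.device_event_ID}",
           "message_field": "message", "severity_field": "extra.alertScore"}
CB_RECORD = {"log_meta": {"device_event_ID": "FILE_CREATE"},
             "message": "PowerShell execution observed", "extra": {"alertScore": 2}}
MAPPED_RULE = {"name_template": "Vendor {event_type} alert", "message_field": "description",
               "severity_field": "event_severity", "severity_map": {"low": 2, "medium": 5, "high": 8}}
MAPPED_RECORD = {"event_type": "Network", "description": "outbound connection flagged", "event_severity": "Medium"}
```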
Templated rules provide customers with an easy way to pass through third-party alerts and events from different vendors without having to create rules for each event type.
Steven Dietz is technical director of field operations at JASK. With over 18 years of information security experience ranging from being an analyst to building world-class security operations, he demonstrates to potential customers how and why to use JASK products.