How to Think as a SOC Analyst!

Zafar Iqbal
4 min readJul 6, 2021


Security Operation Center (SOC)

This post is for SOC / IR analysts. In a Security Operations Center (SOC) we use a SIEM solution (e.g. QRadar, AlienVault, Splunk, ELK) that collects log data from multiple sources (e.g. AD, WAF, email, proxy, firewalls, web servers, databases, *nix and Windows servers). The SOC analyst analyses that data to find out what is happening in the infrastructure. We'll cover the analysis of each log source in detail over time, but today I'm going to write about how to analyse FortiGate firewall logs. This post will also show you how to build your own custom ruleset, and how I think while doing that.

What types of FortiGate logs are coming in my SIEM solution? (only top 3)

“Traffic”, “Event”, “UTM”

OK! Let's choose type = “event” and see which subtypes are associated with it (only top 3):

“vpn”, “user”, “system”

Let's analyse type = “event” & subtype = “vpn”. In the last 90 days of logs I can see all of these VPN-related activities:

“SSL vpn tunnel up”, “ssl vpn tunnel down”, “negotiate ipsec phase 1”, “progress ipsec phase 1”, “ipsec phase 1 SA deleted”, “negotiate ipsec phase 2”, “progress ipsec phase 2”, “ipsec phase 2 SA deleted”, “ipsec tunnel statistics”, “IPsec connection status changed”, “IPsec ESP”, “SSL VPN deny”, “SSL VPN login fail”

Let’s take a pause, please …

Just ask yourself: what is your event of interest, and why? Which activity would you like to explore further, and why?

I (as a security analyst) would first choose “SSL VPN tunnel up” (i.e. someone has connected with the FortiGate VPN client), and then “SSL VPN deny” and “SSL VPN login fail” would be my next two events of interest. Let's see which VPN users are making successful VPN connections.

Hey, 60 unique VPN users have established an SSL VPN tunnel with my firewall. OK! Which regions do they belong to? Oh, some are from China, the US, Russia and the UK. Why? Look at the source IP address: is it flagged as malicious or is it clean (check VirusTotal, Hybrid Analysis, IPVoid, OTX)? A clean reputation does not by itself prove the account is legitimate, so even then ask your FortiGate administrator whether these VPN user accounts, and the countries they connect from, are expected. Also check the frequency of login attempts.

Creation of Use Cases

Count of VPN user accounts in the firewall, and their region / country

Frequency of successful login attempts?

Map the public IP to the VPN username and look for anything anomalous: are several user accounts establishing successful VPN tunnels from one public IP, or does each VPN user map to one public IP?

Monitor VPN deny attempts

Monitor VPN failed login attempts

How should I monitor these use cases?

Create Rules in SIEM

1- VPN User Count / Anomaly:

  • Create a threshold rule. If about 50 VPN users establish SSL VPN tunnels in 24 hours under normal conditions, set the threshold a little above that baseline, say 60, and alert when the count of distinct VPN users in the last 24 hours exceeds 60.
Threshold Rule Created in ELK (Fortigate logs are being ingested through filebeat)
  • Alert me if a user account that has never connected before establishes a VPN tunnel.
Query Rule Created in Kibana (Fortigate logs are being ingested through filebeat)

2- Region / Country:

  • Hey, I know these X countries establish SSL VPN tunnels. Alert me if you see any new country name.
Query Rule Created in Kibana (Fortigate logs are being ingested through filebeat)

3- Login Attempt Frequency:

  • This use case is very important. In my FortiGate logs a VPN user normally establishes at most 5 SSL VPN sessions in a day, so if I see more than 10 SSL VPN tunnels established by one user, what does that mean? Either the VPN credentials have been compromised or something suspicious is happening that needs to be investigated.
Threshold Rule Created in Kibana (Fortigate logs are being ingested through filebeat)

In this picture, the rule alerts when VPN user “A” establishes a VPN tunnel more than 10 times.

4- Mapping of Public IP to VPN username:

  • VPN user account “A” always establishes a VPN tunnel from public IP “1.2.3.4”, username “B” always comes from “5.6.7.8” and username “C” from “9.10.11.12”. So alert me when any of these users creates a VPN tunnel from a new IP.
Threshold Rule Created in Kibana (Fortigate logs are being ingested through filebeat)

5- Monitor SSL VPN Deny Attempts

  • Configure an alert for when someone attempts an SSL VPN connection but is denied by the FortiGate firewall.
Query Rule to Detect SSL VPN Deny (Fortigate logs are being ingested through filebeat)

6- Monitor SSL VPN Failed Login Attempts

  • Alert me on each failed login attempt by an SSL VPN user (on a busy firewall, group the alerts by username and source IP so that a password spray stands out from one-off typos).
Query Rule to Detect SSL VPN Failed Login Attempts (Fortigate logs are being ingested through filebeat)
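The six rules above, expressed as plain detection logic so the thinking behind each Kibana rule is visible. This is an added example, not the author's rules or any FortiGate or Elastic code. The sample log lines are constructed in FortiGate's key=value syslog format: the field names (type, subtype, logdesc, action, remip, user, reason, msg) follow FortiGate's convention, but every value, IP address and username is made up, and the GeoIP table and 90-day baselines are stand-ins for what the SIEM enrichment and your own historical logs would provide.

```python
"""Detection logic for the six SSL VPN use cases above, run over constructed
FortiGate-style log lines. Added example, not the post's own Kibana rules."""
import re
from collections import Counter

# Constructed sample logs in FortiGate's key=value syslog format. Field names
# follow FortiGate's convention; every value, IP and username is made up.
SAMPLE_LOGS = """\
date=2021-07-05 time=08:01:10 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" remip=203.0.113.10 user="alice" msg="SSL VPN tunnel up"
date=2021-07-05 time=08:05:42 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" remip=198.51.100.7 user="bob" msg="SSL VPN tunnel up"
date=2021-07-05 time=09:12:03 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" remip=203.0.113.10 user="alice" msg="SSL VPN tunnel up"
date=2021-07-05 time=09:40:55 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" remip=192.0.2.77 user="alice" msg="SSL VPN tunnel up"
date=2021-07-05 time=10:02:17 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" remip=192.0.2.77 user="mallory" msg="SSL VPN tunnel up"
date=2021-07-05 time=10:30:00 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" remip=203.0.113.10 user="alice" msg="SSL VPN tunnel up"
date=2021-07-05 time=11:15:09 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" reason="sslvpn_login_unknown_user" remip=192.0.2.77 user="admin" msg="SSL VPN login fail"
date=2021-07-05 time=11:15:31 type="event" subtype="vpn" logdesc="SSL VPN deny" action="ssl-deny" reason="login permission denied" remip=192.0.2.77 user="bob" msg="SSL VPN deny"
date=2021-07-05 time=11:20:00 type="event" subtype="system" logdesc="Admin login successful" user="admin" msg="Administrator admin logged in successfully from ssh(10.0.0.5)"
"""

# Constructed stand-ins for the SIEM's GeoIP enrichment and for the baseline
# an analyst would build from the last 90 days of tunnel-up events.
GEOIP = {"203.0.113.10": "GB", "198.51.100.7": "US", "192.0.2.77": "CN"}
KNOWN_USERS = {"alice", "bob", "carol"}
KNOWN_COUNTRIES = {"GB", "US"}
USER_IP_BASELINE = {"alice": {"203.0.113.10"}, "bob": {"198.51.100.7"}}

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate(line):
    """Parse one FortiGate log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def rule_user_count(ups, threshold=60):
    """Use case 1a: distinct users with a tunnel up, against the threshold."""
    count = len({e["user"] for e in ups})
    return count, count > threshold


def rule_new_users(ups, known_users):
    """Use case 1b: accounts never seen establishing a tunnel before."""
    return {e["user"] for e in ups} - known_users


def rule_new_countries(ups, known_countries, geoip):
    """Use case 2: source countries outside the known set."""
    return {geoip.get(e["remip"], "unknown") for e in ups} - known_countries


def rule_login_frequency(ups, max_sessions=10):
    """Use case 3: users with more tunnel-ups than the per-day norm."""
    counts = Counter(e["user"] for e in ups)
    return {u: n for u, n in counts.items() if n > max_sessions}


def rule_new_ip_for_user(ups, baseline):
    """Use case 4: a baselined user arriving from an IP not in their history.
    Users with no baseline at all are left to rule_new_users."""
    return {(e["user"], e["remip"]) for e in ups
            if e["user"] in baseline and e["remip"] not in baseline[e["user"]]}


def rule_deny_and_fail(vpn_events):
    """Use cases 5 and 6: every SSL VPN deny and login failure, with context."""
    return [(e["logdesc"], e.get("user", ""), e.get("remip", ""), e.get("reason", ""))
            for e in vpn_events
            if e.get("logdesc") in ("SSL VPN deny", "SSL VPN login fail")]


def run_all(raw_logs, user_count_threshold=60, max_sessions_per_user=10):
    """Filter to type=event / subtype=vpn, then evaluate all six rules."""
    events = [parse_fortigate(l) for l in raw_logs.splitlines() if l.strip()]
    vpn = [e for e in events if e.get("type") == "event" and e.get("subtype") == "vpn"]
    ups = [e for e in vpn if e.get("logdesc") == "SSL VPN tunnel up"]
    return {
        "user_count": rule_user_count(ups, user_count_threshold),
        "new_users": rule_new_users(ups, KNOWN_USERS),
        "new_countries": rule_new_countries(ups, KNOWN_COUNTRIES, GEOIP),
        "frequent_users": rule_login_frequency(ups, max_sessions_per_user),
        "new_user_ips": rule_new_ip_for_user(ups, USER_IP_BASELINE),
        "deny_or_fail": rule_deny_and_fail(vpn),
    }


if __name__ == "__main__":
    # Thresholds lowered so the handful of sample lines trips every rule;
    # the post's production values are 60 users and 10 sessions per user.
    for name, result in run_all(SAMPLE_LOGS, user_count_threshold=2,
                                max_sessions_per_user=3).items():
        print(f"{name}: {result}")
```

Run as a script, the sample data fires all six rules: three distinct users against a threshold of two, "mallory" as a never-seen account, CN as a new country, "alice" with four tunnel-ups against a limit of three and a tunnel from an IP outside her baseline, plus one login failure and one deny from the same 192.0.2.77 address. That last coincidence is the kind of pivot the rules are meant to surface: the same source appears in the new-user, new-country, new-IP and failed-login results, which is far more worth an analyst's time than any single alert on its own.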

Create Visualization / Dashboard for Monitoring

I create visualizations and dashboards too, for my own ease. This way I can quickly see what is happening in this particular log source.
