topic Re: Excluding an alarm between two host groups in Security Analytics

Excluding an alarm between two host groups

stipend — Mon, 03 Apr 2023 18:23:29 GMT

We have a "Exfiltration" alarm that triggers between several source hosts and a single target host. For example, I've created a host group A for the source hosts and host group B for the target hosts.

How can I stop the "Exfiltration" alarm from triggering between the two host groups? I tried relationship, role, and single host policy but all of them only allow me to specify the action to take for a single host group.

Is there any way to specify when A host group is source and when B host group is Target to ignore the alarm?

Re: Excluding an alarm between two host groups

jamegill — Fri, 14 Apr 2023 16:38:20 GMT

Hi @stipend - Are both of the host groups in this example under Inside Hosts?

Before we get too much further, let's skip the Exfiltration Alarm because it is a Category Alarm. Instead, let's talk about the Suspect Data Loss Security Event that is responsible for it. (For a discussion on the difference between Category Alarms and Security Events see this thread)

In The 7.4.2 documentation for Alarms & Events covering the Suspect Data Loss event the Suspect Data Loss event is explicitly looking for traffic between inside and outside host groups.

--jg

Re: Excluding an alarm between two host groups

stipend — Fri, 14 Apr 2023 16:50:59 GMT

Sorry not sure why I put Exfiltration. The alarm is actually for Slow Connection Flood.

Yes both these host groups are in Inside Hosts. They are both inside host groups that communicate with each other and have legitimate traffic. I would like exclude the Slow Connection Flood between these two groups.

Re: Excluding an alarm between two host groups

jamegill — Fri, 14 Apr 2023 17:30:38 GMT

Ok, you have a couple of options. As discussed here the configuration option for When host is [target | source] can be set to just "on" instead of "on + alarm" so the individual event does not create an alarm for each event, but rather only for the Category Alarm.

The next option would be to create a Relationship Alarm for these two hosts. I will come back with a longer post later on how to do that (fact: Relationshop Alarms are my favorite feature of SNA that nobody really knows about).

Quick start, though -

create a new Network Diagram (look under the Dashbaords menu), add just the host groups in question
create an edge (line) between the groups. tweak the diagram to suit your liking (or don't, you can edit it later)
save the diagram
right-click on the line between the groups, select Policy Management
You're now editing the policy that only applies to the traffic between the two groups
click on Select Events and choose the individual policies for behaviors you want to monitor for here.
(yes, the policy types are more general than with the Core Policies, but you can get pretty close)

--jg

Re: Excluding an alarm between two host groups

stipend — Tue, 18 Apr 2023 13:35:22 GMT

I tried the Relationship Alarm but I found that to be too generic as you said. I instead created a role policy which says to Ignore alarm when A is source and "On+Alarm" when A is target. Its too bad though there is no definitive way to make a policy to ignore an alarm between Source A and Target B.

Re: Excluding an alarm between two host groups

jamegill — Tue, 18 Apr 2023 18:14:38 GMT

Hi @stipend ... good work, you're on the right track. Here are a couple of suggestions ...

For Slow Connection Flood consider turning the "when host is source" to "on" for the Inside Hosts default policy. Because you shouldn't see this very much between inside hosts (as discussed in more detail in the documentation for this alarm), you probably don't need an alarm for each instance of this event. By setting it to "on" you are still monitoring for this behavior but it will contribute to the Category Alarms for Concern Index, dDoS Source, dDoS Target.

The Role Policy approach here is a good approach if you are only seeing the alarm on a subset of your hosts. By applying that policy to the effected subset of hosts (Host Groups) you can again decide to set the event to "on" or "on+alarm", and you can also adjust the the thresholds in the event configuration to that Role Policy to override the setting of the Inside Hosts Default policy.

The concept of building policies with specific application to (or excemption for) specific source/destination host groups is a concept which has come up before, so I have added this thread to the internal discussion around that topic. Thank you for enhancing that conversation.

--jg

Re: Excluding an alarm between two host groups

stipend — Wed, 19 Apr 2023 13:58:16 GMT

For Slow Connection Flood consider turning the "when host is source" to "on" for the Inside Hosts default policy. Because you shouldn't see this very much between inside hosts (as discussed in more detail in the documentation for this alarm), you probably don't need an alarm for each instance of this event. By setting it to "on" you are still monitoring for this behavior but it will contribute to the Category Alarms for Concern Index, dDoS Source, dDoS Target.
--jg

We do this see this a lot internally. One instance has been the case of just how two groups of servers communicate with each other. The other instance has been employees accessing an internal application through port 443 which triggers the alarm. So far its been false positives but, yeah, we see this frequently. Thanks for your help anyways. I hope an "exemption" feature gets added in the future!