As Zeek logs are parsed and enriched prior to indexing, a severity score up to 100 (a higher score indicating a more severe event) can be assigned when one or more of the following conditions are met:
- cross-segment network traffic (if network subnets were defined)
- connection origination and destination (e.g., inbound, outbound, external, internal)
- traffic to or from sensitive countries
- The comma-separated list of countries (by ISO 3166-1 alpha-2 code) can be customized by setting the
SENSITIVE_COUNTRY_CODESenvironment variable inlookup-common.env
- The comma-separated list of countries (by ISO 3166-1 alpha-2 code) can be customized by setting the
- domain names (from DNS queries and SSL server names) with high entropy as calculated by freq
- The entropy threshold for this condition to trigger can be adjusted by setting the
FREQ_SEVERITY_THRESHOLDenvironment variable inlookup-common.env. A lower value will only assign severity scores to fewer domain names with higher entropy (e.g.,2.0forNQZHTFHRMYMTVBQJE.COM), while a higher value will assign severity scores to more domain names with lower entropy (e.g.,7.5fornaturallanguagedomain.example.org)
- The entropy threshold for this condition to trigger can be adjusted by setting the
- file transfers (categorized by mime type)
notice.log,intel.logandweird.logentries, including those generated by Zeek plugins detecting vulnerabilities (see the list of Zeek plugins under Components)- detection of cleartext passwords
- use of insecure or outdated protocols
- tunneled traffic or use of VPN protocols
- rejected or aborted connections
- common network services communicating over non-standard ports
- file scanning engine hits on extracted files
- large connection or file transfer
- The size (in megabytes) threshold for this condition to trigger can be adjusted by setting the
TOTAL_MEGABYTES_SEVERITY_THRESHOLDenvironment variable inlookup-common.env
- The size (in megabytes) threshold for this condition to trigger can be adjusted by setting the
- long connection duration
- The duration (in seconds) threshold for this condition to trigger can be adjusted by setting the
CONNECTION_SECONDS_SEVERITY_THRESHOLDenvironment variable inlookup-common.env
- The duration (in seconds) threshold for this condition to trigger can be adjusted by setting the
As this [feature]({{ site.github.repository_url }}/issues/19) is improved, it is expected additional severity scoring categories will be identified and implemented.
When a Zeek log satisfies more than one of these conditions its severity scores will be summed, with a maximum score of 100. A Zeek log's severity score is indexed in the event.severity field and the conditions that contributed to its score are indexed in event.severity_tags.
The category severity scores can be customized by editing logstash/maps/malcolm_severity.yaml:
- Each category can be assigned a number between
1and100for severity scoring. - Any category may be disabled by assigning it a score of
0. - A severity score can be assigned for any supported protocol by adding an entry with the key formatted like
"PROTOCOL_XYZ", whereXYZis the uppercased value of the protocol as stored in thenetwork.protocolfield. For example, to assign a score of40to Zeek logs generated for SSH traffic, you could add the following line tomalcolm_severity.yaml:
"PROTOCOL_SSH": 40
Restart Logstash after modifying malcolm_severity.yaml for the changes to take effect.
Severity scoring can be disabled globally by setting the LOGSTASH_SEVERITY_SCORING environment variable to false in the logstash.env file and restarting Malcolm.