
Creating an Incident Action

After creating a Job, the user can configure an Action: the action that the system performs when the search query in the Job is triggered. For more information, see here.

Example.

Creating an incident using Job Scheduler. For more information about parameters, see here.

Enter the Name and Description of the new job.

  • Name - RULE-CS-Sysmon-SystemTimeDiscovery.
  • Description - An adversary may gather the system time and/or time zone from a local or remote system.

Enter the Search, Time interval, Frequency of execution, Suppression of execution, Global Params.

Search:

source sysmon_operational-*
| search event.code="1" AND rule_name_technique_id="T1124"
| rename rule_name_technique_id as mitre_technique_id
| table @timestamp, mitre_technique_id, event.action, host.name, host.ip, user, original_file_name, image, parent_image, command_line, parent_command_line, process_id, parent_process_id, process_guid, parent_process_guid

Time interval:

  • Time interval - Last 30 minutes
  • Time interval - @timestamp
  • Duration of the lock (in seconds) - 60

Frequency of execution:

  • Schedule type - Cron Expression
  • Cron - 3-59/5 * * * *
  • Schedule delay - 0

Suppression of execution:

  • Duration - 60 minutes
  • Fields for suppression - user

Global Params:

  • Key - guid
  • Value - guid()

Next, open the Action tab, click the Add button and select Incident Action.

The system supports the use of tokens (for more information about tokens, see here).

  • Incident title - User {{_source.user}} may gather the system time and/or time zone from a local or remote system on host: {{_source.host.name}}
  • Severity - Normal
  • Workflow - Default workflow
  • Description - Detect attempt to gather the system time and/or time zone from a local or remote system for User: {{_source.user}}. Host: {{_source.host.name}} Playbook
  • Drilldown Type - Link
  • Drilldown Text - https://demo.saf-systems.com/app/knowledge-center/wiki/page/mtOVno4BWgx_FzHPPt8F

Description of the incident

In the Additional Fields item, you must fill in the fields from the search query and pass none as the value. Then, when viewing the incident, the fields keep the names given in the Key field.

Incident fields
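As an added illustration (this is not SAF's own code and does not appear on the original page), the following Python script models end to end what the job configured above does: it applies the search filter (event.code 1 and technique T1124), renames the technique field, projects the table columns, suppresses repeated hits for the same user inside a 60-minute window, and renders the incident title and description by substituting the {{_source.<field>}} tokens. The Sysmon events are constructed samples, and two assumptions are labelled in the code: the suppression window is measured from the first hit that created an incident, and tokens resolve against the row returned by the search.

```python
import re
from datetime import datetime, timedelta

# Constructed sample Sysmon events (not real telemetry); field names follow the page's search query.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "event.code": "1", "rule_name_technique_id": "T1124",
     "event.action": "Process Create", "host.name": "ws01", "host.ip": "10.0.0.5", "user": "alice",
     "image": "C:\\Windows\\System32\\w32tm.exe", "command_line": "w32tm /tz", "process_id": "4120"},
    # Same user 20 minutes later: inside the 60-minute suppression window, so no second incident.
    {"@timestamp": "2024-05-01T10:20:00Z", "event.code": "1", "rule_name_technique_id": "T1124",
     "event.action": "Process Create", "host.name": "ws01", "host.ip": "10.0.0.5", "user": "alice",
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd /c time /t", "process_id": "4188"},
    # Different user: suppression is keyed on "user", so this becomes a separate incident.
    {"@timestamp": "2024-05-01T10:25:00Z", "event.code": "1", "rule_name_technique_id": "T1124",
     "event.action": "Process Create", "host.name": "ws02", "host.ip": "10.0.0.6", "user": "bob",
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd /c date /t", "process_id": "2300"},
    # Network-connection event (event.code 3): the search filters it out.
    {"@timestamp": "2024-05-01T10:30:00Z", "event.code": "3", "rule_name_technique_id": "T1124",
     "event.action": "Network connection", "host.name": "ws02", "host.ip": "10.0.0.6", "user": "bob",
     "image": "C:\\Windows\\System32\\cmd.exe", "process_id": "2300"},
    # alice again, 90 minutes after her first hit: the window has expired, so a new incident is raised.
    {"@timestamp": "2024-05-01T11:30:00Z", "event.code": "1", "rule_name_technique_id": "T1124",
     "event.action": "Process Create", "host.name": "ws01", "host.ip": "10.0.0.5", "user": "alice",
     "image": "C:\\Windows\\System32\\w32tm.exe", "command_line": "w32tm /query /status", "process_id": "5001"},
]

# Columns of the "table" command in the page's search query.
TABLE_FIELDS = ["@timestamp", "mitre_technique_id", "event.action", "host.name", "host.ip", "user",
                "original_file_name", "image", "parent_image", "command_line", "parent_command_line",
                "process_id", "parent_process_id", "process_guid", "parent_process_guid"]

# Token templates copied from the Incident Action configured on the page.
TITLE = ("User {{_source.user}} may gather the system time and/or time zone "
         "from a local or remote system on host: {{_source.host.name}}")
DESCRIPTION = ("Detect attempt to gather the system time and/or time zone from a local or remote "
               "system for User: {{_source.user}}. Host: {{_source.host.name}}")

TOKEN_RE = re.compile(r"\{\{_source\.([A-Za-z0-9_.@]+)\}\}")


def run_search(events):
    """Mimic the page's query: filter, rename rule_name_technique_id, project the table columns."""
    hits = []
    for ev in events:
        if ev.get("event.code") != "1" or ev.get("rule_name_technique_id") != "T1124":
            continue
        row = dict(ev)
        row["mitre_technique_id"] = row.pop("rule_name_technique_id")
        hits.append({field: row.get(field) for field in TABLE_FIELDS})
    return hits


def render_tokens(template, hit):
    """Replace {{_source.<field>}} tokens with values from the search row (assumed token semantics)."""
    def lookup(match):
        value = hit.get(match.group(1))
        return "" if value is None else str(value)
    return TOKEN_RE.sub(lookup, template)


def suppress(hits, fields=("user",), window=timedelta(minutes=60)):
    """Keep the first hit per suppression key and drop later hits that fall inside the window.

    Assumption: the window is measured from the hit that last produced an incident, not from
    every suppressed hit; the page does not state which variant SAF implements.
    """
    last_seen = {}
    kept = []
    for hit in sorted(hits, key=lambda h: h["@timestamp"]):
        key = tuple(hit.get(f) for f in fields)
        ts = datetime.strptime(hit["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        prev = last_seen.get(key)
        if prev is not None and ts - prev < window:
            continue
        last_seen[key] = ts
        kept.append(hit)
    return kept


def build_incidents(events):
    """Run the search, apply suppression, and render one incident per surviving hit."""
    incidents = []
    for hit in suppress(run_search(events)):
        incidents.append({
            "title": render_tokens(TITLE, hit),
            "severity": "Normal",
            "description": render_tokens(DESCRIPTION, hit),
            # Additional Fields: each table column keyed by its own name, as the page instructs.
            "fields": {field: hit[field] for field in TABLE_FIELDS},
        })
    return incidents


if __name__ == "__main__":
    for incident in build_incidents(SAMPLE_EVENTS):
        print(incident["title"])
```

Running the script prints three titles: alice on ws01, bob on ws02, and alice on ws01 again 90 minutes later; the second alice event at 10:20 is absorbed by suppression and the event.code 3 event never reaches the action. Columns that a Sysmon event does not carry (for example parent_image here) arrive as empty values, which is why the Additional Fields step keeps the Key names so the incident view still shows every column consistently.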

Save the job and wait for it to run. To view the created incident, open Main menu - Incident Manager - Incident Review.

The screenshot shows that SAF recorded the incident. The incident description contains information about the detected event.

Detected Incident