# Нормализация и корреляция событий информационной безопасности
1. Событие входа пользователя по SSH.
- Правило и вывод
Общее правило:
TEXT = '<{NUMBER}>{time = DATETIME} {"Message forwarded from"?} {event_src.hostname = WORD ":"?} audit: {msgid = "USER_Login"} {object.account.privileges = STRING} {object.state = WORD object.type = WORD} user: {subject.account.name = STRING} tty: {protocol.layer7 = WORD}'
<134>Sep 22 05:01:48 Message forwarded from sovma131: audit: USER_Login root OK sshd user: ektest tty: ssh
<134>Sep 22 04:54:46 audit: USER_Login root OK sshd user: ektest tty: ssh
- Метаданные
- Сценарий
- Запуск
- Просмотр событий
Прим: здесь выдается "не указаны значения" из-за того, что поле event_src.hostname не имеет значения во втором событии 
2. Событие чтения конфигурационного файла операционной системы. Правило и вывод
May 19 09:50:06 aix53 local0:info audit: OS_CONF_READ mp OK cat audit object read event detected /etc/shadow
Jun 3 00:10:05 aix53 local0:info audit: OS_CONF_READ mp OK cat audit object read event detected /etc/ssh/sshd_config
- Метаданные
- Сценарий
- Запуск
- Просмотр событий (немного кривые записи)
Правило корреляции
```
#Пользователь сначала прочитал файл /etc/shadow, после чего успешно вошел в систему под другим пользователем, оба события произошли в течение 5 минут
#correlation_type, subject, action, object, status, importance
event Read_the_file:
key:
event_src.hostname
filter {
correlation_name == null and
subject == "account" and
action == "view" and
object == "file_object" and
status == "success" and
subject.account.name != null
}
event Successful_login_ssh:
key:
event_src.hostname
filter {
correlation_name == null and
subject == "account" and
action == "access" and
object == "system" and
status == "success" and
subject.account.name != null
}
rule OS_conf_read_and_login_ssh_root: (Read_the_file -> Successful_login_ssh) within 5m
init {
$first_event = true
}
on Read_the_file {
if $first_event then
$first_event = false
$msgid = msgid
$subject.account.name = subject.account.name
$object.fullpath = object.fullpath
$object.state = object.state
$event_src.vendor = event_src.vendor
$event_src.title = event_src.title
$event_src.category = event_src.category
$event_src.hostname = event_src.hostname
endif
}
on Successful_login_ssh {
if $second_event then
$second_event = false
$msgid = msgid
$object.account.privileges = object.account.privileges
$object.state = object.state
$object.type = object.type
$protocol.layer7 = protocol.layer7
$event_src.vendor = event_src.vendor
$event_src.title = event_src.title
$event_src.category = event_src.category
$event_src.hostname = event_src.hostname
endif
}
emit {
$correlation_type = "event"
$subject = "account"
$action = "access"
$object = "account"
$status = "success"
$importance = "info"
}
```
для
```
expect 1 {}
{"subject": "account", "action": "view", "object": "file_object", "status": "success", "datafield1": "cat", "event_src.category": "Operating system", "event_src.hostname": "aix53", "event_src.title": "aix", "event_src.vendor": "ibm", "id": "ibm_aix_aix53_object_read_event_detected", "importance": "info", "msgid": "OS_CONF_READ", "object.fullpath": "/etc/shadow", "object.state": "OK", "subject.account.name": "mp", "time": "2022-09-22T05:02:48Z"}
{"subject": "account", "action": "access", "object": "system", "status": "success", "event_src.category": "Operating system", "event_src.hostname": "aix53", "event_src.title": "aix", "event_src.vendor": "ibm", "id": "ibm_aix_USER_Login_root_OK_sshd_user", "importance": "info", "msgid": "USER_Login", "object.account.privileges": "root", "object.state": "OK", "object.type": "sshd", "protocol.layer7": "ssh", "subject.account.name": "ektest", "time": "2022-09-22T05:03:48Z"}
```
Sign in with Wallet
Connect another wallet