Creating Multi-Stage Rules

In this installment of the Tips and Insights series, Mike Olsen explains how to create a multi-stage rules in FireEye Helix. Multi-stage rules trigger alerts of a possible compromise when a sequence of events occur.

Hello my name is Mike Olsen. I’m a Channel Sales Engineer here at FireEye. A rule looks for a specific behavior in the event stream and rules trigger alerts when the behavior is seen. A rule can be built for a single event, a single stage rule or a sequence of events, multistage rules Let’s take a look at creating a multi-stage rule in Helix. A multi-stage rule is created by a sequence of events. So an alert triggers when a sequence of event occurs. So we create rule number one first. And in this example I’m going to show how an attacker commonly uses creating a back door so that they can come in later for lateral movement. So in this first rule we’re going to have new user creation. Okay so we have a newly created user. And by itself this is not harmful but when we add it to the second rule you’ll see how it has potential harm. And so the rule here would just be meta class equals windows and then the event ID for creating a rule which is 47 20 and then we’re going to put our variable username. And then our distinguisher is going to be username. That we’re going to filter on. Our threshold is 1. Meaning it’ll alert when we see one occurrence and it’s going to occur within an hour. And what I need to do is create an assertion here and then this assertion will be used in my second rule as a dependency. So I’m going to add an assertion and my assertion will be multi stage rule dot windows dot new user. And we’ll say 1 hour. So that’s my assertion and my assertion field is username. Great. And so go and create this first rule. Excellent. And so go ahead and create our second rule and show how a multistage rule works. This would be a suspicious command issued by a newly created user. Okay and so this would be where this would trigger on commands from a new user. That have been known to be used for lateral movement. The attacker often will create a backdoor using creating a new user account and so it’s not a for sure thing. Although our confidence would be high that if we do see this suspicious command that we would need to look at it. So we’d bump up our command to high. Severity medium. Again, it depends, so it could be normal activity but it could be indication of a suspicious, an attacker. So our command here would be meta class.

Windows. And then we’re going to be looking for different processes. These are suspicious processes that the an attacker may be using to do lateral movement or creating a backdoor.

So any of these specific processes that were seeing here we would want to alert on if we see them. Okay, so that’s a good example. There’s others but that’s a good list for our demo purposes. And we’re going to filter again on username and then our threshold and time windows stay the same. Then I’ll go down to advanced. And then to make it a multi-stage rule I’ll go down and add a dependency and I’m going to look for this assertion I just created for this multistage rule. And then I’ll apply the username, okay. And so this particular rule will only fire first if we have rule 1 trigger. And then if we see one of these suspicious commands running then we will trigger this alert.

Excellent. Now that we’ve looked at creating a multistage rule I’ve got a query here on this search window. And a common tip in Helix people aren’t aware of is that if I create a query within the search windows and this is for a file transfer that has an Intel hit and I’m grouping it by destination code. And any country and that I’m excluding the US with this portion in the middle. I want to go ahead and filter on that. So lets’s go ahead and run this query. And so you’ll see we’ve got these countries and we’ve got these alerts in these files resulting from this query. Now a comment wonderful tip here is I can go out and save this is a rule. So I like this this hunting search that I created. I can go and save this as a rule and now I’ve got it for future use.

That concludes our tip on creating a multistage rule in Helix. Thank you and stay tuned for more tips and insights from FireEye.

Scroll to Top