Introduction
Physical Security Use Case Adoption Guide
In this Adoption Guide you will find a comprehensive guide to help operationalize the Exabeam Physical Security Use Case. It serves as a handy reference for Exabeam users who have executed use case methodology in their environment and a how-to guide for those who have not. Follow this guide from start to finish to ensure comprehensive physical security coverage in your environment.
LEGEND
Mandatory
Within this document, links categorized as Mandatory are required elements of configuration. This label does not necessarily imply action required on your part, but rather marks information crucial to understanding how to prosecute the use case within your environment.
Informational
Links within this document with a categorization of Informational are not required reading, but will help facilitate greater awareness of how Exabeam tools work under the hood and will help with self-service efforts.
Further Reading
Items with a label of Further Reading are for users seeking ExaNinja status and could lead to professional excellence.
What is this Adoption Guide?
The Exabeam Physical Security Use Case is a curated, threat-specific collection of security content designed to facilitate physical security in your environment. Physical Security Use Case content, along with its corresponding use case documentation in the Exabeam Community, provides an end-to-end threat detection and response workflow to detect ransomware and reduce the time it takes to understand your breach and quickly respond. The Physical Security Use Case Operationalization Document is referenced many times in this Adoption Guide. The full six-chapter document is located here: Physical Security Use Case Chapter 1: Introduction.
What is an Exabeam Use Case?
Exabeam Use Cases are prepackaged, tailored content intended to detect risks on a network. They consist of curated content in Advanced Analytics related to specific techniques used by attackers and insider threats. This content is primarily a set of rules related to attack vectors known to present risks in all environments. It also includes the dependencies for those rules, including the corresponding data-modeled baselines, context tables, user and asset labels, threat intel functions and more.
How To Use the Physical Security Use Case Adoption Guide
This guide is intended to be a short-form instructional guide to quickly enable adoption and operationalization of Exabeam Use Cases. It is logically arranged in a workflow that simulates a professional services use case engagement. The steps in this Adoption Guide are in the logical order of use case implementation. Many of these steps, however, will have already been implemented. The guide is structured so that if a particular step is already accomplished and validated it can be skipped and the next step can be tackled. In many cases the information will be presented as a reference to ensure that users have a comprehensive understanding of how the content works and what dependencies exist. No network is static. When aspects of a network change it's important to know how to adjust fire to be fully prepared for the unknown unknowns that can occur in an environment. This guide contains what a user or admin needs to know to prosecute the Physical Security Use Case most efficiently and effectively.
Use Case Packages
Use Cases are parceled out into Use Case Packages.
Malicious Insider
Behavior that would potentially occur if you had an insider threat on your network.
Use cases in this package: Data Leak, Privilege Abuse, Data Access Abuse, Audit Tampering, Destruction of Data, Physical Security, Workforce Protection
Compromised Insider
Techniques, tactics and procedures that would be used if an account on your network was compromised by a savvy attacker.
Use cases in this package: Abnormal Authentication & Access, Compromised Credentials, Lateral Movement, Privilege Escalation, Privileged Activity, Account Manipulation, Data Exfiltration, Evasion
External Threats
Threats posed by outside actors with malicious intent.
Use cases in this package: Malware, Phishing, Ransomware, Cryptomining, Brute Force Attack
Benefits
It's easy
Most of the configuration of use cases is done during a Professional Services engagement. This is true even if your engagement took place prior to the roll out of Use Cases.
Helps users learn what they didn’t know they didn’t know
All content contains dependencies and logical arguments to detect and respond to badness on your network. Use case documentation systematically walks through the scope of protection, requisite vendor logs, data processing workflow awareness, context table and user/asset label dependencies, threat intelligence feeds and functions, and response techniques and tricks. This is all configured on installation, but log sources can change, network zones are ever evolving and context tables need updating from time to time. Use Case documentation provides all you need to know about what you may not have previously known.
It facilitates prioritization and validation of use case modalities
It is a best practice to sit down with information security stakeholders and identify what would pose the greatest risk should it occur on your network. Assessing which use case has the potential to do the greatest damage and ranking the use cases accordingly provides a method of systematically working through threats to your network one at a time. Attempting to tune and validate your system reactively is not the best manner to protect against the tactics in these use cases. Proactively identifying which threats are greatest, then verifying that nothing has changed on your network that could cause analysts to miss threats, is the best way to ensure airtight coverage. Additionally, boiling the ocean to verify your instance is ingesting and adding context is an overwhelming and exhausting exercise. It’s the quickest way to lose sight of the path to a comprehensive security posture.
Exabeam Use Case Documentation: A Primer
Each Exabeam Use Case has a corresponding use case document in the Exabeam Community. Each document follows an Introduction-> Collect-> Detect -> Triage -> Investigate -> Respond workflow. Check this short video out to see the benefits of pivoting between the Adoption Guide and the long form use case documents. Leveraging both is the quickest way to becoming a use case InfoSec Ninja.
Wrapping Up
All of these factors lead to a more comprehensive understanding of the network. Roll out each use case and on completion you will be your information security department’s lead security ninja.
It allows the security team to understand most of the security solutions in the environment and to feed back to the owners of those solutions the critical insights gained from looking at your network through the lens of anomalies from analytical baselines, rather than looking at the network through one security vendor coffee straw at a time.
Additionally, using the response methodologies will inevitably result in discovery of further threats to monitor and will also uncover misconfigurations in other vendor solutions. Aggregating multiple log types and processing them in one stateful session gives an analyst a full view of the coverage in your environment.
Operationalizing these use cases establishes a proactive security posture and will likely lead to better sleep for InfoSec analysts. Getting a look under the hood provides greater comprehension of what drives the content in a use case. It facilitates a better comprehension of how to manage specific threats to your network as well.
Vendor Product Log Mapping
Physical security starts with ingesting the proper logs. The link below contains a list of vendors that could trigger rules in Advanced Analytics. The list is ordered top to bottom, then left to right for most to least likely to trigger rules in Advanced Analytics.
Links:
Vendor Log Mapping
Log Source Onboarding: A Guide
Event Types and Required Fields
Advanced Analytics comes with parsing of common vendor log sources out-of-the-box. However, rare log sources, custom logs and logs with errors can cause problems in the data processing pipeline and may require troubleshooting. To make sure you’ve got correct data flowing through the pipeline it may be necessary to verify that the correct fields are being parsed for the event types that occur in each use case.
Event Types and their respective required fields are found in the document below as a download for reference:
Physical Security Event Types and Required Fields
For an always current list of required and optional fields, see the document below:
Exabeam Content Common Information Model
Rule Tuning and Model Convergence
Advanced Analytics offers the option of custom tuning rules in your environment. This allows you to display levels of risk as your organization defines them in its risk matrix. It also allows you to tune down noisy alerts specific to your instance. Everything you need to know about tuning rules is in the Landing Page for Tuning Rules in Advanced Analytics on the Exabeam Community Knowledge Base. In order for rules to trigger and for models to reach high confidence in their baselines there has to be sufficient data. It’s possible to check the confidence level of each model in the Advanced Analytics UI.
Landing Page for Tuning Rules in Advanced Analytics
Since Exabeam Use Cases often contain hundreds of rules, it’s a best practice to take a sample of models from each use case scenario and verify them in the Advanced Analytics UI. Click these links for lists of data models in the Physical Security Use Case by scenario.
How to Check Model Confidence Document
Physical Security Use Case Rule Mapping
Content Dependencies
Advanced Analytics uses other rules and sets of identifier groupings to optimize its analytics. The links below are to the specific content dependencies within rule logic for the Physical Security Use Case. These are configured on installation but if things change in your environment it’s a good idea to know where these dependencies live in order to edit them should that be needed. The links below are to the sections in the Physical Security Use Case document where they are cataloged. Note: There are no user or asset label dependencies in the Physical Security Use Case.
Context Tables
Network Zones
User and Asset Labels
Exabeam Physical Security Use Case Rule and Model Dependencies
Case Manager Incidents
It’s possible to configure Case Manager to create incidents automatically for notable sessions in Advanced Analytics or from third party security vendors. Use Case methodology is built into this automated case creation. When sessions contain activity related to physical security, the case will reflect it and automatically add a template that conforms to a physical security workflow. For instructions on how to configure your system to automatically create incidents from specific activity in your environment, see the Incident Rules content in the Exabeam Documentation Portal in the link below.
Incident Rules
Every incident is assigned a queue. Queues are intended to help you manage your incidents across the security team. You can create custom queues to fit your organization’s needs. These can be auto-assigned or manually designated. Learn how to create, edit and manage queues in the Case Manager document linked below.
Queues
Configuring Case Manager
Case Manager: Getting Started
Incident Responder Playbooks
Starting in i58, Incident Responder includes content to respond automatically to incidents involving physical security. Find out more about Exabeam Incident Responder turnkey playbooks here:
Exabeam Incident Responder Automated Incident Classification Playbook
Exabeam Incident Responder Automated Incident Enrichment Playbook
Responder Playbooks
Visualizations, Dashboards and Reports
Visualizations are a great way to show outliers in data and monitor for threats that might not bubble up into notable sessions. Visualizations are easy to build and are great for inclusion in dashboards. Visualizations and dashboards are also great for knowledge transfer.
Visualization Quick Start Guide
Data Lake User Guide: Dashboards
Some potential visualizations involving physical security are located in the Physical Security Use Case Visualization Ideas article on Community linked below:
Physical Security Use Case Visualization Ideas
Reports are a handy way of keeping track of certain types of activities. They are also valuable ways of sharing information with others on a schedule.
Data Lake User Guide: Reports
Prepackaged and Custom Reports
Reports are a great way to stay informed when activity meets a criteria for physical security. There are prepackaged reports located in the Physical Security Use Case: Respond document linked below. You can also find information there to help build and schedule your own automated reports.
Threat Hunter
The Threat Hunter function in Advanced Analytics is a great way to search for sessions involving physical security. There are prepackaged Threat Hunter searches located in the Physical Security Use Case: Respond document linked below. Creating custom Threat Hunter searches is also possible and is an effective way to proactively monitor physical security in your environment.
Physical Security Use Case: Threat Hunter
Investigation Questions
For a list of relevant investigation questions to include in an investigation workflow, see the document linked below. These questions can be used to create a custom analyst workflow for physical security events.
Use Case: Investigation Questions
Physical Security Use Case Rule Mapping
Rule Name
Failed badge access by disabled user
Failed physical access in new building for user
Failed physical access in new location for user
Failed physical access to a door user has never successfully accessed
Failed badge access at abnormal time
Abnormal number of badge accesses
Badge access by disabled user
Badge access in multiple cities within a session
Badge access without IT presence
Abnormal physical access in this building for user
First physical access in this building for user
Abnormal physical access in this location for user
First physical access in this location for user
First physical access to door for user
Badge access at abnormal time
VPN login after badge access
Badge access after VPN login
Badge access by watchlist user
Context Tables, Network Zones, User Labels, Asset Labels: there are no context table, user/asset label or network zone dependencies in the Physical Security Use Case.
Vendor Log Mapping
Physical access (badge) vendors: Badge, Badgepoint, Brivo, CCURE, Building Management System, DataWatch, Galaxy, Generic Badge Access, Honeywell Pro-Watch, Lenel OnGuard, Lyrix, Megaflex, NET2DOOR, OnGuard, RedCloud, RightCrowd, RS2, RS2 Technologies, Sensormatik, Siemens, Symmetry Access Control, TimeLox, Vanderbilt, Viscount, honeywell siama, Honeywell WIN-PAK, ICPAM, Johnson Controls P2000, KABA EXOS, PicturePerfect, SecurityExpert, Swipes, Universal.NET
VPN and remote access vendors (sources of vpn-login events): AnyConnect, Avaya VPN, Barracuda Firewall, Cato Cloud, Check Point Identity Awareness, Check Point NGFW, Check Point Security Gateway, Check Point Security Gateway Virtual Edition (vSEC), Cisco Adaptive Security Appliance, Cisco Firepower, Cisco ISE, Cisco Meraki MX appliances, Citrix Netscaler, Cognitas CrossLink, Duo Access Security, F5 BIG-IP, F5 BIG-IP Access Policy Manager (APM), Fortinet VPN, GlobalProtect, Juniper Networks Pulse Secure, Juniper SRX, Juniper VPN, Lotus Mobile Connect, Microsoft DirectAccess, Microsoft RRA, Microsoft Windows, NCP, NetMotion Wireless, NGFW, Nortel Contivity VPN, PingOne, SecureNet, Sonicwall, SonicWALL Aventail, Sophos XG Firewall, SSL Open VPN, Unified Security Gateway, Zscaler Private Access
The vendor logs above can show activity related to physical security in your environment. They are listed in order of the number of Advanced Analytics rules they have the ability to trigger, from most to least.
Physical Security Event Types and Required Fields
event type: failed-physical-access
description: A user swiped their physical badge to open a door, gate, or other entrance but was denied access.
required fields: host, time, outcome, badge_id, location_door
event type: physical-access
description: A user successfully opened a door, gate, or other entrance using their badge.
required fields: host, time, badge_id, location_door
event type: session/sequence-end
description: session/sequence-end are artificially generated event types which signal to AA that the session has ended. These events are significant because they trigger any session/sequence wide rules/models, such as “Abnormal amount of x in a session”.
required fields: N/A
event type: vpn-login
description: Remote access VPN login attempt either from a public IP address or from an internal network address was successful.
required fields: host, time, src_host/src_ip, user
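The Log Source Onboarding section says that rare or custom log sources can leave events with missing fields and that you may need to verify the right fields are parsed per event type. The following script, added here as an example and not Exabeam's own code or tooling, takes the required-field list from the table above and checks a batch of parsed events against it. The sample events, the dict shape of a "parsed event", and the decision to treat an empty value as missing (a parser that emits the key with no value has still failed to extract it) are assumptions made for this example; the src_host/src_ip entry is treated as "either one satisfies the requirement", which is how the table lists it.

```python
"""Check parsed physical-security events against the required fields per event type.

Required-field lists come from the Physical Security event type table above.
Sample events and the empty-value-is-missing rule are assumptions for this
example, not Exabeam behaviour.
"""
from typing import Dict, List

# Required fields per event type, from the table above. A tuple inside a list
# means any one of those fields satisfies the requirement (src_host/src_ip).
REQUIRED_FIELDS = {
    "failed-physical-access": ["host", "time", "outcome", "badge_id", "location_door"],
    "physical-access": ["host", "time", "badge_id", "location_door"],
    "session/sequence-end": [],  # artificially generated by AA; nothing is parsed
    "vpn-login": ["host", "time", ("src_host", "src_ip"), "user"],
}


def missing_fields(event: Dict[str, str]) -> List[str]:
    """Return required fields that are absent or empty in one parsed event.

    An unknown event type is returned as a single finding so that a
    mis-labelled event is not silently skipped.
    """
    event_type = event.get("event_type", "")
    if event_type not in REQUIRED_FIELDS:
        return [f"unknown event type: {event_type!r}"]
    missing: List[str] = []
    for requirement in REQUIRED_FIELDS[event_type]:
        options = requirement if isinstance(requirement, tuple) else (requirement,)
        # Present-and-non-empty check (assumption for this example): a key that
        # exists with an empty value counts as not parsed.
        if not any(event.get(name, "").strip() for name in options):
            missing.append("/".join(options))
    return missing


def audit(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of each problematic event to its missing fields."""
    findings: Dict[int, List[str]] = {}
    for index, event in enumerate(events):
        missing = missing_fields(event)
        if missing:
            findings[index] = missing
    return findings


# Constructed sample events standing in for parser output (not real log data).
SAMPLE_EVENTS = [
    {"event_type": "physical-access", "host": "badge-srv-01", "time": "2024-01-01T08:02:11Z",
     "badge_id": "B1001", "location_door": "HQ/Lobby/Door-1"},
    {"event_type": "failed-physical-access", "host": "badge-srv-01", "time": "2024-01-01T08:03:40Z",
     "badge_id": "B1002", "location_door": "HQ/DataCenter/Door-3"},  # outcome never parsed
    {"event_type": "vpn-login", "host": "vpn-gw-01", "time": "2024-01-01T08:10:00Z",
     "src_ip": "203.0.113.7", "user": ""},  # user key present but empty
    {"event_type": "vpn-login", "host": "vpn-gw-01", "time": "2024-01-01T08:11:00Z",
     "src_host": "laptop-17", "user": "jdoe"},  # src_host alone satisfies src_host/src_ip
    {"event_type": "session/sequence-end"},
    {"event_type": "door-open"},  # not one of the use case's event types
]

if __name__ == "__main__":
    for index, missing in audit(SAMPLE_EVENTS).items():
        print(f"event {index} ({SAMPLE_EVENTS[index]['event_type']}): missing {missing}")
```

Run it against a sample of events exported from the pipeline for each event type; an event type that repeatedly reports a missing field points at the parser for that vendor rather than at the rules, which is the distinction the Rule Tuning section relies on when models fail to converge.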
Physical Security Visualization Ideas
Top users with failed badge attempts
Users with first or abnormal access to location
All badge access by disabled accounts
All failed badge access at abnormal times
Failed physical access to new door or building
Top users with abnormal locations
Top entrance door for specific users
Which users enter through a specific door
Threat Hunter Searches
These Threat Hunter searches are useful for proactive Physical Security searches.
Physical Security: Users failing to badge into doors they have never used
Rule: FPA-UD-F; Dates: Last 7 Days
Physical Security: Abnormal number of badge accesses
Rule: PA-COUNT; Dates: Last 7 Days
Physical Security: Users failing badge access with label “Leaver”
User Labels: Suspected Leaver; Rule: FPA-UB-F, FPA-UC-F, FPA-UD-F, FPA-UTi-A; Dates: Last 7 Days
Physical Security: Notable users with abnormal badge activity
Score from 90 to null; Activity Type: Physical Access; Dates: Last 7 Days
Physical Security: First badge activity to this building or location for user
Rule: PA-UB-F, PA-UC-F; Dates: Last 7 Days
Physical Security: Disabled user attempting to gain physical access
Rule: FPA-DU, PA-DU; Dates: Last 7 Days
Physical Security Use Case Rule and Model Dependencies
This data table contains the mapping of rule dependencies and model dependencies for physical security content. Rule dependencies are rules that must have fired in the session in order for their parent rule to fire. It is important to be aware of any model dependencies in case rules are not firing due to bad data being ingested. A version of this table that can be copied and pasted is available in the Physical Security Use Case Rule and Model Dependencies document on the Exabeam Community.