Risk Incident Rules (RIR)

[3ninjin12]

I'm attempting to use the Analytic Story - Cobalt Strike for the start of my RBA journey, however I'm stuck on the creation of the RIR for Cobalt Strike. I've enabled all 17 correlated searches from the Cobalt Strike Analytic Story as Risk Rules with Risk Analysis Adaptive Response Action and I added | eval QA=1 to the end of each Risk Rule. The risk index is being populated with the data from the Cobalt Strike Analytic Story Risk Rules. However I need guidance to write the query for Risk Incident Rule to create appropriate Risk Notables directly related to Cobalt Strike. What is the process to write this query?

[OutpostSecurity]

There is an annotation of "Cobalt Strike" and you can take the standard risk incident rule and potentially add a where annotation="Cobalt Strike". Also, if you are using QA=1 then that will not be in the data model so you would need to shift to it being index based. Let me know if you run into issues.

[3ninjin12]

Thank you for your response. Please provide "the standard risk incident rule".

[OutpostSecurity]

In es - Risk Threshold Exceeded For Object Over 24 Hour Period

[3ninjin12]

Please have a look at my query and let me know if you see where I went wrong:

| tstats summariesonly sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.analytic_story) as annotations.analytic_story,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type | drop_dm_object_name("All_Risk") | eval "annotations.mitre_attack"='annotations.mitre_attack.mitre_technique_id', risk_threshold=100 | where risk_score > $risk_threshold$ | get_risk_severity(risk_score)

I added the following, however no data gets filled in for the “annotations.analytic_story” field. And I don’t know how to see if it is there because tstats is used and I can’t see the individual events.

values(All_Risk.annotations.analytic_story) as annotations.analytic_story,

However when doing the following, I know the field does exist and is getting populated:

index=risk | search QA=* "annotations.analytic_story"="Cobalt Strike"

In other words, I know the data is there but I don’t know the right query to pull it out using a correct RIR query.

[OutpostSecurity]

All_Risk.annotations.analytic_story is not a field in the data model, you can try either All_Risk.analyticstories or All_Risk.annotations and then filter it.