Definitions
Behavior Tagging
BAS/CS™ behavior tagging provides broad behavioral groupings to categorize the types of events sensors may generate. This method of event tagging allows for flexibility in sensor capability selection. Vendor proprietary event analytics are mapped to a BAS/CS™ Event (BE) tag, standardizing how correlative analytics can be performed across diverse sensor event data. There are two main BE categories: Host and Network events.
Host Events
Host events focus on the events that would be generated from within a host.
BE ID | BE Name | BE Description |
---|---|---|
ACC01 | Pass the Hash Attempt | NTLM or LM login attempt (susceptible to pass the hash, PtH) |
ACC02 | Remote Login Attempt | Authenticated remote login attempt (RDP, ssh, etc.) |
ACC03 | Successful Remote Login | Successful remote login (RDP, ssh, etc.) |
ACC04 | Admin Share Access | Modification of admin share settings |
ACC05 | New Service | A new service was installed |
ACC06 | Scheduled Task | A scheduled task was created |
ACC07 | User Created | A new user account was created |
ACC08 | User Added to Security Global Group | A member was added to a security-enabled global group |
ACC09 | User Added to Security Local Group | A member was added to a security-enabled local group |
ACC10 | Local Group Change | A security-enabled local group was changed |
ACC11 | Explicit Login Attempt | New login attempt with explicit credentials |
ACC12 | Failed Login Attempt | Unsuccessful login attempt |
ACC13 | New Login | New logon session created |
ACC14 | File Share Write | Suspicious write or append to a common file share (SYSVOL or other) |
BE ID | BE Name | BE Description |
---|---|---|
FIL01 | New File | A new file detected in a monitored file system |
FIL02 | File Deletion | A file was deleted from a monitored file system |
BE ID | BE Name | BE Description |
---|---|---|
LOG01 | Significant Timestamp Difference | Significant timestamp difference in log |
LOG02 | Decrease in Logging | Significant decrease in logging has been observed |
BE ID | BE Name | BE Description |
---|---|---|
PRO01 | Process Change | A process has been created or changed |
PRO02 | Application Control Policy Block | Application control policies blocked an installer or script from executing (AppLocker or other) |
PRO03 | New Command/Scripting Interpreter or Exploitation | A new command/scripting interpreter or an exploitation was detected |
PRO04 | Suspicious Use of System Process | Suspicious use of a system process |
PRO05 | Process | A process was stopped |
PRO06 | Driver Loaded | New kernel driver loaded |
PRO07 | Potential | Process injection potentially detected |
PRO08 | WMI Event Detected | A Windows Management Instrumentation (WMI) event filter or consumer activity has been detected |
PRO09 | Security Audit Logs Cleared | The security audit logs have been cleared |
PRO10 | System Logs Cleared | System logs have been cleared |
PRO11 | Event Logging Stopped | Event logging service has stopped |
PRO12 | Outgoing Connection from Suspicious Process | Suspicious process connection detected |
PRO13 | Remote | Suspicious remote process execution was detected |
PRO14 | Remote Management Executed Suspicious Commands | Suspicious remote process command execution was detected |
PRO15 | Remote Service Management | Service control was used to create, modify, or start services on a remote host |
PRO16 | Named Pipe | A named pipe has been created or connected to |
BE ID | BE Name | BE Description |
---|---|---|
USB01 | USB Peripheral Connected | A USB peripheral device has been connected |
USB02 | USB Peripheral Removed | A USB peripheral device has been removed |
USB03 | USB Storage Connected | A USB storage device has been connected |
USB04 | USB Storage Removed | A USB storage device has been removed |
Network Events
Network events focus on events generated from network communications.
BE ID | BE Name | BE Description |
---|---|---|
IDS01 | Network Conversation Anomaly | A change in the normal conversations between nodes was observed |
IDS02 | New Node | A new network node has been established |
IDS03 | New Logical Link | A link (communication channel) has been established |
IDS04 | OT Write Command | A control system protocol write command was observed |
IDS05 | OT Read Command | A control system protocol read command was observed |
IDS06 | Function Code Anomaly | An unusual or new function code was observed |
IDS07 | Protocol Anomaly | Improper or unusual use of a network protocol was observed |
IDS08 | Configuration Change | A change to firmware, logic, or software program has occurred |
IDS09 | Hardware Change | Change to serial number, I/O hardware, etc. |
IDS10 | Network Interface Change | A change to a MAC or IP address has occurred |
IDS11 | External Conversation | A conversation with a node outside of control system network boundary has occurred |
IDS12 | Network Scanning | Asset or port scanning was observed |
IDS13 | System Elements Not Synchronized | A message with an anomalous time stamp was observed |
IDS14 | Device State Change | A mode change or reboot has occurred |
IDS15 | Signature Based Alerts | A signature-based alert has been generated |
IDS16 | Process Variable Anomaly | A process variable outside normal or expected ranges was observed |
BE ID | BE Name | BE Description |
---|---|---|
NET01 | Link Traffic Increase | An unexpected increase in traffic has occurred |
NET02 | Link Traffic Decrease | An unexpected decrease in traffic has occurred |
NET03 | Link Loss | A communication link has dropped or been lost |
NET04 | Stale Node | A node has stopped communicating |
NET05 | Network Scanning | Asset or port scanning has occurred |
NET06 | Network Interface Change | A change to a MAC or IP address has occurred |
Correlation Rules
BAS/CS™ Alerts are defined as a collection of correlations of BE. Each BAS/CS™ Correlation Rule consists of an alert logic statement, which provides the logical relationship between the BE using AND (&&) and OR (||) expressions. Each of these logical expressions is used to query the BE data in a SIEM; if the expression returns TRUE for the given time range and aggregation field (typically the event source hostname), an alert is raised.
Alert | Alert Name | Alert Description | Alert Logic |
---|---|---|---|
BAS.3 | Unusual Process Detected | A process has been detected that is not within the list of known, expected processes. An adversary may be executing malicious code on the system. | PRO01 |
BAS.5 | Irregular Audit Log Event | One or more audit logs have been cleared or stopped, or contain significant timestamp differences. An attacker may be attempting to evade detection. | LOG01 || PRO09 || PRO10 || PRO11 |
BAS.8.1 | Unexpected | Unexpected behavior of an HMI, OPC, or control server affecting control equipment. HMI or OPC not updating after the operator made changes to instructions, commands, or alarm thresholds. Expected changes are not appearing on control equipment. | (IDS04 || IDS06 || IDS07) && (NET03 || IDS13 || IDS14 || IDS16) |
BAS.27 | Potential Lateral Movement | Recent remote login attempts or other suspicious network activity have been detected. An unexpected process has also been identified. An attacker may be conducting lateral movement on the network. | (PRO01 || PRO07) && (ACC01 || ACC02 || ACC03 || ACC04 || PRO15 || IDS01) |
BAS.36 | Malicious Network Behavior Signature | A signature-based detection has been triggered from a network intrusion detection system. A signature-based detection is very likely indicating malicious behavior within the network. | IDS15 |
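The evaluation described under Correlation Rules, as an added example that is not part of the BAS/CS™ documentation or tooling: it parses alert logic statements quoted from the table above, evaluates them over the BE tags observed for one aggregation field (hostname) within a time window, and raises each alert once per host. The 30-minute window, the event record layout and the sample events are assumptions made for this example.

```python
import ast, re
from collections import defaultdict
from datetime import datetime, timedelta

# Alert logic statements quoted from the Correlation Rules table.
RULES = {
    "BAS.3": "PRO01",
    "BAS.5": "LOG01 || PRO09 || PRO10 || PRO11",
    "BAS.27": "(PRO01 || PRO07) && (ACC01 || ACC02 || ACC03 || ACC04 || PRO15 || IDS01)",
}
_BE_TAG = re.compile(r"[A-Z]{3}\d{2}")

def evaluate(logic: str, tags: set) -> bool:
    """True when an alert logic statement holds over the BE tags seen in one window.
    Parsed with ast (never eval): only BE tags, &&, || and parentheses are accepted;
    '&&' binds tighter than '||', as in C."""
    tree = ast.parse(logic.replace("&&", " and ").replace("||", " or "), mode="eval")
    def walk(node):
        if isinstance(node, ast.BoolOp):
            vals = [walk(v) for v in node.values]
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        if isinstance(node, ast.Name) and _BE_TAG.fullmatch(node.id):
            return node.id in tags
        raise ValueError(f"unsupported element in alert logic: {ast.dump(node)}")
    return walk(tree.body)

def correlate(events, rules=RULES, window=timedelta(minutes=30)):
    """Aggregate tagged events per hostname, look WINDOW ahead of each event, and
    raise each alert once per host. Returns [(host, alert_id, window_start), ...]."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for anchor in evs:
            tags = {e["tag"] for e in evs if anchor["ts"] <= e["ts"] <= anchor["ts"] + window}
            for alert_id, logic in rules.items():
                if evaluate(logic, tags):
                    alerts.setdefault((host, alert_id), anchor["ts"])  # first window only
    return sorted((h, a, ts) for (h, a), ts in alerts.items())

T0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamps
SAMPLE_EVENTS = [  # constructed sample, already mapped from vendor events to BE tags
    {"host": "hmi-01", "ts": T0,                        "tag": "ACC02"},  # remote login attempt
    {"host": "hmi-01", "ts": T0 + timedelta(minutes=4), "tag": "PRO01"},  # process change
    {"host": "eng-ws", "ts": T0,                        "tag": "PRO01"},  # process change alone
    {"host": "eng-ws", "ts": T0 + timedelta(hours=2),   "tag": "ACC03"},  # outside the window
    {"host": "dc-01",  "ts": T0 + timedelta(minutes=1), "tag": "PRO09"},  # audit log cleared
]
```

On the sample, hmi-01 raises BAS.3 and BAS.27, eng-ws raises only BAS.3 because its ACC03 falls outside the window, and dc-01 raises BAS.5.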