Legitimate events
As with any attack detection system, Seer Box is not infallible.
To prevent false positives, you can flag legitimate elements associated with your applications. This will prevent the system from detecting further malicious events on those elements.
Unlike Application Rules and Network Rules, Legitimate events are not translated or synchronized to external firewalls. Instead, they are used internally by Seer Box for matching them against alert specifications.
A Legitimate event is composed of several generic fields and defines a set of conditions.
The list of Legitimate events can be found on the page Detection - Legitimate.
Generic fields
| Field | Description |
|---|---|
| Status | It indicates whether an event is enabled or not, the user responsible for the last update and its timestamp. |
| ID | The UID of the event (the first 8 characters for better readability) and, optionally, the description. |
| Context | It represents the application context of the event, whether it is the specific Host or Domain Group, or is to be applied to any of them. |
| Attack type | It limits matches to alerts of the same attack type. |
Conditions
Condition elements have already been described in the Application Rules section.
In addition to the operators defined in the Application rules, Legitimate events also define:
| Operator | Comparison type | Description |
|---|---|---|
| All expressions | - | Matches for every value of the specified targets |
| None expression | - | Never matches |
Legitimate event management
Legitimate event management is restricted to users in the admin group, or to users belonging to a group that has the Handle rules permission on the domain group to which the event belongs.
Create a Legitimate event
In addition to creating one or more events from the alert detail page with the Advanced Protection function, custom events can be created.
From Seer Box web interface
- Access the Detection - Legitimate page: in this section you can view the list of all created Legitimate events.
- To create a custom event, click on the Add rule button in the upper right corner of the page.
- A wizard will be displayed that allows you to create a Legitimate event. For more details, see the Creation wizard section below.
- After entering the data, click on the Save rule button to confirm the creation.

The new Legitimate event will appear on the summary page.
Creation wizard
The creation wizard is structured in multiple steps.
1. Set the Context of the event
You can choose the application context in which you want the event to be restricted.
Options are:
| Option | Description |
|---|---|
| Host | The event will be applied only to specific hosts. Selecting multiple hosts will create multiple events. |
| Domain Groups (or Services) | The event will be dynamically applied to hosts belonging to the specific domain groups. Selecting multiple domain groups will create multiple events. |
| All hosts and domain groups | The event will be applied for every host. |
2. Define the Conditions
You can create multiple conditions by selecting an operator, targets and expressions.
In this case conditions will be matched against Alert specifications, allowing you to prevent a particular alert with a specific pattern from being raised again.
An event needs at least one condition in order to be created.
If a Legitimate event does not specify a condition for a given specification field, it will always result in a match. See Legitimate event n.2 in the examples below.
The only exception is made for the Target field: a Legitimate event will always have to set a condition on it to match the specific Alert. See Legitimate event n.4 in the examples below.
3. Set the Attack type
You can choose to limit the Legitimate event only to Alerts with a specific Attack Type.
In this case even if the context and all conditions match, if the Alert has a different Attack Type the event will not match.
4. Set the description
You can add a short description to the event to quickly identify why it was created.
Edit a Legitimate event
When updating an event, all fields can be modified. Specifically:
- Generic fields
- Conditions
When modifying the Generic fields of a Legitimate event, the new values will always overwrite the existing ones.
When modifying the Conditions of a Legitimate event, users can choose from three update options:
- Add event conditions: add one or more new conditions to the event.
  - If a condition does not already exist, it will be added.
  - If a condition already exists, it will remain unchanged.
- Replace event conditions: update one or more conditions in the event.
  - If a condition already exists, it will be overwritten with the new condition.
  - If a condition does not exist, it will be added.
- Delete event conditions: remove one or more conditions from the event.
  - If a condition exists, it will be removed.
  - If a condition does not exist, no changes will be made.
From Seer Box web interface
- Access the Detection - Legitimate page: in this section you can view the list of all created Legitimate events.
- Click on the Edit button with a pencil icon located at the right end of the event you want to edit.
- Edit the chosen fields.
- Click on the Save button in the upper right corner of the page.
Delete a Legitimate event
From Seer Box web interface
- Access the Detection - Legitimate page: in this section you can view the list of all created Legitimate events.
- Select one or more events to delete by clicking on the checkbox located at the left end of each item.
- As soon as at least one record is selected, the button with the trash can icon will be enabled in the upper-right corner of the events list.
- Clicking the icon will display a confirmation modal. Click on the Confirm button to proceed.
Examples
This section shows how you can create various Legitimate events to match against particular alert specifications.
Alert specifications
| Request Host | Path | Parameter key | Target | Payload |
|---|---|---|---|---|
| www.example.it | /legitimate/path | test | Parameter value | legit |
Legitimate event n.1
Match: this event exactly matches every specification field.
Context ~ Host: www.example.it
| Targets | Operator | Expressions |
|---|---|---|
| path | Is equal | /legitimate/path |
| parameter_key | Is equal | test |
| parameter_value | Is equal | legit |
Legitimate event n.2
Match: this event doesn't specify a context and is generalized with respect to the specific parameter key (it doesn't provide a condition for it, so it matches for every parameter key).
Context ~ All hosts and domain groups
| Targets | Operator | Expressions |
|---|---|---|
| path | Contains | legitimate |
| parameter_value | Starts with | legit |
Legitimate event n.3
Not match: this event doesn't specify a context and is generalized with respect to the specific path, but it specifies a parameter key that doesn't match against the alert specifications.
Context ~ All hosts and domain groups
| Targets | Operator | Expressions |
|---|---|---|
| parameter_key | Match charset | Digits |
| parameter_value | Is equal | legit |
Legitimate event n.4
Not match: this event doesn't specify a condition on the Alert Specification Target field, so even if the context and other conditions match, the event will not match.
Context ~ All hosts and domain groups
| Targets | Operator | Expressions |
|---|---|---|
| parameter_key | Is equal | test |
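The matching rules described in this section (context, per-field conditions, the "missing condition always matches" rule, and the mandatory condition on the alert's Target field) can be modelled in a few lines. The following is an added illustrative model, not Seer Box code: the alert dictionary is constructed from the Alert specifications table above, the `attack_type` value and the `Digits` charset as `[0-9]+` are assumptions, and the four events reproduce examples n.1 to n.4.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed alert specification, taken from the Alert specifications table.
# "target" names the specification field the alert was raised on.
ALERT = {
    "request_host": "www.example.it",
    "path": "/legitimate/path",
    "parameter_key": "test",
    "target": "parameter_value",
    "parameter_value": "legit",
    "attack_type": "sqli",  # assumed value; the examples set no attack type
}

# Operators used by the examples. "Match charset" is modelled as a full match
# against a character class (assumption: Digits means [0-9]+).
CHARSETS = {"Digits": r"[0-9]+"}
OPERATORS = {
    "Is equal": lambda value, expr: value == expr,
    "Contains": lambda value, expr: expr in value,
    "Starts with": lambda value, expr: value.startswith(expr),
    "Match charset": lambda value, expr: re.fullmatch(CHARSETS[expr], value) is not None,
    "All expressions": lambda value, expr: True,
    "None expression": lambda value, expr: False,
}

class LegitimateEvent:
    def __init__(self, conditions: Dict[str, Tuple[str, str]],
                 host: Optional[str] = None, attack_type: Optional[str] = None):
        self.conditions = conditions   # target field -> (operator, expression)
        self.host = host               # Context ~ Host; None = all hosts and domain groups
        self.attack_type = attack_type # None = any attack type

    def matches(self, alert: dict) -> bool:
        # 1. Context: a Host context restricts the event to that request host.
        if self.host is not None and alert["request_host"] != self.host:
            return False
        # 2. Attack type, when set, must agree with the alert's attack type.
        if self.attack_type is not None and alert["attack_type"] != self.attack_type:
            return False
        # 3. The alert's Target field must carry a condition (example n.4).
        if alert["target"] not in self.conditions:
            return False
        # 4. Every stated condition must hold; fields without one always match (n.2).
        return all(OPERATORS[op](alert.get(field, ""), expr)
                   for field, (op, expr) in self.conditions.items())

EVENT_1 = LegitimateEvent({"path": ("Is equal", "/legitimate/path"),
                           "parameter_key": ("Is equal", "test"),
                           "parameter_value": ("Is equal", "legit")}, host="www.example.it")
EVENT_2 = LegitimateEvent({"path": ("Contains", "legitimate"),
                           "parameter_value": ("Starts with", "legit")})
EVENT_3 = LegitimateEvent({"parameter_key": ("Match charset", "Digits"),
                           "parameter_value": ("Is equal", "legit")})
EVENT_4 = LegitimateEvent({"parameter_key": ("Is equal", "test")})
```

Evaluating the four events against `ALERT` reproduces the Match / Not match outcomes of the examples; setting a different `attack_type` on an otherwise matching event shows step 3 of the wizard in effect.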