LCE – Log Correlation Engine – SGBox Next Generation SIEM & SOAR (https://www.sgbox.eu)

LCE Rules
https://www.sgbox.eu/en/knowledge-base/lce_rules/
Tue, 15 Apr 2025 08:44:17 +0000

LCE → Rules

📝 Add and modify rules

This page allows you to create and edit a rule.

A correlation rule is used to alert the admin when an event, or a series of events, occur in a specified time range.

✔️ Requirements:

  • A mail server must be configured. Check the Configure a Mail server section for setup instructions.
  • The pattern must belong to a specific class and be assigned to hosts.

Using the SGBox web interface: SGBox → LCE → Rules

  1. The plus icon opens the rule creation page.
  2. The play icon redirects the user to the edit page with a test view.
  3. The clone icon opens a modal that allows the user to fill in the name and description fields.
  4. The edit icon redirects the user to the edit page for modifications.
  5. The trash icon highlights the row in red and enables the delete button (6).

🛠️ Rule Creation Interface

  1. Left Section: Users can select one or more patterns to include in the rule. To choose a category, click on the category navigation button.
  2. Right Section (Pattern/category Containers): Displays selected elements with their associated parameters. Categories show only common parameters among patterns.
  3. Header Section: Defines time intervals and shows available actions triggered by the Rule Engine.
  4. Bottom Section: Contains the test and save buttons.

Clicking on the show actions button opens a sidebar displaying the available actions.

🚀 Actions

✉️ Send Mail

  • recipient: Enter a list of valid email addresses separated by commas.
  • email subject: When triggered, an email with the specified subject will be sent to all recipients.

🗓️ Generate Event

  • host: The event will be registered using localhost or the host associated with the event.
  • class: The selected class will be linked to the generated event. You can create a new class if needed.
  • subfamily: The selected subfamily will be associated with the event. The rule inherits its score.
  • event: Specify the name and description of the event.
  • Parameters: Select up to 10 parameters to include in the event. Parameters from different patterns/categories cannot be duplicated.
  • Issue aggregation: Refers to the IM Module.

✍️ Generate Log

  • Log line text: Creates a log entry in SGBox when the rule is triggered. View logs via LM → Analysis → Historical Search.
  • Rule Pattern: Displays a dropdown with pattern parameters, allowing values to be assigned.

📋 Add To List

  • List: The selected pattern will be added to the list if not already present.
  • Parameters: The parameter to add to the selected list.

</> Execute Script

  • Log Line Text: Creates a log entry in SGBox when the rule is triggered. View logs via LM → Analysis → Historical Search.
  • Host: Specify the host (IP address or hostname) where the script is located.
  • User name: Provide the username for access.
  • Password: Provide the associated password.
  • Script Path: Specify the script's location.
  • Script Arguments: Arguments passed to the script.
  • Rule patterns: Displays a dropdown with pattern parameters, allowing values to be assigned.

💻 Execute Application

  • Applications: The selected application will execute upon rule trigger.
  • Action: Defines the action the application will perform.
  • Application arguments: Arguments passed to the application.
  • Rule patterns: Displays a dropdown with pattern parameters, allowing values to be assigned.

📲 Call API

  • API Url: The URL of the API to call when the rule is triggered.
  • Data Fields: The selected parameter will be sent via GET request by default.
  • Use POST: If enabled, all parameters will be sent using a POST request in JSON format.

📌 Practical Example

This rule is designed to identify suspicious behavior where a failed login attempt to SGBox is immediately followed by a successful login and a user modification action. Such a sequence could indicate an unauthorized attempt to gain access and alter user credentials.

To make the detection more precise, the rule is configured to trigger only outside regular working hours by setting the time interval to Non-Working Hours. Additionally, it applies only if the access attempt is made by a specific user listed in a predefined group. The first pattern is restricted to localhost, meaning only login attempts on the local machine are considered relevant.

To ensure the integrity of the detection process, the rule verifies that all events originate from the same machine by enabling the Previous Host option. This prevents unrelated events from being linked together incorrectly. Furthermore, the Relative Column is used to maintain consistency in event parameters, ensuring that the entire sequence follows a logical flow before triggering an alert.


At this point, the rule must be saved. By clicking the Save button in the Bottom Section, a modal window will appear with the following fields:

 
  • Name: The name of the rule, up to 255 characters. This field is required.
  • Description: A description of the rule, up to 255 characters. This field is also required.
  • Score: The value inherited from the subfamily when the Generate Event action is set. Otherwise, it defaults to 0.
  • Enable Rule: If set to true, the Rule Engine analyzes the events of this rule to determine when to trigger it.
  • Retention: Defines after how many days the rule's history is deleted (this value is displayed on the main page).
  • Timeout: The number of seconds within which the event chain must occur.

After configuring these parameters, you can confirm the operation and save the rule.


After saving the rule, the next step is to set an action and notify the administrators when the rule is triggered. To do so, you will need to configure the “send mail” action and save the entire rule.


Once the action is set, it is important to enable the rule so that it is considered by the Rule Engine. Additionally, the retention value must be configured appropriately.


Here is an example of the email the administrator receives once the rule is triggered. The email includes the number of times the rule has been triggered, as well as all relevant patterns and their details, giving the administrator what is needed to understand the event that occurred.


➕ Additional Actions:

  • Swap: Swaps the container with the next selected one.
  • Resize: Shrinks the container, displaying only the pattern name.
  • Delete: Removes the pattern from the rule.


🔎 Test View

The Test View provides a way to preview events that match the previously defined rule flow. You can access this view by clicking the Test button. In essence, when one or more triggers occur, this view allows you to verify the corresponding events.

The page is divided into two main sections:

  • Upper Section: Displays an intuitive chart that visually represents the event flow.
  • Bottom Section: Lists the events along with their parameter values.

Users can adjust the time range to refine their analysis. Note, however, that rules are a powerful tool: an excessively wide time range may result in long processing times.

When filters are applied, they appear on the left side of the interface, as shown in the image below. Otherwise, the chart expands to occupy the full available space.

Clicking on an event in the chart automatically filters the table below to display relevant details.

  • N/A indicates that the pattern does not collect that specific parameter.
  • Please note: To ensure an accurate test, make sure that the latest changes have been saved before executing the test.


🔧 Operators

The various operators are explained below:

  • Equals: Matches values that are exactly the same.
  • Differs: Matches values that are different.
  • Greater than: Matches values that are strictly greater than the specified value.
  • Lower than: Matches values that are strictly lower than the specified value.
  • Greater or equal: Matches values that are greater than or equal to the specified value.
  • Lower or equal: Matches values that are lower than or equal to the specified value.
  • Contains a substring: Matches values that include a specified substring.
  • Belongs to a set: Matches values that exist in a predefined set.
  • Does not belong to a set: Matches values that do not exist in a predefined set.
  • Belongs to a network: Matches IPs that are within a specified network range.
  • Does not belong to a network: Matches IPs that are outside a specified network range.
  • Belongs to a time range: Matches values that fall within a specific time range.
  • Does not belong to a time range: Matches values that fall outside a specific time range.
  • Belongs to a set – regexp: Matches values that conform to a regular expression within a predefined set.
  • Does not belong to a set – regexp: Matches values that do not conform to a regular expression within a predefined set.
  • Belongs to a set – regexp (case insensitive): Matches values (case insensitive) that conform to a regular expression within a predefined set.
  • Does not belong to a set – regexp (case insensitive): Matches values (case insensitive) that do not conform to a regular expression within a predefined set.
  • Regular expression search: Matches values using a specified regular expression.
  • Regular expression search (case insensitive): Matches values using a case-insensitive regular expression.
  • host:port corresponds to a vulnerable host:port: Matches hosts and ports that are identified as vulnerable.
  • host:port is associated with a known vulnerability: Matches hosts and ports linked to documented vulnerabilities.
  • This host has been tested with NVS module: Matches hosts that have been analyzed using the NVS module.
  • host:port is down: Matches hosts or ports that are unreachable.
  • host:port is up: Matches hosts or ports that are active and reachable.
  • A value in the left set belongs to the right set: Matches when at least one value from the left set is present in the right set.
  • This value has a reputation: Matches values that have a known reputation score.
  • Belongs to a list: Matches values that exist in a predefined list.
  • Does not belong to a list: Matches values that do not exist in a predefined list.
  • Is longer than: Matches values that exceed a specified length.
  • Is shorter than: Matches values that are below a specified length.
  • Belongs to a list (exact match): Matches values that exactly match an entry in the list.
  • Matches with list: Matches values that have at least one common element with a predefined list.
  • Match with text: Matches values against a list of regular expressions.
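Added example, not SGBox code: Python evaluators for a subset of the operators above, applied to a constructed event the way a rule condition would be. The 18:00–08:00 "non-working" time range, the documentation IP addresses and the sample sets are assumptions made for this example.

```python
import ipaddress
import re
from datetime import time

# Added example: operator semantics follow the table above; the evaluator
# layout is an assumption for illustration, not SGBox's implementation.

def equals(value, ref):
    return str(value) == str(ref)

def greater_than(value, ref):
    return float(value) > float(ref)

def contains_substring(value, sub):
    return sub in str(value)

def belongs_to_set(value, members):
    return str(value) in {str(m) for m in members}

def belongs_to_network(value, cidr):
    # An IP inside the given range matches; a value that is not an IP never matches
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False

def belongs_to_time_range(value, start, end):
    # value is a datetime.time; a range whose end precedes its start wraps past midnight
    if start <= end:
        return start <= value <= end
    return value >= start or value <= end

def belongs_to_set_regexp(value, patterns, case_insensitive=False):
    # Any expression of the set matching the value counts as membership
    flags = re.IGNORECASE if case_insensitive else 0
    return any(re.search(p, str(value), flags) for p in patterns)

def is_longer_than(value, length):
    return len(str(value)) > int(length)

def negate(fn):
    return lambda value, *args: not fn(value, *args)

OPERATORS = {
    "Equals": equals,
    "Differs": negate(equals),
    "Greater than": greater_than,
    "Contains a substring": contains_substring,
    "Belongs to a set": belongs_to_set,
    "Does not belong to a set": negate(belongs_to_set),
    "Belongs to a network": belongs_to_network,
    "Does not belong to a network": negate(belongs_to_network),
    "Belongs to a time range": belongs_to_time_range,
    "Does not belong to a time range": negate(belongs_to_time_range),
    "Belongs to a set – regexp": belongs_to_set_regexp,
    "Belongs to a set – regexp (case insensitive)":
        lambda v, pats: belongs_to_set_regexp(v, pats, case_insensitive=True),
    "Regular expression search": lambda v, pat: re.search(pat, str(v)) is not None,
    "Is longer than": is_longer_than,
}

def evaluate(operator, value, *args):
    """Apply one named operator from the table to a parameter value."""
    return OPERATORS[operator](value, *args)

def check_event(event, conditions):
    """All (parameter, operator, args) conditions must hold for the event."""
    return all(evaluate(op, event.get(param), *args) for param, op, args in conditions)

# Constructed sample event and a rule-style set of conditions (assumed values)
SAMPLE_EVENT = {"IpAddress": "192.0.2.45", "TargetUserName": "ADMIN_bob",
                "LogonType": "10", "EventTime": time(23, 30)}
SAMPLE_CONDITIONS = [
    ("IpAddress", "Does not belong to a network", ("10.0.0.0/8",)),
    ("TargetUserName", "Belongs to a set – regexp (case insensitive)", ([r"^admin_", r"^svc_"],)),
    ("LogonType", "Belongs to a set", (["2", "3", "7", "10", "11"],)),
    ("EventTime", "Belongs to a time range", (time(18, 0), time(8, 0))),  # non-working hours
]
```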

Default Correlation Rules Explained
https://www.sgbox.eu/en/knowledge-base/default-correlation-rules-explained/
Wed, 11 Jan 2023 12:11:11 +0000

  • [SGA][4722] Account Enabled > [SGA][4625] Logon Failed = TargetUserName (300sec)
  • [SGA][4722] Account Enabled > [SGA][4624] Logon OK = TargetUserName (300sec)
  • Account created and deleted in a short time: [SGA][4720] Account Created > [SGA][4726] Account Deleted = TargetUserName (300sec)
  • [SGA][4740] Account Locked Out (2sec)
  • [SGA][4624] Logon OK $TargetUserName (2sec)
  • [SGA][4624] Logon OK $TargetUserName > [SGA][4624] Logon OK = TargetUserName,LogonType,IpAddress > [SGA][4624] Logon OK = TargetUserName,LogonType,IpAddress (180sec)
  • [SGA][4624] Logon OK $TargetUserName LogonType = 2,3,7,10,11 (2sec)
  • [SGA][4723] Password Changed $TargetUserName (2sec)
  • [SGA][4723] Password Changed $TargetUserName (2sec)
  • [SGA][4724] Password Reset $TargetUserName (2sec)
  • [SGA][4724] Password Reset $TargetUserName (2sec)
  • [SGA][4624] Logon OK $TargetUserName,IpAddress (2sec)
  • [SGA][4624] Logon OK $TargetUserName,IpAddress (2sec) (300sec)
  • 10093 – Win Audit – Event Log Backup: [SGA][1105] Event Log Backup (2sec)
  • [SGA][1108] Event Log Service Error (2sec)
  • [SGA][1100] Event Logging Service Shutdown (1sec)
  • [SGA][4625] Logon Failed SubStatus = 0xC0000072 (1sec)
  • [SGA][4625] Logon Failed SubStatus = 0xC0000193 (1sec)
  • [SGA][4625] Logon Failed > [SGA][4625] Logon Failed = TargetUserName > [SGA][4625] Logon Failed = TargetUserName (10sec)
  • [SGA][4625] Logon Failed > [SGA][4625] Logon Failed = IpAddress > [SGA][4625] Logon Failed = IpAddress (10sec)
  • [SGA][4625] Logon Failed > [SGA][4625] Logon Failed = LogonType,PreviousHost > [SGA][4625] Logon Failed = LogonType,PreviousHost (5sec)
  • [SGA][4625] Logon Failed > [SGA][4625] Logon Failed = PreviousHost,TargetUserName,IpAddress > [SGA][4625] Logon Failed = PreviousHost,TargetUserName,IpAddress > [SGA][4624] Logon OK = PreviousHost,TargetUserName,IpAddress (15sec)
  • [SGA][4625] Logon Failed > [SGA][4625] Logon Failed = TargetUserName,IpAddress > [SGA][4625] Logon Failed = TargetUserName,IpAddress > [SGA][4624] Logon OK = TargetUserName,IpAddress (15sec)
  • [SGA][4625] Logon Failed = TargetUserName > [SGA][4625] Logon Failed = TargetUserName > [SGA][4624] Logon OK = TargetUserName (15sec)
  • [SGA][4624] Logon OK > [SGA][4624] Logon OK = TargetUserName > [SGA][4624] Logon OK = TargetUserName > [SGA][4624] Logon OK = TargetUserName (30sec)
  • [SGA][4624] Logon OK > [SGA][4624] Logon OK = IpAddress > [SGA][4624] Logon OK = IpAddress > [SGA][4624] Logon OK = IpAddress (30sec)
  • [SGA][4624] Logon OK > [SGA][4624] Logon OK = IpAddress != TargetUserName > [SGA][4624] Logon OK = IpAddress != TargetUserName > [SGA][4624] Logon OK = IpAddress != TargetUserName (30sec)
  • [SGA][4625] Logon Failed > [SGA][4625] Logon Failed = TargetUserName,IpAddress > [SGA][4625] Logon Failed = TargetUserName,IpAddress (5sec)
  • [SGA][4769] A Kerberos service ticket was requested TicketOption = 0x40810000 TicketEncryptionType = 0x17 (2sec)
  • [SGA][4624] Logon OK LogonType = 9 LogonProcessName ~ seclogo AuthenticationPackageName ~ Negotiate (2sec)
  • [SGA][1102] Audit Log Cleared (1sec)
  • [SGA][1104] Security Log Full (1sec)
  • [SGA][4719] Audit policy changed (1sec)
  • [SGA][4624] Logon OK $TargetUserName $IpAddress (2sec)
  • [SGA][4728] Member Added to Global Group > [SGA][4729] Member Removed from Global Group (60sec)
  • [SGA][4756] Member Added to Universal Group > [SGA][4757] Member Removed from Universal Group (60sec)
  • [SGA][4728] Member Added to Global Group $TargetUserName
  • [SGA][4756] Member Added to Universal Group $TargetUserName
  • [SGA][4728] Member Added to Global Group $TargetUserName (1sec)
  • [SGA][4732] Member Added to Local Group $TargetUserName (1sec)
  • [SGA][4756] Member Added to Universal Group (1sec)
  • [SGA][4624] Logon OK LogonType = 2,3,7,10,11 (2sec)
  • [SGA][4729] Member Removed from Global Group (1sec)
  • [SGA][4733] Member Removed from Local Group (1sec)
  • [SGA][4757] Member Removed from Universal Group (1sec)

Threat Intelligence Queries
https://www.sgbox.eu/en/knowledge-base/threat-intelligence-queries/
Tue, 30 Nov 2021 11:25:12 +0000

Configure Threat Intelligence Queries

This article explains how to create a Threat Intelligence Query, which simplifies the process of an Events Query to search for a value in a list and take an action. In this way, queries can be used like LCE rules or sensors. They can be scheduled to run every minute over a time interval, performing actions whenever they find results. The available actions are Send Email, Generate Event, and Add a parameter to a list.

Requirements:

  • SGBox version 5.3.1

From the SGBox menu, go to LCE > Threat Intelligence Queries and click on New Query.
A guided interface is available to build specific queries that search for a parameter in any list. A time interval can be set too. In the following example, we get all MS-Windows admin user logons during non-working hours.

By default, Threat Intelligence Queries are scheduled and send an email and generate a new event every time they find a result.
Actions can be customized for each query, and the default values can be edited by clicking the DEFAULT VALUES button on the page listing the Threat Intelligence Queries.


Replace a Sensor with Events Queries
https://www.sgbox.eu/en/knowledge-base/replace-a-sensor-with-events-queries/
Wed, 24 Nov 2021 16:10:16 +0000

Events Queries as a Sensor

In version 5.3.0 we introduced Events Queries, a new mechanism to search events and produce alerts (see this section).
This article explains how to replace a sensor with an events query, in order to gain flexibility and use fewer SGBox resources.

Requirements:

  • SGBox version 5.3.0
  • The pattern must belong to a specific class.

Scenario:

  • You detect that a suspicious event has been repeated many times and you want to send an alert.


In the From field, select the class and the event.


In the Select field, write the following string:
$PARAM:[SourceIP] as SourceIP, count() as count


In the Finally field, write the following string:
group by SourceIP having count() >= 5


At the end you can test your query.

After configuring your query you can choose the TimeInterval and the Actions:

  • TimeInterval: the period of time (in minutes) in which the events must occur. If we choose 1 in the previous example it means: 5 Unix logon failures in 1 minute.
  • Action: what the system does when this query matches: send an email, generate an event, or add a parameter to a list.


Send an email

Generate an event
Remember that you need to map the SQL variables to a specific SGBox parameter.

Add a parameter to a list
Remember that you need to specify a list and the parameter you want to add to the list.

Create a sensor
https://www.sgbox.eu/en/knowledge-base/create-a-sensor/
Thu, 08 Apr 2021 16:44:54 +0000

The Sensors

A sensor can be used as an alternative to a correlation rule (see this section) when the number of occurrences is high.
Sensors detect when a large number of events repeat in a time interval and alert the admin when a specific threshold is exceeded. On the other hand, a sensor is less flexible than a correlation rule.

Requirements:

  • A mail server must be configured. See the Configure a Mail server section for setup instructions.
  • The pattern must belong to a specific class.

Using the SGBox web interface: SGBOX > LCE > Sensors

Click on New Sensor

On the left section, in the Events tab, find the events of interest and drag them into the correct section on the right.
The next step is to configure the Action. Find it in the Actions tab and drag it onto the correct section. We choose Send Email.
It is also important to define a Timeout. The Timeout is the maximum time (in seconds) between the first and the last occurrence of the event. In the sensor you also need to specify the number of Occurrences.


You can assign the DISTINCT flag to a parameter in order to count the occurrences per value of that parameter.
In our case, the sensor sends an alert when 10 logon failures occur for the same TargetUserName within 300 seconds.


For the event it is possible to specify these operators:

  • CNT: Total number of occurrences for the specified parameter.
  • DISTINCT: Total number of occurrences for each distinct value of the specified parameter.

Click on Save to finish the wizard.
Give it a name and description, and click the Active flag to enable it.
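Added example, not SGBox code: a Python sensor-style threshold detector that serves both this article (10 logon failures for the same TargetUserName within 300 seconds, DISTINCT on TargetUserName) and the events query of the Replace a Sensor with Events Queries article above (group by SourceIP having count() >= 5 over a 1-minute interval). The event layout, the pattern name and the sample addresses are assumptions.

```python
from collections import deque

# Added example: events are constructed dicts with "ts" (epoch seconds), "pattern"
# and parameters; this sliding-window counter is an illustration, not SGBox's engine.

class Sensor:
    def __init__(self, pattern, occurrences, timeout, distinct_param=None):
        self.pattern = pattern                # event pattern to count
        self.occurrences = occurrences        # threshold that triggers the alert
        self.timeout = timeout                # max seconds between first and last occurrence
        self.distinct_param = distinct_param  # DISTINCT flag: count per value of this parameter
        self.windows = {}                     # key -> deque of timestamps inside the window

    def feed(self, event):
        """Consume one event; return an alert dict when the threshold is reached, else None."""
        if event.get("pattern") != self.pattern:
            return None
        key = event.get(self.distinct_param) if self.distinct_param else "*"  # "*" = CNT mode
        window = self.windows.setdefault(key, deque())
        window.append(event["ts"])
        while window and event["ts"] - window[0] > self.timeout:
            window.popleft()                  # occurrences older than the Timeout no longer count
        if len(window) >= self.occurrences:
            alert = {"key": key, "count": len(window), "first": window[0], "last": window[-1]}
            window.clear()                    # a burst fires once, then counting restarts
            return alert
        return None

def run_sensor(sensor, events):
    """Feed events in time order and collect the alerts raised."""
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        alert = sensor.feed(event)
        if alert:
            alerts.append(alert)
    return alerts

def build_sample_events():
    # Constructed sample: alice fails 10 times in 135 s from 192.0.2.7 (documentation
    # address); bob fails only 4 times from 198.51.100.3.
    events = [{"ts": 1000 + i * 15, "pattern": "Logon Failed",
               "TargetUserName": "alice", "SourceIP": "192.0.2.7"} for i in range(10)]
    events += [{"ts": 1000 + i * 50, "pattern": "Logon Failed",
                "TargetUserName": "bob", "SourceIP": "198.51.100.3"} for i in range(4)]
    return events

def sensor_alerts():
    # Sensor from this article: 10 occurrences, DISTINCT TargetUserName, Timeout 300 s
    return run_sensor(Sensor("Logon Failed", 10, 300, "TargetUserName"), build_sample_events())

def query_alerts():
    # Events-query equivalent: group by SourceIP having count() >= 5 within 1 minute
    return run_sensor(Sensor("Logon Failed", 5, 60, "SourceIP"), build_sample_events())
```

With the sample, the TargetUserName sensor fires once for alice, while the SourceIP query fires twice because alice's ten failures form two 5-event bursts within 60 seconds each.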

Multiple events correlation rule
https://www.sgbox.eu/en/knowledge-base/multiple-events-correlation-rule/
Thu, 08 Apr 2021 10:26:39 +0000

The multi-events correlation rules

A correlation rule is used to alert the admin when an event, or a series of events, occur in a specified time range.
In order to create a multi-events rule, the following requirements must be met:

Requirements:

  • A mail server must be configured. See the Configure a Mail server section for setup instructions.
  • The pattern must belong to a specific class.

Using the SGBox web interface: SGBOX > LCE > Rules

Click on New Rule

On the left section, in the Events tab, find the events of interest and drag them into the correct section on the right.


Timeout is the maximum time between the first and last event.
In this case the rule is verified if at least three login failures happen within 300 seconds.

You can make the rule more specific by connecting some parameters between the events:
Selecting the down arrow shows the events menu, where you can select the Previous Host option to tell SGBox that the second event must occur on the same host as the previous one.
Select the parameter in the Relative column to connect it between events.
In this case the second event's TargetUserName must be the same as the first event's TargetUserName.

We also tell SGBox that:

  • the third event must occur on the same host as the second
  • the third event's TargetUserName must be the same as the second event's TargetUserName


Click on Save to save the rule.
Give it a name and description, and click the Active flag to enable it.

Telegram BOT
https://www.sgbox.eu/en/knowledge-base/telegram-bot/
Wed, 15 Jan 2020 14:38:11 +0000

Configure SGBox to use the Telegram API in the LCE module and send alert messages

This article explains how to configure SGBox to interact with the Telegram API in order to send alert messages when a specific event occurs.

Requirements:

  • SGBox version 4.2.4 with the LM and LCE modules.
  • A Telegram BOT.

There are many tutorials about how to configure a Telegram BOT. We use @BotFather for our example.
First you need to create your bot and obtain your TOKEN:


A token looks like: 1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1.
You also need the chat_id, so start your bot and say "Hello" to it, then retrieve the chat id:

From your browser go to:
https://api.telegram.org/bot1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1/getupdates

Find the ID in the response:
id: 124229696

Once the bot is created, go to SGBOX > LCE > Rules > New Rule.
We choose the event [SGBox] Logon OK for our test, but you can choose any event you want. The related action is Call API.
Specify the Telegram API URL with your TOKEN:
https://api.telegram.org/bot1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1/sendMessage -d chat_id=124229696 -d text="New SGBox Logon"

Click Save and give a name to your rule.

If you want, you can also include a parameter in your message:
https://api.telegram.org/bot1148120703:AbIUGpERusdQDEEag_EL1KDtynRB9sIhbj1/sendMessage -d chat_id=124229696 -d text="SGBox Logon from "

When a logon occurs, a message is sent from your bot.

Create a correlation rule
https://www.sgbox.eu/en/knowledge-base/create-a-correlation-rule/
Fri, 28 Jun 2019 15:37:51 +0000

The correlation rules

A correlation rule is used to alert the admin when an event, or a series of events, occur in a specified time range.
In order to create a new simple rule, the following requirements must be met:

Requirements:

  • A mail server must be configured. See the Configure a Mail server section for setup instructions.
  • The pattern must belong to a specific class.

Using the SGBox web interface: SGBOX > LCE > Rules

Click on New Rule

On the left section, in the Ranges tab, find the time range of interest and drag it into the correct section on the right.

Do the same for the Events tab.

The next step is to configure the Action. Find it in the Actions tab and drag it onto the correct section. We choose Send Email.
It is also important to define a Timeout. The Timeout is the maximum time (in seconds) between the first and the last occurrence of the event. If there is only one event we can set the timeout to "1".

Click on Save to finish the wizard.
Give it a name and description, and click the Active flag to enable it.
