HanSight Configuration

Description

HanSight Enterprise SIEM – A next-generation SIEM platform that enables security teams to accurately detect and prioritize threats across the enterprise network. It provides intelligent insights that guide security teams to respond quickly to reduce the impact of incidents.

Product Architecture

The HanSight Enterprise SIEM inherits a modern SIEM architecture, which accelerates the threat management process through a well-vetted big data platform, a flexible data collection module, a blend of analytics methods, and a streamlined incident management workflow.

Data Collection

The data collection module onboards data sources quickly for threat detection and analytics. In our APT Eval test, it ingested the ETW, Windows Event Log, Sysmon and AMSI log types. When we needed to adjust the endpoint telemetry, we could simply change the endpoint sensor configuration file.

Flexible Correlation Engine

To combat advanced threats, the HanSight Enterprise SIEM employs cross-generation analytics techniques, including signature matching, threat intelligence, correlation rules, and ML/AI-based anomaly detection. In the Eval test, most of the alerts fired came from detections by correlation rules or the ML engine.

The correlation engine (aka the “SAE engine”) performs correlation analysis across devices and attack stages to produce high-fidelity alerts with low false positives. It also supports chaining interrelated detections with Boolean operators (AND/OR/NOT) and sequence operators (FOLLOW BY, WITHIN) to form complex logic. For example, to detect “Abnormal Powershell executes potential attack” in the Eval test, we correlated data sources from both Sysmon and ETW and used the Follow_By template to perform cross-stage correlation.
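To make the FOLLOW BY / WITHIN semantics concrete, here is an added toy correlator (not HanSight's SAE engine or its rule syntax) that pairs a Sysmon process-creation event with a later ETW PowerShell script-block event on the same host inside a 60 s window. The event shape (ts, host, source, event_id, detail) and the sample telemetry are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Event:                 # assumed normalised event shape, not HanSight's schema
    ts: datetime             # event time
    host: str                # correlation key: both stages must come from one host
    source: str              # "sysmon" or "etw"
    event_id: int
    detail: str              # image path or script fragment

def follow_by(events: List[Event], first: Callable[[Event], bool],
              second: Callable[[Event], bool], within: timedelta) -> List[Tuple[Event, Event]]:
    """(stage1, stage2) pairs where `second` follows `first` on the same host within
    the window; one pending stage-1 hit per host, consumed on match so pairs fire once."""
    pending: Dict[str, Event] = {}
    alerts: List[Tuple[Event, Event]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        p = pending.get(ev.host)
        if p is not None and ev.ts - p.ts > within:    # WITHIN: window has expired
            del pending[ev.host]
            p = None
        if p is not None and second(ev):                # FOLLOW BY: stage 2 observed
            alerts.append((p, ev))
            del pending[ev.host]
        elif first(ev):
            pending[ev.host] = ev                       # open (or restart) the window
    return alerts

def is_ps_start(e: Event) -> bool:
    """Stage 1: Sysmon Event ID 1 (process creation) of powershell.exe."""
    return e.source == "sysmon" and e.event_id == 1 and e.detail.lower().endswith("powershell.exe")

def is_scriptblock(e: Event) -> bool:
    """Stage 2: PowerShell ETW provider script block record (event 4104)."""
    return e.source == "etw" and e.event_id == 4104

T0 = datetime(2020, 4, 21, 10, 0, 0)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [  # constructed telemetry, not evaluation data
    Event(T0, "ws01", "sysmon", 1, PS),
    Event(T0 + timedelta(seconds=12), "ws01", "etw", 4104, "script block logged"),
    Event(T0 + timedelta(seconds=5), "ws02", "sysmon", 1, PS),
    Event(T0 + timedelta(minutes=5), "ws02", "etw", 4104, "script block logged"),  # outside 60 s
    Event(T0 + timedelta(seconds=3), "ws03", "etw", 4104, "script block logged"),  # no stage 1
]

def run_rule() -> List[Tuple[Event, Event]]:
    """Apply: Sysmon powershell start FOLLOW BY ETW script block WITHIN 60 s, per host."""
    return follow_by(SAMPLE, is_ps_start, is_scriptblock, within=timedelta(seconds=60))
```

Only ws01 fires: ws02's second stage arrives after the window closes and ws03 has no first stage, which is the false-positive suppression the sequence operators buy over a flat OR of the two signatures.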

ML-based advanced analytics also plays an integral role in detecting advanced threats. For example, we leveraged SVM (ML in lab) to generate detection models for DNS tunneling. For fileless attack detection, we combined CNN and LSTM ML engines to detect anomalous PowerShell.

HQL (HanSight Query Language)

The HanSight Query Language is an interactive threat hunting/investigation tool built on ad-hoc search. Its syntax supports Linux-style pipelines and SQL, with over 20 commands. Its powerful search capability, with easy-to-use features such as auto-completion, greatly helped us in the Eval test to identify relevant telemetry and alerts/incidents, benefitting not only the on-site teams but also the MSSP teams.

For more information about the HanSight Enterprise SIEM, visit the website at https://en.hansight.com/

Product Configuration

We use Sysmon v10.41. Attached is the configuration file. Below is a summary of the captured events. We also configured blacklist/whitelist filters for each event; the total number of filter entries is greater than 1000.

Event ID 1 == Process Creation
Event ID 2 == File Creation Time
Event ID 3 == Network Connection
Event ID 5 == Process Terminated
Event ID 6 == Driver Loaded
Event ID 7 == Image Loaded
Event ID 8 == CreateRemoteThread
Event ID 9 == RawAccessRead
Event ID 10 == ProcessAccess
Event ID 11 == FileCreate
Event ID 12, 13, 14 == RegObject added/deleted, RegValue Set, RegObject Renamed
Event ID 15 == FileStream Created
Event ID 17, 18 == PipeEvent. Log Named pipe created & Named pipe connected
Event ID 19, 20, 21 == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity