
SentinelOne Cloud Detection | Real-Time CWPP STAR™ Rules Engine

The STAR Rules Engine is one of five detection engines that work together as part of our cloud workload protection platform (CWPP) to detect, block, and respond to runtime threats affecting cloud workloads. This is the fifth installment in our Detection Engine blog series. (The Static AI, Behavioral AI, Application Control, and Cloud Threat Intelligence Engines are covered in the first, second, third, and fourth posts of the series, respectively.)

STAR Rules Engine 101

Cloud workloads can produce millions of security telemetry events every day. Finding indicators of compromise (IOCs) hidden deep within that security data lake requires an automated method for security teams.

The STAR Rules Engine is a rules-based engine that lets users convert queries against cloud workload telemetry into automated threat hunting rules. These custom rules trigger alerts and, optionally, automated response actions whenever a match occurs. In this way, security teams can use STAR rules as a force multiplier to take quick action at scale in the face of an ever-changing threat environment.

How Does It Work?

The custom detection logic defined by a STAR rule is pushed immediately to every agent in the customer’s fleet, or to a subset of it, at the customer’s discretion. Each rule can be tailored to the organization’s requirements. Users can decide whether to receive alerts only or to apply mitigating measures such as killing the matching process, network quarantine, and others. Based on policy settings, SentinelOne provides automatic mitigation options for the Suspicious and Malicious threat confidence levels.

An alert is generated in near real time when a STAR rule matches inbound telemetry sent from the CWPP agent to the Singularity Data Lake. If the rule specifies a response action, the agent executes that response on the Storyline™ associated with the telemetry event that produced the match. To keep security professionals informed, STAR alerts appear in the Activity log and in the Alerts section of the management console. The Threats section prominently displays threats, giving a thorough overview of what has been found.

Creating a STAR Rule

STAR rules can be built from any combination of 200+ telemetry attributes. Although it might seem daunting, creating a rule takes four simple steps and can significantly boost SOC productivity.

STEP 1: Write a Query

The first step is writing a Singularity Data Lake query. This is where your threat-hunting expertise comes into play. Early users of Purple AI will find this step particularly simple, because its GenAI automatically translates natural language queries into the proper SDL syntax.

Copy the syntax of this query to your paste buffer:

event.type == "File Modification" AND endpoint.os == "linux" AND tgt.file.path == "/etc/passwd"

STEP 2: Create a New STAR Rule

Next, click “STAR Custom Rules” and then select “New Rule.” Give the rule a descriptive name, a description, and a severity level. Click “Next” to proceed to the rule condition.

Define an appropriate scope, then paste the query syntax from Step 1 into the rule. Select “Next.”

STEP 3: Add Response Actions

In essence: what do you want to happen when a telemetry event matches your rule? Do you consider the detection to be a malicious or a suspicious threat? If so, check the box “Treat as a Threat” and select the appropriate option, such as “Suspicious Threat Policy” or “Malicious Threat Policy.” The policy configured for the agent’s scope governs the automated response action. Select “Next.”

STEP 4: Save the Rule

Review the rule details in the Summary window. Tick the “Activate rule immediately after saving” box if you want the rule to take effect right away. Click “Submit” if everything looks correct.

If creating a rule seems easy, great: that is the goal. You can view the list of your custom rules within the SentinelOne management console by going to Sentinels in the left navigation pane and choosing the STAR CUSTOM RULES tab, as shown below. The newly created rule, “JM-Detect passwd changes,” is listed here. We’ll return to this rule when we look at an example detection later in the blog.

STAR Rules Best Practices

Singularity Complete customers can use up to 100 STAR rules at no extra cost and have the option to buy additional rules in packs of 300, up to a maximum of 1000 STAR rules per customer.

Organizations should adhere to the following best practices in order to maximize the effectiveness of STAR rules:

  1. Tune Queries for Accuracy: Fine-tune your queries to produce a specific, relevant list of true-positive matches, so that alerts are directed at actionable threats. For instance, if a query produces hundreds of results, you could add search parameters to the rule or shorten the time frame.
  2. Save Queries as Custom Rules: Convert successful queries into custom rules to enable continuous monitoring and automated response.
  3. Iterative Rule Refinement: After a STAR rule has been running for some time, investigate the alerts (i.e., matches) it has generated. Based on that feedback and analysis, modify the rule to further narrow the results until the final match is laser-focused on the exact condition you want. This iterative strategy ensures the best threat detection.
  4. Automated Mitigation: Once your rule is finely tuned and its results meet your expectations, choose an Auto Response to automatically mitigate identified threats. This proactive approach delivers individualized, rapid cloud threat detection and response for your particular use case.

Organizations can fully utilize SentinelOne’s STAR rules by adhering to these best practices.

STAR Rule Example: Detecting a Change to /etc/passwd

Earlier we created a STAR rule, “JM-Detect passwd changes,” which triggers a ‘Suspicious’ alert any time a file modification is made to the /etc/passwd file path on a Linux VM. Now that the rule has been created, its custom detection logic is pushed to all CWPP agents within the scope.

Looking at the Incidents panel, we see two detections labelled ‘Suspicious’, one of which was made by the STAR rule and relates to a bash script.

Clicking on the incident reveals expanded details. Here, a threat actor ran a bash script that began by escalating privileges via the sudo command, which is the originating process. The STAR rule then detected a change to the VM’s passwd file.

Note that the Incident Status is marked as Unresolved and NOT MITIGATED because the rule was configured to use the Suspicious Threat Policy, which is in Detect Mode. Had the rule invoked the Malicious Threat Policy, and had that policy been set to take a mitigating action (such as process kill), the response would have been automated, freeing up the overworked security analyst.
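To show how the four rule-creation steps and the passwd detection above fit together, here is an added example (not SentinelOne’s code and not the STAR engine’s real evaluator): a small matcher that parses the equality-only SDL query from Step 1, runs it over a handful of constructed telemetry events flattened to the same dotted attribute names, and chooses the response according to the assumed policy mapping (Suspicious = Detect Mode, alert only; Malicious = kill the matching process). The field `src.process.name`, the `storyline` ids and the `POLICY` table are assumptions for illustration.

```python
import re

# Constructed sample telemetry, flattened to the dotted attribute names the
# page's query uses. These are not real agent exports.
SAMPLE_EVENTS = [
    {"event.type": "File Modification", "endpoint.os": "linux",
     "tgt.file.path": "/etc/passwd", "src.process.name": "bash", "storyline": "S1"},
    {"event.type": "File Modification", "endpoint.os": "linux",
     "tgt.file.path": "/var/log/syslog", "src.process.name": "rsyslogd", "storyline": "S2"},
    {"event.type": "File Modification", "endpoint.os": "windows",
     "tgt.file.path": "/etc/passwd", "src.process.name": "notepad.exe", "storyline": "S3"},
    {"event.type": "Process Creation", "endpoint.os": "linux",
     "tgt.file.path": "", "src.process.name": "sudo", "storyline": "S4"},
]

# The Step 1 query, verbatim from the page.
QUERY = ('event.type == "File Modification" AND endpoint.os == "linux" '
         'AND tgt.file.path == "/etc/passwd"')

COND_RE = re.compile(r'^\s*([\w.]+)\s*(==|!=)\s*"([^"]*)"\s*$')

def parse_query(query):
    """Turn 'a == "x" AND b != "y"' into [(field, op, value), ...].
    Only the equality subset of the SDL syntax used on this page is handled."""
    conds = []
    for clause in re.split(r'\s+AND\s+', query.strip()):
        m = COND_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        conds.append(m.groups())
    return conds

def matches(event, conds):
    """True when every condition holds for this event (missing field != value)."""
    return all((event.get(f) == v) == (op == "==") for f, op, v in conds)

# Assumed policy mapping: Suspicious policy is Detect Mode (no action);
# Malicious policy is configured to kill the matching process.
POLICY = {"suspicious": None, "malicious": "kill"}

def run_rule(name, query, treat_as, events, policy=POLICY):
    """Evaluate a rule over events; one alert per match, with the response
    the scope's policy prescribes and the resulting incident status."""
    conds = parse_query(query)
    alerts = []
    for ev in events:
        if matches(ev, conds):
            action = policy.get(treat_as)
            alerts.append({"rule": name, "storyline": ev["storyline"],
                           "process": ev["src.process.name"], "action": action,
                           "status": "Mitigated" if action else "Not Mitigated"})
    return alerts
```

Running the rule with `treat_as="suspicious"` yields exactly one alert, on the bash Storyline, left Not Mitigated as in the screenshot; switching to `"malicious"` produces the same match with a kill action.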

Once more, we pause to emphasize that the choice of automated response action is deliberate: the power and flexibility are yours. The combination of agent-based and agentless security capabilities is a potent, transformative mechanism for improving cloud security outcomes.

The security analyst would then undoubtedly initiate a mitigation action, which is simple to do from the “Actions” button in the upper right corner of the Incidents pane of the SentinelOne management console. They would probably also open a security ticket, record their findings and actions, and notify the DevOps owner of this Linux VM.

Conclusion

The STAR Rules Engine, one of five engines in SentinelOne’s real-time CWPP solution, sends alerts when security telemetry matches custom logic and optionally automates a prescribed response action. In this way, the STAR Rules Engine strengthens the cloud security operations team. It works alongside the other local engines to provide real-time cloud threat detection and response that far outperforms the constrained capabilities of agentless CWPP.

Visit the solution homepage to learn more about the benefits of real-time, AI-powered CWPP in your cloud security stack, or take a 2-minute guided walk-through to see how Singularity Cloud Workload Security functions. For a customized demo whenever you’re ready, get in touch with one of our cloud security specialists.

A Buyer’s Guide to Cloud Workload Protection Platform: EBook
When purchasing cloud workload solutions, you should take a few important factors into account, according to the Cloud Workload Protection Platform Buyer’s Guide. We sincerely hope it clarifies your selection and evaluation procedures.