July 7, 2022
Categorizing event severity is critical to successfully managing your information security capabilities.
It’s a basic fact – some threats are simply more urgent than others.
Many organizations have security information and event management (SIEM) platforms that simply deliver alerts as they’re generated. This chronological approach makes sense in a low-volume situation, but it quickly breaks down as the number of alerts rises.
Security professionals should not have to sift through hundreds of low-severity alerts before they reach the handful of high-severity events that matter. This slows down incident response and gets in the way of operational efficiency. It heightens security risk without providing a clear benefit.
This is why modern SIEM platforms allow security professionals to prioritize event IDs and push urgent threats to the top of their feed. This lets analysts investigate the most suspicious activities first, potentially blocking cyberattacks earlier in the kill chain than otherwise possible.
However, every SIEM platform works a little differently. Both Exabeam and USM Anywhere users can prioritize specific event IDs and fast-track the investigation of critical events, but each platform does it in its own way.
Understanding Your Event Priority Framework
There is no one-size-fits-all solution to prioritizing security events. Security analysts need to be able to prioritize specific event types according to the unique needs of the organization itself. These priorities may change depending on the organization, role, and scenario under consideration. Experienced analysts may have personal preferences that aren’t part of any standard operating procedure.
As a result, your organization's event priority framework is a flexible, customizable policy. It normalizes incoming event data into numeric values and expresses those values as factors, which combine to create a final event prioritization value.
Individual servers and user accounts do not operate in isolation. Some parts of your network infrastructure are more sensitive than others. A well-structured event priority framework takes these facts into consideration through multiple factors.
- Event Impact. This metric corresponds to the impact of a particular security event independently of the host or system it affects.
- Host Importance. This metric rates how much the confidentiality, integrity, and availability of a specific host matter to the organization. It takes the host's connectivity to other network hosts into account.
- Comprehensive Event Effect. This metric combines the event impact with the host importance rating of specific network infrastructure. It changes depending on how sensitive the targeted host is.
- Event Propagability. Some threats move faster through networks than others. This metric captures the speed and ease with which a particular event can spread through a network.
- Event Clustering. Security incidents don’t happen randomly. They are often targeted and synchronized so that multiple exploits occur at once. This metric captures the ability for multiple targeted attacks to cause greater damage than each individual exploit taken on its own.
- Event Priority Value. This metric combines the Comprehensive Event Effect with its Event Propagability and Event Clustering modifiers to create a single figure that represents the severity of the threat.
How to Prioritize Windows Event IDs in Exabeam
Exabeam leverages log data to identify events that may constitute security incidents. Endpoint logs that come from laptops, phones, and other devices are an important part of this equation. Windows administrators can use Event Viewer to access and view security logs covering nine different categories:
- Account logon events
- Account management
- Directory service access
- Logon events
- Object access
- Policy change
- Privilege use
- Process tracking
- System events
Some of the most common event codes used by Windows administrators when conducting security investigations include:
| Event ID | What it means |
| --- | --- |
| 4624 | Successful logon |
| 4625 | Failed logon |
| 4634 | Account logoff |
| 4648 | Logon attempted with explicit credentials |
| 4719 | System audit policy changed |
| 4964 | Special groups assigned to a new logon |
| 1102 | Audit log cleared |
| 4720 | User account created |
| 4722 | User account enabled |
| 4723 | Attempt to change an account password |
| 4725 | User account disabled |
| 4728 | Member added to a security-enabled global group |
| 4732 | Member added to a security-enabled local group |
| 4756 | Member added to a security-enabled universal group |
| 4738 | User account changed |
| 4740 | User account locked out |
| 4767 | User account unlocked |
| 4735 | Security-enabled local group changed |
| 4737 | Security-enabled global group changed |
| 4755 | Security-enabled universal group changed |
| 4772 | Kerberos authentication ticket request failed |
| 4777 | Domain controller failed to validate credentials |
| 4782 | Account password hash accessed |
| 4616 | System time changed |
| 4657 | Registry value modified |
| 4697 | Service installed on the system |
| 4946 | Rule added to the Windows Firewall exception list |
| 4947 | Rule modified in the Windows Firewall exception list |
| 4950 | Windows Firewall setting changed |
| 4954 | Windows Firewall Group Policy settings changed |
| 5025 | Windows Firewall service stopped |
| 5031 | Windows Firewall blocked an application from accepting incoming connections |
| 5155 | Windows Filtering Platform blocked an application or service from listening on a port |
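Putting the framework and the table together: the following is an added example, not Exabeam or USM Anywhere code and not Castra's own tooling. It scores a constructed Windows Security event feed with the five factors described under Understanding Your Event Priority Framework, keyed on the event IDs from the table above. The page gives no formula, so the Event Impact weights, the Host Importance inventory (DC01, FS01, WS-0417, KIOSK-3), the propagability multipliers, and the clustering window and step are all illustrative assumptions, and the log records are constructed.

```python
"""Event Priority Value over constructed Windows Security events.

Added example, not Exabeam or USM Anywhere code. The page names the
factors but gives no formula, so the weights, the multipliers, the asset
inventory and the log records below are illustrative assumptions.
"""

# Event Impact (1-10) per Windows Security event ID. Assumed values that
# follow the page's table: log clearing, audit-policy changes and privileged
# group membership changes outrank routine logon noise.
EVENT_IMPACT = {
    4624: 1, 4634: 1, 4625: 2, 4648: 4, 4740: 3, 4767: 3,
    4720: 5, 4722: 4, 4723: 3, 4725: 4, 4738: 4,
    4728: 8, 4732: 7, 4756: 8, 4735: 6, 4737: 6, 4755: 6,
    4772: 3, 4777: 4, 4782: 9, 4964: 7, 4719: 9, 1102: 10,
    4616: 5, 4657: 5, 4697: 7,
    4946: 6, 4947: 5, 4950: 5, 4954: 6, 5025: 8, 5031: 2, 5155: 3,
}

# Host Importance (1-5): an assumed asset inventory keyed by hostname.
HOST_IMPORTANCE = {"DC01": 5, "FS01": 4, "WS-0417": 2, "KIOSK-3": 1}

# Event Propagability: multiplier above 1.0 for events that hand an attacker
# a foothold reusable on other hosts (assumed values; default 1.0).
PROPAGABILITY = {4728: 1.5, 4756: 1.5, 4782: 1.5, 4697: 1.3, 4732: 1.2, 4648: 1.2}

# Event Clustering: each distinct other high-impact event ID seen on the same
# host inside the window raises the modifier by CLUSTER_STEP, up to CLUSTER_CAP.
CLUSTER_WINDOW = 300      # seconds (assumed)
CLUSTER_MIN_IMPACT = 5
CLUSTER_STEP = 0.25
CLUSTER_CAP = 2.0


def comprehensive_effect(event_id, host):
    """Comprehensive Event Effect: Event Impact scaled by Host Importance."""
    return EVENT_IMPACT.get(event_id, 1) * HOST_IMPORTANCE.get(host, 1)


def cluster_modifier(event, events):
    """Count distinct other high-impact IDs on the same host inside the window."""
    peers = {
        other["id"]
        for other in events
        if other is not event
        and other["id"] != event["id"]
        and other["host"] == event["host"]
        and abs(other["t"] - event["t"]) <= CLUSTER_WINDOW
        and EVENT_IMPACT.get(other["id"], 1) >= CLUSTER_MIN_IMPACT
    }
    return min(1.0 + CLUSTER_STEP * len(peers), CLUSTER_CAP)


def priority_value(event, events):
    """Event Priority Value = Comprehensive Effect x Propagability x Clustering."""
    base = comprehensive_effect(event["id"], event["host"])
    return base * PROPAGABILITY.get(event["id"], 1.0) * cluster_modifier(event, events)


def prioritize(events):
    """Return copies of the events, highest Event Priority Value first."""
    scored = [{**e, "priority": priority_value(e, events)} for e in events]
    return sorted(scored, key=lambda r: r["priority"], reverse=True)


# Constructed feed (t = seconds from the start of the sample), in arrival order.
EVENTS = [
    {"t": 0,   "id": 4624, "host": "WS-0417", "user": "jdoe"},
    {"t": 5,   "id": 4624, "host": "KIOSK-3", "user": "guest"},
    {"t": 60,  "id": 4625, "host": "DC01",    "user": "admin"},
    {"t": 65,  "id": 4625, "host": "DC01",    "user": "admin"},
    {"t": 120, "id": 4624, "host": "DC01",    "user": "admin"},
    {"t": 130, "id": 4720, "host": "DC01",    "user": "admin"},     # account created
    {"t": 140, "id": 4728, "host": "DC01",    "user": "admin"},     # added to global group
    {"t": 150, "id": 1102, "host": "DC01",    "user": "admin"},     # audit log cleared
    {"t": 200, "id": 4720, "host": "WS-0417", "user": "helpdesk"},  # same ID, low-value host
]

if __name__ == "__main__":
    for row in prioritize(EVENTS):
        print(f'{row["priority"]:6.2f}  {row["id"]}  {row["host"]:8}  {row["user"]}')
```

Run it and the chronological feed is reordered: the 4728 group-membership change on DC01 (90.0) outranks even the 1102 log clear (75.0) because of its propagability multiplier, the same 4720 account creation scores 37.5 on the domain controller but only 10.0 on the workstation, and the three 4624 logons sink to the bottom. The numbers are the assumptions talking, so tune the weight tables to your own asset inventory rather than copying them.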
How to Prioritize Events in USM Anywhere
USM Anywhere collects and analyzes data on network activity, as well as your firewalls, routers, switches, servers, and applications. The USM Anywhere Sensor discovers assets, assesses vulnerabilities, detects threats, and monitors users to provide situational awareness to security analysts.
To view the events that USM Anywhere processes, open the Events page under the Activity menu. You’ll see a comprehensive display of events being processed and the relevant metrics being collected. Default columns include the Event Name, Time Created, OTX status, Source Asset, Destination Asset, Sensor Name, and Username associated with the event.
Add columns here and drill down into individual events for more detailed analysis. You can open the Configure Filters page in the upper-left corner to narrow the event list using ten filters, which is how you bring the events you care about to the top of the feed:
- Custom Range. The built-in ranges show events triggered in the last hour, 24 hours, 7 days, or three months. You can also set a custom range to find particular events.
- Suppressed. Suppressed events are hidden by default. You can filter to show suppressed events here.
- Account Name. Filter events by the individual account that generated the event.
- Data Source. Filter according to the data source used to normalize the event.
- Event Name. Filter events that share a short, user-readable description.
- Source Asset. Filter events by the name of the asset that produced the event.
- Source User. Filter events by the name of the user that caused the event.
- Sensor. Filter events by the name of the USM Anywhere Sensor that detected it.
- Asset Groups. Filter events by the name of the asset group or groups that the source or destination asset belongs to. It applies only to events whose source or destination is a member of an asset group.
- Username. Filter events by the username associated with the asset that generated the event.
Use Custom Event Prioritization to Improve Incident Response
The ability to customize the way your SIEM handles security events is an important strategic advantage in today’s security landscape. Castra's expertise can help you identify which event types need the highest priority ranking according to your organization’s unique risk profile.
Speak to an information security expert about improving your organization’s event prioritization framework to find out more.