How does Classification work?

Due to the diversity of architectures and log-message formats employed by Log Sources, IT professionals have long had difficulty extracting useful information from log messages and configuring related systems for interoperability. To resolve this problem, the MITRE Corporation developed the Common Event Expression (CEE) Architecture. The CEE defines standards for the structure, composition, and transport of log messages (known as 'event records' in the CEE standard). With the CEE initiative, the MITRE Corporation aims to enhance the accessibility and usefulness of log data, while also improving the efficiency of log-message collection, correlation, and reporting.

The CEE Architecture consists of the following components.

The CEE Dictionary and Event Taxonomy (CDET) provides common descriptions for the classification of log messages. The CDET consists of metadata tags that may be used to categorize log messages based on the attributes of related events (for example, the user account that attempted a failed login recorded by a log message, or the system on which the login attempt occurred).

The Common Event Log Recommendations (CELR) specifies the events for which Log Sources should generate log messages.

The Common Log Syntax (CLS) defines the CEE-compatible fields that may be included in log messages generated by Log Sources, as well as the syntax of values in each field (for example, a date or numeric format).

The Common Log Transport (CLT) provides the log-transport framework for CEE, which ensures the integrity and conformance of communicated log messages.

TLC supports the CEE Dictionary and Event Taxonomy (CDET) by providing a collection of pre-defined Classification Tags and Tag Sets, as well as the ability for users to create custom Tags of their own. Classification is the process of categorizing log messages with Tags. When a collected log message is indexed in the Audit Logger Index, TLC will associate the message with a Classification Tag if the following conditions are satisfied: 

The Tag is assigned to the Classification tab in the properties of a Normalization Rule (see How does Log-Message Normalization work?),

The message contains the string specified by the rule's Quick Match field, and

The Collector with which the message was gathered is specified in the rule's Collector Type drop-down.

Consequently, you can search for log messages with specified Tags in the Audit Logger, and compile related Reports about the messages with those Tag associations. (For further details about these Normalization Rule properties, see Table 87.)

Note 

If a log message fails to satisfy these criteria, TLC assigns the 'Unclassified' Classification Tag to the message. 

Table 27 describes the Tags in each Tripwire-defined Classification Tag Set. At minimum, the CEE working group recommends that each log message be assigned an Object tag, an Action tag, and a Status tag (OAS). With these tags, each log message will have a meaningful, unambiguous descriptor of the activity that triggered the creation of the log message.

Table 27. Tripwire-defined Classification Tag Sets

Tag Set

Includes Tags that ...

Object

... identify the user, application, process, or object that initiated the event reported by a log message.

Action

... indicate the activity in which the Object engaged.

Status

... signify the result of the Action.

Attack Type

... indicate the method of attack in those events identified as an attack.

Device Type

... specifies a category of Log Source.

Note 

Normalization Rules created in previous versions of TLC do not have Classification Tags. In addition, some Tripwire-defined rules lack Classification Tags. Created by Tripwire, these default rules can normalize multiple types of log messages for the same type of Log Source. For example, the Windows - Event rule in the Snare Normalization Rule Group normalizes Windows log messages relayed by InterSect Snare products. However, no Classification Tags are assigned to this rule. When TLC uses the rule to normalize a log message, the message is automatically normalized a second time by any applicable rules in the Windows Normalization Rule Group, and TLC applies any Classification Tags assigned to the Windows rules.

Example: Classifying Successful Logons

The contents of log messages can vary widely between Log Sources. For instance, Figure 35 presents a collection of log messages from different Log Sources for the same logon event. While the Windows log message refers to this event as a "logon," the Cisco message reports a "login" event, and the Ubuntu message simply declares a "session opened." In addition, the Apple, Snort, and Ubuntu messages treat the logon as a single, discrete event, while the Microsoft message parses the process into multiple events: 

1. The entry of user credentials (i.e. a username and password),
2. Authentication, and
3. The creation of a user session.

Figure 35.  Log messages for the same logon event (click to enlarge)

Log messages for the same logon event

To help you keep track of all successful logon attempts, Tripwire assigned the following Classification Tags to all Tripwire-defined Normalization Rules that normalize log messages created for successful logons: 

Object > Account

Action > Logon

Status > Success

Collectively, the Tags indicate that a log message reflects a successful logon attempt by a user account.

Note 

Each of these rules also has a Device Type Tag indicating the type of Log Source. However, none of these rules have an Attack Type Tag since a successful logon is not considered an attack (i.e. a malicious activity).

If TLC indexes a message, and a Normalization Rule satisfies the classification criteria, TLC associates the rule's Classification Tags with the log message when the message is added to the Audit Logger Index. To query TLC for log messages associated with all three of these Tags, enter the following string in the Classification Tags field in the Search tab of the Audit Logger (see Working with Audit Logger Queries):

User Logon Success

To query TLC for log messages that have at least one of these Tags, enter: 

User | Logon | Success

For further details about CEE, see cee.mitre.org.

For more information about Classification Tags in TLC, see:

Example: Classifying Successful Logons

Working with Classification Tags

Working with Classification Tag Sets

Assigning Classification Tags to a Normalization Rule