---
id: normalized-threat-rules
title: Normalized Threat Rules
sidebar_label: Normalized Threat Rules
description: Cloud SIEM's built-in normalized threat rules pass alerts from a security product to the signal generation process and work across multiple security products.
slug: /help/docs/cse/rules/normalized-threat-rules/
canonical: https://www.sumologic.com/help/docs/cse/rules/normalized-threat-rules/
---

import useBaseUrl from '@docusaurus/useBaseUrl';

This topic has information about Cloud SIEM’s built-in normalized threat rules.

To get a CSV of normalized threat rules, see [Rules - Useful CSVs](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/README.md#useful-csvs) in the [Cloud SIEM Content Catalog](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/README.md). The CSV includes information about the log mappers that participate in normalized threat rules and the data sources the rules support.

## Normalized threat rules pass alerts to Cloud SIEM

The first key fact about normalized threat rules is this: they exist to process messages that describe a security event that has already occurred. Some messages logged by a security product are the result of that product’s own detection functionality, for example, rule sets or signatures. Such messages typically carry a severity, risk, or impact value and can be accepted as a clear indication of nefarious activity. Essentially, a normalized threat rule passes an alert from a security product to the signal generation process.

## Normalized threat rules support multiple log sources

The second important aspect of a normalized threat rule is that, as the name implies, it supports multiple log sources.
For example, a normalized threat rule that looks for intrusions would work with multiple products that detect intrusions, such as:

* Palo Alto Threat Event
* Cisco Firepower IDS
* Symantec Endpoint Protection Exploit Prevention/HIPS
* IPS/IDS Appliances
* Microsoft Graph Security API

Ordinarily, rules define the log messages they’ll be applied to by specifying `metadata_vendor` and `metadata_product` in the rule expression. A normalized rule doesn’t specify these attributes. Instead, it looks at another attribute that is set during the log mapping process: `threat_ruleType`. In the log mapping process for a message type, `threat_ruleType` is set to a value that corresponds to a threat type, for example “intrusion”. Normalized threat rules can then look for messages whose `threat_ruleType` field is “intrusion”, regardless of vendor or product. This also means a security product only participates in normalized threat rules if its log mapper actually sets `threat_ruleType`.

For information about mapping requirements for messages that describe security events, see [Field Mapping for Security Event Sources](/docs/cse/schema/field-mapping-security-event-sources).

## Types of normalized threat rules

There are multiple categories of normalized threat rules for different types of threats.

### intrusion

For messages that indicate an intrusion has taken place. These messages typically include a signature for the exploit attempted.

Log sources that issue intrusion-related messages include:

* Palo Alto Threat Event
* Cisco Firepower IDS
* Symantec Endpoint Protection Exploit Prevention/HIPS
* IPS/IDS Appliances

Cloud SIEM provides the following normalized intrusion rules:

* [Intrusion Scan - Targeted](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/THRESHOLD-S00514.md) - This rule looks for an intrusion product detecting an internal IP sending different exploits to another external IP in a short timeframe.
* [Intrusion Sweep](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/THRESHOLD-S00515.md) - This rule looks for an intrusion product detecting an internal IP sending the same exploit to multiple internal IPs in a short timeframe.
* [High Severity Intrusion Signature](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/MATCH-S00666.md) - This rule looks for an intrusion product detecting a high severity intrusion signature sourcing from an internal IP.
* [Critical Severity Intrusion Signature](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/MATCH-S00513.md) - This rule looks for an intrusion product detecting a critical severity intrusion signature sourcing from an internal IP.
* [Informational Severity Intrusion Signature](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/MATCH-S00669.md) - This rule looks for an intrusion product detecting an informational severity intrusion signature sourcing from an internal IP.
* [Low Severity Intrusion Signature](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/MATCH-S00668.md) - This rule looks for an intrusion product detecting a low severity intrusion signature sourcing from an internal IP.
* [Medium Severity Intrusion Signature](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/MATCH-S00667.md) - This rule looks for an intrusion product detecting a medium severity intrusion signature sourcing from an internal IP.

**Requirements for Intrusion Signature rules:** The rules that detect intrusion signatures from internal IP addresses rely upon the [normalizedSeverity](/docs/cse/schema/schema-attributes) attribute in records being mapped as follows:

* critical = 10
* high = 9
* medium = 2
* low = 1
* information = 0

Because these rules match on the exact numeric value, a log mapper that assigns a vendor severity to a different number (for example, mapping “high” to 7) will produce records that none of the Intrusion Signature rules match.

### malware

For messages that indicate malware has been detected. These messages typically provide a signature for the type of malware.
Log sources that issue malware-related messages include:

* Antivirus Appliances
* Trend Micro Antivirus
* Symantec Endpoint Protection Scanning/Antivirus

Cloud SIEM provides the following normalized malware rules:

* [Malware Outbreak](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/THRESHOLD-S00517.md) - Same malware signature on multiple hosts in a short timeframe.
* [Persistent Malware Infection](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/THRESHOLD-S00520.md) - Single host with multiple malware infections with the same signature in a short timeframe.
* [Malware Not Cleaned](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/MATCH-S00518.md) - Malware the antivirus fails to clean.
* [Malware Cleaned](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/MATCH-S00519.md) - Malware the antivirus successfully cleans.
* [Antivirus Ransomware Detection](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/MATCH-S00516.md) - Malware determined to be ransomware based on the signature/virus name.

### direct

For messages that indicate suspicious or malicious activity based on behavior, rather than a signature. These messages don’t usually include a signature; instead they might contain the command line arguments and other actions taken by the adversary.

Log sources that issue behavior-related messages include:

* CrowdStrike Falcon
* Symantec Endpoint Protection EDR
* Carbon Black Response
* AWS GuardDuty
* Varonis UBA
* G Suite Alert Center

Cloud SIEM provides the following normalized direct rule:

* [Normalized Security Signal](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/rules/MATCH-S00402.md) - Passes through an alert from an endpoint security product and adjusts the severity based on the severity provided in the log.
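The following Python script is an added illustration of the flow described in the sections above (mapping sets `threat_ruleType`, then vendor-agnostic rules match on it); it is not Cloud SIEM's log mapper, rule language or rule engine. The two vendor message formats are constructed stand-ins for a Palo Alto threat log and a Cisco Firepower/Snort-style IDS event, with invented field names; the record attributes beyond those on this page (`threat_name`, `srcDevice_ip`, `dstDevice_ip`, `timestamp`) are assumed from the Cloud SIEM schema; the RFC 1918 internal-network list, the Snort-style priority-to-severity table, and the five-minute / three-target threshold tuning are all assumptions for the example. The `normalizedSeverity` numbers are the ones the intrusion rules on this page require.

```python
"""Normalized threat-rule flow as a stand-alone illustration (not Cloud SIEM code).

Two constructed vendor messages are mapped to normalized records that carry
threat_ruleType = "intrusion" and the normalizedSeverity values the page lists.
Two vendor-agnostic rules then run over the records without referencing
metadata_vendor or metadata_product.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# normalizedSeverity values required by the Intrusion Signature rules (from the page).
NORMALIZED_SEVERITY = {"critical": 10, "high": 9, "medium": 2, "low": 1, "information": 0}

# Assumption: Snort-style priority numbers used by the constructed IDS message format.
IDS_PRIORITY_TO_SEVERITY = {1: "high", 2: "medium", 3: "low", 4: "information"}

# Assumption: RFC 1918 blocks stand in for the customer's configured internal networks.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def map_panos_threat(msg: dict) -> dict:
    """Hypothetical mapper for a constructed PAN-OS-style THREAT log (already parsed)."""
    return {
        "metadata_vendor": "Palo Alto Networks",
        "metadata_product": "PAN-OS",
        "threat_ruleType": "intrusion",            # set by the mapper, not by the rule
        "threat_name": msg["threatid"],            # exploit signature
        "srcDevice_ip": msg["src"],
        "dstDevice_ip": msg["dst"],
        "normalizedSeverity": NORMALIZED_SEVERITY[msg["severity"].lower()],
        "timestamp": msg["receive_time"],
    }


def map_ids_event(msg: dict) -> dict:
    """Hypothetical mapper for a constructed Firepower/Snort-style IDS event."""
    return {
        "metadata_vendor": "Cisco",
        "metadata_product": "Firepower IDS",
        "threat_ruleType": "intrusion",
        "threat_name": msg["msg"],
        "srcDevice_ip": msg["src_ip"],
        "dstDevice_ip": msg["dst_ip"],
        "normalizedSeverity": NORMALIZED_SEVERITY[IDS_PRIORITY_TO_SEVERITY[msg["priority"]]],
        "timestamp": msg["timestamp"],
    }


def high_severity_intrusion(records: list) -> list:
    """Match rule in the style of 'High Severity Intrusion Signature': any vendor,
    threat_ruleType intrusion, normalizedSeverity exactly 9, internal source IP."""
    return [r for r in records
            if r["threat_ruleType"] == "intrusion"
            and r["normalizedSeverity"] == 9
            and is_internal(r["srcDevice_ip"])]


def intrusion_sweep(records: list, window: timedelta = timedelta(minutes=5), min_targets: int = 3) -> list:
    """Threshold rule in the style of 'Intrusion Sweep': one internal source sends the same
    signature to at least min_targets distinct internal destinations inside one window."""
    groups = defaultdict(list)
    for r in records:
        if (r["threat_ruleType"] == "intrusion"
                and is_internal(r["srcDevice_ip"]) and is_internal(r["dstDevice_ip"])):
            groups[(r["srcDevice_ip"], r["threat_name"])].append(r)
    signals = []
    for (src, signature), events in groups.items():
        events.sort(key=lambda e: e["timestamp"])
        for i, first in enumerate(events):            # window starts at each event in turn
            targets = {e["dstDevice_ip"] for e in events[i:]
                       if e["timestamp"] - first["timestamp"] <= window}
            if len(targets) >= min_targets:
                signals.append({"rule": "Intrusion Sweep", "src": src,
                                "signature": signature, "targets": sorted(targets)})
                break                                  # one signal per source/signature pair
    return signals


# Constructed sample messages (not real product output).
T0 = datetime(2024, 1, 1, 12, 0, 0)
SIG = "Bash Remote Code Execution Vulnerability(36709)"
PANOS_MESSAGES = [
    {"receive_time": T0, "src": "10.1.1.5", "dst": "10.2.0.10", "severity": "high", "threatid": SIG},
    {"receive_time": T0 + timedelta(seconds=30), "src": "10.1.1.5", "dst": "10.2.0.11", "severity": "high", "threatid": SIG},
    {"receive_time": T0 + timedelta(seconds=70), "src": "10.1.1.5", "dst": "10.2.0.12", "severity": "high", "threatid": SIG},
    # external destination: counts for the match rule, not for the sweep
    {"receive_time": T0 + timedelta(seconds=90), "src": "10.1.1.5", "dst": "203.0.113.9", "severity": "high", "threatid": SIG},
]
IDS_MESSAGES = [
    {"timestamp": T0 + timedelta(seconds=120), "src_ip": "192.168.5.7", "dst_ip": "192.168.5.20",
     "priority": 2, "msg": "SERVER-WEBAPP directory traversal attempt"},
    # high priority but external source: not an internal-source match
    {"timestamp": T0 + timedelta(seconds=150), "src_ip": "198.51.100.4", "dst_ip": "192.168.5.20",
     "priority": 1, "msg": "SERVER-WEBAPP directory traversal attempt"},
]
NORMALIZED_RECORDS = [map_panos_threat(m) for m in PANOS_MESSAGES] + [map_ids_event(m) for m in IDS_MESSAGES]

if __name__ == "__main__":
    for r in high_severity_intrusion(NORMALIZED_RECORDS):
        print("match:", r["metadata_vendor"], r["srcDevice_ip"], "->", r["dstDevice_ip"], r["threat_name"])
    for s in intrusion_sweep(NORMALIZED_RECORDS):
        print("signal:", s)
```

Note that neither rule function mentions a vendor: the PAN-OS records and the IDS records are treated identically once `threat_ruleType` is set, which is the whole point of normalization. It also shows the failure mode from the requirements note: if `map_ids_event` had emitted 7 for "high", `high_severity_intrusion` would silently skip those records.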