
Sheriff CSM™

Correlation Directives

Sheriff CSM provides over 4,500 built-in directives and adds more every week through the AT&T Alien Labs™ Threat Intelligence Update. The directives are grouped into different categories.

Sheriff CSM correlation directive categories

| Category Name | Explanation | Example |
| User Contributed | A placeholder for user-created and/or modified directives. By default, this category is empty. | |
| Sheriff Attacks | Directives to detect various attacks against vulnerable services and applications. | AV Attacks, Successful OpenSSL HeartBeat attack |
| Sheriff BruteForce | Directives to detect brute force attacks on services that require authentication. | AV Bruteforce attack, SSH authentication attack against DST_IP (destination IP) |
| Sheriff DoS | Directives that detect Denial of Service (DoS) attacks on different applications and services. | AV Service attack, successful denial of service against IIS web server on DST_IP (MS07-041) |
| Sheriff Malware | Directives to detect malware. | AV Malware, botnet Koobface activity detected on SRC_IP (source IP) |
| Sheriff Misc | Directives to detect activities that do not fall into any other category. | AV Misc, suspicious executable download from a dynamic domain on SRC_IP |
| Sheriff Network | Directives to detect network-related anomalies and attacks. | AV Network attack, too many dropped inbound packets from DST_IP |
| Sheriff Policy | Directives to detect policy violations. | AV Policy violation, vulnerable Java version detected on SRC_IP |
| Sheriff Scada | Directives to detect attacks on industrial supervisory control and data acquisition (SCADA) systems. | AV SCADA attack, Modbus scanning or fingerprinting against DST_IP |
| Sheriff Scan | Directives to detect scanning activities. | AV Network scan, Nmap scan against DST_IP |
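To make concrete what a directive in the Sheriff BruteForce category does when it fires, here is a small correlation engine that models the table's own example, "SSH authentication attack against DST_IP". This is an added illustration, not code from Sheriff CSM or from this page: the event layout, the 60-second window, the occurrence thresholds and the reliability steps are all assumptions chosen for the example. It shows the defining behaviour of a correlation directive, which is to turn many low-value events from one SRC_IP against one DST_IP into a single alarm whose reliability rises as more events match, while unrelated events and events outside the window are ignored.

```python
"""Toy correlation directive (added illustration, not Sheriff CSM code).

Models a "Sheriff BruteForce" style directive: count failed logins from one
SRC_IP to one DST_IP inside a time window and raise an alarm whose reliability
grows with the number of matching events. Event fields, window size and the
reliability steps are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: int          # seconds since epoch (constructed sample values below)
    plugin: str      # event source, e.g. "ssh"
    name: str        # normalised event name
    src_ip: str
    dst_ip: str


@dataclass
class Directive:
    name: str
    category: str
    plugin: str
    event_name: str
    window: int      # seconds within which matching events must occur
    # (occurrences needed, reliability) steps; the highest reached step wins
    steps: list = field(default_factory=lambda: [(3, 2), (5, 5), (10, 8)])


@dataclass
class Alarm:
    directive: str
    src_ip: str
    dst_ip: str
    count: int
    reliability: int


class Correlator:
    def __init__(self, directive):
        self.directive = directive
        # (src_ip, dst_ip) -> timestamps of matching events still inside the window
        self.state = defaultdict(list)

    def feed(self, ev):
        """Consume one event; return an Alarm when the directive's threshold is met."""
        d = self.directive
        if ev.plugin != d.plugin or ev.name != d.event_name:
            return None  # not the event type this directive correlates on
        key = (ev.src_ip, ev.dst_ip)
        hits = self.state[key]
        hits.append(ev.ts)
        # forget events that have fallen out of the correlation window
        self.state[key] = hits = [t for t in hits if ev.ts - t <= d.window]
        reliability = 0
        for needed, rel in d.steps:
            if len(hits) >= needed:
                reliability = rel
        if reliability == 0:
            return None
        return Alarm(d.name, ev.src_ip, ev.dst_ip, len(hits), reliability)


def run_sample():
    """Feed a constructed event stream through one directive and collect alarms."""
    directive = Directive(
        name="AV Bruteforce attack, SSH authentication attack against DST_IP",
        category="Sheriff BruteForce",
        plugin="ssh", event_name="Failed password", window=60)
    c = Correlator(directive)
    # constructed sample: 10.0.0.5 fails six times in a row against 192.0.2.10,
    # 10.0.0.9 fails once, and one successful login must not count as a hit
    events = [Event(100 + i, "ssh", "Failed password", "10.0.0.5", "192.0.2.10")
              for i in range(6)]
    events.append(Event(103, "ssh", "Failed password", "10.0.0.9", "192.0.2.10"))
    events.append(Event(104, "ssh", "Accepted password", "10.0.0.5", "192.0.2.10"))
    return [a for a in (c.feed(e) for e in events) if a]


if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm)
```

Running the sample yields four alarms, all for 10.0.0.5 against 192.0.2.10: the first fires on the third failure with reliability 2, and the reliability climbs to 5 once five failures sit inside the window. The single failure from 10.0.0.9 and the successful login never produce an alarm, which is the grouping-by-source-and-destination behaviour the DST_IP/SRC_IP placeholders in the table refer to.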

Sheriff CSM provides a web interface, Configuration > Threat Intelligence > Directives, for you to examine, modify, or create new correlation directives.

[Figure: Directives page for managing correlation directives.]

To display a directive:
  1. Click the black triangle to the left of the category name.
  2. Click the black triangle to the left of the directive.

Each directive consists of the following

Sheriff Vigilante Limitations: Sheriff CSM includes a faster and more robust correlation section with more complex correlation directives. Sheriff Vigilante has a smaller number of correlation directives, but you are allowed to customize and build your own directives based on your needs.

Sheriff Vigilante Limitations: In the Sheriff Vigilante environment, the following directive categories are inactive:
  • Sheriff DoS
  • Sheriff Network
  • Sheriff Scada
Topic revision: r8 - 14 Dec 2021, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.