Home >
Enterprise >
Participants >
HanSight > APT29 Configuration
|
HanSight Configuration
Description
HanSight Enterprise SIEM – A next-generation SIEM platform that enables security teams to accurately detect and prioritize threats across the enterprise network. It provides intelligent insights that guide security teams to respond quickly to reduce the impact of incidents.
Product Architecture

Data Collection

Flexible Correlation Engine
To combat advanced threats, the HanSight Enterprise SIEM employs cross-generation analytics techniques, including signature match, threat intelligence, correlation rules, and ML/AI-based anomaly detection. In the Eval test, most of the fired alerts came from detections by correlation rules or the ML engine.
The correlation engine (aka “SAE engine”) can perform correlation analysis across devices and attack stages to guarantee high-fidelity alerts with low false positives. It also supports chaining interrelated detections by the Boolean operators (AND/OR/NOT) and sequence operators (FOLLOW BY, WITHIN) to form complex logic. For example, in the Eval test to detect “Abnormal Powershell executes potential attack”, we correlated the data sources from both SysMon & ETW and used the Follow_By template to do cross-stage correlation.
The ML-based advanced analytics also plays an integral role in detecting advanced threats. For example, we leveraged SVM (ML in lab) to generate detection models for DNS tunneling. In the case of fileless attack detection, we used both the CNN + LSTM ML engines to detect anomalous PowerShell.
HQL (HanSight Query Language)
The HanSight Query Language is an interactive threat hunting/investigation tool developed on ad-hoc search. The query language syntax supports Linux pipeline and SQL with over 20 commands. Its powerful search capability, with easy-to-use features such as auto-completion, has greatly helped us in the Eval test to identify relevant telemetry and alerts/incidents, benefitting not only the on-site teams but also the MSSP teams
For more information about the HanSight Enterprise SIEM, visit the website at https://en.hansight.com/
Product Configuration
We use Sysmon v10.41. Attached is the configuration file. Below is the summary of captured event. We also configured blacklist/whitelist for each event, total number is greater than 1000.
Event ID 1 == Process Creation
Event ID 2 == File Creation Time
Event ID 3 == Network Connection
Event ID 5 == Process Terminated
Event ID 6 == Driver Loaded
Event ID 7 == Image Loaded
Event ID 8 == CreateRemoteThread
Event ID 9 == RawAccessRead
Event ID 10 == ProcessAccess
Event ID 11 == FileCreate
Event ID 12,13,14 == RegObject added/deleted, RegValue Set, RegObject Renamed
Event ID 15 == FileStream Created
Event ID 17,18 == PipeEvent. Log Named pipe created & Named pipe connected
Event ID 19,20,21, == WmiEvent. Log all WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter activity