Correlation is a must for SIEM solutions, but the detection capabilities of the available SIEM products differ greatly from one another. One of these differences is the set of operators a SIEM product supports. Why do these operators matter? The CVE-2020-1472 vulnerability in the Netlogon protocol, aka Zerologon, allows attackers to hijack Microsoft Domain Controllers / Domain Servers. To detect this attack, we need to correlate the following two events occurring at the same time:
- Event ID: 5805
  - Type: System
- Event ID: 4742
  - Type: Security
  - Description: A computer account was changed
  - Source User Name: Anonymous Logon

where the computer account from event 4742 equals the device host name from event 5805.
This rule needs the “at the same time” operator. If you do not have a product such as SureLog that offers this operator, you will have to resort to workarounds to detect the attack, and in some cases there is no way around a missing operator at all. If your system evaluates rules by scheduled polling at fixed intervals, this rule will also consume serious resources.
Many operators can be found in every SIEM product. Examples of operators that are not in every SIEM product: “After”, “Before”, “At the same time”.
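To make the operator discussion concrete, here is an added example (not code from the article or from SureLog) that implements the Zerologon rule above as a small correlation engine over a handful of constructed sample events. It goes slightly beyond the text: besides “at the same time” it also implements the “after” and “before” operators, so the same rule can be evaluated with any of the three. The event records, their field names (`host`, `computer_account`, `source_user_name`) and the time values are all constructed for this example; a real 4742 event carries the account name with a trailing `$`, which is why the join key is normalized before comparison.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real Windows log data). Times are ISO 8601.
# The System/5805 event carries the host name from the Netlogon message; the
# Security/4742 event carries the changed computer account and the source user.
EVENTS = [
    {"time": "2020-09-15T10:00:01", "log": "System", "event_id": 5805, "host": "DC01"},
    {"time": "2020-09-15T10:00:02", "log": "Security", "event_id": 4742,
     "computer_account": "DC01$", "source_user_name": "ANONYMOUS LOGON"},
    {"time": "2020-09-15T11:30:00", "log": "Security", "event_id": 4742,
     "computer_account": "WS07$", "source_user_name": "Administrator"},
    {"time": "2020-09-15T12:00:00", "log": "System", "event_id": 5805, "host": "DC02"},
    {"time": "2020-09-15T12:05:00", "log": "Security", "event_id": 4742,
     "computer_account": "DC02$", "source_user_name": "ANONYMOUS LOGON"},
]


def parse_time(event):
    return datetime.fromisoformat(event["time"])


def normalize_name(name):
    # 4742 reports the account as "HOST$"; 5805 reports the bare host name.
    return name.rstrip("$").upper()


def at_same_time(left, right, window):
    """'At the same time' operator: the two events lie within +/- window of each other.
    A tolerance window is required because clocks and log pipelines are never exactly aligned."""
    return abs(parse_time(left) - parse_time(right)) <= window


def after(left, right, window):
    """'After' operator: right occurs at or after left, no later than window."""
    delta = parse_time(right) - parse_time(left)
    return timedelta(0) <= delta <= window


def before(left, right, window):
    """'Before' operator: right occurs at or before left, no earlier than window."""
    return after(right, left, window)


OPERATORS = {"at_same_time": at_same_time, "after": after, "before": before}


def detect_zerologon(events, window_seconds=60, operator="at_same_time"):
    """Zerologon rule: System/5805 <operator> Security/4742 with source user
    'Anonymous Logon', joined on host name == computer account."""
    op = OPERATORS[operator]
    window = timedelta(seconds=window_seconds)
    netlogon_failures = [e for e in events
                         if e["log"] == "System" and e["event_id"] == 5805]
    anonymous_changes = [e for e in events
                         if e["log"] == "Security" and e["event_id"] == 4742
                         and e["source_user_name"].upper() == "ANONYMOUS LOGON"]
    alerts = []
    for n in netlogon_failures:
        for c in anonymous_changes:
            if (normalize_name(n["host"]) == normalize_name(c["computer_account"])
                    and op(n, c, window)):
                alerts.append({
                    "rule": "Zerologon: Netlogon 5805 and anonymous 4742 " + operator,
                    "host": n["host"],
                    "netlogon_time": n["time"],
                    "account_change_time": c["time"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_zerologon(EVENTS):
        print(alert)
```

With the default 60-second window only the DC01 pair fires; the DC02 pair is five minutes apart and the WS07 change is excluded because its source user is not Anonymous Logon. Widening the window to ten minutes makes DC02 fire as well, which illustrates the trade-off the window introduces: too tight and pipeline delay hides real matches, too loose and unrelated events start to pair up.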
For more detailed information on correlation, see the following articles:

- The Math of SIEM Comparison. “There are many comparisons and scoring reports like Gartner. But a small part of their scoring is technical capacity…”
- What Really Matters When Selecting a SIEM and How to Choose a SIEM Looking into the Correlation? “Part of the SIEM problems enterprises face is failing to maintain it with the proper correlation rules.”
- Comparison of Detection Methodologies in SIEM. Correlation and Search. “In some cases, it is questionable if the correlation is really necessary. Without automated correlation and alert…”
- Comparing Detection Capabilities of SIEM Solutions with Their Costs. “The proper use of SIEM supports multiple security purposes, including:”
- SIEM Correlation Rules To Evaluate The Power Of Detection — Correlation Engine. “A SIEM’s power is in its correlation. 80 percent of SIEM is the correlation. If you are spending 80 percent of your…”