SIEM Correlation Rules To Evaluate The Power Of Detection — Correlation Engine

Ertugrul Akbas
2 min read, Jun 30, 2020


A SIEM’s power is in its correlation. 80 percent of a SIEM is the correlation: if you are spending 80 percent of your time within a SIEM tool doing alert review and analysis, then you are on the right track [SANS, Your SIEM Questions Answered] [1].

Prevention is better than a cure. Thus, you must try your best to prevent a data breach [2].

The power of its correlation is what distinguishes one SIEM solution from another. Most of the time it is hard to tell SIEM solutions apart, and users end up relying on marketing and advertising. Correlation is the key feature by which to evaluate the power of a SIEM solution [3].

To make it easy to evaluate the correlation engine of a SIEM solution, here are two example rules:

  1. If the same IP logs on to the Linux server and then logs on to the Windows server, and then a service is turned on or off on either server, detect.
  2. If the same user has failed logon attempts on two different machines within fifteen minutes, and within five minutes after the second unsuccessful session one of these machines accesses an IP that appears on the threat intelligence list, detect.

These rules are meant to evaluate the correlation engine of SIEM solutions, so they were written with that target in mind.
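As an added illustration (not code from the article or from the SureLog product), here is a minimal stateful correlation of Rule 2 over a few constructed events: the pipe-separated event format, host names, user names and threat-intelligence addresses are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed threat-intelligence list (documentation-range placeholders, not real IoCs).
THREAT_INTEL = {"203.0.113.50", "198.51.100.7"}

# Constructed sample events: "timestamp|host|event|user|ip".
SAMPLE_LOG = [
    "2020-06-30T10:00:00|linux01|logon_failure|alice|10.0.0.5",
    "2020-06-30T10:06:00|win01|logon_failure|alice|10.0.0.5",
    "2020-06-30T10:09:00|win01|net_connect|-|203.0.113.50",     # matches Rule 2
    "2020-06-30T10:00:00|linux01|logon_failure|bob|10.0.0.9",
    "2020-06-30T10:20:00|win01|logon_failure|bob|10.0.0.9",      # 20 min apart: no match
    "2020-06-30T10:21:00|win01|net_connect|-|203.0.113.50",
    "2020-06-30T11:00:00|linux01|logon_failure|carol|10.0.0.3",
    "2020-06-30T11:02:00|linux01|logon_failure|carol|10.0.0.3",  # same host twice: no match
    "2020-06-30T11:03:00|linux01|net_connect|-|198.51.100.7",
]

def parse(line):
    """Parse one constructed event line into a dict with a datetime timestamp."""
    ts, host, event, user, ip = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event": event, "user": user, "ip": ip}

def correlate_rule2(lines, fail_window=timedelta(minutes=15),
                    ti_window=timedelta(minutes=5)):
    """Rule 2: one user fails logon on two different hosts within fail_window,
    then within ti_window one of those hosts contacts a threat-intel IP."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    failures = {}  # user -> [(ts, host)] of stage-1 failed logons
    armed = {}     # user -> (deadline, {host_a, host_b}) once stage 1 is satisfied
    alerts = []
    for e in events:
        if e["event"] == "logon_failure":
            prior = [(t, h) for t, h in failures.get(e["user"], [])
                     if e["ts"] - t <= fail_window and h != e["host"]]
            if prior:  # second failure on a different host inside the window
                armed[e["user"]] = (e["ts"] + ti_window, {prior[-1][1], e["host"]})
            failures.setdefault(e["user"], []).append((e["ts"], e["host"]))
        elif e["event"] == "net_connect" and e["ip"] in THREAT_INTEL:
            for user, (deadline, hosts) in list(armed.items()):
                if e["host"] in hosts and e["ts"] <= deadline:
                    alerts.append((user, e["host"], e["ip"], e["ts"].isoformat()))
                    del armed[user]  # fire once per armed sequence
    return alerts

if __name__ == "__main__":
    for a in correlate_rule2(SAMPLE_LOG):
        print("ALERT user=%s host=%s ti_ip=%s at=%s" % a)
```

Only the alice sequence satisfies both stages; bob's failures fall outside the fifteen-minute window and carol's are on a single host, so neither reaches the threat-intelligence stage.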

SureLog SIEM Implementation

Rule 1:

Surelog Implementation of Rule 1

Rule 2:

Surelog Implementation of Rule 2

References

[1] https://www.peerlyst.com/posts/do-we-need-a-buzzword-to-re-understand-the-value-of-the-siem-correlation-ertugrul-akbas

[2] https://www.peerlyst.com/posts/comparison-of-detection-methodologies-in-siem-correlation-and-search-ertugrul-akbas

[3] https://www.peerlyst.com/posts/is-siem-correlation-or-rules-are-useless-ertugrul-akbas
