What Really Matters When Selecting a SIEM and How to Choose a SIEM Looking into the Correlation?

Ertugrul Akbas
7 min read · Mar 13, 2020

Part of the SIEM problem enterprises face is failing to maintain the product with the proper correlation rules.

SIEM use cases, or rules, are 80% of the value of the product. Every SIEM solution has a correlation feature, but the engines are not equal. Before choosing a SIEM, you must check its correlation capabilities: each product has its own features, advantages and limits.

Some examples of correlation limits, taken from product user guides and vendor web sites:

AlienVault:

AlienVault is a great product and combines many open source tools such as a vulnerability scanner and an asset manager. There are some limits on correlation, for example:

“Cross-Correlation can only run on (just) IPS and Vulnerability Scanner logs and the combining on just IP addresses”.

“AlienVault uses 4,500 built-in “correlation directives” for threat correlation and most of them are just for AlienVault NIDS”.

There is a limit on list management: dynamic list usage in correlation rules is not supported in AlienVault.

Also keep in mind that the AlienVault correlation engine has sticky diff restrictions.

LogPoint:

LogPoint is a great tool and is listed by Gartner in 2020. The LogPoint user guide has details about alerts. Use case development is only available by developing a search query.

ManageEngine:

ManageEngine EventLog Analyzer is a good product and has many fantastic reporting features. When it comes to correlation, however, EventLog Analyzer does not parse firewall traffic, IPS, proxy and similar logs, just configuration and authentication logs. So correlation rules cannot include firewall traffic, IPS, proxy and similar details.

EventLog Analyzer has predefined rule templates, so you cannot create a rule from scratch; you have to select one of the predefined templates.

Other EventLog Analyzer limits:

There is no capability to develop your own rule; you have to use the available templates.

EventLog Analyzer correlation has only one operator, “Followed by Within”. Many operators are missing, such as “Not Followed by Within”.

EventLog Analyzer also lacks many field operators, such as:

  • Matches,
  • Not Matches,
  • Is null,
  • Is not null,
  • IP Range Equals,
  • IP Range Not Equals,
  • In list,
  • Not in list,
  • Starts with in list,
  • Starts with in list case insensitive,
  • Not starts with in list,
  • Not starts with in list case insensitive,
  • Contains list key in data,
  • Not contains string in list,
  • Not contains string in list case insensitive,
  • Is contained in string,
  • Regex in list,
  • Check data in regex list,
  • Contains in list,
  • Not contains in list,
  • Contains credit card number,

There is no way to use dynamic and static lists in correlation.
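To make the operator list above concrete, here is an added example written for this page (not code from ManageEngine or any other product discussed here) of a small rule evaluator that implements a handful of those operators: regex match, static list membership, IP range membership, a regex list, and a Luhn-checked “Contains credit card number”. It is evaluated against one constructed event; the event fields, the list names and the operator spellings are assumptions for the illustration.

```python
import ipaddress
import re

# Constructed sample event (not from the page): a parsed record as a SIEM rule
# engine would see it.
EVENT = {
    "src_ip": "10.1.2.3",
    "user": "svc_backup",
    "msg": "card 4111 1111 1111 1111 submitted via /api/pay",
    "proc": r"C:\Windows\Temp\svchost.exe",
}

# Static lists a rule can reference by name (constructed for the example).
LISTS = {
    "service_accounts": ["svc_backup", "svc_sql"],
    "admin_nets": ["10.1.0.0/16", "192.168.50.0/24"],
    "suspicious_paths": [r"\\Temp\\", r"\\AppData\\Local\\"],
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_credit_card(text: str) -> bool:
    """'Contains credit card number': 13-19 digits in space/dash groups, Luhn-valid."""
    for m in re.finditer(r"(?:\d[ -]?){12,18}\d", text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            return True
    return False


def in_ip_range(value: str, list_name: str) -> bool:
    """'IP Range Equals': the address falls inside any CIDR block of the named list."""
    addr = ipaddress.ip_address(value)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in LISTS[list_name])


# Operator name -> predicate(field value, rule argument). The argument is a regex
# for the match operators and a list name for the list operators.
OPERATORS = {
    "matches": lambda v, arg: re.search(arg, v) is not None,
    "not_matches": lambda v, arg: re.search(arg, v) is None,
    "is_null": lambda v, arg: v in (None, ""),
    "is_not_null": lambda v, arg: v not in (None, ""),
    "in_list": lambda v, arg: v in LISTS[arg],
    "not_in_list": lambda v, arg: v not in LISTS[arg],
    "ip_range_equals": lambda v, arg: in_ip_range(v, arg),
    "ip_range_not_equals": lambda v, arg: not in_ip_range(v, arg),
    "regex_in_list": lambda v, arg: any(re.search(p, v) for p in LISTS[arg]),
    "contains_credit_card": lambda v, arg: contains_credit_card(v),
}


def evaluate(rule, event) -> bool:
    """A rule is a list of (field, operator, argument) conditions ANDed together.
    A field missing from the event can only satisfy the null checks."""
    for field, op, arg in rule:
        value = event.get(field)
        if value is None and op not in ("is_null", "is_not_null"):
            return False
        if not OPERATORS[op](value, arg):
            return False
    return True


# Hypothetical rule: a service account, from an admin network, running a binary
# out of a scratch directory, with a card number in the message.
RULE = [
    ("user", "in_list", "service_accounts"),
    ("src_ip", "ip_range_equals", "admin_nets"),
    ("proc", "regex_in_list", "suspicious_paths"),
    ("msg", "contains_credit_card", None),
]

if __name__ == "__main__":
    print("RULE fires:", evaluate(RULE, EVENT))
```

The point of the Luhn check is the false-positive rate: a plain `\d{16}` pattern fires on order numbers and timestamps, while a checksum-validated match rarely does. The list operators take a list name rather than the list contents so the same rule keeps working when the list is updated.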

There is no way to use the output of one correlation rule as the input to a new correlation rule.

There are column restrictions in correlation: you cannot use all the columns that are available in reports.

SolarWinds SIEM:

SolarWinds SIEM is a good product and has many good features. When it comes to correlation:

SolarWinds LEM does not expose all the report fields to correlation. Also, correlation cannot fire on the raw log data that is received.

SolarWinds LEM documents mention some other correlation limits. For example, you cannot create a rule using a “NOT FOLLOWED BY” operator.

Only the AND and OR operators are supported; the NOT operator is not supported.

SolarWinds does not support creating scenarios based on multiple rules.

Threshold rules are very limited. For example, you cannot create a rule like: if there are 5 events from host firewalls with severity 4 or greater within 10 minutes between the same source IP and the same destination IP, alert.

Dynamic list updates through actions are missing.

Linking multiple rule fields is missing.

“Group By” is not supported.

You should also check the system requirements and performance limits (up to 5000 rule executions per day).

Splunk:

If you think about SIEM, you have to consider Splunk ES; Splunk Core/Enterprise is not a SIEM product by itself. Splunk is a great product. Splunk says that:

“Each realtime search unpreemptively locks 1 core on EVERY INDEXER and on your Search Head”.

Also, there is no functional real-time detection.

McAfee:

McAfee SIEM is a powerful SIEM. If you want to dig into correlation details, you will see some comments on the McAfee SIEM blog like the following:

“If use case has many rules, for example 5 rules, currently McAfee have got only 1 of these 5 source events’ custom types in use case.”

There are some limits on correlation fields:

“The only way is with the API.”

“No case insensitive option when using watchlists.”

“If I see a user attempt to login to our VPN from two different ‘regions’ within a three-hour window. I have the logic built but in the correlation rules ‘Advanced Options’ I try to set a ‘Distinct values’ of 2, but the monitored fields only seem to provide a ‘Source Geo location’ option, and not the ability to select state, region, country, etc.”

Non-supported rule types: Rule chain:

“If a firewall admin login has occurred and after this login action there is no configuration change immediately (within 15 minutes) but there is a change in the firewall within 12 hours, notify.”

Threshold rules:

“Destination IP is 1.1.1.1 and destination port is 389 and sent_bytes > 100000 (total) in a time frame of 10 minutes, grouped by source IP.”

“I want to know how many SQL injection attack events come from a single IP in 5 minutes. I know that I can set a threshold, but I want to know the exact number.”

How to Choose a SIEM Looking into the Correlation?

If correlation is important to you, read the technical documents. Some remarkable examples of limits and notes are given above. There are many other SIEM solutions, such as IBM QRadar, ArcSight, FortiSIEM, SureLog, RSA and LogRhythm; check in detail what each product's user guides and technical documents say about correlation.

Correlation and detection capability is important. In order to choose a SIEM according to its correlation capabilities, you should also check whether the following use cases are supported:

  • Warn if a PowerShell command in base64 format with more than 100 characters appears
  • Password changes for the same user more than 3 times within 45 days
  • If there are more than 10 DNS requests within 5 minutes which have the same domain but different subdomains, notify. Example: xxx.domain.com, yyy.domain.com
  • Misuse of an account
  • Lateral movement
  • Executive-only asset accessed by a non-executive user
  • Multiple VPN accounts with failed logins from a single IP
  • First access to critical assets
  • User access from multiple hosts
  • User account created and deleted within a short period of time
  • Monitor privileged accounts for suspicious activity
  • Chained RDP connections
  • RDP with an unusual charset
  • Multiple RDP connections from the same host in a short time
  • Lateral movement following an attack
  • Days on which a user accessed more assets than his 95th percentile
  • A user whose HTTP-to-DNS protocol ratio is 300% higher than that of 95% of the other users, computed over the last four weeks for the 4th day of the week
  • If a user's ratio of failed authentications to successful authentications reaches 10%, alert
  • Data loss detection by monitoring all endpoints for an abnormal volume of data egress
  • Measure the similarity between well-known process names and the running ones using Levenshtein distance in real time, to detect process masquerading
  • DGA detection
  • Detect attack tools
  • Detect malware
  • Detect suspicious/malicious processes
  • Detect suspicious/malicious files
  • Detect suspicious/malicious services
  • Detect an abnormal port used in an outbound network connection from an asset
  • Abnormal number of assets logged on to
  • Failed logon to an asset that a user has never logged on to before
  • First time a user saves files to a USB drive
  • First time a user performs an activity from a country
  • First VPN connection from a device for a user
  • First connection from a source IP
  • First access to a device for a user
  • First access to the MSSQL database for the HR peer group
  • First access to the MSSQL database for a user
  • First mail to/from a domain for the organization
  • First access to a web domain that a reputation feed has identified as risky
  • First execution of a process on a host
  • First access to object fdghsdydhas
  • First access from a host to a database for a user
  • First access from source zone “Atlanta office” to a database for a user
  • Suspicious temporary account activity
  • Abnormal account administration
  • Unusual account privilege escalation
  • Unusual file modifications
  • Abnormal password activity
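Three of the use cases above (the long base64-encoded PowerShell command, the burst of distinct subdomains under one domain within 5 minutes, and Levenshtein-based process masquerade detection) are small enough to implement directly, which is a quick way to test whether a candidate SIEM's rule language can express them. The block below is an added example written for this page, not code from any SIEM vendor; the sample command lines, DNS queries and process names are constructed, and the well-known process list, the two-edit threshold and the naive registered-domain split are assumptions.

```python
import re
from collections import defaultdict, deque

# --- Use case: base64 PowerShell command longer than 100 characters ---------------
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
_ENC_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{100,})", re.IGNORECASE)


def is_long_encoded_powershell(cmdline: str) -> bool:
    return "powershell" in cmdline.lower() and _ENC_RE.search(cmdline) is not None


# --- Use case: more than 10 distinct subdomains of one domain within 5 minutes -----
def registered_domain(fqdn: str) -> str:
    # Assumption: the last two labels are the registered domain (no public-suffix list).
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def subdomain_bursts(queries, threshold=10, window=300):
    """queries: iterable of (ts_seconds, fqdn). Returns [(domain, ts, distinct_count)]."""
    seen = defaultdict(deque)                  # domain -> (ts, fqdn) inside the window
    alerts = []
    for ts, fqdn in sorted(queries):
        dom = registered_domain(fqdn)
        q = seen[dom]
        q.append((ts, fqdn.lower()))
        while q and ts - q[0][0] > window:     # slide the window
            q.popleft()
        distinct = {name for _, name in q}
        if len(distinct) > threshold:
            alerts.append((dom, ts, len(distinct)))
            q.clear()                          # one alert per burst
    return alerts


# --- Use case: process masquerading via Levenshtein distance -------------------------
def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


WELL_KNOWN = ["svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"]


def masquerade_candidates(running, known=WELL_KNOWN, max_distance=2):
    """Names within a few edits of a well-known process name but not equal to one.
    Exact matches are skipped first: lsass.exe is 2 edits from csrss.exe and
    would otherwise be flagged against its neighbour."""
    hits = []
    for name in running:
        n = name.lower()
        if n in known:
            continue
        for k in known:
            d = levenshtein(n, k)
            if d <= max_distance:
                hits.append((name, k, d))
    return hits


# Constructed sample inputs (not from the page).
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + "QQBC" * 40,
    "powershell.exe -ExecutionPolicy Bypass -File deploy.ps1",
]
SAMPLE_QUERIES = [(i * 20, f"h{i}.evil-example.com") for i in range(12)] + \
                 [(i * 20, "www.example.com") for i in range(15)]
SAMPLE_PROCESSES = ["svch0st.exe", "lsass.exe", "explorer.exe", "scvhost.exe", "notepad.exe"]

if __name__ == "__main__":
    print([is_long_encoded_powershell(c) for c in SAMPLE_CMDLINES])
    print(subdomain_bursts(SAMPLE_QUERIES))
    print(masquerade_candidates(SAMPLE_PROCESSES))
```

The subdomain rule needs per-domain state with a time window and a distinct count, which is exactly the “Group By” plus threshold combination some of the products above lack; the masquerade rule needs a string-distance function, which most rule editors cannot express at all and which therefore usually has to run as a scheduled search or an external enrichment.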

Originally published at https://www.peerlyst.com on March 13, 2020.

Written by Ertugrul Akbas

Entrepreneur, Security Analyst, Research.