[basilthiras]

What is the best way for SIEM products to Correlate data from logs ?

• This discussion was modified 3 years ago by  basilthiras.
• This discussion was modified 3 years ago by  basilthiras.

[imsanjid]

1. Normalize data between different cloud applications, unified events are super important.
2. Examine system wide events, don’t focus just on single application or behavior.
3. Keep history (if a specific IP was the source of suspicious behavior, pay special attention to events coming from it in the future).
4. Learn from false positives and update your correlation rules accordingly to prevent them in the future.
5. Analyze attacks and malicious behavior from the past and write a rule that will catch them in the future.

• This reply was modified 3 years ago by  imsanjid.

[Farook]

Depends on what you mean by “preferred method.” Most commercial SIEM tools use rule-based correlation: if event X happens followed by event type Y, then do something.

[Ajuz]

Correlation is the first step that requires significant forethought. Basically, the correlation engine joins log records together to provide a big picture of the events upon which you may want to focus. There are many types of correlations that can be made, and SIEM systems generally provide tools that can help administrators build correlation rules.

[haCker_gIrl]

For make it better you should follow this following steps…
1) get relevant log feeds
2) normalise all the data and clean it up but keep the raw log
3) construct a data dictionary for each type
4) apply data enrichment
5) identify values that can act as transaction keys
6) identify business rules related to the data you have