Logs from correlation

  • Logs from correlation

  • basilthiras

    Member
    April 25, 2021 at 11:45 am

    What is the best way for SIEM products to Correlate data from logs ?

    • This discussion was modified 1 year, 3 months ago by  basilthiras.
    • This discussion was modified 1 year, 3 months ago by  basilthiras.
  • imsanjid

    Organizer
    April 25, 2021 at 11:54 am

    1. Normalize data between different cloud applications, unified events are super important.
    2. Examine system wide events, don’t focus just on single application or behavior.
    3. Keep history (if a specific IP was the source of suspicious behavior, pay special attention to events coming from it in the future).
    4. Learn from false positives and update your correlation rules accordingly to prevent them in the future.
    5. Analyze attacks and malicious behavior from the past and write a rule that will catch them in the future.

    • This reply was modified 1 year, 3 months ago by  imsanjid.
    • Farook

      Member
      April 25, 2021 at 3:02 pm

      Depends on what you mean by “preferred method.” Most commercial SIEM tools use rule-based correlation: if event X happens followed by event type Y, then do something.

  • Ajuz

    Member
    April 25, 2021 at 10:41 pm

    Correlation is the first step that requires significant forethought. Basically, the correlation engine joins log records together to provide a big picture of the events upon which you may want to focus. There are many types of correlations that can be made, and SIEM systems generally provide tools that can help administrators build correlation rules.

  • haCker_gIrl

    Member
    April 25, 2021 at 10:47 pm

    For make it better you should follow this following steps…
    1) get relevant log feeds
    2) normalise all the data and clean it up but keep the raw log
    3) construct a data dictionary for each type
    4) apply data enrichment
    5) identify values that can act as transaction keys
    6) identify business rules related to the data you have