Correlation is a method that determines whether a relationship exists between two or more sets of data and investigates the direction and effect of that relationship.
The correlation engine is the software that, from a cyber security perspective, investigates the relationship between past and present data together with the correlation output obtained from previously learned relationships, and triggers other components in order to provide information, prevention and awareness.
The Logsign SIEM correlation approach consists of the steps below:
- Categorizing the correlations
- Pre-defined correlation rules running on the correlation engine
- Threat Intelligence Integrations
- Taking action apart from alerts and notifications
- Correlation techniques
- Scalable correlation capacity
The correlation engine automatically works with 14 pre-defined categories. These are as follows:
Credential Access, Execution, File, Identity, Impact, Information Gathering, Mail, Malware, System, Threat, Threat Intelligence, Traffic, Web.
These categories contain more than 200 pre-defined behavioral definitions.
Correlation rules can be classified and filtered according to specifications, behaviors, types and categories, and new rules can be formed.
The correlation engine works integrated with Threat Intelligence services.
- It is integrated with more than 35 third-party Threat Intelligence service providers that collect information such as analyses, scores, blocklists, malware, etc.
- The number of integrations grows as new Threat Intelligence services are added.
When an incident is detected by one or more correlation rules, notifications can be created as:
- Alert (E-mail & SMS)
- Alert + Automatic Action
Automatic actions enable the following processes:
- IP blocking
- Port blocking
- Limited blocking and cancellation
- Adding objects to the rule group
When writing a new correlation rule, the first step is to determine its structure. The elements below are important in forming this correlation structure:
Category: Categorizing the risk
Severity: Evaluating the risk
Rule Set: The steps that check whether the specified objects meet certain rules under certain conditions
Action and Notification: The actions to be taken the moment the rules are met while the correlation is running
Asset: Using rules that are integrated with entities (asset lists) that are pre-determined or determined as the situation requires
We are now closer to writing a new correlation. Before starting, take a look at the correlation mechanisms step by step and check what to pay attention to while these structures are used.
Forming a new correlation:
Preparation Step:
- Open the Alert > Alert Rules page from the Logsign WEB interface. Then click the +New Alert Rule button in the upper right corner.
Definition
- Description: Alert name
- Category: Alert category
- Severity: Alert risk evaluation
- Tags: Sharing tag
Rule Set
A rule set operates on the columns received from log sources (Source.IP: X.X.X.X, etc.); the goal is to define the related rule by processing specific columns with specific conditions (Rule1: Source.IP IS X.Y.X.Y). When more than one rule set is defined, the rule is triggered only when all of them are met. A rule is met when the condition evaluates as TRUE for the given data, regardless of what that condition describes. For instance, for “Source.IP IS NOT X.Y.X.Z” it is enough that the rule returns TRUE, even though the condition itself does not express something positive. Under some conditions, however, you may want to apply the same rule to more than one object. In that case, we reach our target by creating dynamically (statistically) and statically populated lists, built with the specific steps described under Asset.
- Asset Lists
- Open the Alert > Assets and Behaviours page from Logsign WEB interface. Then click the +New List button on the right upper corner.
- Definition
- Description: Name of the list
- Type: Determines how the list type is formed and how its objects are populated. The “Static” and “Statistical” types are used in correlations. If the list is to be created manually, select “Static”. Select “Statistical” when the list is to be populated automatically under the conditions defined after the definition step.
- Data
- This section defines the objects on the selected list. The objects entered on the list must be used in their Mapping form, i.e. exactly as the column value appears in the log. For instance, consider a user name list for a correlation that is triggered when users connect to the VPN outside of working hours. If the user “Berkcan-İsik” appears in a log as (Source.Username: “Berkcan-İsik”) and we only target that exact character set, we use a “Static” list. However, if the same user is defined differently on the host and on the mobile log-in – “Berkcan-İsik-Iphone” on the mobile and “Berkcan-İsik” on the host – and we want to target all log-ins of the staff member Berkcan Işık, we set the list condition to “Contains” and create it so that each rule matches any value that includes “Berkcan-İsik”. The Modifier section under Advance Mode allows the target column on the received log to be re-characterized.
Action and Notification
- Action Column: Determining the column for the action to be targeted after the correlation is detected
- E-mail: E-mail notification
- SMS: SMS notification
- Security Automation: Selecting the firewall that is to take action
We have now covered the mechanisms of correlations. We shall consolidate this information with an example, so that you will be able to read the pre-prepared correlations on Logsign SIEM and define your own custom correlations.
We shall write the Brute Force Attack Activity correlation as an example.
- Open the Alert > Alert Rules page from Logsign WEB interface. Then click the +New Alert Rule button on the right upper corner.
- Definition: Type “Brute Force Attack Activity” as the description. Determine the category and risk level.
- Determine the Rule Sets.
- A list needs to be defined at this stage: a list that is populated when a defined number of attempts are made within a certain time period, which is then added to the rules.
- Open the Alert > Assets and Behaviours page from the Logsign WEB interface. Then click the +New List button in the upper right corner.
- As this list cannot be Static, define it as “Statistical” and, by setting certain thresholds, allow the hosts that produce an excessive number of Login Failures to be added to the list.
- Type “Brute Force Attacker Hosts List” for the Description. Define the list type as “Statistical”. Define the severity. In the tag field, tag the list entries as “Attacker” and “Behaviors” so that a host entering this list is marked as having entered it.
- Enter @@LogonFailure, which was pre-prepared in MiniQuery, as the Query.
- Group by Source IP. Enter 1000 as the list length. Since the number of times an entry was triggered matters for us, select “Value Count” in the Value column so that occurrences are counted. Enter 100 for Trigger (the number of occurrences after which a host enters the list).
- Enter 360 for “Check events in last” so that additions to this list are made according to the events of the last 360 seconds. Enter 60 in the “Update Period” section for the update period.
- Set “Purge Period” so that the list is purged every 360 seconds. Create the asset list by clicking the Save button.
- Open the Alert > Alert Rules page from Logsign WEB interface. Then click the
- Select Brute Force Attack Activity alert rule.
- Since we created our asset list, in this example we set the rule set to “Source.IP Behavior Brute Force Attacker Hosts List”, so that the correlation is triggered for every IP on this list as soon as all the rule conditions of the correlation are met for that IP.
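As an added illustration of the Statistical list and rule-set logic described above (the "Contains" versus exact matching in the Asset section, and the Brute Force Attacker Hosts List with its Trigger of 100 and 360-second window), here is a simplified model written for this page; it is not Logsign code, and the event records, the LogonFailure query and the per-event evaluation (instead of the 60-second Update Period) are assumptions.

```python
from collections import defaultdict, deque


def rule_matches(value, target, mode="is"):
    """Evaluate one rule-set condition the way the page describes: IS, IS NOT or Contains."""
    if mode == "is":
        return value == target
    if mode == "is not":
        return value != target
    if mode == "contains":
        return target in value
    raise ValueError("unknown condition: %s" % mode)


class StatisticalList:
    """Statistical asset list: count query hits per group key inside a sliding window,
    add the key once the count reaches the trigger, drop it after the purge period."""

    def __init__(self, query, group_by, trigger, window_seconds, purge_seconds):
        self.query, self.group_by, self.trigger = query, group_by, trigger
        self.window_seconds, self.purge_seconds = window_seconds, purge_seconds
        self.hits = defaultdict(deque)   # group key -> timestamps of matching events
        self.members = {}                # group key -> time the entry was last refreshed

    def feed(self, event):
        if not self.query(event):        # "Query: @@LogonFailure" is modelled as a predicate
            return
        key = event[self.group_by]
        q = self.hits[key]
        q.append(event["ts"])
        while q and q[0] < event["ts"] - self.window_seconds:   # "Check events in last"
            q.popleft()
        if len(q) >= self.trigger:       # "Trigger" threshold reached -> host enters the list
            self.members[key] = event["ts"]

    def current(self, now):
        """Entries still alive: not older than the purge period (assumed purge semantics)."""
        return {k for k, t in self.members.items() if now - t < self.purge_seconds}


def make_events():
    """Constructed sample events (not real logs): 120 failures from one host in 240 s,
    5 slow failures from another host, and one unrelated success."""
    ev = [{"ts": t * 2, "Source.IP": "10.0.0.5", "Action": "LogonFailure"} for t in range(120)]
    ev += [{"ts": t * 50, "Source.IP": "10.0.0.9", "Action": "LogonFailure"} for t in range(5)]
    ev += [{"ts": 100, "Source.IP": "10.0.0.7", "Action": "LogonSuccess"}]
    return sorted(ev, key=lambda e: e["ts"])


def brute_force_alerts(events):
    """Rule set 'Source.IP Behavior Brute Force Attacker Hosts List': alert on each event
    whose Source.IP is currently on the statistical list (page values: 100 hits in 360 s)."""
    hosts = StatisticalList(lambda e: e["Action"] == "LogonFailure", "Source.IP", 100, 360, 360)
    alerts = []
    for e in events:
        hosts.feed(e)
        if e["Source.IP"] in hosts.current(e["ts"]):
            alerts.append((e["ts"], e["Source.IP"]))
    return alerts
```

Only the host that reaches 100 logon failures inside the window raises alerts; the host with five slow failures never enters the list.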