Correlation is a technique used to interpret various incidents and to detect a few activities that have importance within this huge information. It is the structure in which the incident warnings become fewer as the activity relation increases, and more target-oriented relations are identified. It correlates the detected incident groups and define them in what way and at what level they are affected.
Logsign SIEM functions in detecting the correlation library, as well as the complex incidents and the behavior models listed according to the categories below.
Logical Correlation is the correlation and interpretation of incidents that seem independent from one another.
Cross Correlation is the correlation and interpretation of incidents with security gaps.
Inventory Correlation is the correlation and interpretation of incidents with operating systems.
You can view the correlation types below supported by Logsign SIEM.
Event Correlation
It is a correlation model whose result does not depend on a statistical data. The fact that we included the “Security Use Case” content while determining the rule set allows us to identify more specific
Security Use Cases:
- Network Sessions & Flows
- Identity
- IDS/IPS
- Vulnerability
- EndpointSecurity
- Application
- Services: TI , GeoIP
Statistical Correlation
Statistical correlation uses special numerical algorithms to calculate the threat level revealed by the security incidents on various IT entities. When the customary data density reaches a level beyond standards, the mechanism creating the alerts is activated.
- Creation of many IDS alerts
- Detection on many viruses
- Traffic from many hosts to one host
Rule Based Correlation
Rules based correlation uses the data of an incident which occurred or created alerts. For instance, for an attack to be detected, previous attacks may be required to be monitored. It is the coding of the scenario as “if it is, then some actions must be taken”. Statistical lists make relational evaluations through the standard data and draws relational conclusions through the rule-based correlation data.
Threat Based Correlation
What we call threat could be the vulnerability and malware. This information is received from the vulnerability applications, and the “endpoint” and “threat intelligence” systems. While correlating the data, the relevant Logsign SIEM user is not required to know about all the attack vectors and vulnerabilities. The user only needs to know which context to use. Collecting the threats received from various systems thanks to this information under one or more “contexts” allows for an effective use.
Malware & Botnet Infection Correlation (TI supported)
Relational rules could be written with other context data by allowing the log to be enriched via TI services, by forming relations according to the data included in the security data, and by collecting data about detecting the possible external threats in our structure.
Historical Correlation
Repetitive attack models, as well as the automatic and slow attacks that might have been covered during millions of security incidents can be detected with historical correlation. It allows the malicious incidents that were not previously known to be rapidly detected. Thanks to its feature that allows for the investigation of previous incidents, the analysts are positioned better for the real-time detection of future zero-day attacks.
Product Based Correlation
We are allowed to achieve product-independent results as the advantages of taxonomy and normalization and similar events are evaluated in the same product-independent category.
For instance, when we write a rule based on a successful log-in, it allows for a correlation that can work with other relational rules without taking the type of the product into consideration.
Multi Correlation
The parts explained up until here represent correlation each. When we specifically want to detect the attacker in real terms, for instance:
- When someone tries to log in from a different country with the same shared user,
- When someone tries to access from an untrusted foreign country,
- When one of the IPs trying to access makes Port Scanner to the internal network,
- When these accessing IPs are detected by the TI services.
When we create an alert from these incidents, we most probably detect the real attacker. This is the structure that is supplied with the combination of contexts which includes many correlations, in other words, its equal in Logsign SIEM infrastructure - “Asset&Behaviors”.