Correlation is a method that determines whether a relationship exists between two or more data items and examines the direction and effect of that relationship.
In a cyber security context, the correlation engine is software that examines the relationship between past and present data, combines it with relationships learned earlier, and triggers other components based on the resulting correlation output in order to provide prevention and awareness.
The correlation approach of the Logsign Unified SecOps Platform consists of the following elements:
- Categorizing the correlations
- Pre-defined correlation rules running on the correlation engine
- Threat Intelligence integrations
- Taking action beyond alerts and notifications
- Correlation techniques
- Scalable correlation capacity
The correlation engine works automatically with 14 pre-defined categories, which include:
Credential Access, Execution, File, Identity, Impact, Information Gathering, Mail, Malware, System, Threat, Threat Intelligence, Traffic, Web.
These categories contain more than 200 pre-defined behaviour definitions.
Correlation rules can be classified and filtered by specification, behaviour, type and category, and new rules can be created.
The correlation engine is integrated with Threat Intelligence services.
- It integrates with more than 45 third-party Threat Intelligence providers that supply information such as analyses, scores, blocklists and malware data.
- The number of integrations grows as new Threat Intelligence services are added.
When an incident is detected by one or more correlation rules, notifications can be created as:
- Alert (E-mail & SMS)
- Alert + Automatic Action
Automatic actions support the following operations:
- IP blocking
- Port blocking
- Limited blocking and its cancellation
- Adding objects to the rule group
Before writing a new correlation rule, decide on its structure. The following elements are important when forming that structure:
Category: Categorizing the risk
Severity: Rating the risk
Rule Set: The conditions that determine whether the targeted objects meet the given rules under the given circumstances
Action and Notification: The actions taken at the moment the rules are met while the correlation is running
Asset: Rules that work together with entities (asset lists) that are defined in advance or populated dynamically according to the situation
You are now close to writing a new correlation. Before starting in the application, go through the correlation mechanisms step by step and note what to pay attention to when using each of these structures.
Forming a new correlation:
Preparation Step:
- Open the Settings -> Incidents and Alerts -> Alert Rules page in the Logsign web interface, then click the + Alert Rule button in the upper right corner.
Definition
- Description: Alert name
- Category: Alert category
- Severity: Alert risk evaluation
- Tags: Sharing tag
Rule Set
A rule set operates on the columns received from the log sources (e.g. Source.IP: X.X.X.X). The aim is to define the rule by applying specific operators to specific columns (Rule1: Source.IP IS X.Y.X.Y). When more than one rule is defined, the correlation is triggered only when all of them are met. Whether a rule validates depends on whether the given information is confirmed against its target: for example, if you enter “Source.IP IS NOT X.Y.X.Z” as a rule, it is enough for that rule to evaluate to TRUE, even though the condition itself is a negative one. Under some conditions, however, you may want to apply the same rule to more than one object. In that case you can achieve this by creating statically or dynamically populated lists, built with the specific steps described below, within the scope of Asset.
- Asset Lists
- Open the Settings -> Incidents and Alerts -> Behaviours and Lists page in the Logsign web interface, then click the + List button in the upper right corner.
- Definition
- Description: Name of the list
- Type: Determines the type of the list and how its objects are populated. Two types are used in correlations: “Static” and “Statistical”. Select “Static” when the list is to be created and maintained manually; select “Statistical” when the list is to be populated automatically once the conditions defined for it are met.
- Data
- Identifies the objects on the selected list. The objects you enter must be written in their mapped (normalized) form, i.e. as they appear in the parsed log. For example, consider a username list for a correlation that triggers when users connect to the VPN outside working hours. If the user appears in the log as Source.Username: “David-Bellingham” and you only want to match exactly that character string, a Static list with the exact value is enough. If, however, the same person logs in both from a host and from a mobile device under different usernames, “David-Bellingham” on the host and “David-Bellingham-Iphone” on the mobile device, and you want to target all log-ins of the staff member David Bellingham, set the list match to “Contains” so that every rule using the list matches any value that contains “David-Bellingham”. The Modifier section under Advanced Mode allows the target column of the received log to be re-characterized (transformed) before it is compared.
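The rule-set and list semantics described above (all rules of a set must be TRUE, a negative rule such as IS NOT only has to evaluate TRUE, list matching by exact value or Contains, and the Modifier re-characterizing a column before comparison), run over a handful of constructed VPN log events, as an added Python example that is not Logsign's code. Rule, StaticList, the operator names and the event fields (Source.IP, Source.Username, EventType, Hour) are illustrative assumptions, and “outside working hours” is simplified to before 08:00.

```python
"""Added example (not Logsign code): a minimal model of the rule-set and asset-list
mechanics described above. Rule, StaticList and the event fields are illustrative
assumptions; the log events below are constructed."""
from dataclasses import dataclass
from typing import Callable

# Constructed, already-mapped events, i.e. the form in which list objects must be written.
EVENTS = [
    {"Source.IP": "10.0.0.5", "Source.Username": "David-Bellingham",        "EventType": "VPNLogin",  "Hour": 3},
    {"Source.IP": "10.0.0.9", "Source.Username": "David-Bellingham-Iphone", "EventType": "VPNLogin",  "Hour": 5},
    {"Source.IP": "10.0.0.7", "Source.Username": "Alice-Smith",             "EventType": "VPNLogin",  "Hour": 2},
    {"Source.IP": "10.0.0.5", "Source.Username": "David-Bellingham",        "EventType": "VPNLogin",  "Hour": 10},
    {"Source.IP": "10.0.0.8", "Source.Username": "DAVID-BELLINGHAM",        "EventType": "VPNLogin",  "Hour": 4},
    {"Source.IP": "10.0.0.5", "Source.Username": "David-Bellingham",        "EventType": "VPNLogout", "Hour": 4},
]


@dataclass
class StaticList:
    """Manually maintained asset list. match is "exact" or "contains"; modifier models the
    Advanced Mode Modifier that re-characterizes the column value before it is compared."""
    name: str
    values: list
    match: str = "exact"
    modifier: Callable[[str], str] = lambda v: v

    def contains(self, value) -> bool:
        if value is None:
            return False
        v = self.modifier(str(value))
        if self.match == "exact":
            return v in self.values
        return any(item in v for item in self.values)


@dataclass
class Rule:
    """One condition of a rule set, e.g. Rule("Source.IP", "IS NOT", "10.0.0.5")."""
    column: str
    operator: str          # IS, IS NOT, IN LIST, NOT IN LIST, LESS THAN
    operand: object

    def evaluate(self, event: dict) -> bool:
        actual = event.get(self.column)
        if self.operator == "IS":
            return actual == self.operand
        if self.operator == "IS NOT":
            return actual != self.operand        # a negative rule still only has to be TRUE
        if self.operator == "IN LIST":
            return self.operand.contains(actual)
        if self.operator == "NOT IN LIST":
            return not self.operand.contains(actual)
        if self.operator == "LESS THAN":
            return actual is not None and actual < self.operand
        raise ValueError(f"unknown operator {self.operator}")


def rule_set_matches(rules, event) -> bool:
    """A rule set triggers only when every rule in it evaluates TRUE (logical AND)."""
    return all(rule.evaluate(event) for rule in rules)


def run_correlation(rules, events=EVENTS) -> list:
    return [e for e in events if rule_set_matches(rules, e)]


# Three ways to list the same person, as discussed in the Data paragraph above.
EXACT_LIST = StaticList("David exact", ["David-Bellingham"])
CONTAINS_LIST = StaticList("David any device", ["David-Bellingham"], match="contains")
CASEFOLD_LIST = StaticList("David any case", ["david-bellingham"], match="contains", modifier=str.lower)


def off_hours_vpn_logins(user_list: StaticList) -> list:
    """'Outside working hours' is simplified to before 08:00 for this example (assumption)."""
    rules = [
        Rule("EventType", "IS", "VPNLogin"),
        Rule("Hour", "LESS THAN", 8),
        Rule("Source.Username", "IN LIST", user_list),
    ]
    return run_correlation(rules)


def vpn_logins_not_from(ip: str) -> list:
    """Negative rule: matches every VPN login whose Source.IP is not the given one."""
    return run_correlation([Rule("EventType", "IS", "VPNLogin"), Rule("Source.IP", "IS NOT", ip)])


if __name__ == "__main__":
    for lst in (EXACT_LIST, CONTAINS_LIST, CASEFOLD_LIST):
        hits = off_hours_vpn_logins(lst)
        print(f"{lst.name}: {len(hits)} off-hours login(s): {[e['Source.Username'] for e in hits]}")
    print("VPN logins not from 10.0.0.5:", len(vpn_logins_not_from("10.0.0.5")))
```

Running it shows the difference the list type makes: the exact list catches only the host login, the Contains list also catches the mobile login, and the Contains list with a lower-casing Modifier additionally catches the upper-cased username, while the 10:00 login and the logout event are excluded by the other rules of the set.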
Action and Notification
- Action Column: The column whose value the action targets once the correlation is detected
- E-mail: E-mail notification
- SMS: SMS notification
- Security Automation: Selecting the firewall that will take the action
You now have the information about how correlations work. The following example consolidates it; afterwards you will be able to read the pre-defined correlations on the Logsign Unified SecOps Platform and define your own.
Write the Brute Force Attack Activity correlation as an example.
- Open the Settings -> Incidents and Alerts -> Alert Rules page in the Logsign web interface, then click the + Alert Rule button in the upper right corner.
- Definition: Enter “Brute Force Attack Activity” as the description and set the category and severity.
- Define the rule sets.
- A list is needed at this stage. Create a list that is populated when a defined number of attempts is made within a certain time period, then add it to the rules.
- Open the Settings -> Incidents and Alerts -> Behaviours and Lists page in the Logsign web interface, then click the + List button in the upper right corner.
- Because this list cannot be Static, define it as Statistical and set thresholds so that sources producing an excessive number of Login Failure events are added to the list automatically.
- Enter “Brute Force Attacker Hosts List” as the Description, set the list type to Statistical and set the severity.
- In the Query field, enter @@LogonFailure, the pre-prepared MiniQuery behaviour.
- Group by Source IP and enter 1000 as the list length. Because the number of times the query matches is what matters here, set the Value column to “Value Count”. Enter 100 as the Trigger, i.e. the number of matches after which a source is added to the list.
- Enter 360 for “Check events in last” so that additions to the list are evaluated against the events of the last 360 seconds.
- Open the Settings -> Incidents and Alerts -> Alert Rules page in the Logsign web interface, then click the Brute Force Attack Activity alert rule.
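The list and rule configured in the steps above, as an added Python example that is not Logsign's code: a per-source sliding-window counter with the same parameters (grouping by Source IP, Value Count, Trigger 100, Check events in last 360 seconds, list length 1000), followed by the alert rule Source.IP IN LIST and the IP-blocking action on the Action Column. The @@LogonFailure stand-in (EventType equal to "LogonFailure"), the field names, the eviction of the oldest member when the list is full and the three event sources are assumptions; the event stream is constructed.

```python
"""Added example (not Logsign code): the Brute Force Attacker Hosts List modelled as a
per-source sliding window with the values used above (Trigger 100, Check events in last
360 s, list length 1000, grouping by Source IP). The @@LogonFailure stand-in, the field
names and the event stream are assumptions / constructed data."""
from collections import OrderedDict, defaultdict, deque

TRIGGER = 100                 # matches needed before a source enters the list
WINDOW_SECONDS = 360          # "Check events in last"
LIST_LENGTH = 1000            # maximum number of list members
GROUP_BY = "Source.IP"
ACTION_COLUMN = "Source.IP"   # column the automatic action (IP blocking) targets


def logon_failure(event: dict) -> bool:
    """Stand-in for the pre-defined @@LogonFailure behaviour (assumed field and value)."""
    return event.get("EventType") == "LogonFailure"


class StatisticalList:
    """List populated automatically: a key is added once `trigger` matching events have been
    seen for it within `window` seconds. Oldest member is evicted when `max_len` is reached
    (how the product handles a full list is an assumption; the page only gives the value)."""

    def __init__(self, name, group_by=GROUP_BY, trigger=TRIGGER,
                 window=WINDOW_SECONDS, max_len=LIST_LENGTH):
        self.name, self.group_by = name, group_by
        self.trigger, self.window, self.max_len = trigger, window, max_len
        self.windows = defaultdict(deque)   # key -> timestamps of recent matches
        self.members = OrderedDict()        # key -> timestamp when it was added

    def observe(self, event: dict) -> bool:
        """Feed one event that already matched the list query. Returns True when this
        event caused its key to be added to the list."""
        key = event.get(self.group_by)
        if key is None:
            return False
        ts = event["ts"]
        window = self.windows[key]
        window.append(ts)
        while window and ts - window[0] > self.window:   # drop matches older than the window
            window.popleft()
        if len(window) >= self.trigger and key not in self.members:
            if len(self.members) >= self.max_len:
                self.members.popitem(last=False)
            self.members[key] = ts
            return True
        return False

    def contains(self, value) -> bool:
        return value in self.members


def make_events() -> list:
    """Constructed stream: one real brute-forcer, one noisy-but-benign source, one slow source."""
    events = []
    for i in range(120):   # 203.0.113.10: 120 failures 2 s apart -> 100 within 200 s
        events.append({"ts": 1000 + 2 * i, "Source.IP": "203.0.113.10",
                       "Source.Username": f"user{i % 7}", "EventType": "LogonFailure"})
    for i in range(50):    # 198.51.100.4: 50 failures, below the trigger
        events.append({"ts": 1000 + i, "Source.IP": "198.51.100.4",
                       "Source.Username": "svc-backup", "EventType": "LogonFailure"})
    for i in range(150):   # 192.0.2.77: 150 failures 20 s apart -> never 100 within 360 s
        events.append({"ts": 1000 + 20 * i, "Source.IP": "192.0.2.77",
                       "Source.Username": "admin", "EventType": "LogonFailure"})
    for i in range(30):    # successes from the brute-forcer must not count towards the list
        events.append({"ts": 1001 + 2 * i, "Source.IP": "203.0.113.10",
                       "Source.Username": "user1", "EventType": "LogonSuccess"})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_brute_force(events) -> dict:
    """Runs the list query over the stream and the 'Brute Force Attack Activity' rule
    (Source.IP IN LIST) on top of it. Returns {source_ip: {"added_at": ts, "action": ...}}."""
    attackers = StatisticalList("Brute Force Attacker Hosts List")
    alerts = {}
    for event in events:
        if logon_failure(event) and attackers.observe(event):
            alerts[event[GROUP_BY]] = {
                "added_at": event["ts"],
                "action": {"block_ip": event[ACTION_COLUMN]},   # Security Automation target
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_brute_force(make_events()).items():
        print(f"ALERT Brute Force Attack Activity: {ip} listed at t={info['added_at']} -> {info['action']}")
```

Running the block produces one alert, for 203.0.113.10, at the timestamp of its 100th failure: the 50-failure source stays below the trigger, and the slow source never accumulates 100 failures inside any 360-second window even though it generates 150 in total, which is exactly the distinction the Trigger and “Check events in last” values are meant to draw.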