SIEM Foundations: Basic Correlation Rule Tuning

Version 4

Many correlation rules include embedded parameters that the end user can customize to tune how the rule operates. To edit the parameters of a correlation rule, find the rule in the Policy Editor and select Edit/Modify Parameters.


One common set of rules to tune is the set named "Policy - Off-hours Events…". These correlation rules identify anomalous activity outside standard working times, and they use a parameter to define what counts as working hours. Consider modifying the time parameter in each of these rules ("WorkingHours") to match your organization's schedule.


[Figure: Off-hours Correlation Rules]


Keep in mind that the WorkingHours parameters are defined in the GMT time zone; you must convert your local working hours to GMT for these values to take effect. The default WorkingHours value is 12:30 – 22:00 GMT, which is equivalent to 7:30 – 17:00 in the US Eastern Standard Time zone.
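As an added worked example (not part of the original article or the product's own code), the Python below converts a local working window into the GMT string the WorkingHours parameter expects and then classifies sample events against that window. It assumes the parameter is written as "HH:MM - HH:MM" in GMT as shown above, that a window whose end is earlier than its start crosses 00:00 GMT (as a US Pacific working day does), and the sample events are constructed, not real log data.

```python
from datetime import datetime, timezone

MIN_PER_DAY = 24 * 60

def _to_minutes(hhmm: str) -> int:
    """'HH:MM' -> minutes after midnight."""
    hours, minutes = hhmm.strip().split(":")
    return int(hours) * 60 + int(minutes)

def _to_hhmm(minutes: int) -> str:
    minutes %= MIN_PER_DAY                      # wrap past midnight GMT
    return f"{minutes // 60:02d}:{minutes % 60:02d}"

def parse_window(param: str) -> tuple[int, int]:
    """Parse a WorkingHours value such as '12:30 - 22:00' (hyphen or en dash)."""
    start_s, end_s = param.replace("\u2013", "-").split("-")
    return _to_minutes(start_s), _to_minutes(end_s)

def local_window_to_gmt(start: str, end: str, utc_offset_hours: float) -> str:
    """Local window -> GMT string for the parameter. Pass the offset in force
    when you set it (-5 for US Eastern Standard Time, -4 under daylight time);
    the rule keeps the GMT value fixed, so it does not follow DST changes."""
    shift = round(utc_offset_hours * 60)
    return f"{_to_hhmm(_to_minutes(start) - shift)} - {_to_hhmm(_to_minutes(end) - shift)}"

def is_off_hours(event_time: str, param: str) -> bool:
    """True when an ISO-8601 timestamp (with UTC offset) falls outside WorkingHours.
    Assumption: an end earlier than the start means the window crosses 00:00 GMT."""
    event = datetime.fromisoformat(event_time)
    if event.tzinfo is None:
        raise ValueError("event timestamp must carry a UTC offset")
    now = event.astimezone(timezone.utc)
    minute = now.hour * 60 + now.minute
    start, end = parse_window(param)
    inside = start <= minute < end if start <= end else (minute >= start or minute < end)
    return not inside

# Constructed sample events (not real log data): ISO timestamp, description.
SAMPLE_EVENTS = [
    ("2024-01-15T03:05:00+00:00", "admin logon from jump host"),
    ("2024-01-15T14:00:00+00:00", "admin logon from jump host"),
    ("2024-01-15T18:45:00-05:00", "firewall policy change"),  # 23:45 GMT
]

def off_hours_events(events, param):
    """Return the (timestamp, description) pairs that fall outside the window."""
    return [ev for ev in events if is_off_hours(ev[0], param)]
```

Running `off_hours_events(SAMPLE_EVENTS, "12:30 - 22:00")` flags the 03:05 GMT logon and the 23:45 GMT policy change; the same three events checked against a GMT window set for daylight time (-4) would classify differently, which is why the offset used when setting the parameter matters.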
