A customer has installed SIEM 9.4 (combo box ESM/ELM/RCV) and has initially integrated 2 devices: NGFW infrastructure (SMC/Stonesoft) and Arbor Pravail APS.
So, as part of the correlated events (Incidents dashboard) there is an event generated from the NGFW called:
Attack - Network DoS Activity Detected, which originates from 2 source events:
If I look at the Arbor events, I effectively see many events classified according to the Pravail taxonomy:
1) Invalid Packets
2) TCP connection resets
3) TCP SYN Flood detection
4) Block Malformed DNS Traffic
5) Malformed HTTP Filtering
Q: What would be the best way to "try" to correlate that the events generated from the FW correspond to the same event in the Arbor device?