4 Replies Latest reply on May 12, 2015 9:03 PM by andy777

    Correlation rules


      Hi folks,


      I am working on developing use cases for a newly built SOC.

      If anyone can share possible use cases, normal and cross-device correlation rules.


      Any help would be appreciated.



        • 1. Re: Correlation rules
          Peter M

          Moved to Business > Event Management (SIEM) for support purposes.




          • 2. Re: Correlation rules

            What data sources are you getting events from?

            Any plans for more data sources to be added to SIEM?

            • 3. Re: Correlation rules



              We have Windows servers, firewalls, NIPS, HIPS, Arbor, PIM, web servers, WiFi devices etc.

              As of now no plan to integrate more devices.



              • 4. Re: Correlation rules

                Very briefly, I'll give you an idea of how I work with folks to help them develop correlation rules. The first is to realize that the SIEM is a part of a larger process. The steps we worked through to develop this process are:


                1. Identified the first goal: what are we protecting?
                     - Examples:
                          - Systems with sensitive data
                          - Systems responsible for operational posture
                          - Systems that must be available
                          - General assets

                2. What are the risks against these systems?
                     - Examples:
                          - Denial of service
                          - Malicious uses
                     - We just made our "threat model".

                3. How are these risks mitigated?
                     - Examples:
                          - Targeted DLP
                     - Just built a "security posture".

                4. Now we add a SIEM that includes different correlation methods.
                     - Over 200 out-of-the-box correlation rules.
                     - Create custom correlation rules that alert directly on all of the threats that you identified and mitigated in the steps above.
                     - Many correlation rules will never fire due to mitigations. They are in place to alarm when things don't go as expected.
                     - Beyond that, use anomaly baselines, risk-based correlation and heavy use of automated threat feeds to focus on the relevant threats.


                Hope this helps.
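As an added illustration of the cross-device correlation the original poster asked about (this is example code, not part of any reply above and not McAfee ESM's own rule language), the block below runs one multi-stage rule over constructed events from three of the sources listed in reply 3: a firewall, a NIPS and a Windows server. The rule, the field names and the sample events are assumptions; the second source IP shows a sequence that never completes, matching the point in reply 4 that many rules exist only to alarm when mitigations fail.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, device type, parsed fields).
# Source 203.0.113.5 completes the whole chain; 198.51.100.9 does not.
EVENTS = [
    ("2015-05-12T09:00:01", "firewall", {"src": "203.0.113.5", "dst": "10.0.0.20", "action": "deny"}),
    ("2015-05-12T09:00:20", "nips", {"src": "203.0.113.5", "dst": "10.0.0.20", "sig": "SMB brute force"}),
    ("2015-05-12T09:01:05", "windows", {"src": "203.0.113.5", "host": "10.0.0.20", "event_id": 4625}),
    ("2015-05-12T09:01:30", "windows", {"src": "203.0.113.5", "host": "10.0.0.20", "event_id": 4624}),
    ("2015-05-12T09:30:00", "firewall", {"src": "198.51.100.9", "dst": "10.0.0.21", "action": "deny"}),
    ("2015-05-12T09:45:00", "windows", {"src": "198.51.100.9", "host": "10.0.0.21", "event_id": 4624}),
]

# Hypothetical rule: the same external source is denied by the firewall, trips a NIPS
# signature, and then logs on successfully (Windows event ID 4624) within ten minutes.
RULE = {
    "name": "Firewall deny -> NIPS signature -> successful Windows logon from same source",
    "window": timedelta(minutes=10),
    "stages": [
        ("firewall", lambda e: e["action"] == "deny"),
        ("nips", lambda e: True),
        ("windows", lambda e: e["event_id"] == 4624),
    ],
}

def correlate(events, rule):
    """Return one alarm per source IP whose events satisfy every stage, in order, inside the window."""
    by_src = defaultdict(list)
    for ts, device, attrs in sorted(events):  # ISO timestamps sort chronologically as strings
        by_src[attrs["src"]].append((datetime.fromisoformat(ts), device, attrs))
    alarms = []
    for src, evs in by_src.items():
        stage, start = 0, None  # index of the next stage to satisfy, and when the chain began
        for ts, device, attrs in evs:
            if start is not None and ts - start > rule["window"]:
                stage, start = 0, None  # window expired: the partial chain is discarded
            want_device, predicate = rule["stages"][stage]
            if device == want_device and predicate(attrs):
                start = start or ts
                stage += 1
                if stage == len(rule["stages"]):
                    alarms.append({"rule": rule["name"], "src": src, "first": start, "last": ts})
                    stage, start = 0, None  # fired; start looking for a fresh chain
    return alarms

if __name__ == "__main__":
    for alarm in correlate(EVENTS, RULE):
        print(alarm)
```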