How to create a cross-correlation rule in SIEM with no programming
19.04.2023

Today many SIEM systems process millions of events a day, gathered from numerous sources. According to statistics, a team of 100 people can generate more than 3,000 log entries in Active Directory, and a single (!) VMware installation operating in normal mode can generate up to 4 million events a day. To surface the genuinely important incidents in this flow, SIEM-class solutions provide cross-correlation: the solution compares events from different sources which, taken together, indicate a threat. Configuring cross-correlation usually requires programming skills. Sometimes the vendor takes on this task, but more often the customer has to do it on their own. SearchInform SIEM significantly eases the process: such rules can be created in just a few clicks. Below we explain how it works.

How does the cross-correlation work?

Let’s imagine the following situation: the SIEM system has detected an attempt to log in to AD with an incorrect password.

There are two possible scenarios: it may be an ordinary event (a user mistyped their credentials), but it may also indicate a serious incident, such as a compromised account. To find out whether the situation poses a risk, the context has to be examined: what other events happened in the system at that time, and whether they are related to the initial one. This is exactly where cross-correlation is needed: it detects an incident even when the events from different sources, analysed separately, do not look suspicious.

To create a cross-correlation rule, it is usually necessary to specify, in a programming or rule language, the attributes of these events as transmitted by the source, the engine that evaluates them and the rules of their correlation. In the SIEM solution by SearchInform this task is automated: we have developed a wizard in the graphical interface where a rule is assembled as in a constructor kit.

Rules are configured in three steps:

1.  Choose the required parameters from the lists proposed:
•    Sources (connectors)
•    Events (identifiers)
•    Attributes.

You can specify up to three connectors and the event types for each of them. Additionally, you can configure the analysis based on the user and his/her role, the device, the IP address and other attributes.

2.  Specify the common parameters, i.e. what the events must have in common, for instance that they all come from the same PC or the same account. The following logical operators are used:
•    “AND”, when the joint occurrence of all the specified events is considered an incident
•    “NOT”, when the absence of an expected event after a specific event is considered an incident (in a normal situation one event follows the other, so its absence is the anomaly).

3.  Set the time window: events are considered interrelated if they happen one after another within a specified period of time (up to 6 hours).

Thus, the service works on the principle “event 1 AND event 2 = alert” or “event 1 NOT event 2 = alert”. If all the specified conditions are met, the information security officer receives a notification about the incident. The mode and method of notification can be configured for each rule separately; notifications may be delivered as digests via email or Telegram.
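As an added illustration for this article (it is not SearchInform’s code and says nothing about how their engine is implemented), the Python sketch below evaluates the two rule shapes described above: an AND chain of up to three (connector, event identifier) pairs and a NOT rule, both grouped by shared attributes such as user or host and bounded by a time window. The connector names, event identifiers and sample batch are constructed for the example; 4625 and 4624 are the Windows event IDs for a failed and a successful logon, the rest are invented. The sketch also shows two details a practitioner will want: a completed AND chain consumes its events so one incident produces one alert rather than one per failed attempt, and a NOT rule can only fire once the window after the triggering event has fully elapsed, because before that the expected event may simply not have arrived yet.

```python
"""Toy cross-correlation engine: "event 1 AND event 2 = alert" and "event 1 NOT event 2 = alert".
Illustrative code written for this article, not SearchInform code. Connector names, event
identifiers and the sample batch are constructed (4625/4624: Windows failed/successful logon).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str                       # connector the event came from
    event_id: str                     # identifier as emitted by that source
    attrs: Dict[str, str] = field(default_factory=dict)

@dataclass(frozen=True)
class Rule:
    name: str
    sequence: Tuple[Tuple[str, str], ...]  # (source, event_id) pairs in expected order
    operator: str                          # "AND": all must occur; "NOT": the rest must not follow
    group_by: Tuple[str, ...]              # attributes that must match across the events
    window: timedelta                      # later events must fall within this span after the first

@dataclass(frozen=True)
class Alert:
    rule: str
    key: Tuple[Optional[str], ...]
    events: Tuple[Event, ...]


def _key(ev: Event, group_by: Tuple[str, ...]) -> Tuple[Optional[str], ...]:
    return tuple(ev.attrs.get(k) for k in group_by)


def correlate(events: List[Event], rule: Rule, now: Optional[datetime] = None) -> List[Alert]:
    """Evaluate one rule over a batch. `now` is the time up to which the batch is complete;
    a NOT rule may only fire once the window after its triggering event has fully elapsed."""
    if not events:
        return []
    events = sorted(events, key=lambda e: e.ts)
    now = now or events[-1].ts
    consumed: Set[int] = set()           # indices already used in a completed AND chain
    alerts: List[Alert] = []
    for i, first in enumerate(events):
        if i in consumed or (first.source, first.event_id) != rule.sequence[0]:
            continue
        key = _key(first, rule.group_by)
        if None in key:                  # no shared attribute -> nothing to correlate on
            continue
        deadline = first.ts + rule.window
        chain, cursor = [i], i
        for pattern in rule.sequence[1:]:
            match = next((j for j in range(cursor + 1, len(events))
                          if j not in consumed and events[j].ts <= deadline
                          and (events[j].source, events[j].event_id) == pattern
                          and _key(events[j], rule.group_by) == key), None)
            if match is None:
                break
            chain.append(match)
            cursor = match
        complete = len(chain) == len(rule.sequence)
        if rule.operator == "AND" and complete:
            consumed.update(chain)       # one incident -> one alert, not one per failed attempt
            alerts.append(Alert(rule.name, key, tuple(events[j] for j in chain)))
        elif rule.operator == "NOT" and not complete and deadline <= now:
            alerts.append(Alert(rule.name, key, (first,)))
    return alerts


# Constructed sample batch: a credential-misuse chain on WS-117, an ordinary typo by
# a.lee, and two malware detections of which only one was cleaned up.
T0 = datetime(2023, 4, 19, 9, 0)
def M(n: int) -> datetime: return T0 + timedelta(minutes=n)
SAMPLE_EVENTS = [
    Event(M(0), "ad", "4625", {"user": "j.smith", "host": "WS-117"}),
    Event(M(1), "ad", "4625", {"user": "j.smith", "host": "WS-117"}),
    Event(M(2), "ad", "4624", {"user": "j.smith", "host": "WS-117"}),
    Event(M(4), "dlp", "usb_copy", {"user": "j.smith", "host": "WS-117", "file": "clients.xlsx"}),
    Event(M(10), "ad", "4625", {"user": "a.lee", "host": "WS-042"}),
    Event(M(11), "ad", "4624", {"user": "a.lee", "host": "WS-042"}),
    Event(M(20), "av", "threat_detected", {"host": "WS-042"}),
    Event(M(21), "av", "threat_removed", {"host": "WS-042"}),
    Event(M(25), "av", "threat_detected", {"host": "SRV-FILE01"}),
]
CREDENTIAL_MISUSE = Rule("failed logon, then success, then copy to removable media",
                         (("ad", "4625"), ("ad", "4624"), ("dlp", "usb_copy")),
                         "AND", ("user", "host"), timedelta(minutes=30))
UNHANDLED_MALWARE = Rule("malware detected but not removed",
                         (("av", "threat_detected"), ("av", "threat_removed")),
                         "NOT", ("host",), timedelta(minutes=15))

if __name__ == "__main__":
    for rule in (CREDENTIAL_MISUSE, UNHANDLED_MALWARE):
        for a in correlate(SAMPLE_EVENTS, rule):
            print(a.rule, a.key, [(e.ts.time(), e.source, e.event_id) for e in a.events])
    # SRV-FILE01 only becomes reportable once its 15-minute window has passed:
    for a in correlate(SAMPLE_EVENTS, UNHANDLED_MALWARE, now=M(60)):
        print("later:", a.rule, a.key)
```

Run as written, the AND rule yields exactly one alert for j.smith on WS-117 (the second failed logon does not produce a duplicate, and a.lee’s typo followed by a normal success is ignored because no removable-media copy follows). The NOT rule yields nothing when evaluated at the time of the last event, since the SRV-FILE01 detection is still inside its window; evaluated an hour later it reports that host. A real engine would do the same incrementally on a stream instead of re-scanning a batch, but the matching logic is the same.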

The SearchInform SIEM cross-correlation service supports all the connectors available in the system, of which there are more than 30.

Outcomes

Cross-correlation helps an information security officer detect an incident in a large flow of events. It also reduces the number of false positives: an event that is ambiguous on its own only produces an alert in the context that makes it suspicious. The more precisely the combination and sequence of parameters is specified, the more effective the SIEM solution is.

The main advantage of the SearchInform SIEM cross-correlation rule constructor is its simplicity. You can easily configure monitoring for complex incidents without specialised knowledge or extra time. The SIEM by SearchInform works out of the box and provides the customer with results immediately.

You can also request a free 30-day SIEM trial.