AlienVault, profile picture
Uploaded byAlienVault
15,544 views

Creating Correlation Rules in AlienVault

This document discusses correlation in security monitoring. Correlation involves relating different security-related events together to produce more useful information and detect threats. It works by applying correlation rules to incoming events to increase their priority and risk level if they match specified criteria. This helps reduce noise and manual monitoring while automating security. Complex correlation allows matching events across multiple levels and timeframes. Correlation directives can be used to detect common attacks and map events to compliance objectives.

Technology
Related topics:
Information Security

Embed presentation

AlienVault Correlation Alexander Goller Solution Architect
Why do we need correlation? Or how to make sense out of all that information.
What do we see in our daily business? Too much data, not enough information
Noise Events with no (obvious) meaning
Correlation to the rescue What correlation does for us Increase evidence Does the event have business impact? Is the event dangerous? Is the event a false positive?
Correlation to the rescue What correlation does for us Security automation Relate data together to produce information Get rid of manual monitoring of logs Find well-known threats in the millions of events you are receiving
How correlation works An insight to the AlienVault correlation engine
Correlation explained A simple use case Correlation rule will Matches correlation raise priority and criteria (e.g. reliability of the Increased risk will Incoming event Destination belongs event as specified in create an alert to our VIP server the correlation zone) directive
Features Correlation rules can nest any level AND condition: branch another level OR condition: insert a new rule on same level
Examples Somebody does a config change to an internal asset Give more meaning to authentications to a very important host or zone of your network Give an event a more meaningful signature Map event to PCI/ISO objectives to get rapid reports on compliance
Correlation explained Sample complex use cases Incoming events Alert reinserted into event queue One failed ssh login to VIP host 3 failed logins in the next 60 seconds 3 more failed logins in the next 5 minutes Correlation rule will generate an alert
Threat detetion examples Correlate firewall events to detect common DoS and DDoS attacks Prebuilt AlienVault correlation directives cover a lot of those already Modify for your environment Build Security Intelligence
Correlation explained Complex use case with mixed events Alert reinserted Incoming events into event queue Succesful SSH login to VIP host Service going down on host Correlation rule will generate an alert
Threat detetion examples Correlate firewall events to detect common DoS and DDoS attacks Prebuilt AlienVault correlation directives cover a lot of those already Modify for your environment Build Security Intelligence
Correlation directives
Top level Directive name e.g. „Login to DMZ host from outside“ Priority Value of 0-5 stating the initial importance of the event Rule ID Correlation editor automatically creates one CLI editing requires you to choose a unique ID
Editor only: Start adding a directive Top level directive Name Priority
First level Every event received can activate directives Firewall permits Logins Oracle audit events No limits Limitations Only one event will activate a directive Only events from detector plugins allowed No timeout required
Editor only: Create first level rule Create rule, explain dialogs Save directive Restart server
Deeper correlation levels Any number of events within a specified timeout Match on any attribute from previous rules Event must have same source IP Event must have same destination IP Event must have same event type as on previous levels
Editor only: Create deeper rules for sample complex use case.
What‘s next? How to deal with alerts from the correlation engine
What‘s next Generated event has a risk > 1 automatically becomes alert Use Policies & Actions Email notification Custom user script Open a internal ticket Map to compliance objectives PCI: e.g. Access to a PCI host from the internet ISO: monitor firewall changes
Want more? Attend OSSIM Made Simple
Open Source. Open Tools. Open Minds.

More Related Content

PPTX
Wireless network security
byShahid Beheshti University
 
PPT
Next generation firewall(ngfw)feature and benefits
byAnthony Daniel
 
PPTX
Man in The Middle Attack
byDeepak Upadhyay
 
PPTX
Software Defined Network - SDN
byVenkata Naga Ravi
 
PDF
OSI MODEL
bySoumo Dhali
 
PPT
Wsn in iot updated
byskumartarget
 
PPTX
Firewall and Types of firewall
byCoder Tech
 
PPTX
Port forwarding
byRonak Mehta
 
Wireless network security
byShahid Beheshti University
 
Next generation firewall(ngfw)feature and benefits
byAnthony Daniel
 
Man in The Middle Attack
byDeepak Upadhyay
 
Software Defined Network - SDN
byVenkata Naga Ravi
 
OSI MODEL
bySoumo Dhali
 
Wsn in iot updated
byskumartarget
 
Firewall and Types of firewall
byCoder Tech
 
Port forwarding
byRonak Mehta
 

What's hot

PPTX
Packet sniffing
byShyama Bhuvanendran
 
PPT
firewall.ppt
byssuser530a07
 
PPTX
IOT - Design Principles of Connected Devices
byDevyani Vasistha
 
PPT
SSL & TLS Architecture short
byAvirot Mitamura
 
PPTX
IoT Cloud architecture
byMachinePulse
 
PDF
Web Security
byDr.Florence Dayana
 
PDF
Kali linux tutorial
byHarikaReddy115
 
PPTX
Traditional Firewall vs. Next Generation Firewall
by美兰 曾
 
PPT
Firewall Architecture
byYovan Chandel
 
PPTX
Honeypots
bySARANYA S
 
PDF
Wireshark Traffic Analysis
byDavid Sweigert
 
PPT
Proxy Servers
bySourav Roy
 
PPTX
Deep Packet Inspection technology evolution
byDaniel Vinyar
 
PPTX
DDOS ATTACK - MIRAI BOTNET
bySukhdeep Singh Sandhu
 
PPTX
Storage Area Network(SAN)
byKrishna Kahar
 
PPTX
cluster computing
byanjalibhandari11011995
 
PPTX
firewall and its types
byMohammed Maajidh
 
PPTX
Network Security Nmap N Nessus
byUtkarsh Verma
 
PPTX
Network Management System and Protocol
byHamdamboy (함담보이)
 
PPTX
Client server model
byGd Goenka University
 
Packet sniffing
byShyama Bhuvanendran
 
firewall.ppt
byssuser530a07
 
IOT - Design Principles of Connected Devices
byDevyani Vasistha
 
SSL & TLS Architecture short
byAvirot Mitamura
 
IoT Cloud architecture
byMachinePulse
 
Web Security
byDr.Florence Dayana
 
Kali linux tutorial
byHarikaReddy115
 
Traditional Firewall vs. Next Generation Firewall
by美兰 曾
 
Firewall Architecture
byYovan Chandel
 
Honeypots
bySARANYA S
 
Wireshark Traffic Analysis
byDavid Sweigert
 
Proxy Servers
bySourav Roy
 
Deep Packet Inspection technology evolution
byDaniel Vinyar
 
DDOS ATTACK - MIRAI BOTNET
bySukhdeep Singh Sandhu
 
Storage Area Network(SAN)
byKrishna Kahar
 
cluster computing
byanjalibhandari11011995
 
firewall and its types
byMohammed Maajidh
 
Network Security Nmap N Nessus
byUtkarsh Verma
 
Network Management System and Protocol
byHamdamboy (함담보이)
 
Client server model
byGd Goenka University
 

Similar to Creating Correlation Rules in AlienVault

PPTX
Improve Security Visibility with AlienVault USM Correlation Directives
byAlienVault
 
PPT
Anton Chuvakin on Security Data Centralization
byAnton Chuvakin
 
PPTX
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
byReZa AdineH
 
DOC
Security Event Analysis Through Correlation
byAnton Chuvakin
 
PPTX
Lecture 06 - Incident Management and SOC.pptx
byprasadsanjaya2
 
PDF
IDS - Fact, Challenges and Future
byamiable_indian
 
PDF
Log correlation SIEM rule examples and correlation engine performance data
byErtugrul Akbas
 
PDF
Using indicators to deal with security attacks
byZoho Corporation
 
PPT
RSA 2006 - Visual Security Event Analysis
byRaffael Marty
 
PDF
All your logs are belong to you!
bySecurity BSides London
 
PDF
Cybersecurity with AI - Ashrith Barthur
bySri Ambati
 
DOCX
Context Driven Scalable SIEM Solution
byErtugrul Akbas
 
PPT
Using Event Processing to Enable Enterprise Security
byTim Bass
 
PPT
The “Predictive” Battlespace: Leveraging the Power of Event-Driven Architect...
byNathaniel Palmer
 
PPT
Adding Rules to Improve Flexibility and Effectively Manage Complex Events
byTim Bass
 
PDF
2005 issa journal-simsevaluation
byasundaram1
 
PDF
Integrating Cyber Security Alerts into the Operator Display
byEnergySec
 
PDF
InfoSecurity.be 2011
byXavier Mertens
 
PDF
All Your Security Events Are Belong to ... You!
byXavier Mertens
 
PDF
On the Use of Different Statistical Tests for Alert Correlation -- Short Paper
bycloudly
 
Improve Security Visibility with AlienVault USM Correlation Directives
byAlienVault
 
Anton Chuvakin on Security Data Centralization
byAnton Chuvakin
 
Review on Event Correlation- مروری بر روش های همبسته سازی در مدیریت رخداد
byReZa AdineH
 
Security Event Analysis Through Correlation
byAnton Chuvakin
 
Lecture 06 - Incident Management and SOC.pptx
byprasadsanjaya2
 
IDS - Fact, Challenges and Future
byamiable_indian
 
Log correlation SIEM rule examples and correlation engine performance data
byErtugrul Akbas
 
Using indicators to deal with security attacks
byZoho Corporation
 
RSA 2006 - Visual Security Event Analysis
byRaffael Marty
 
All your logs are belong to you!
bySecurity BSides London
 
Cybersecurity with AI - Ashrith Barthur
bySri Ambati
 
Context Driven Scalable SIEM Solution
byErtugrul Akbas
 
Using Event Processing to Enable Enterprise Security
byTim Bass
 
The “Predictive” Battlespace: Leveraging the Power of Event-Driven Architect...
byNathaniel Palmer
 
Adding Rules to Improve Flexibility and Effectively Manage Complex Events
byTim Bass
 
2005 issa journal-simsevaluation
byasundaram1
 
Integrating Cyber Security Alerts into the Operator Display
byEnergySec
 
InfoSecurity.be 2011
byXavier Mertens
 
All Your Security Events Are Belong to ... You!
byXavier Mertens
 
On the Use of Different Statistical Tests for Alert Correlation -- Short Paper
bycloudly
 

More from AlienVault

PPTX
Improve Threat Detection with OSSEC and AlienVault USM
byAlienVault
 
PDF
Insider Threat Detection Recommendations
byAlienVault
 
PDF
Open Source IDS Tools: A Beginner's Guide
byAlienVault
 
PDF
Security operations center 5 security controls
byAlienVault
 
PDF
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
byAlienVault
 
PDF
PCI DSS Implementation: A Five Step Guide
byAlienVault
 
PPTX
How to Solve Your Top IT Security Reporting Challenges with AlienVault
byAlienVault
 
PPTX
Improve threat detection with hids and alien vault usm
byAlienVault
 
PPTX
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
byAlienVault
 
PPTX
Simplify PCI DSS Compliance with AlienVault USM
byAlienVault
 
PPTX
Alienvault threat alerts in spiceworks
byAlienVault
 
PPTX
Improve Situational Awareness for Federal Government with AlienVault USM
byAlienVault
 
PPTX
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
byAlienVault
 
PPTX
Malware detection how to spot infections early with alien vault usm
byAlienVault
 
PPTX
How Malware Works
byAlienVault
 
PPTX
AWS Security Best Practices for Effective Threat Detection & Response
byAlienVault
 
PPTX
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
byAlienVault
 
PPTX
Incident response live demo slides final
byAlienVault
 
PDF
The State of Incident Response - INFOGRAPHIC
byAlienVault
 
PDF
Malware Invaders - Is Your OS at Risk?
byAlienVault
 
Improve Threat Detection with OSSEC and AlienVault USM
byAlienVault
 
Insider Threat Detection Recommendations
byAlienVault
 
Open Source IDS Tools: A Beginner's Guide
byAlienVault
 
Security operations center 5 security controls
byAlienVault
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
byAlienVault
 
PCI DSS Implementation: A Five Step Guide
byAlienVault
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
byAlienVault
 
Improve threat detection with hids and alien vault usm
byAlienVault
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
byAlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
byAlienVault
 
Alienvault threat alerts in spiceworks
byAlienVault
 
Improve Situational Awareness for Federal Government with AlienVault USM
byAlienVault
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
byAlienVault
 
Malware detection how to spot infections early with alien vault usm
byAlienVault
 
How Malware Works
byAlienVault
 
AWS Security Best Practices for Effective Threat Detection & Response
byAlienVault
 
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
byAlienVault
 
Incident response live demo slides final
byAlienVault
 
The State of Incident Response - INFOGRAPHIC
byAlienVault
 
Malware Invaders - Is Your OS at Risk?
byAlienVault
 

Recently uploaded

PDF
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
PDF
The Accel 2025 Globalscape: Race for compute
byPhilippe Botteri
 
PDF
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
PDF
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
PDF
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
Getting started with Agent Framework.pdf
byNilesh Gule
 
PDF
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
PDF
Catalog Data - Keys to the Kingdom.pdf‎ ‎
byPrecisely
 
PDF
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
PPTX
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PPTX
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
The Accel 2025 Globalscape: Race for compute
byPhilippe Botteri
 
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
Getting started with Agent Framework.pdf
byNilesh Gule
 
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
Catalog Data - Keys to the Kingdom.pdf‎ ‎
byPrecisely
 
Upskill to Agentic Automation - Accelerating Your Job Search using AI
byDianaGray10
 
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 

Creating Correlation Rules in AlienVault

  • 1.
    AlienVault Correlation Alexander Goller Solution Architect
  • 2.
    Why do weneed correlation? Or how to make sense out of all that information.
  • 3.
    What do wesee in our daily business? Too much data, not enough information
  • 4.
    Noise Events with no(obvious) meaning
  • 5.
    Correlation to therescue What correlation does for us Increase evidence Does the event have business impact? Is the event dangerous? Is the event a false positive?
  • 6.
    Correlation to therescue What correlation does for us Security automation Relate data together to produce information Get rid of manual monitoring of logs Find well-known threats in the millions of events you are receiving
  • 7.
    How correlation works Aninsight to the AlienVault correlation engine
  • 8.
    Correlation explained A simple use case Correlation rule will Matches correlation raise priority and criteria (e.g. reliability of the Increased risk will Incoming event Destination belongs event as specified in create an alert to our VIP server the correlation zone) directive
  • 9.
    Features Correlation rulescan nest any level AND condition: branch another level OR condition: insert a new rule on same level
  • 10.
    Examples Somebody doesa config change to an internal asset Give more meaning to authentications to a very important host or zone of your network Give an event a more meaningful signature Map event to PCI/ISO objectives to get rapid reports on compliance
  • 11.
    Correlation explained Sample complexuse cases Incoming events Alert reinserted into event queue One failed ssh login to VIP host 3 failed logins in the next 60 seconds 3 more failed logins in the next 5 minutes Correlation rule will generate an alert
  • 12.
    Threat detetion examples Correlate firewall events to detect common DoS and DDoS attacks Prebuilt AlienVault correlation directives cover a lot of those already Modify for your environment Build Security Intelligence
  • 13.
    Correlation explained Complex usecase with mixed events Alert reinserted Incoming events into event queue Succesful SSH login to VIP host Service going down on host Correlation rule will generate an alert
  • 14.
    Threat detetion examples Correlate firewall events to detect common DoS and DDoS attacks Prebuilt AlienVault correlation directives cover a lot of those already Modify for your environment Build Security Intelligence
  • 15.
  • 16.
    Top level Directive name e.g. „Login to DMZ host from outside“ Priority Value of 0-5 stating the initial importance of the event Rule ID Correlation editor automatically creates one CLI editing requires you to choose a unique ID
  • 17.
    Editor only: Startadding a directive Top level directive Name Priority
  • 18.
    First level Every event received can activate directives Firewall permits Logins Oracle audit events No limits Limitations Only one event will activate a directive Only events from detector plugins allowed No timeout required
  • 19.
    Editor only: Createfirst level rule Create rule, explain dialogs Save directive Restart server
  • 20.
    Deeper correlation levels Any number of events within a specified timeout Match on any attribute from previous rules Event must have same source IP Event must have same destination IP Event must have same event type as on previous levels
  • 21.
    Editor only: Create deeper rules for sample complex use case.
  • 22.
    What‘s next? How todeal with alerts from the correlation engine
  • 23.
    What‘s next Generated event has a risk > 1 automatically becomes alert Use Policies & Actions Email notification Custom user script Open a internal ticket Map to compliance objectives PCI: e.g. Access to a PCI host from the internet ISO: monitor firewall changes
  • 24.
  • 25.
    Open Source. OpenTools. Open Minds.

Editor's Notes

  • #20 Create rule, explain dialogsSave directiveRestart server