How SIEM Correlation Rules Work

February 20, 2018  |  Kim Crawley

SIEM is a powerful security tool when deployed properly. Network security appliances like IDS devices, IPS devices, and firewalls generate an awful lot of logs. A well-configured SIEM will alert security administrators to which events and trends they should pay attention to. Otherwise they’ll be too lost in event log noise to be able to effectively handle possible security threats to their network.

One of the key components that a functioning SIEM requires is good and sensible SIEM correlation rules. Let’s learn how SIEM correlation rules work! It’s actually pretty simple and easy to understand.

What is a correlation rule?

The various appliances in your network should be constantly generating event logs that are fed into your SIEM system. A SIEM correlation rule tells your SIEM system which sequences of events could be indicative of anomalies which may suggest security weaknesses or cyber attack. When “x” and “y” or “x” and “y” plus “z” happens, your administrators should be notified.

Here are some examples of SIEM correlation rules which illustrate this concept.

  • Detect new DHCP servers in your network by watching for inside or outside connections which use UDP packets (“x”), have port 67 as the destination (“y”), and the destination IP address isn’t on the registered IP list (“z”).
  • Warn administrators if five failed login attempts are tried with different usernames from the same IP to the same machine within fifteen minutes (“x”), if that event is followed by a successful login occuring from that same IP address to any machine inside the network (“y”).

The first example could indicate a cyber attacker establishing a DHCP server to acquire malicious access to your network. Any authorized DHCP server would use one of your registered IP addresses!

The second example could indicate a cyber attacker brute-forcing an authentication vector and then successfully acquiring authentication to your network. It could be a possible privilege escalation attack.

Both SIEM correlation rules could be triggered by honest mistakes and simple user errors or technical glitches. But they’re also key indicators of cyber attack and security administrators should check them out right away!

SIEM correlation in a nutshell

Your SIEM will analyze a whole lot of event logs which record endless seemingly mundane activities. They will look mundane to a human being if they just keep reading a list of thousands of events.

Connection established from some IP address and some TCP/IP port to another IP address and TCP/IP port! Some user changed their username on Tuesday and their password on Thursday! Some client machine downloaded 500MB and uploaded 200MB of network traffic one day, then downloaded 3.5GB and uploaded 750MB of network traffic the next day!

Properly designed SIEM correlation rules cut through all of the blah, blah, blah of your network event logs to detect which sequences of events are likely indications of cyber attack. So you should take great care in developing your SIEM correlation rules. SIEM is driven by computers and computers will just execute any instructions you give them. You as the clever human being with an organic brain should come up with practical SIEM correlation rules so your SIEM system can wake you up when there’s a possible cyber attack you should pay attention to.

Award Winning SIEM

Threat detection, incident response, and compliance management in one, unified solution.

Learn more

What is normalization in SIEM?

Various different software, hardware, and networking component vendors use their own event log formats. An event log will have different information fields. A SIEM system will do its best to read the various event log formats in order to make sense of them. If you make Excel spreadsheets, imagine all of the different ways someone could decide what the fields should be in order to organize the same data. Should IP addresses be recorded in column A or column D? Should the IP address column be labeled “IP,” “IP Address,” “IP Addresses,” “Gateway IPs,” or “public IPs?” Should UDP ports get one column and TCP ports get a different column, or should all UDP and TCP ports be in the same column?

Event log normalization is an effort to change event log formats from different vendors and network components so they’re as universal as possible within your network. Obviously, an antivirus event log will look very different from a firewall event log. But if your network has firewalls from more than one vendor, it may be possible to make their event logs the same format.

Event log normalization can make your SIEM and its SIEM correlation rules execute a lot more efficiently. If you can improve event log normalization, your SIEM will be less likely to make mistakes or miss events that a security administrator should be concerned about.

SIEM correlation rule challenges

SIEM correlation rules can generate false positives just like any sort of event monitoring algorithm. Too many false positives can lead to your security administrators wasting their efforts which could be applied to responding to actual threats and attacks. It’s impossible to have zero false positives in a properly working SIEM. When configuring your SIEM correlation rules, you need to strike a balance between reducing false positive alerts and not missing any possible anomalies which could indicate cyber attack.

Some out-of-the-box SIEM correlation rules might not be applicable to your specific network. Deciding which pre-configured rules to disable and which rules should be written from scratch are another challenge.

Improperly filtered SIEM rules can make slow execution time-consuming to your SIEM system. Administrators need to filter the application of rules to determine which data is relevant and which data is irrelevant in your event pipeline.

Another factor is that not all SIEMs are alike. Some have threat intelligence built into the out-of-the-box correlation rules, making them far more valuable.

Share this with others

Get price Free trial