The goal of a correlation analysis is to see whether two measurement variables co-vary, and to quantify the strength of the relationship between the variables.
Correlation is important to make sense out of all the information in the system. Correlation comes to the rescue by increasing the evidence that an event is real, clarifying its business impact, and reducing the chance that the event is a false positive.
Correlation process
Risk Formula
Risk = (priority * reliability * asset) / 25
Correlation rules
Features Correlation rules can nest any level
- AND condition: branch another level
- OR condition: insert a new rule on same level
Threat detection use case
- Correlate firewall events to detect common DoS and DDoS attacks
- Prebuilt AlienVault correlation directives cover a lot of those already
- Modify for your environment
- Build Security Intelligence
Eg:
A successful SSH login to a VIP host, followed by a service going down on that same host: the correlation rule will generate an alert.
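The following is an added illustration, not AlienVault or OSSIM code, of how the nested AND/OR rule levels and the risk formula above fit together on the SSH-login-then-service-down example. The event field names, the 5-minute window, the reliability values assigned per level and the alarm threshold of 1 are assumptions made for this demo; the value ranges in the comments (priority 0-5, reliability 0-10, asset 0-5, so risk tops out at 10) are the standard OSSIM scales.

```python
"""Toy correlation directive with nested levels plus the post's risk formula.
Added example; field names, window, reliabilities and threshold are assumed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


def risk(priority: int, reliability: int, asset: int) -> float:
    """Risk = (priority * reliability * asset) / 25.
    OSSIM scales: priority 0-5, reliability 0-10, asset 0-5 -> risk 0-10."""
    return (priority * reliability * asset) / 25


@dataclass
class Rule:
    """One rule in a directive. Rules on the same level are ORed (any may
    match); a rule's next_level is ANDed (must match after it, in window)."""
    name: str
    match: Callable[[dict, dict], bool]
    reliability: int                      # reliability reached when matched
    next_level: List["Rule"] = field(default_factory=list)


def correlate(levels: List[Rule], events: List[dict], window: int = 300) -> Tuple[Optional[str], int]:
    """Walk the directive over time-ordered events. Returns the deepest rule
    matched and the reliability reached (0 if nothing matched)."""
    ctx: Dict[str, str] = {}              # shared context, e.g. the host seen first
    name, reached, last_ts = None, 0, None
    candidates = levels
    for ev in events:
        if not candidates:                # directive fully matched
            break
        for rule in candidates:           # OR across this level
            in_window = last_ts is None or 0 <= ev["ts"] - last_ts <= window
            if in_window and rule.match(ev, ctx):
                ctx.setdefault("host", ev["host"])
                name, reached, last_ts = rule.name, rule.reliability, ev["ts"]
                candidates = rule.next_level   # AND: descend one level
                break
    return name, reached


def evaluate(levels: List[Rule], events: List[dict], priority: int, asset: int,
             window: int = 300, alarm_threshold: float = 1.0) -> dict:
    """Correlate, compute risk, and decide whether an alarm is raised."""
    name, reliability = correlate(levels, events, window)
    r = risk(priority, reliability, asset)
    return {"rule": name, "reliability": reliability, "risk": r, "alarm": r >= alarm_threshold}


# Second level (AND): a service must go down on the host that was logged into.
SERVICE_DOWN = Rule(
    "service_down_same_host",
    lambda ev, ctx: ev["type"] == "service_down" and ev["host"] == ctx.get("host"),
    reliability=7,
)

# First level: two ORed ways in (SSH or RDP), each branching to the same AND level.
VIP_DIRECTIVE = [
    Rule("ssh_login_success", lambda ev, ctx: ev["type"] == "ssh_login_success",
         reliability=1, next_level=[SERVICE_DOWN]),
    Rule("rdp_login_success", lambda ev, ctx: ev["type"] == "rdp_login_success",
         reliability=1, next_level=[SERVICE_DOWN]),
]

# Constructed sample events (timestamps in seconds); not real log data.
EVENTS = [
    {"ts": 100, "type": "ssh_login_success", "host": "vip-db-01", "src": "198.51.100.7"},
    {"ts": 130, "type": "service_down", "host": "web-03", "service": "httpd"},   # other host: ignored
    {"ts": 220, "type": "service_down", "host": "vip-db-01", "service": "postgres"},
]


if __name__ == "__main__":
    # VIP host: asset value 5; directive priority 3 (both assumed for the demo).
    print(evaluate(VIP_DIRECTIVE, EVENTS[:1], priority=3, asset=5))  # login alone: risk 0.6, no alarm
    print(evaluate(VIP_DIRECTIVE, EVENTS, priority=3, asset=5))      # login + outage: risk 4.2, alarm
```

The login on its own reaches reliability 1, so the risk stays below the alarm threshold; once the AND level matches the reliability jumps and the same priority and asset value now produce an alarm. That is the "build security intelligence" step: the directive, not a single event, carries the evidence.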
Alarms
- Reduce false positive alarms
As you collect more events from different external systems, you may run into a scenario that is causing the USM Server to generate more alarms than you want. You can use policies to filter the events to reduce the number of alarms that are created.
- Sending an email notification
You can create a policy to automatically trigger an email to administrators or others whenever a high-risk alarm occurs.
- Temporarily hiding true positive alarms
Occasionally, you may need to temporarily disable alarms based on a particular set of events. This makes sense when you want to reduce excessive noise until you have had time to analyze and take corrective or preventative actions.
- Increasing the importance of a specific event
Sometimes you might want to closely monitor a specific IP address or a specific port. You can use policies to generate an alarm whenever events occur that include the IP address or that port without writing a correlation rule.
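As an added example (not USM's policy engine, whose internals are not shown on this page), the sketch below models the four policy uses listed above as ordered rules over already-scored events: drop events from a noisy source, email on high-risk alarms, mute a signature until a set time, and force an alarm whenever a watched port appears. Event fields, IP addresses, the signature names and the timestamps are constructed for the demo.

```python
"""Toy policy layer over scored events. Added example; all data constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Policy:
    name: str
    condition: Callable[[dict], bool]
    action: str            # "drop" | "raise" | "notify" | "mute"
    until: float = 0.0     # for "mute": hide matching events until this time


def apply_policies(events: List[dict], policies: List[Policy], now: float,
                   alarm_threshold: float = 1.0) -> Dict[str, List[int]]:
    """Evaluate policies in order for each event and return what happened to it.
    An alarm is raised by default when risk >= threshold; policies can drop the
    event entirely, mute it until a deadline, force an alarm, or alarm + email."""
    out: Dict[str, List[int]] = {"alarms": [], "emails": [], "dropped": [], "muted": []}
    for ev in events:
        decision = "alarm" if ev["risk"] >= alarm_threshold else "none"
        dropped = False
        for pol in policies:
            if not pol.condition(ev):
                continue
            if pol.action == "drop":               # filter: never reaches alarms
                dropped = True
                break
            if pol.action == "mute" and now < pol.until:
                decision = "muted"                 # temporarily hidden true positive
            elif pol.action == "raise":
                decision = "alarm"                 # watched IP/port: alarm without a directive
            elif pol.action == "notify":
                decision = "alarm"
                out["emails"].append(ev["id"])     # high-risk: alarm and email admins
        if dropped:
            out["dropped"].append(ev["id"])
        elif decision == "alarm":
            out["alarms"].append(ev["id"])
        elif decision == "muted":
            out["muted"].append(ev["id"])
    return out


# Constructed sample: one noisy internal scanner, a watched port, a high-risk hit,
# a signature under triage, and plain background noise.
EVENTS = [
    {"id": 1, "src": "10.0.0.9",    "dst_port": 22,   "sig": "ssh_brute",   "risk": 3.0},
    {"id": 2, "src": "203.0.113.5", "dst_port": 3389, "sig": "rdp_connect", "risk": 0.0},
    {"id": 3, "src": "203.0.113.8", "dst_port": 445,  "sig": "smb_exploit", "risk": 8.0},
    {"id": 4, "src": "10.0.0.20",   "dst_port": 80,   "sig": "web_scan",    "risk": 2.0},
    {"id": 5, "src": "10.0.0.21",   "dst_port": 80,   "sig": "noise",       "risk": 0.5},
]

POLICIES = [
    Policy("drop-internal-vuln-scanner", lambda e: e["src"] == "10.0.0.9", "drop"),
    Policy("watch-rdp-port", lambda e: e["dst_port"] == 3389, "raise"),
    Policy("email-high-risk", lambda e: e["risk"] >= 7, "notify"),
    Policy("mute-web-scan-during-triage", lambda e: e["sig"] == "web_scan", "mute", until=2000),
]


if __name__ == "__main__":
    print(apply_policies(EVENTS, POLICIES, now=1000))   # web_scan still muted
    print(apply_policies(EVENTS, POLICIES, now=3000))   # mute expired, alarm returns
```

Policy order matters: the drop rule sits first so a filtered source can never trigger the email rule, and the mute carries an expiry so a hidden true positive resurfaces on its own rather than being forgotten.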