[logs] Correlation Rules - BEST PRACTICES
Raffael Marty
rmarty at arcsight.com
Fri Jun 1 11:19:25 PDT 2007
Bernard,
> I need to create a list of correlation rules that isn't native in the sec tool for my environment.
You need to define what you want to get out of the system. What are your
use-cases? Based on those you build correlation rules. There is no way
to just build rules. I could come up with hundreds that you can build,
but your use-cases and data feeds determine what you should be building
in your environment.
> What have you seen as best practices for the creation of user-defined correlation rules? What are the best examples?
Again, what we do is build them based on use-cases. You could have
your own controls that you want to enforce, auditors to satisfy,
scenarios to detect, policies to monitor, etc. It all depends.
> Other example: Log Integration between firewall x ids ...
Again, define your use-cases and make sure you have the data feeds
needed for all those use-cases. Then you also need to take into account
the capabilities of your correlation tool. Not all of the tools give you
the same flexibility and methods of doing correlation. You might want to
use statistical correlation in conjunction with rule-based correlation,
etc.
Cheers
-raffy
--
Raffael Marty, GCIA, CISSP raffael.marty at arcsight.com
Manager Strategic Application Solutions
ArcSight, Inc. +1 (408) 864 2662
Security Data Visualization: http://secviz.org
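The reply above names two things a rule author has to decide up front: which data feeds a use-case needs (here, firewall plus IDS) and whether the tool supports rule-based correlation, statistical correlation, or both. The following is an added example, not code from the original post and not ArcSight's product logic. It assumes a simplified iptables-style firewall line and a Snort-style fast-alert line (both layouts and all log lines are constructed), implements one rule-based use-case (an IDS alert whose source-destination pair the firewall then allowed through) and one statistical use-case (per-source deny counts per minute compared against a historical baseline), and prints the findings.

```python
"""Correlating firewall and IDS logs: one rule-based and one statistical rule.

Added illustration for the LogAnalysis thread; not code from the original
post or from ArcSight. Log formats and all sample lines are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (simplified iptables-style field layout, an assumption).
FIREWALL_LOG = """\
2007-06-01 11:00:01 ACCEPT SRC=10.1.1.5 DST=192.168.0.10 DPT=22
2007-06-01 11:00:03 DENY SRC=10.1.1.9 DST=192.168.0.10 DPT=23
2007-06-01 11:00:04 DENY SRC=10.1.1.9 DST=192.168.0.10 DPT=25
2007-06-01 11:00:05 DENY SRC=10.1.1.9 DST=192.168.0.10 DPT=80
2007-06-01 11:00:06 DENY SRC=10.1.1.9 DST=192.168.0.10 DPT=110
2007-06-01 11:00:07 DENY SRC=10.1.1.9 DST=192.168.0.10 DPT=443
2007-06-01 11:00:08 DENY SRC=10.1.1.9 DST=192.168.0.10 DPT=445
2007-06-01 11:00:09 DENY SRC=10.1.1.9 DST=192.168.0.10 DPT=3389
2007-06-01 11:00:10 DENY SRC=10.1.1.7 DST=192.168.0.10 DPT=23
2007-06-01 11:00:12 ACCEPT SRC=10.1.1.5 DST=192.168.0.10 DPT=80
2007-06-01 11:00:30 DENY SRC=10.1.1.8 DST=192.168.0.10 DPT=23
2007-06-01 11:04:20 ACCEPT SRC=10.1.1.6 DST=192.168.0.20 DPT=80
"""

# Constructed IDS log (Snort fast-alert style; SIDs are in the local range, not real rules).
IDS_LOG = """\
2007-06-01 11:00:00 [1:1000001:1] SSH brute force attempt {TCP} 10.1.1.5 -> 192.168.0.10
2007-06-01 11:04:00 [1:1000002:1] Web application attack {TCP} 10.1.1.6 -> 192.168.0.20
"""

# Constructed baseline: historical DENY counts per source per minute on a quiet day.
BASELINE_DENIES_PER_MINUTE = [0, 1, 2, 1, 0, 1, 3, 1, 0, 2]

FW_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DENY) SRC=(?P<src>\S+) "
                   r"DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)$")
IDS_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<sid>[\d:]+)\] (?P<msg>.+?) "
                    r"\{(?P<proto>\w+)\} (?P<src>\S+) -> (?P<dst>\S+)$")


def _parse(text, pattern):
    """Parse lines with the given pattern; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        if "dpt" in d:
            d["dpt"] = int(d["dpt"])
        events.append(d)
    return events


def parse_firewall(text):
    return _parse(text, FW_RE)


def parse_ids(text):
    return _parse(text, IDS_RE)


def rule_ids_alert_on_allowed_traffic(fw, ids, window_s=60):
    """Rule-based correlation: an IDS alert for src->dst followed within
    window_s seconds by a firewall ACCEPT for the same src->dst pair.
    Returns one finding per alert with the ports the firewall let through."""
    window = timedelta(seconds=window_s)
    findings = []
    for a in ids:
        hits = [f for f in fw
                if f["action"] == "ACCEPT" and f["src"] == a["src"] and f["dst"] == a["dst"]
                and a["ts"] <= f["ts"] <= a["ts"] + window]
        if hits:
            findings.append({"src": a["src"], "dst": a["dst"], "msg": a["msg"],
                             "allowed_ports": sorted({h["dpt"] for h in hits})})
    return findings


def stat_deny_outliers(fw, baseline, sigmas=3.0):
    """Statistical correlation: DENY count per source per one-minute bucket,
    flagged when it exceeds mean + sigmas * stdev of the historical baseline."""
    threshold = statistics.mean(baseline) + sigmas * statistics.pstdev(baseline)
    counts = defaultdict(int)
    for f in fw:
        if f["action"] == "DENY":
            counts[(f["src"], f["ts"].replace(second=0))] += 1
    return [{"src": src, "minute": minute.isoformat(), "denies": n,
             "threshold": round(threshold, 2)}
            for (src, minute), n in sorted(counts.items()) if n > threshold]


def run():
    fw, ids = parse_firewall(FIREWALL_LOG), parse_ids(IDS_LOG)
    return {"rule_based": rule_ids_alert_on_allowed_traffic(fw, ids),
            "statistical": stat_deny_outliers(fw, BASELINE_DENIES_PER_MINUTE)}


if __name__ == "__main__":
    for kind, findings in run().items():
        for finding in findings:
            print(kind, finding)
```

Both rules are driven by the same parsed events, which is the point of getting the data feeds right first: the rule-based check needs the IDS feed and the firewall's accept decisions, while the statistical check needs only the firewall's denies plus a baseline. The baseline here is a hard-coded list; in practice it would be computed from the tool's own history for the same source population.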