Correlation Engine

Document created by chris on Oct 13, 2016
Version 1

SIEMonster's advanced correlation engine uses dynamic asset/field collection to aggregate the events specific to a monitored asset. This enables analysis of all events relating to a specific asset, allowing security operators to query and alert on anomalous activity. Key fields are extracted from each event log, and their field names are rewritten to a single standardized format across all log sources. A new correlation index is then created from these fields, with key data extracted by a Python script and added to a correlation list dynamically. This list data is then used as part of a query to track a particular asset. The asset could be a user, a server/workstation, a VPN access point, a geolocation/IP address, a firewall, a web proxy log, etc.
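The following Python script is an added illustration of the pipeline described above and is not SIEMonster's own code: per-source field names are mapped onto one standardized schema, every distinct asset value seen is collected dynamically into a correlation list, and that list then drives an asset-centric query across all sources. The raw field names, source tags and sample events are constructed for the example; real log sources and SIEMonster's actual field mappings will differ.

```python
"""Asset-centric correlation (added example, not SIEMonster's implementation):
1. normalize field names from several log sources to one schema,
2. build a dynamic correlation list of asset values per key field,
3. query every event relating to one asset regardless of source.
"""
from collections import defaultdict

# Per-source mapping from raw field names to the standardized schema.
# The raw names are assumptions chosen for illustration only.
FIELD_MAP = {
    "windows": {
        "TimeCreated": "timestamp", "EventID": "event_id",
        "TargetUserName": "user", "IpAddress": "src_ip", "Computer": "host",
    },
    "vpn": {
        "ts": "timestamp", "action": "event_id",
        "username": "user", "remote_ip": "src_ip", "gateway": "host",
    },
    "web_proxy": {
        "date": "timestamp", "sc-status": "event_id",
        "cs-username": "user", "c-ip": "src_ip", "s-computername": "host",
    },
}

# Key fields that identify an asset and populate the correlation list.
ASSET_FIELDS = ("user", "src_ip", "host")

# Constructed sample events (source tag, raw record); not real log data.
RAW_EVENTS = [
    ("windows", {"TimeCreated": "2016-10-13T08:00:01Z", "EventID": "4624",
                 "TargetUserName": "alice", "IpAddress": "10.0.0.5", "Computer": "WS01"}),
    ("vpn", {"ts": "2016-10-13T08:05:10Z", "action": "connect",
             "username": "alice", "remote_ip": "203.0.113.7", "gateway": "vpn-gw1"}),
    ("web_proxy", {"date": "2016-10-13T08:06:33Z", "sc-status": "200",
                   "cs-username": "alice", "c-ip": "10.0.0.5", "s-computername": "proxy1"}),
    ("windows", {"TimeCreated": "2016-10-13T08:10:42Z", "EventID": "4625",
                 "TargetUserName": "bob", "IpAddress": "10.0.0.9", "Computer": "WS02"}),
]


def normalize_event(source, raw):
    """Rename source-specific keys to the standard schema and tag the source.
    Keys with no mapping are kept under their original name."""
    mapping = FIELD_MAP[source]
    event = {"source": source}
    for key, value in raw.items():
        event[mapping.get(key, key)] = value
    return event


def build_correlation_list(events):
    """Dynamically collect every distinct asset value seen per key field."""
    correlation = defaultdict(set)
    for event in events:
        for field in ASSET_FIELDS:
            if field in event:
                correlation[field].add(event[field])
    return correlation


def query_asset(events, field, value):
    """Return all normalized events for one asset, across every source,
    ordered by the standardized timestamp."""
    matches = [e for e in events if e.get(field) == value]
    return sorted(matches, key=lambda e: e.get("timestamp", ""))


def sources_per_asset(events, field):
    """Count the distinct log sources each asset value appears in; an asset
    suddenly active across many sources is a useful signal to alert on."""
    seen = defaultdict(set)
    for event in events:
        if field in event:
            seen[event[field]].add(event["source"])
    return {asset: len(sources) for asset, sources in seen.items()}


# Normalized view of the constructed sample, ready for querying.
NORMALIZED = [normalize_event(source, raw) for source, raw in RAW_EVENTS]

if __name__ == "__main__":
    for field, values in build_correlation_list(NORMALIZED).items():
        print(f"{field}: {sorted(values)}")
    for event in query_asset(NORMALIZED, "user", "alice"):
        print(event["timestamp"], event["source"], event["event_id"])
```

Once the correlation list exists, each value in it can be fed back into `query_asset` to build a per-asset timeline, and `sources_per_asset` shows which assets span more than one log source, which is the kind of cross-source view the correlation index is meant to enable.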

