
Unified and Simplified SIEM Event Correlation

Implement SIEM with the five essential security capabilities you need for actionable security intelligence - in a single, unified console and workflow.


AlienVault USM for Advanced SIEM Correlation

Security analysts and IT operations professionals rely on up-to-the-minute information about their environment, and the threats that may be impacting their business. The challenge is that the event log data produced by all of the network devices, servers, endpoints and applications provides only pieces of this puzzle, without any context to make effective decisions. SIEM event correlation delivers that big picture.

There are a few necessary steps when going from raw event log to actionable security intelligence, and AlienVault USM accelerates this process by simplifying each of these steps.

The Event Correlation Process

  1. Collect data from "in scope" devices. After performing built-in asset discovery and inventory scans, AlienVault USM will identify eligible device log data for import and integration.
  2. Normalize event log data. Unfortunately, the event log data produced by different devices looks very different. Leveraging its open API, AlienVault USM parses and normalizes log data for integration into our built-in SIEM analysis engine. With plug-ins for nearly 200 different devices, AlienVault USM can quickly convert raw event log data into actionable intelligence.
  3. Apply event correlation rules and logic. Most traditional, single-purpose SIEM correlation products don't offer very many built-in event correlation rules. In contrast, AlienVault USM provides more than 1500 event correlation rules, all optimized thanks to the essential security capabilities that are built into USM. See below for more detail on how these event correlation rules work.
  4. Review alarms and investigate incidents. Any alarms produced by SIEM correlation should provide enough necessary context and "how to" guidance so that the security analyst knows what to do next. AlienVault USM's intuitive alarm taxonomy helps security analysts prioritize their efforts by highlighting "System Compromise" events over "Reconnaissance and Probing" activities that aren't as critical. Additionally, each alarm comes with customized, "how to" guidance in the form of dynamic incident response templates with step-by-step instructions on how to conduct an investigation based on the unique event correlation involved.
  5. Update rules with real-time threat intelligence. Attacks morph over time, and so should your event correlation rules. AlienVault USM is continually updated by AlienVault Labs threat intelligence. By analyzing millions of malware samples and malicious URLs each day, AlienVault Labs has discovered some of the most advanced and sophisticated attacker tools and techniques. These discoveries are incorporated into emerging threat updates, correlation rules and signatures automatically delivered to the USM platform for advanced event correlation and analysis.
  6. Repeat steps 1-5. When it comes to security intelligence, your work is never done. New threats emerge, new devices come online, and new questions will always need to be asked, and duly answered. Thankfully, AlienVault USM was designed for continuous log analysis, and optimized SIEM event correlation and reporting.
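To make steps 2 through 4 concrete, the following Python script is an added illustration (it is not AlienVault's code and does not use the USM plug-in or directive formats): it normalizes two constructed log formats (OpenSSH-style syslog lines and a made-up LDAP daemon format) into one event schema, then runs a single correlation rule of the cross-protocol brute-force type listed further down the page. The rule raises a "Reconnaissance & Probing" alarm when one source fails authentication four or more times across at least two protocols inside a 60-second window, and escalates the same alarm to "System Compromise" if a successful login from that source follows. The thresholds, the sample log lines and the syslog year are all assumptions chosen for the demo.

```python
"""Added example: normalize disparate log lines, then correlate them into alarms."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample input: two native formats from two "devices".
RAW_LOGS = [
    "Mar 10 09:00:01 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar 10 09:00:03 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Mar 10 09:00:04 bastion sshd[2212]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "2024-03-10T09:00:06Z ldapd[871]: BIND failed dn=cn=root,dc=example,dc=com ip=203.0.113.7 err=49",
    "2024-03-10T09:00:07Z ldapd[871]: BIND failed dn=cn=admin,dc=example,dc=com ip=203.0.113.7 err=49",
    "Mar 10 09:00:09 bastion sshd[2213]: Accepted password for root from 203.0.113.7 port 51025 ssh2",
    "Mar 10 09:30:00 bastion sshd[2300]: Failed password for alice from 198.51.100.5 port 40001 ssh2",
]

SYSLOG_YEAR = 2024          # assumption: classic syslog timestamps carry no year
WINDOW = timedelta(seconds=60)   # assumed correlation window
FAIL_THRESHOLD = 4               # assumed failure count before alarming


@dataclass
class Event:
    """The normalized schema every parser maps into (step 2 on the page)."""
    ts: datetime
    src_ip: str
    user: str
    protocol: str
    outcome: str  # "failure" or "success"


SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
# Hypothetical LDAP daemon format, constructed for this example.
LDAP_RE = re.compile(
    r"^(?P<ts>\S+Z) ldapd\[\d+\]: BIND (?P<result>failed|ok) dn=cn=(?P<user>[^,]+),[^ ]* ip=(?P<ip>[\d.]+)"
)


def normalize(line: str) -> Optional[Event]:
    """Map one raw line to an Event; return None for formats no parser understands."""
    m = SSH_RE.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return Event(ts, m["ip"], m["user"], "ssh",
                     "failure" if m["result"] == "Failed" else "success")
    m = LDAP_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        return Event(ts, m["ip"], m["user"], "ldap",
                     "failure" if m["result"] == "failed" else "success")
    return None


def normalize_all(lines: List[str]) -> List[Event]:
    return [ev for ev in (normalize(l) for l in lines) if ev is not None]


def correlate(events: List[Event]) -> List[dict]:
    """Sliding-window rule: cross-protocol brute force, escalated on a later success (step 3)."""
    alarms: List[dict] = []
    recent_failures = defaultdict(list)  # src_ip -> failures inside WINDOW
    open_alarm = {}                      # src_ip -> index into alarms (demo: never expires)
    for ev in sorted(events, key=lambda e: e.ts):
        # Evict failures that have aged out of the window for this source.
        fails = [f for f in recent_failures[ev.src_ip] if ev.ts - f.ts <= WINDOW]
        recent_failures[ev.src_ip] = fails
        if ev.outcome == "failure":
            fails.append(ev)
            protocols = {f.protocol for f in fails}
            if len(fails) >= FAIL_THRESHOLD and len(protocols) >= 2 and ev.src_ip not in open_alarm:
                alarms.append({
                    "category": "Reconnaissance & Probing",
                    "rule": "cross-protocol brute force",
                    "src_ip": ev.src_ip,
                    "protocols": sorted(protocols),
                    "failures": len(fails),
                    "users": sorted({f.user for f in fails}),
                    "compromised_user": None,
                    "first_seen": fails[0].ts.isoformat(),
                })
                open_alarm[ev.src_ip] = len(alarms) - 1
        elif ev.outcome == "success" and ev.src_ip in open_alarm:
            # A success after a brute-force burst from the same source: escalate (step 4 taxonomy).
            alarm = alarms[open_alarm[ev.src_ip]]
            alarm["category"] = "System Compromise"
            alarm["compromised_user"] = ev.user
    return alarms


if __name__ == "__main__":
    for alarm in correlate(normalize_all(RAW_LOGS)):
        print(alarm)
```

Running the script yields one alarm for 203.0.113.7 that starts as "Reconnaissance & Probing" when the fourth failure arrives over a second protocol and is escalated to "System Compromise" by the subsequent accepted root login; the single failure from 198.51.100.5 never crosses the threshold and produces nothing. The parser-per-format layer is what a plug-in does in a real SIEM, and the sorted, per-source window is the part a correlation engine must get right when events arrive out of order from different devices.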

What is event log correlation?

In simple terms, event correlation provides the ability to discover and apply logical associations among disparate individual raw log events in order to:

  • Make informed security decisions
  • Identify and respond to security threats
  • Validate effectiveness of security controls
  • Measure and report on compliance with PCI, HIPAA, SOX, and other standards
  • Detect policy violations

How AlienVault USM Delivers SIEM Event Correlation

Built-in Essential Security Capabilities Power SIEM Correlation

Unlike single-purpose event correlation software, AlienVault USM combines built-in asset discovery, vulnerability assessment, threat detection, behavioral monitoring and SIEM event correlation into a single management platform. As a result, AlienVault USM avoids the deployment challenge most event correlation software tools face: a lack of actionable intelligence while complicated external third-party data sources are implemented and integrated. As soon as USM is installed, asset discovery and vulnerability scans identify devices and their vulnerabilities. This data is then correlated with data from network IDS technologies such as Snort and Suricata, and host-based IDS data from OSSEC. These rich data sources are analyzed by more than 1500 event correlation rules which are, in part, optimized for these built-in data sources. Even before any device event log data is correlated, AlienVault USM provides context-rich alarms for immediate response and investigation.

Specifically, AlienVault USM's built-in event correlation rules will detect these types of events:

  • Web service attacks (e.g. SQL injection, cross-site scripting, etc.)
  • Client-side exploits (e.g. ActiveX, JavaScript, etc.)
  • Brute-force authentication attacks across protocols (e.g. SSH, LDAP, NetBIOS, etc.)
  • Distributed denial of service attacks (DDoS)
  • Malware detection (e.g. ransomware, trojans, bots and more)
  • Common network attacks (e.g. IP spoofing, hijacking attempts, etc.)
  • Policy violations (e.g. anonymous proxy use, BitTorrent, P2P, etc.)
  • Other suspicious behavior (e.g. login from Tor network)

Unified Workflow, Dashboards and Reporting

Thanks to the rich set of security-relevant data available for event correlation in AlienVault USM, there are a variety of ways to slice and dice this information. With hundreds of reporting templates and modules to choose from, providing the right reports for your organization, and for your auditors is straightforward. Reporting templates for regulatory standards like PCI DSS, ISO 27001, and HIPAA simplify the audit process, and searching the raw event log data via our SIEM query interface means you can answer questions easily.

SIEM dashboard showing security-relevant event correlation data and information.
Search security events and raw event log data via a SIEM query interface to answer questions fast.

Get more than 1500 SIEM event correlation rules out of the box and easily customize for your organization.

Easily Customize Log Correlation Rules

Even though a set of 1500 event correlation rules is comprehensive, there may be some event correlation scenarios specific to your organization that require customized correlation. You may decide to apply custom log correlation rules for specific log sources or in-house applications. Rather than starting from scratch, simply edit one of the built-in AlienVault event correlation directives.

Fuel Your Event Correlation with Crowd-sourced Threat Intelligence

Attacks are constantly morphing and changing, so your monitoring and incident response capabilities should evolve with them. The best way to power your event correlation solution with emerging threat data is through open and shared threat intelligence. With over 8,000 global collection points and contributors in over 140 countries, AlienVault Open Threat Exchange (OTX) is the world's largest crowd-sourced threat intelligence exchange. AlienVault Labs security researchers continually mine this rich and diverse set of data to deliver updated event correlation rules to the AlienVault USM sensors to detect the latest threats.

