Documentation Center
AlienVault® USM Appliance™

Event Correlation

Applies to Product: USM Appliance™ AlienVault OSSIM®

Event Correlation is a key process performed by the AlienVault USM Appliance systems.

What Is Correlation?

Correlation is a process performed by the correlation engine on the AlienVault USM Appliance Server. It identifies potential security threats by detecting behavior patterns across different types of assets, which produce disparate yet related events. Correlation links different events, turning data into more useful information.

The logs received and processed by USM Appliance carry important information such as what your users are doing, what data is being accessed, how your system and network are performing, and if there are any security threats or attacks taking place. However, reading raw logs has the following disadvantages

  • Logs vary from system to system or even from version to version on the same system
  • Logs have limited perspective, because each system sees events from its own perspective
  • Logs are static, fixed points in time, without the full context or sequence of related events

The correlation process on USM Appliance provides answers to these challenges, putting the events into full context. For example, a network firewall sees packets and network sessions, while an application sees users, data, and requests. While different systems report logs of similar activities, the way in which they articulate these activities is quite different. With the help of correlation directives, USM Appliance can correlate the two types of events, generating an alarm if a threat exists.

Event correlation enables security analysts and incident responders to:

  • Make informed decisions on how to respond to security threats
  • Validate effectiveness of existing security controls
  • Measure and report compliance
  • Detect policy violations

How Does Correlation Work?

Correlation typically associates multiple events, of the same or different event types, from the same data source.

After the USM Appliance Server receives normalized events from a USM Appliance Sensor, it evaluates the events against the policies, performs the risk assessment, and then does correlation. The correlation engine applies correlation rules to the events, generating new events, if pertinent, with higher priority and/or reliability values. In such cases, USM Appliance injects the event into the USM Appliance Server as a new event, so that it goes through the same processing sequence again.

An event is required to trigger the subsequent steps in a directive correlation. In instances when an event is not received, the directive will close with a timeout, and no new alarms will be created beyond the ones previously initiated by the directive.

Event processing on the USM Server.

Event processing on the USM Appliance Server

Correlation directives, which contain one or more correlation rules, determine whether or not to connect certain events. The following figure shows a high-level example of a correlation directive. This directive detects brute force authentication events by connecting two types of events, Failed Logins and Successful Login. Based on the number of occurrences of individual events, the correlation engine can conclude that the event represents a case of an administrator mistyping a password (one failed login attempt followed by a successful login), a successful brute force attack with low reliability (10 failed login attempts followed by a successful login), or a successful brute force attack with high reliability (100,000 failed login attempts followed by a successful login). All these events need to come from the same IP address and go to the same IP address, in order for the directive event to be created. The correlation engine can also take into account the reputation of source and destination IP addresses, such as Country of Origin, and match specific rules only if an event is coming from, or destined to, a host with a bad reputation.

Correlation directive example—detecting brute force attacks.

Correlation directive example — detecting brute force attacks

AlienVault OSSIM Limitations: USM Appliance includes a faster and more robust correlation section with more complex correlation directives. AlienVault OSSIM has a smaller number of correlation directives, but you are allowed to customize and build your own directives based on your needs.