THE CORRELATION ADVANTAGES OF ANET SURELOG
INTERNATIONAL EDITION SIEM PRODUCT
TABLE OF CONTENTS
The advantages of SureLog correlation engine
  The taxonomy
    Logs and detected taxonomy examples
  The scenario based rules
    Correlating more than one rule by order or time
    The logical independence
    The threshold rules
  Threat Intelligence
  Example correlation rules
  IntelligentResponse
ANET SURELOG International Edition has many advantages over its rivals in terms of the speed of log collection, big data infrastructure, compliance reports, ease of use, user interface, the number of supported devices, distributed architecture, taxonomy and correlation features.
The most important feature of a SIEM product is correlation: it analyzes many different logs and correlates them to reach an exact result.
Before discussing the correlation advantages of the ANET SURELOG International Edition product, the main features of its correlation engine are:
 SureLog is fast: it supports 50,000 EPS with thousands of rules.
 Rule chains.
 Advanced correlation rules.
 SureLog supports rule suspending: preventing a rule from firing for a defined time period, e.g. suspend Rule A for 1 hour after it fires.
 Compression-based correlation. Monitors multiple occurrences of the same event, removes redundancies and reports them as a single event.
 Has a visual user interface for writing correlation rules.
 Has a TAG feature, which does not exist even in many global products (fields are added automatically or manually by the user).
 Threshold-based correlation. Uses a threshold to trigger a report when a specified number of similar events occur.
 Filter-based correlation. Inspects each event to determine whether it matches a pattern defined by a regular expression. If a match is found, an action may be triggered as specified in the rule.
 Sequence-based correlation. Helps to establish causality of events. Events can be correlated based on specific sequential relationships, for example synchronizing multiple events such as event A being followed by event B to trigger an action.
 Time-based correlation.
 Supports negative-case rules (event X occurs and then event Y does not), which do not exist even in many global products.
 Supports context-based correlation, which does not exist even in many global products.
 Supports hierarchical correlation, which does not exist even in many global products.
 Supports dynamic correlation list management, which does not exist even in many global products.
 It has wide support of operators. For example:
The advantages of SureLog correlation engine:
The advantages of the SureLog product compared to existing SIEM products are explained in this part. These advantages fall into four main categories:
 The taxonomy
 The scenario based rules
 Threat Intelligence
 IntelligentResponse
The taxonomy:
The taxonomy is defined as grouping in its simplest form. To give an example:
 A router login process
 A switch login process
 A firewall login process
 A Windows server login process
 A Linux login process
All these login processes are grouped as a login process under a single group. This both enables reporting with one click ("Report all login processes in my network") and allows writing a correlation rule such as: after a UTM device blocks 15 packets from the same IP as infected, if a login attempt to the network occurs within 5 minutes, mail the information of the machine making this login attempt and of the machine exposed to it.
Taxonomy is a mapping of information from heterogeneous sources to a common classification. A taxonomy aids in pattern recognition and also improves the scope and stability of correlation rules. When events from heterogeneous sources are normalized they can be analyzed by a smaller number of correlation rules, which reduces deployment and support labor. In addition, normalized events are easier to work with when developing reports and dashboards.
Taxonomy is the process of creating and adding valuable log type (group) information to the normalized event, as the result of evaluating the source's signature database, pointers in the log (like system-alert-00016), and the direct meanings contained in the log (zone untrust, int untrust).
Some of the existing 1537 taxonomy groups in SureLog:
• Reconnaissance->Scan->Host
• TCPTrafficAudit->TCP SYN Flag
• ICMPTrafficAudit
• NamingTrafficAudit
• Malicious->Web->SQL
• Flow->Fragmentation
• httpproxy->TrafficAuditaccept
• HTTPDynamicContentAccess
• WebTrafficAudit.Web Content
• HealthStatus.Informational.Traffic.Start
• Malicious.BufferOverflow
• Malicious.Trojan
• PolicyViolation
• Malicious.Web.Attack
Logs and detected taxonomy examples:
Fortigate
o Log: date=2014-05-11 time=18:52:15 devname=JLL_FW devid=FG200B3910602686
logid=0419016384 type=utmsubtype=ipseventtype=signaturelevel=alertvd="root"
severity=lowsrcip=192.168.100.45 dstip=192.168.100.45 srcintf="port2"
dstintf="Vlan_3" policyid=49 identidx=0 sessionid=388914 status=detectedproto=6
service=http count=1 attackname="ZmEu.Vulnerability.Scanner" srcport=38281
dstport=80 attackid=30024 sensor="all_default_pass"
ref="http://www.fortinet.com/ids/VID30024" incidentserialno=1432164121
msg="web_app3: ZmEu.Vulnerability.Scanner,"
o Taxonomy: HTTPDynamicContentAccess
Netscreen
o Log:2010-05-27 10:52:57 Local0.Notice 192.168.0.251 Prolink_SSG20:
NetScreendevice_id=Prolink_SSG20 [Root]system-notification-00257(traffic):
start_time="2010-05-27 09:53:44" duration=304 policy_id=190 service=http proto=6
srczone=DMZ dstzone=Untrustaction=Permit sent=788 rcvd=558 src=172.16.0.200
dst=91.191.162.21 src_port=57693 dst_port=80 src-xlated ip=85.99.239.110
port=2976 dst-xlated ip=91.191.162.21 port=80 session_id=7456 reason=Close - AGE
OUT<000>
o Taxonomy: TCPTrafficAudit
Paloalto
o Log:Jan 6 18:26:27 1,2012/01/06 18:26:27,0004C100842,THREAT,url,1,2012/01/06
18:26:25,10.141.0.96,84.51.27.173,0.0.0.0,0.0.0.0,Default
Out,superfreshmun001tr,,web-
browsing,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,anet,2012/01/06
18:26:26,51273,1,1924,80,0,0,0x8000,tcp,alert,"mobis.ulker.com.tr/dss/raporlar/ra
p_anlik_satis.aspx",(9999),Kerevitas_WhiteList,informational,client-to-
server,0,0x0,10.0.0.0-10.255.255.255,Turkey,0,text/html
o Taxonomy: WebTrafficAudit.Web Content
Sonicwall
o Log:<134>id=firewall sn=0017C5598622 time="2011-02-13 16:20:31"
fw=81.214.84.237 pri=6 c=1024 m=537 msg="Connection Closed" n=0
src=81.214.84.237:4854:X1: dst=195.175.39.40:53:X1:ttdns40.ttnet.net.tr
proto=udp/dns sent=75 rcvd=414
o Taxonomy: NamingTrafficAudit
Cisco Pix
o Log:Aug 17 2011 15:04:42 212.109.105.1 : %PIX-6-302013: Builtinbound TCP
connection 2493108 for outside:78.187.203.198/16884 (78.187.203.198/16884) to
inside:192.168.147.2/80 (212.109.105.3/80}
o Taxonomy: HealthStatus.Informational.Traffic.Start
Snort
o Log:09/22-21:03:36.341625 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**]
[Classification: Executablecodewasdetected] [Priority: 1] {TCP} 188.72.243.72:80 ->
192.168.3.65:1035
o Taxonomy: Malicious.BufferOverflow
o Log:09/22-21:03:36.341958 [**] [1:2013976:10] ET TROJAN Zeus POST RequesttoCnC
- URL agnostic [**] [Classification: A Network Trojanwasdetected] [Priority: 1] {TCP}
192.168.3.65:1036 -> 188.72.243.72:80
o Taxonomy: Malicious.Trojan
o Log:09/22-21:03:36.306197 [**] [1:2014819:1] ET INFO PackedExecutableDownload
[**] [Classification: Miscactivity] [Priority: 3] {TCP} 188.72.243.72:80 ->
192.168.3.65:1033
o Taxonomy: PolicyViolation
o Log:09/22-21:03:36.306197 [**] [1:15306:12] FILE-IDENTIFY
PortableExecutablebinary file magicdetection [**] [Classification: Miscactivity]
[Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1033
o Taxonomy: Malicious.Web.Attack
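The vendor logs above all end up as a single taxonomy label, which is what lets one correlation rule cover every vendor. The following Python block is an added example (it is not SureLog code and does not reproduce its signature database) of how such a normalizer works: a key=value parser for Fortigate/SonicWall-style logs, a regex for Snort alerts, a signature-id lookup built from the log/taxonomy pairs listed on this page, and a fallback on "direct meanings" in the log (service or protocol words). The SERVICE_TAXONOMY mapping, the sample log lines and the "Unclassified" label are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed signature table: (vendor, signature id) -> taxonomy group.
# These pairs reproduce the log/taxonomy pairs listed on the page; a real
# deployment carries millions of such entries (the page cites ~3 million).
SIGNATURE_TAXONOMY: Dict[Tuple[str, str], str] = {
    ("fortigate", "30024"): "HTTPDynamicContentAccess",
    ("snort", "1:12798"): "Malicious.BufferOverflow",
    ("snort", "1:2013976"): "Malicious.Trojan",
    ("snort", "1:2014819"): "PolicyViolation",
    ("snort", "1:15306"): "Malicious.Web.Attack",
}

# Fallback on "direct meanings" in the log (service / protocol words) when no
# signature id is present. The word -> group mapping is assumed for this example.
SERVICE_TAXONOMY = {
    "dns": "NamingTrafficAudit",
    "icmp": "ICMPTrafficAudit",
    "http": "WebTrafficAudit.Web Content",
}

@dataclass
class NormalizedEvent:
    vendor: str
    src: Optional[str]
    dst: Optional[str]
    signature: Optional[str]
    taxonomy: str

# key=value pairs, quoted or bare (Fortigate / SonicWall style)
KV_RE = re.compile(r'([A-Za-z][\w-]*)=("([^"]*)"|\S+)')
# Snort fast alert: [gid:sid:rev] ... {PROTO} src:port -> dst:port
SNORT_RE = re.compile(r'\[(\d+:\d+):\d+\].*?\{(\w+)\}\s+([\d.]+):\d+\s+->\s+([\d.]+):\d+')

def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value vendor log into a dict (quoted values are unquoted)."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields

def _first_ip(value: Optional[str]) -> Optional[str]:
    """'81.214.84.237:4854:X1:' -> '81.214.84.237'."""
    return value.split(":")[0] if value else None

def normalize(vendor: str, line: str) -> NormalizedEvent:
    """Map one vendor-specific log line onto the common taxonomy."""
    vendor = vendor.lower()
    if vendor == "snort":
        m = SNORT_RE.search(line)
        if m is None:
            raise ValueError("unrecognised Snort alert format")
        sig, src, dst = m.group(1), m.group(3), m.group(4)
        fields = {"proto": m.group(2).lower()}
    else:
        fields = parse_kv(line)
        sig = fields.get("attackid")
        src = _first_ip(fields.get("srcip") or fields.get("src"))
        dst = _first_ip(fields.get("dstip") or fields.get("dst"))
    # 1) signature database lookup (the pointer carried in the log)
    taxonomy = SIGNATURE_TAXONOMY.get((vendor, sig)) if sig else None
    # 2) direct meaning: service / protocol words in the log
    if taxonomy is None:
        svc = (fields.get("service") or fields.get("proto") or "").lower()
        taxonomy = next((g for w, g in SERVICE_TAXONOMY.items() if w in svc), "Unclassified")
    return NormalizedEvent(vendor, src, dst, sig, taxonomy)

def in_group(events, prefix: str):
    """One rule over the taxonomy instead of one per vendor, e.g. prefix 'Malicious'."""
    return [e for e in events if e.taxonomy.startswith(prefix)]

# Constructed sample lines, modelled on the vendor examples given on the page.
FORTIGATE_LOG = ('date=2014-05-11 time=18:52:15 devname=JLL_FW type=utm subtype=ips '
                 'severity=low srcip=192.168.100.45 dstip=192.168.100.45 service=http '
                 'attackname="ZmEu.Vulnerability.Scanner" dstport=80 attackid=30024')
SONICWALL_LOG = ('id=firewall sn=0017C5598622 time="2011-02-13 16:20:31" msg="Connection Closed" '
                 'src=81.214.84.237:4854:X1: dst=195.175.39.40:53:X1:ttdns40.ttnet.net.tr '
                 'proto=udp/dns sent=75 rcvd=414')
SNORT_LOG = ('09/22-21:03:36.341625 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] '
             '[Classification: Executable code was detected] [Priority: 1] {TCP} '
             '188.72.243.72:80 -> 192.168.3.65:1035')

if __name__ == "__main__":
    batch = [normalize("fortigate", FORTIGATE_LOG),
             normalize("sonicwall", SONICWALL_LOG),
             normalize("snort", SNORT_LOG)]
    for e in batch:
        print(e)
    print("malicious sources:", [e.src for e in in_group(batch, "Malicious")])
```

Signature lookup runs before the word-based fallback on purpose: a signature id is an exact pointer into the source's database, while a service word is only a hint, so the more specific classification wins when both are present.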
The taxonomy module in the correlation wizard is shown in the following figure:
SureLog International Edition has about 3 million signatures for about 350 log types.
SureLog Taxonomy Examples:
 “SuccessfulLogin”
 “Malicious DNS Attack”
 “CompromisedVirusAttachmentNotCleaned”
 “Informational VPN TunnelFailed”
 “Informational.Traffic.Start”
The taxonomy process uses:
 Word bases, word(s), service combinations,
 System signatures (fingerprints) of the sources from which data is collected,
 and so on.
The taxonomy is produced by various combinations and a signification process applied to the incoming data.
A sensor decides which parts of the incoming data to examine.
For more information about Taxonomy :
https://www.novell.com/developer/plugin-sdk/sentinel_taxonomy.html
http://www.slideshare.net/anetertugrul/sure-log-context-sensitive-scalable-siem-solution
http://www.slideshare.net/anetertugrul/siniflandirma-temell-korelasyon-yaklaimi
The scenario based rules:
Scenario-based rules bring a scenario-based approach to events: the whole sequence is examined rather than individual logs.
A sample rule:
1. Warn if user A fails to log into server X (failed authentication) and within two hours user A still does not log into the same server X.
To develop a scenario-based rule:
 Rule severity: running more than one rule in order or according to the time relation among them.
 A further correlation rule can be created from more than one correlation.
 Rules can be written for some of several different events occurring sequentially during a certain period of time while the others do not occur (X and not Y).
 Rules can be written for several different events occurring sequentially during a certain period of time (X and Y).
 A priority value is given to each correlation rule.
Correlating more than one rule by order or time
More than one rule can be correlated, and a conclusion drawn, according to whether the source IP, destination IP, computer name, and source and destination ports are the same or not, relating the rules by order or by time.
For example:
After 15 packets are blocked from the same IP in one minute, warn if a successful login occurs to that IP.
After 15 packets are blocked from the same IP, warn if a successful login occurs to that IP within 5 minutes.
Following the same logic, rules for some events occurring sequentially during a certain period of time while the others do not occur (X and not Y) can be written.
As shown in the editor above, an alarm can be created in the form: first the Part1_rule occurs, then the not_port rule occurs, and then the part_3 rule occurs.
The logical independence
Developing a scenario-based rule requires full flexibility when setting up the relations among logs. Any property of any normalized log should be correlatable with a property of another log (for example: source IP), and logical operations should then be applied to the result. SureLog.Int.Ed provides this.
Example: warn if user A fails to log into server X (failed authentication) and within two hours user A still does not log into the same server X.
As seen from the rule above, the same user (A) and server (X) are expected in both logs. It is also expected that the second event does not occur in the second step of the scenario within the specified time.
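The rule above is the negative case ("X and then not Y"): the alert fires only when the window closes without the second event, and both logs must agree on the same user and server. The following Python block is an added example of that logic, not SureLog code. Its event kinds (`login_failed`, `login_success`), the two-hour window and the sample events are constructed for the example; the clock is driven by event timestamps plus a final flush, which is how a stream-processing engine must handle the absence of an event.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW = timedelta(hours=2)

class AbsenceRule:
    """'X and then NOT Y within the window' correlation.

    X = failed login of user A to server X, Y = successful login of the same
    user to the same server. The correlation key (user, server) must match in
    both logs; the alert fires only when the window closes with no Y seen."""

    def __init__(self, window: timedelta = WINDOW):
        self.window = window
        self.pending: Dict[Tuple[str, str], datetime] = {}   # key -> deadline
        self.alerts: List[str] = []

    def on_event(self, ts: datetime, kind: str, user: str, server: str) -> None:
        self.expire(ts)                      # the clock moves forward with each event
        key = (user, server)
        if kind == "login_failed":
            # only the first failure opens the window; repeats do not extend it
            self.pending.setdefault(key, ts + self.window)
        elif kind == "login_success":
            # Y arrived in time: the scenario is NOT satisfied, forget the key
            self.pending.pop(key, None)

    def expire(self, now: datetime) -> None:
        """Fire for every pending key whose window has closed without a Y."""
        for key, deadline in list(self.pending.items()):
            if now >= deadline:
                user, server = key
                self.alerts.append(f"{user} failed to log into {server} and did not "
                                   f"log in within {self.window}")
                del self.pending[key]

def _t(h: int, m: int) -> datetime:
    return datetime(2024, 1, 1, h, m)

# Constructed authentication events: (timestamp, kind, user, server).
EVENTS = [
    (_t(9, 0),   "login_failed",  "alice", "srv1"),
    (_t(9, 5),   "login_failed",  "bob",   "srv2"),
    (_t(9, 10),  "login_failed",  "carol", "srv1"),
    (_t(9, 20),  "login_failed",  "alice", "srv1"),   # repeat: window stays 09:00-11:00
    (_t(10, 0),  "login_success", "alice", "srv1"),   # Y in time -> no alert for alice
    (_t(11, 30), "login_success", "carol", "srv1"),   # too late: carol's window closed 11:10
]

def run_scenario(events=EVENTS, end: datetime = _t(12, 0)) -> List[str]:
    """Replay the events, then advance the clock to `end` to flush open windows."""
    rule = AbsenceRule()
    for ts, kind, user, server in events:
        rule.on_event(ts, kind, user, server)
    rule.expire(end)
    return rule.alerts

if __name__ == "__main__":
    for alert in run_scenario():
        print(alert)
```

Two details matter in practice: a later failure does not extend an already open window (otherwise a slow trickle of failures keeps the alert from ever firing), and the engine needs a periodic tick (`expire`) even when no events arrive, because the condition being detected is precisely that nothing happened.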
The threshold rules:
Threshold rules detect one or many different events occurring many times within a specified time (time window). The rule development wizard is shown below.
The TheSameEvents and DifferentEvents settings are an outstanding feature compared with the similar products in which such rules are written. In addition, the result of this counting feature can be connected to another rule.
For example: if 15 packets from the same source are blocked by the system because the source is infected with a virus, and a successful login occurs to the same source within 5 minutes, detect the machine that makes this successful login attempt.
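Connecting a threshold result to a second rule is the pattern in the example just given and in the "correlating by order or time" section above. The Python block below is an added example, not SureLog code, of a threshold rule (15 blocked packets from one source within 60 seconds) whose result arms a sequence rule (a successful login from that source within 5 minutes). The taxonomy name `PacketBlocked` is assumed for this example; `SuccessfulLogin` is a taxonomy group named on this page. The event stream is constructed and already normalized, with timestamps in seconds.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

BLOCK_THRESHOLD = 15      # blocked packets ...
BLOCK_WINDOW = 60         # ... within this many seconds (the threshold rule)
LOGIN_WINDOW = 300        # then a successful login within 5 minutes (the chained rule)

class BlockedThenLoginRule:
    """Threshold rule chained into a sequence rule, keyed on source IP."""

    def __init__(self):
        self.blocks: Dict[str, Deque[int]] = defaultdict(deque)  # ip -> block timestamps
        self.flagged: Dict[str, int] = {}     # ip -> time the login window closes
        self.alerts: List[Tuple[int, str, str]] = []

    def on_event(self, ts: int, taxonomy: str, src_ip: str, detail: str = "") -> None:
        if taxonomy == "PacketBlocked":                 # assumed taxonomy name
            q = self.blocks[src_ip]
            q.append(ts)
            while q and ts - q[0] > BLOCK_WINDOW:       # slide the counting window
                q.popleft()
            if len(q) >= BLOCK_THRESHOLD:
                self.flagged[src_ip] = ts + LOGIN_WINDOW  # threshold result feeds the next rule
                q.clear()                               # the next 15 blocks start a fresh count
        elif taxonomy == "SuccessfulLogin":             # taxonomy group named on the page
            deadline = self.flagged.get(src_ip)
            if deadline is not None and ts <= deadline:
                self.alerts.append((ts, src_ip, detail))
                del self.flagged[src_ip]

def build_sample_events() -> List[Tuple[int, str, str, str]]:
    """Constructed, already-normalized events: (seconds, taxonomy, src_ip, detail)."""
    ev = [(t, "PacketBlocked", "10.0.0.5", "") for t in range(0, 30, 2)]      # 15 blocks in 30 s
    ev.append((200, "SuccessfulLogin", "10.0.0.5", "ssh srv-db"))            # within 5 min -> alert
    ev += [(t, "PacketBlocked", "10.0.0.9", "") for t in range(0, 150, 10)]   # 15 blocks over 140 s
    ev.append((160, "SuccessfulLogin", "10.0.0.9", "rdp srv-app"))           # never 15 in 60 s -> no alert
    ev += [(t, "PacketBlocked", "10.0.0.7", "") for t in range(0, 15)]        # 15 blocks in 15 s
    ev.append((1000, "SuccessfulLogin", "10.0.0.7", "ssh srv-web"))          # login too late -> no alert
    return sorted(ev, key=lambda e: e[0])

def run_rule(events=None) -> List[Tuple[int, str, str]]:
    """Replay an event stream through the chained rule and return its alerts."""
    rule = BlockedThenLoginRule()
    for ts, taxonomy, ip, detail in (events or build_sample_events()):
        rule.on_event(ts, taxonomy, ip, detail)
    return rule.alerts

if __name__ == "__main__":
    for ts, ip, detail in run_rule():
        print(f"t={ts}s login from flagged source {ip}: {detail}")
```

Only the first host trips the alert: the second never reaches 15 blocks inside a single 60-second window, and the third logs in after the 5-minute window has closed. Clearing the deque when the threshold fires keeps one burst from re-arming the sequence rule on every subsequent packet.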
Threat Intelligence:
 Threat Intelligence is integrated with different global sources (IP blocklists, spammer lists, etc.), takes blacklists from them and works as a warning system using these data.
Example correlation rules:
 After the security device has blocked 15 packets from the same source, detect whether someone logs into the system from any point (Linux, Windows, router, switch, firewall, etc.).
 A sample correlation rule for port/network scan detection: warn if access attempts are made to 100 different ports from the same source IP to the same destination IP in one hour.
 After any user makes 3 or more failed logon attempts to any system (firewall, Windows, Linux, switch, etc.) in one hour, warn about all failed logon attempts of that user during the next 7 days (X days).
 Warn if 60 connections are established from different sources to the same IP and destination port in one minute.
 After 15 packets are blocked from the same IP in one minute, warn if a successful login occurs to that IP.
 Detect the IP address that makes 100 requests to port 22 of different IPs in one hour.
 A sample correlation rule for fraud detection: if the same user tries to access your system from different countries, that user is probably committing fraud.
 To find out whether someone has set up a DHCP server in your network or a different gateway is broadcasting: warn if traffic occurs from inside to outside or from outside to inside whose protocol is UDP, destination port is 67, and destination IP is not in the registered IP list.
 Is someone making an RDP scan? A sample correlation rule for detecting this: detect the IP address that makes 100 requests to TCP port 3389 of different IPs in one hour.
 Warn if 5 failed logon attempts are made with different usernames from the same IP to the same machine in 15 minutes and after that a successful login occurs from the same IP to any machine.
 After 15 packets are blocked from the same IP, warn if a successful login occurs to that IP within 5 minutes.
 If 15 packets are blocked from the same source because it is infected with a virus, and a successful login occurs to the same source within 5 minutes, detect the machine that makes this successful login attempt.
 Warn if a new user account is created, the system is accessed with this user, and the login fails.
 Warn if the same user logs into a Linux server, then logs into a Windows server, and then a service is stopped on either of these two servers.
 Your technical consultants connect to your company remotely via RDP and then connect to their consultancy system either through a portal or using a client. A special correlation rule for such situations: warn if a user logs into the system and within 10 minutes that user does not log in through portallogin.html or does not run saplogon.exe.
 A sample correlation rule for brute-force attempt detection: if too many failed login attempts occur from the same IP for the same or different users in a short time, these logs could be the sign of a brute-force attempt.
 Warn if an IP that was reported by the UTM/IDS/IPS as the source of an attack becomes the target of another attack within 15 minutes.
 If the traffic of any user is blocked by a firewall rule X times in one second, detect this user and the rule blocking it.
 Warn (or take action) if user A fails to log into server X with a failed authentication and within two hours user A still does not log into the same server X.
 Warn if first event A occurs, then event B, then event C within 5 minutes, and then event D occurs.
 Warn if first event A occurs, then event B, then event C does not occur within 5 minutes, and then event D occurs.
 Warn if cgi, asp, aspx, jar, php, exe, com, cmd, sh or bat files (batch files) are uploaded to the web server to be executed remotely.
 W32.Blaster worm: warn if 10 denied or successful anonymous login attempts occur in one minute.
 Warn if a user fails to log into the system with a failed authentication and within two hours email is sent from that user's account even though the user has not logged into the system.
 Warn if 5 failed logon attempts are made with different usernames from the same IP to the same machine in 15 minutes and after that a successful login occurs from the same IP to any machine.
 If a host scan is made by an IP, then a successful connection is established by the same IP, and then a reverse connection is established from the connected IP back to the connecting IP.
 Warn if more than 100 connections are established from different external IPs to the same destination IP in one minute.
 Warn if 100 connections are established from the same external IP through different ports to the same destination IP in one minute.
 Warn if the same user makes more than three failed logon attempts to the same machine in an hour.
 Warn once if more than 100 packets are blocked by the UTM/firewall from the same source IP, and do not warn again within an hour. (Millions of packets are blocked during a DDoS attack; if an email is sent for each, you expose yourself to a DDoS attack of your own.)
 Report the source IP that causes UnusualUDPTraffic.
 Warn if traffic occurs to or from a source in the IPReputation list.
 Warn if network traffic occurs from or to a source in the malicious link list published by the National Cyber Response to Events (NCRE) Center.
 Warn if an IP scan occurs.
 Warn if a SQL attack occurs via the web server.
 Warn if the same user makes more than three failed logon attempts to different machines in a minute.
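Two of the rules above need more than a plain event count: the port-scan rule counts distinct destination ports per source/destination pair within an hour, and the "warn once, then stay quiet for an hour" rule is the rule suspension feature from the feature list, there to keep a flood from turning the SIEM's own alert mail into a second denial of service. The Python block below is an added example, not SureLog code, that implements both on one rule: a sliding one-hour window of (time, port) per pair, a distinct-port threshold of 100, and a per-pair suspension after firing. The connection log is constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

SCAN_PORTS = 100          # distinct destination ports ...
SCAN_WINDOW = 3600        # ... from one source to one destination within an hour
SUSPEND_SECONDS = 3600    # after firing, stay quiet for this pair for an hour

class PortScanRule:
    """Distinct-value threshold with rule suspension after firing."""

    def __init__(self):
        self.seen: Dict[Tuple[str, str], Deque[Tuple[int, int]]] = defaultdict(deque)
        self.suspended_until: Dict[Tuple[str, str], int] = {}
        self.alerts: List[Tuple[int, str, str, int]] = []

    def on_connection(self, ts: int, src: str, dst: str, dport: int) -> bool:
        """Feed one connection event; return True if an alert was raised."""
        key = (src, dst)
        q = self.seen[key]
        q.append((ts, dport))
        while q and ts - q[0][0] > SCAN_WINDOW:          # drop events older than the window
            q.popleft()
        distinct = {port for _, port in q}                # count ports, not connections
        if len(distinct) < SCAN_PORTS:
            return False
        if self.suspended_until.get(key, -1) > ts:        # rule suspended: already warned
            return False
        self.alerts.append((ts, src, dst, len(distinct)))
        self.suspended_until[key] = ts + SUSPEND_SECONDS  # warn once, then suspend for an hour
        return True

def build_sample_connections() -> List[Tuple[int, str, str, int]]:
    """Constructed connection log: (seconds, src, dst, dport)."""
    conns = []
    # a host touching ports 1..150, one every 2 s (reaches 100 distinct ports at t=198)
    conns += [(2 * i, "203.0.113.7", "10.0.0.20", i + 1) for i in range(150)]
    # a normal client: 200 connections, but only to ports 80 and 443 (never fires)
    conns += [(3 * i, "10.0.0.50", "10.0.0.20", 80 if i % 2 else 443) for i in range(200)]
    # the same host two hours later: window and suspension both elapsed, so it fires again
    conns += [(7200 + 2 * i, "203.0.113.7", "10.0.0.20", i + 1) for i in range(100)]
    return sorted(conns, key=lambda c: c[0])

def run_scan_rule(conns=None) -> List[Tuple[int, str, str, int]]:
    """Replay a connection log through the rule and return its alerts."""
    rule = PortScanRule()
    for ts, src, dst, dport in (conns or build_sample_connections()):
        rule.on_connection(ts, src, dst, dport)
    return rule.alerts

if __name__ == "__main__":
    for ts, src, dst, n in run_scan_rule():
        print(f"t={ts}s {src} -> {dst}: {n} distinct ports in the last hour")
```

The first pass produces exactly one alert even though ports 101 to 150 keep the condition true for another 100 seconds; the busy but legitimate client never fires because it only ever touches two ports; and the repeat two hours later fires again because both the counting window and the suspension have expired by then.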
IntelligentResponse
The ANET SureLog SIEM product handles correlation alerts and actions in a smart way through its intelligent response system.
The power of this module, called Intelligent Response, in fact emerges from the power of the correlation engine. Although the SureLog correlation engine is built on fully visual wizards and drag & drop, the rules created easily through the visual wizards are converted to JAVA [5] code in the background and run as a program thread. In this way, users who know JAVA can create correlation rules by writing JAVA code with the expert mode feature, which is included only in the SureLog product, and thereby all kinds of logic can be run without limit using either visual wizards or Java code.
http://www.slideshare.net/anetertugrul/anet-surelog-siem-intelligentresponse-54274144

Test automation: Are Enterprises ready to bite the bullet?Test automation: Are Enterprises ready to bite the bullet?
Test automation: Are Enterprises ready to bite the bullet?
 
DevOps_SelfHealing
DevOps_SelfHealingDevOps_SelfHealing
DevOps_SelfHealing
 
Darktrace_Threat_Visualizer_User_Guide.pdf
Darktrace_Threat_Visualizer_User_Guide.pdfDarktrace_Threat_Visualizer_User_Guide.pdf
Darktrace_Threat_Visualizer_User_Guide.pdf
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment Report
 
2005 issa journal-simsevaluation
2005 issa journal-simsevaluation2005 issa journal-simsevaluation
2005 issa journal-simsevaluation
 
Netop Remote Control Security Overview
Netop Remote Control Security OverviewNetop Remote Control Security Overview
Netop Remote Control Security Overview
 
Agents vs Agentless
Agents vs AgentlessAgents vs Agentless
Agents vs Agentless
 
Deploying Network Taps for Improved Security
Deploying Network Taps for Improved SecurityDeploying Network Taps for Improved Security
Deploying Network Taps for Improved Security
 

More from Ertugrul Akbas

BDDK, SPK, TCMB, Cumhurbaşkanlığı Dijital Dönüşüm Ofisi ve ISO27001 Denetiml...
BDDK, SPK, TCMB, Cumhurbaşkanlığı Dijital Dönüşüm Ofisi ve  ISO27001 Denetiml...BDDK, SPK, TCMB, Cumhurbaşkanlığı Dijital Dönüşüm Ofisi ve  ISO27001 Denetiml...
BDDK, SPK, TCMB, Cumhurbaşkanlığı Dijital Dönüşüm Ofisi ve ISO27001 Denetiml...Ertugrul Akbas
 
Olay Müdahale İçin Canlı Kayıtların Saklanmasının Önemi
Olay Müdahale İçin Canlı Kayıtların Saklanmasının ÖnemiOlay Müdahale İçin Canlı Kayıtların Saklanmasının Önemi
Olay Müdahale İçin Canlı Kayıtların Saklanmasının ÖnemiErtugrul Akbas
 
SOC ve SIEM Çözümlerinde Korelasyon
SOC ve SIEM Çözümlerinde KorelasyonSOC ve SIEM Çözümlerinde Korelasyon
SOC ve SIEM Çözümlerinde KorelasyonErtugrul Akbas
 
SIEM den Maksimum Fayda Almak
SIEM den Maksimum Fayda AlmakSIEM den Maksimum Fayda Almak
SIEM den Maksimum Fayda AlmakErtugrul Akbas
 
SureLog SIEM Fast Edition Özellikleri ve Fiyatı
SureLog SIEM Fast Edition Özellikleri ve FiyatıSureLog SIEM Fast Edition Özellikleri ve Fiyatı
SureLog SIEM Fast Edition Özellikleri ve FiyatıErtugrul Akbas
 
SureLog SIEM Fast Edition
SureLog SIEM Fast EditionSureLog SIEM Fast Edition
SureLog SIEM Fast EditionErtugrul Akbas
 
SureLog intelligent response
SureLog intelligent responseSureLog intelligent response
SureLog intelligent responseErtugrul Akbas
 
SureLog SIEM Has The Best On-Line Log Retention Time (Hot Storage).
SureLog SIEM Has The Best On-Line Log Retention Time (Hot Storage).SureLog SIEM Has The Best On-Line Log Retention Time (Hot Storage).
SureLog SIEM Has The Best On-Line Log Retention Time (Hot Storage).Ertugrul Akbas
 
Detecting attacks with SureLog SIEM
Detecting attacks with SureLog SIEMDetecting attacks with SureLog SIEM
Detecting attacks with SureLog SIEMErtugrul Akbas
 
SIEM ve KVKK Teknik Tedbirlerinin ANET SureLog SIEM ile uygulanması
SIEM ve KVKK Teknik Tedbirlerinin  ANET SureLog SIEM  ile uygulanması SIEM ve KVKK Teknik Tedbirlerinin  ANET SureLog SIEM  ile uygulanması
SIEM ve KVKK Teknik Tedbirlerinin ANET SureLog SIEM ile uygulanması Ertugrul Akbas
 

More from Ertugrul Akbas (20)

BDDK, SPK, TCMB, Cumhurbaşkanlığı Dijital Dönüşüm Ofisi ve ISO27001 Denetiml...
BDDK, SPK, TCMB, Cumhurbaşkanlığı Dijital Dönüşüm Ofisi ve  ISO27001 Denetiml...BDDK, SPK, TCMB, Cumhurbaşkanlığı Dijital Dönüşüm Ofisi ve  ISO27001 Denetiml...
BDDK, SPK, TCMB, Cumhurbaşkanlığı Dijital Dönüşüm Ofisi ve ISO27001 Denetiml...
 
Olay Müdahale İçin Canlı Kayıtların Saklanmasının Önemi
Olay Müdahale İçin Canlı Kayıtların Saklanmasının ÖnemiOlay Müdahale İçin Canlı Kayıtların Saklanmasının Önemi
Olay Müdahale İçin Canlı Kayıtların Saklanmasının Önemi
 
SOC ve SIEM Çözümlerinde Korelasyon
SOC ve SIEM Çözümlerinde KorelasyonSOC ve SIEM Çözümlerinde Korelasyon
SOC ve SIEM Çözümlerinde Korelasyon
 
SIEM den Maksimum Fayda Almak
SIEM den Maksimum Fayda AlmakSIEM den Maksimum Fayda Almak
SIEM den Maksimum Fayda Almak
 
SureLog SIEM Fast Edition Özellikleri ve Fiyatı
SureLog SIEM Fast Edition Özellikleri ve FiyatıSureLog SIEM Fast Edition Özellikleri ve Fiyatı
SureLog SIEM Fast Edition Özellikleri ve Fiyatı
 
Neden SureLog?
Neden SureLog?Neden SureLog?
Neden SureLog?
 
SureLog SIEM
SureLog SIEMSureLog SIEM
SureLog SIEM
 
SureLog SIEM Fast Edition
SureLog SIEM Fast EditionSureLog SIEM Fast Edition
SureLog SIEM Fast Edition
 
SureLog SIEM
SureLog SIEMSureLog SIEM
SureLog SIEM
 
SureLog SIEM
SureLog SIEMSureLog SIEM
SureLog SIEM
 
SureLog SIEM
SureLog SIEMSureLog SIEM
SureLog SIEM
 
SureLog SIEM
SureLog SIEMSureLog SIEM
SureLog SIEM
 
SureLog SIEM
SureLog SIEMSureLog SIEM
SureLog SIEM
 
SureLog intelligent response
SureLog intelligent responseSureLog intelligent response
SureLog intelligent response
 
SureLog SIEM Has The Best On-Line Log Retention Time (Hot Storage).
SureLog SIEM Has The Best On-Line Log Retention Time (Hot Storage).SureLog SIEM Has The Best On-Line Log Retention Time (Hot Storage).
SureLog SIEM Has The Best On-Line Log Retention Time (Hot Storage).
 
Detecting attacks with SureLog SIEM
Detecting attacks with SureLog SIEMDetecting attacks with SureLog SIEM
Detecting attacks with SureLog SIEM
 
SureLog SIEM
SureLog SIEMSureLog SIEM
SureLog SIEM
 
Siem tools
Siem toolsSiem tools
Siem tools
 
KVKK
KVKKKVKK
KVKK
 
SIEM ve KVKK Teknik Tedbirlerinin ANET SureLog SIEM ile uygulanması
SIEM ve KVKK Teknik Tedbirlerinin  ANET SureLog SIEM  ile uygulanması SIEM ve KVKK Teknik Tedbirlerinin  ANET SureLog SIEM  ile uygulanması
SIEM ve KVKK Teknik Tedbirlerinin ANET SureLog SIEM ile uygulanması
 

Recently uploaded

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Recently uploaded (20)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

The correlation advantages of ANET SURELOG International Edition SIEM product

TABLE OF CONTENTS
The correlation advantages of ANET SureLog International Edition SIEM product ..... 1
The advantages of SureLog correlation engine ..... 3
  The taxonomy ..... 3
    Logs and detected taxonomy examples ..... 5
  The scenario based rules ..... 7
    Correlating more than one rule by order or time ..... 8
    The logical independence ..... 10
    The threshold rules ..... 10
  Threat Intelligence ..... 11
  Example correlation rules ..... 12
  IntelligentResponse ..... 14

ANET SURELOG International Edition has many advantages over its rivals in terms of the speed of log collection, big data infrastructure, compliance reports, ease of use, user interface, the number of devices supported, distributed architecture, taxonomy and correlation features.

The most important feature of a SIEM product is correlation: it analyzes many different logs and correlates them to reach an exact result.
Before discussing the correlation advantages of ANET SURELOG International Edition, the main features of its correlation engine are:
• SureLog is fast: it supports 50,000 EPS with thousands of rules.
• Rule chains.
• Advanced correlation rules.
• Rule suspending: prevents a rule from firing again for a defined time period (for example, suspend Rule A for 1 hour after it fires).
• Compression-based correlation: monitors multiple occurrences of the same event, removes redundancies and reports them as a single event.
• A visual user interface for writing correlation rules.
• A TAG feature, which doesn't exist even in many global products (fields are added automatically or manually by the user).
• Threshold-based correlation: a threshold triggers a report when a specified number of similar events occur.
• Filter-based correlation: inspects each event to determine whether it matches a pattern defined by a regular expression; if a match is found, an action may be triggered as specified in the rule.
• Sequence-based correlation: helps establish the causality of events. Events can be correlated on specific sequential relationships, for example synchronizing multiple events such as event A being followed by event B to trigger an action.
• Time-based correlation.
• Supports non-negative case rules, which don't exist even in many global products.
• Supports context-based correlation, which doesn't exist even in many global products.
• Supports hierarchical correlation, which doesn't exist even in many global products.
• Supports dynamic correlation list management, which doesn't exist even in many global products.
• Wide support for operators. [Figure: examples of supported operators]

The advantages of SureLog correlation engine:

This part explains the advantages of SureLog compared with existing SIEM products. These advantages fall into four main categories:
• The taxonomy
• The scenario based rules
• Threat Intelligence
• IntelligentResponse

The taxonomy:

In the simplest terms, taxonomy is grouping. For example:
• A router login process
• A switch login process
• A firewall login process
• A Windows server login process
• A Linux login process
All these login processes are grouped under a single "login process" group. This makes it possible both to report with a single click ("Report all login processes in my network") and to write correlation rules such as: after the UTM device blocks 15 packets from the same IP as infected, if a login attempt to the network occurs within 5 minutes, mail the information of the machine that makes this login attempt and of the machine exposed to it.

Taxonomy is a mapping of information from heterogeneous sources to a common classification. A taxonomy aids pattern recognition and also improves the scope and stability of correlation rules. When events from heterogeneous sources are normalized, they can be analyzed by a smaller number of correlation rules, which reduces deployment and support labor. In addition, normalized events are easier to work with when developing reports and dashboards.

Taxonomy is the process of creating and adding valuable log type (group) information to the normalized event, based on the evaluation of the source's signature database, pointers in the log (such as system-alert-00016) and the direct meanings contained in the log (such as "zone untrust", "int untrust").

Some of the existing 1537 taxonomy groups in SureLog:
• Reconnaissance->Scan->Host
• TCPTrafficAudit->TCP SYN Flag
• ICMPTrafficAudit
• NamingTrafficAudit
• Malicious->Web->SQL
• Flow->Fragmentation
• httpproxy->TrafficAuditaccept
• HTTPDynamicContentAccess
• WebTrafficAudit.Web Content
• HealthStatus.Informational.Traffic.Start
• Malicious.BufferOverflow
• Malicious.Trojan
• PolicyViolation
• Malicious.Web.Attack
Logs and detected taxonomy examples:

Fortigate
  o Log: date=2014-05-11 time=18:52:15 devname=JLL_FW devid=FG200B3910602686 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd="root" severity=low srcip=192.168.100.45 dstip=192.168.100.45 srcintf="port2" dstintf="Vlan_3" policyid=49 identidx=0 sessionid=388914 status=detected proto=6 service=http count=1 attackname="ZmEu.Vulnerability.Scanner" srcport=38281 dstport=80 attackid=30024 sensor="all_default_pass" ref="http://www.fortinet.com/ids/VID30024" incidentserialno=1432164121 msg="web_app3: ZmEu.Vulnerability.Scanner,"
  o Taxonomy: HTTPDynamicContentAccess

Netscreen
  o Log: 2010-05-27 10:52:57 Local0.Notice 192.168.0.251 Prolink_SSG20: NetScreen device_id=Prolink_SSG20 [Root]system-notification-00257(traffic): start_time="2010-05-27 09:53:44" duration=304 policy_id=190 service=http proto=6 srczone=DMZ dstzone=Untrust action=Permit sent=788 rcvd=558 src=172.16.0.200 dst=91.191.162.21 src_port=57693 dst_port=80 src-xlated ip=85.99.239.110 port=2976 dst-xlated ip=91.191.162.21 port=80 session_id=7456 reason=Close - AGE OUT<000>
  o Taxonomy: TCPTrafficAudit

Paloalto
  o Log: Jan 6 18:26:27 1,2012/01/06 18:26:27,0004C100842,THREAT,url,1,2012/01/06 18:26:25,10.141.0.96,84.51.27.173,0.0.0.0,0.0.0.0,Default Out,superfreshmun001tr,,web-browsing,vsys1,Trust,Untrust,ethernet1/2,ethernet1/1,anet,2012/01/06 18:26:26,51273,1,1924,80,0,0,0x8000,tcp,alert,"mobis.ulker.com.tr/dss/raporlar/rap_anlik_satis.aspx",(9999),Kerevitas_WhiteList,informational,client-to-server,0,0x0,10.0.0.0-10.255.255.255,Turkey,0,text/html
  o Taxonomy: WebTrafficAudit.Web Content

Sonicwall
  o Log: <134>id=firewall sn=0017C5598622 time="2011-02-13 16:20:31" fw=81.214.84.237 pri=6 c=1024 m=537 msg="Connection Closed" n=0 src=81.214.84.237:4854:X1: dst=195.175.39.40:53:X1:ttdns40.ttnet.net.tr proto=udp/dns sent=75 rcvd=414
  o Taxonomy: NamingTrafficAudit

Cisco Pix
  o Log: Aug 17 2011 15:04:42 212.109.105.1 : %PIX-6-302013: Built inbound TCP connection 2493108 for outside:78.187.203.198/16884 (78.187.203.198/16884) to inside:192.168.147.2/80 (212.109.105.3/80)
  o Taxonomy: HealthStatus.Informational.Traffic.Start

Snort
  o Log: 09/22-21:03:36.341625 [**] [1:12798:4] SHELLCODE base64 x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 188.72.243.72:80 -> 192.168.3.65:1035
  o Taxonomy: Malicious.BufferOverflow
  o Log: 09/22-21:03:36.341958 [**] [1:2013976:10] ET TROJAN Zeus POST Request to CnC - URL agnostic [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.3.65:1036 -> 188.72.243.72:80
  o Taxonomy: Malicious.Trojan
  o Log: 09/22-21:03:36.306197 [**] [1:2014819:1] ET INFO Packed Executable Download [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1033
  o Taxonomy: PolicyViolation
  o Log: 09/22-21:03:36.306197 [**] [1:15306:12] FILE-IDENTIFY Portable Executable binary file magic detection [**] [Classification: Misc activity] [Priority: 3] {TCP} 188.72.243.72:80 -> 192.168.3.65:1033
  o Taxonomy: Malicious.Web.Attack

The taxonomy module in the correlation wizard is shown in the following figure: [Figure: taxonomy module in the correlation wizard]

SureLog International Edition has about 3 million signatures for about 350 log types.

SureLog Taxonomy Examples:
• "SuccessfulLogin"
• "Malicious DNS Attack"
• "CompromisedVirusAttachmentNotCleaned"
• "Informational VPN TunnelFailed"
• "Informational.Traffic.Start"

The taxonomy process is based on:
• Word bases, words and service combinations,
• System signatures (fingerprints) through which data is collected,
• and so on.

The taxonomy process applies various combinations and a signification process to the incoming data. A sensor decides which parts of the incoming data to examine. For more information about taxonomy:
https://www.novell.com/developer/plugin-sdk/sentinel_taxonomy.html
http://www.slideshare.net/anetertugrul/sure-log-context-sensitive-scalable-siem-solution
http://www.slideshare.net/anetertugrul/siniflandirma-temell-korelasyon-yaklaimi

The scenario based rules:

Scenario-based rules bring a scenario-based approach to events: the engine examines the whole scenario rather than analyzing individual logs in isolation. A sample rule:
1. Warn if user A can't log into server X and causes a failed authentication, and within two hours that user A again can't log into the same server X.

To develop a scenario based rule:
• Rule severity: running more than one rule by order or according to the time relation among them.
• Another correlation rule should be created from more than one correlation.
• It should be possible to write a rule in which some of several different events occur sequentially during a certain period of time and the others do not (X then not Y).
• It should be possible to write a rule in which several different events occur sequentially during a certain period of time (X then Y).
• A priority value should be given to each correlation rule.
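As an added illustration of the taxonomy step described in the sections above (this is not SureLog's code: the parsers, the signature table, the login patterns and the sample lines are constructed for this example, with the Snort pointer-to-class pairs taken from the examples on this page), the following Python maps raw lines from several device types to a common class, so that one "all login processes" report covers Linux, router and Windows logins alike:

```python
import re
from dataclasses import dataclass, field

@dataclass
class Event:
    source: str      # parser that recognised the line
    taxonomy: str    # common class shared across all sources
    fields: dict = field(default_factory=dict)

# Constructed signature database: vendor pointer (gid:sid) -> taxonomy class.
# The pairs mirror the Snort examples listed on this page.
SNORT_SIGNATURES = {
    "1:12798": "Malicious.BufferOverflow",
    "1:2013976": "Malicious.Trojan",
    "1:2014819": "PolicyViolation",
    "1:15306": "Malicious.Web.Attack",
}

KV_RE = re.compile(r'([\w.-]+)=("[^"]*"|\S+)')
SNORT_RE = re.compile(r'\[(\d+:\d+):\d+\].*\{(\w+)\} (\S+):(\d+) -> (\S+):(\d+)')

# Constructed login patterns: every device spells "a user logged in" differently,
# but all of them are mapped to the single class "SuccessfulLogin".
LOGIN_PATTERNS = [
    ("linux-sshd", re.compile(
        r'sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)')),
    ("cisco-ios", re.compile(
        r'%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success \[user: (?P<user>\S+)\] \[Source: (?P<src>\S+)\]')),
    ("windows", re.compile(          # hypothetical agent format for event 4624
        r'EventID=4624 .*User=(?P<user>\S+) .*SourceIP=(?P<src>\S+)')),
]

def parse_kv(raw: str) -> dict:
    """key=value parser for Fortigate / NetScreen / SonicWall style lines."""
    return {k: v.strip('"') for k, v in KV_RE.findall(raw)}

def classify(raw: str) -> Event:
    """Map one raw log line to its taxonomy class (the normalisation step)."""
    for source, pat in LOGIN_PATTERNS:
        m = pat.search(raw)
        if m:
            return Event(source, "SuccessfulLogin", m.groupdict())
    m = SNORT_RE.search(raw)
    if m:                                   # pointer in the log -> signature database
        sig, proto, src, sport, dst, dport = m.groups()
        return Event("snort", SNORT_SIGNATURES.get(sig, "Unknown.Signature"),
                     {"sig": sig, "proto": proto, "src": src, "dst": dst, "dport": dport})
    kv = parse_kv(raw)
    if kv.get("type") == "utm" and kv.get("subtype") == "ips" and kv.get("service") == "http":
        return Event("fortigate", "HTTPDynamicContentAccess", kv)   # IPS hit on HTTP
    if kv.get("proto") in ("6", "tcp") and "session_id" in kv:
        return Event("netscreen", "TCPTrafficAudit", kv)           # plain TCP session
    if kv.get("proto", "").endswith("/dns"):
        return Event("sonicwall", "NamingTrafficAudit", kv)        # DNS traffic
    return Event("unknown", "Unclassified", kv)

def report_logins(lines) -> list:
    """'Report all login processes in my network', regardless of device type."""
    return [(e.source, e.fields["user"], e.fields["src"])
            for e in map(classify, lines) if e.taxonomy == "SuccessfulLogin"]

# Constructed sample lines (the Snort line is the Zeus example from this page).
SNORT_ZEUS = ('09/22-21:03:36.341958 [**] [1:2013976:10] ET TROJAN Zeus POST Request to CnC'
              ' - URL agnostic [**] [Classification: A Network Trojan was detected]'
              ' [Priority: 1] {TCP} 192.168.3.65:1036 -> 188.72.243.72:80')
FORTIGATE_IPS = ('date=2014-05-11 time=18:52:15 devname=JLL_FW type=utm subtype=ips'
                 ' eventtype=signature level=alert severity=low srcip=192.168.100.45'
                 ' dstip=192.168.100.45 proto=6 service=http'
                 ' attackname="ZmEu.Vulnerability.Scanner" srcport=38281 dstport=80')
NETSCREEN_TCP = ('NetScreen device_id=Prolink_SSG20 [Root]system-notification-00257(traffic):'
                 ' policy_id=190 service=http proto=6 action=Permit src=172.16.0.200'
                 ' dst=91.191.162.21 src_port=57693 dst_port=80 session_id=7456')
SONICWALL_DNS = ('id=firewall pri=6 c=1024 m=537 msg="Connection Closed"'
                 ' src=81.214.84.237:4854:X1: dst=195.175.39.40:53:X1: proto=udp/dns')
LINUX_SSH = 'Mar  3 10:11:12 web01 sshd[2211]: Accepted password for bob from 10.0.0.9 port 51122 ssh2'
CISCO_LOGIN = ('Mar  3 10:12:00 rtr1 45: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success'
               ' [user: admin] [Source: 10.0.0.9] [localport: 22] at 10:12:00 UTC')
WINDOWS_LOGON = 'EventID=4624 Computer=DC01 User=alice LogonType=10 SourceIP=10.0.0.7'
SAMPLE_LOGS = [FORTIGATE_IPS, NETSCREEN_TCP, SONICWALL_DNS, SNORT_ZEUS,
               LINUX_SSH, CISCO_LOGIN, WINDOWS_LOGON]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        e = classify(line)
        print(f"{e.source:10s} -> {e.taxonomy}")
    print("logins:", report_logins(SAMPLE_LOGS))
```

Once every source carries the same class, a single rule or report on "SuccessfulLogin" replaces one rule per device type, which is the stability and labor argument made above.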
Correlating more than one rule by order or time

More than one rule can be correlated, by order or by time relation, and a conclusion drawn according to whether the source IP, destination IP, computer name, and source and destination ports are the same or not. For example:
• After 15 packets are blocked from the same IP in one minute, warn if a successful login occurs to that IP.
• After 15 packets are blocked from the same IP, warn if a successful login occurs to that IP within 5 minutes.

Following the same logic, a rule can be written in which some of several different events occur sequentially during a certain period of time and the others do not (X then not Y). [Figure: rule editor] As shown in the editor above, an alarm can be created in the form: first the Part1_rule occurs, then the not_port rule occurs, and then the part_3 rule occurs.
The logical independence

Full flexibility is needed when setting up the relations among logs for a scenario based rule: any property of any normalized log should be correlatable with a property of another log (for example, source IP), and logical operations should then be applied to them. SureLog International Edition provides this. Example:
Warn if user A can't log into server X and causes a failed authentication, and within two hours that user A again can't log into the same server X.
As seen from the rule above, the same user (A) and server (X) are expected in both logs. The second event is also expected not to occur in the second step of the scenario during the specified time.

The threshold rules:

Threshold rules detect one or many different events occurring many times within a specified time (time window). The rule development wizard is shown below. [Figure: threshold rule wizard]
The TheSameEvents and DifferentEvents settings are a distinguishing feature compared with similar products in which such rules are written. In addition, the result of this counting can be connected to another rule. For example: if 15 packets from the same source are blocked by the system because it is infected with a virus, and a successful login occurs to the same source within 5 minutes, detect the machine that makes this successful login attempt.
Threat Intelligence:
• Threat Intelligence is integrated with different global sources (IP BlockList, Spammers, etc.), takes black lists from them, and works as a warning system using this data.
Example correlation rules:
• After the security device blocks 15 packets from the same source, detect if someone logs into the system from any point (Linux, Windows, router, switch, firewall, etc.).
• A sample correlation rule for port/network scan detection: warn if port access attempts occur to 100 different ports from the same source IP to the same destination IP in one hour.
• After any user makes 3 or more failed logon attempts to any system (firewall, Windows, Linux, switch, etc.) in one hour, warn on all failed logon attempts of that user during the next 7 (X) days.
• Warn if 60 connections are established from different sources to the same IP and destination port in one minute.
• After 15 packets are blocked from the same IP in one minute, warn if a successful login occurs to that IP.
• Detect the IP address that makes 100 requests to port 22 of different IPs in one hour.
• A sample correlation rule for fraud detection: if the same user accesses your system from different countries, that user is probably committing fraud.
• To find out whether someone has set up a DHCP server in your network or a different gateway is broadcasting: warn if traffic occurs from inside to outside or from outside to inside whose protocol is UDP, whose destination port is 67, and whose destination IP is not in the registered IP list.
• 13.

- Is someone making an RDP scan? A sample correlation rule for detecting this: Detect the IP address which makes 100 requests to TCP port 3389 of different IPs in one hour.
- Warn if 5 failed logon attempts are made with different usernames from the same IP to the same machine in 15 minutes and, after that, a successful login occurs from the same IP to any machine.
- After 15 packets are blocked from the same IP, warn if a successful login occurs to that IP within 5 minutes.
- If 15 packets from the same source are blocked by the system because the source is infected with a virus, and a successful login to that same source occurs within 5 minutes, detect the machine that makes this successful login attempt.
- Warn if a new user account is created, the system is accessed with this user, and a failed login occurs.
- Warn if the same user logs into a Linux server, then logs into a Windows server, and then a service is stopped on either of these two servers.
- Your technical consultants connect to your company remotely via RDP and then connect to their consultancy system either through a portal or with a client. A special correlation rule for such situations: Warn if a user logs into the system and then, within 10 minutes, that user does not log in through portallogin.html or does not run saplogon.exe.
- A sample correlation rule for brute-force attempt detection: If too many failed login attempts occur from the same IP for the same or different users in a short time, these logs could be the sign of a brute-force attempt.
- Warn if an IP which is reported by the UTM/IDS/IPS as the source of an attack becomes the target of another attack within the last 15 minutes.
- If the traffic of any user is blocked by a firewall rule X times in one second, detect this user and the rule blocking it.
- Warn if user A can't log into server X and causes a failed authentication, and within two hours user A again can't log into the same server X, or take action.
- Warn if first event A occurs, then event B, then event C within 5 minutes, and then event D.
- Warn if first event A occurs, then event B, then event C does not occur within 5 minutes, and then event D occurs.
- Warn if cgi, asp, aspx, jar, php, exe, com, cmd, sh or bat files or batch files are uploaded to the web server to be executed remotely.
- W32.Blaster worm: Warn if 10 denied or successful anonymous login attempts occur in one minute.
- Warn if a user can't log into the system and causes a failed authentication, and within two hours email is sent from that user's account even though that user has not logged into the system.
- Warn if 5 failed logon attempts are made with different usernames from the same IP to the same machine in 15 minutes and, after that, a successful login occurs from the same IP to any machine.
- If a host scan is made by an IP, then a successful connection is established by the same IP, and then a backward connection is established from the connected IP to the connecting IP.
• 14.

- Warn if more than 100 connections are established from different external IPs to the same destination IP in one minute.
- Warn if 100 connections are established from the same external IP through different ports to the same destination IP in one minute.
- Warn if the same user makes more than three failed logon attempts to the same machine in an hour.
- Warn once if more than 100 packets are blocked by the UTM/firewall from the same source IP, and don't warn again within an hour. (Millions of packets are blocked during a DDoS attack; if an email is sent for each one, you subject yourself to a DDoS attack.)
- Report the source IP which causes UnusualUDPTraffic.
- Warn if traffic occurs to or from a source in the IPReputation list.
- Warn if network traffic occurs from or to a source in the malicious link list published by the National Cyber Response to Events (NCRE) Center.
- Warn if an IP scan occurs.
- Warn if a SQL attack occurs via the web server.
- Warn if the same user makes more than three failed logon attempts to different machines in a minute.

IntelligentResponse

The ANET SureLog SIEM product can handle correlation alerts and actions in a smart way through its intelligent response system. The power of this module, called Intelligent Response, in fact comes from the power of the correlation engine. Although the SureLog correlation engine is built on fully visual wizards and drag & drop, the rules easily created through the visual wizards are converted to JAVA [5] code in the background and run as a program thread. In this way, users who know JAVA can create correlation rules by writing JAVA code with the expert mode feature, which is included only in the SureLog product, and thereby all kinds of logic, whether built with the visual wizards or written in Java, can be run without limit.

http://www.slideshare.net/anetertugrul/anet-surelog-siem-intelligentresponse-54274144
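Several of the example rules above hinge on an event not happening within the window (a failed login followed by email from that account with no successful login in two hours, or "event C does not occur within 5 minutes"). An added Python example, not SureLog code, of such a negative sequence step: the scenario is cancelled by the expected event and only warns when the follow-up arrives without it. Event names, the `user` key field and the sample log are assumptions constructed for the example.

```python
# Constructed sample log (assumed format, not product data): (timestamp_sec, event_type, fields)
LOG = [
    (0,    "login_failed",  {"user": "alice"}),
    (900,  "email_sent",    {"user": "alice"}),   # no login in between -> warn
    (0,    "login_failed",  {"user": "bob"}),
    (300,  "login_success", {"user": "bob"}),     # cancels bob's open scenario
    (600,  "email_sent",    {"user": "bob"}),     # explained by the login -> no warning
    (0,    "login_failed",  {"user": "carol"}),
    (8000, "email_sent",    {"user": "carol"}),   # outside the two-hour window -> no warning
]

class NegativeSequenceRule:
    """Scenario: a trigger event, then a follow event within `window` seconds,
    provided the cancelling event did NOT occur for the same key in between."""
    def __init__(self, trigger, follow, cancel, key, window):
        self.trigger, self.follow, self.cancel = trigger, follow, cancel
        self.key, self.window = key, window
        self.open = {}  # key value -> timestamp of the trigger that opened the scenario

    def feed(self, ts, etype, fields):
        """Return (key, trigger_ts, follow_ts) when the scenario completes, else None."""
        k = fields[self.key]
        if etype == self.trigger:
            self.open[k] = ts             # (re)start the scenario for this key
        elif etype == self.cancel:
            self.open.pop(k, None)        # the expected event happened: nothing to report
        elif etype == self.follow and k in self.open:
            start = self.open.pop(k)      # one warning per open scenario
            if ts - start <= self.window:
                return (k, start, ts)
        return None

def run(log, rule):
    """Replay a log in time order through one rule and collect its warnings."""
    alerts = []
    for ts, etype, fields in sorted(log, key=lambda e: e[0]):
        hit = rule.feed(ts, etype, fields)
        if hit is not None:
            alerts.append(hit)
    return alerts

def failed_login_then_email(log=LOG):
    """Failed login, then email from the account within 2 h with no successful login."""
    return run(log, NegativeSequenceRule("login_failed", "email_sent", "login_success", "user", 7200))
```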