The document discusses how to utilize and customize correlation directives in AlienVault for enhancing security by turning event data into actionable alarms. It provides guidance on creating custom directives, setting correlation rules based on specific events, and managing alarms effectively. Best practices emphasize configuring directives with appropriate priority and reliability values while leveraging built-in directives for learning and adaptation.

2. Agenda
A review of the built-in Correlation Directives from AlienVault Labs
How to write your own correlation directives based on events from
one or more sources
How to turn correlation information into actionable alarms
How to use correlations to enforce your security policies

3. Logical Correlation
New events are generated using the
information provided by detectors
and monitors.
Is configured using correlation
directives.
New events will have new priority
and reliability values.
Directives are defined through
logical trees, in which the horizontal
axis defines an OR operation and
the vertical one defines an AND
operation.
Correlation level 1
Correlation level 3
1
2a 2b
3b3a 3c 3d
Correlation level 2

4. Logical Correlation

5. Directives Examples
Configuration > Threat Intelligence > Directives

6. Alarms
Alarms are special events
that may depend on other
events.
Alarms require investigation
and remediation.
Analysis> Alarms
An overview of alarms per
type, frequency, and time.
A list of alarms.

7. Toggle search.
Specify search
filter.
Alarm intent.
Time
window.
Select
time
window
and
intent.
Search and Filter
Utilize search if
interested in specific
alarms.
Alternatively, click a blue
circle to see alarms with
a specific intent and
within a specific time
window.

8. Sort alarms.
Alarm with
OTX feed.
Click alarm to see
more information.
Alarm is still being
correlated.
Close or delete alarm
if false positive.
Alarms List
Pay attention to
alarms with OTX
data.
Sort alarms by risk
and examine the
high risk alarms
first.
Alarms that are still
being correlated
cannot be edited.

9. Examine
source(s) and
destination(s).
Directive
event.
Individual event that
triggered directive
event.
Click an event
to see details.
Read the
knowledge base.
Correlation
level.
Examine Alarm Details
Examine details
about the alarm.

10. Normalized
event
information.
SIEM information.
Read the
knowledge base.
Examine the
offending
packet.
Examine Event Details

11. Customizing correlation directives

12. Clone directive. Delete directive.
Edit directive.
Disable
directive.
Logical Correlation
Logical correlation uses correlation directives to detect attacks.
By default, AlienVault USM includes more than 2,100 built-in directives.
Users can customize existing directives or create custom ones.
Directives can be edited or created in the graphical editor or by editing XML
files.

13. Global Properties
Correlation Directives
<directive id="28012" name="AV Network attack, too many dropped
inbound packets from DST_IP" priority="2">
Name of the directive, which becomes the name of the generated
event/alert
ID of the directive:
• All correlation events have 1505 as plugin ID
• Event type ID is the ID of the directive
• Reserved range for user-defined directives (500,000-1,000,000)
Priority of the directive (impact of this attack in your network):
• All events generated within this directive will have priority set to the
global priority value of the correlation directive

14. Correlation Rules
Correlation Directives (Cont.)
Correlation directives are composed of multiple rules.
Rules define conditions to match incoming events.
When a condition is met:
• If this is the last level of the directive, then create a new event.
If there are further levels:
• Wait for more incoming events.
Add rule.
Clone rule.
Delete rule.
Change level
of a rule.

15. Correlation Process
Incoming events are matched by started directives first.
If the events do not match started directives, they will be matched against
all other directives.
Events can be correlated by several directives.
Attributes in a rule can be sticky or sticky different.
ServerServers
DST_ PORT STICKY
80
80
80
80
80
80
ServerServers
DST_ PORT STICKY DIFFERENT
22
23
25
53
80
443
Single
directive event.
Single
directive event.

16. Example: Denial of Service Attack
Create Custom Correlation Directive
Many connections from a single
host (with a bad reputation) may
indicate DoS attack attempt.
Firewall events (detector data
source) can be checked for
connections.
Monitor data source can be used to
verify if the service is still up after a
suspected attack.
Correlation level 1
Correlation level 2
Correlation level 3
Correlation level 4
1 ACCEPT event from the firewall
Port 139
Source: A
100 ACCEPT events from the firewall
Port 139
Source: A
1000 ACCEPT events from the
firewall
Port 139
Source: A
Is the service still up?

17. Configuration Tasks
Create Custom Correlation Directive (Cont.)
1. Create a new directive.
2. Create a correlation level 1 rule.
3. Create a subsequent correlation rule.
4. Repeat Task 3 until you configured all correlation rules.
5. Restart the server.

18. Specify
directive
properties.
Create new
Directive.
Task 1: Create New Directive
Create Custom Correlation Directive (Cont.)
Configuration > Threat Intelligence > Directives

19. Task 2: Create Correlation Level 1 Rule
Create Custom Correlation Directive (Cont.)
Specify rule
name and data
source plugin
and event type
ID(s).
Only detector
data sources can
be used in the
first correlation
level.

20. Task 2: Create Correlation Level 1 Rule (Cont.)
Create Custom Correlation Directive (Cont.)
Specify source
and destination IP
address(es).
Specify source
and destination
ports.
Optionally include
OTX data.
Select rule
reliability.

21. Set reliability as absolute
or relative value.
Inherit settings
from parent rule.
Add child rule.
Task 3: Create Correlation Level 2 Rule
Create Custom Correlation Directive (Cont.)
Process of
adding second
rule is similar to
adding the first
one.
Option to inherit
source and
destination IP
addresses and
ports from a
parent rule.

22. Task 3: Create Correlation Level 2 Rule (Cont.)
Create Custom Correlation Directive (Cont.)
Timeout and occurrence values have to be edited after adding the rule.
Click the value to edit it.

23. Task 4: Crate Correlation Level 3 Rule
Create Custom Correlation Directive (Cont.)
The process of adding level 3 rule is the same as when adding level 2 rule.
Increase reliability of an event when more occurrences are detected.

24. Task 5: Create Correlation Level 4 Rule
Create Custom Correlation Directive (Cont.)
Add monitor data source plugin to verify if the service is still up.
Other steps are the same as in the previous tasks.
Add child rule.
Inherit settings
from parent rule.

25. Task 5: Create Correlation Level 4 Rule (Cont.)
Create Custom Correlation Directive (Cont.)
Timeout and occurrence values have different meanings in monitor rules.
Click the value to edit it.

26. Task 6: Restart Server
Create Custom Correlation Directive (Cont.)
Changes are
applied by
restarting the
server.
Restarting the
server stops the
correlation
process.
Restart server.

27. Resulting XML File
Create Custom Correlation Directive (Cont.)
<directive id="500003" name="DoS attack to NetBIOS" priority="2">
<rule type="detector" name="Established connections" from="ANY" to=„10.177.76.249" port_from="ANY"
port_to="139" from_rep="true" from_rep_min_pri="3" from_rep_min_rel="3" reliability="0" occurrence="1"
plugin_id="1636" plugin_sid="106102">
<rules>
<rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP" port_from="ANY"
port_to="1:DST_PORT" reliability="+2" occurrence="100" time_out="30" plugin_id="1636"
plugin_sid="1:PLUGIN_SID">
<rules>
<rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP"
port_from="ANY" port_to="1:DST_PORT" reliability="+2" occurrence="1000" time_out="30" plugin_id="1636"
plugin_sid="1:PLUGIN_SID">
<rules>
<rule type="monitor" name="Service up" from="1:SRC_IP" to="1:DST_IP" port_from="ANY"
port_to="1:DST_PORT" reliability="+6" occurrence="1" time_out="1" plugin_id="2008" plugin_sid="2"/>
</rules>
</rule>
</rules>
</rule>
</rules>
</rule>
</directive>

28. Best Practices
Create Custom Correlation Directive (Cont.)
Directives should not always generate alarms
• Use reasonable priority and reliability values to ease incident
management
Use the existing directives to:
• Learn how directives are configured
• Adopt them to your environment and needs
Look for multiple types of events:
• Bad authentication types
• Discarded packets due to different violations

29. USM Sizing Examples
Multiple
locations with
less than 2500
EPS
Enterprise
deployment
• Many
locations
Logger
Single location
with less than
1000 EPS

30. Customer Sizing Examples
Single
location with
less than
1000 EPS
Multiple
locations with
less than
2500 EPS
Enterprise
deployment
• Many
locations
Logger

31. 888.613.6023
ALIENVAULT.COM
CONTACT US
HELLO@ALIENVAULT.COM
Weekly Threat Intelligence update summaries are
posted in the AlienVault forum here
Hands-on 5-day training classes delivered in-
person or “live on-line”
• Email training@alienvault.com for more info
Subscribe to the AlienVault blogs for more info on
emerging threats and security best practices