Академический Документы
Профессиональный Документы
Культура Документы
For customizing Correlation Directives or Cross Correlation rules, refer to Customizing Correlation
Directives or Cross Correlation Rules.
Note: Read the Life Cycle of a Log document to understand the full life cycle of logs, and to
learn where Correlation is performed in AlienVault USM.
About Correlation
What Is Correlation
Correlation is a process performed by the correlation engine on AlienVault USM Server. It identifies
potential security threats by detecting behavior patterns across different types of assets, which
produce disparate yet related events. Correlation links different events, turning data into more
useful information.
Correlation
Correlation typically associates multiple events, with the same or different event types, from the
same data source. A USM Sensor sends normalized events to a USM Server, where policy
evaluation and risk assessment occur, followed by correlation. The correlation engine connects
these events and applies correlation rules to generate new events with higher priority and/or
reliability values. When such an event is generated, as shown below, the event is re-injected into
the USM Server process as if it was coming from the USM Sensor. It is then subject to policy
evaluation and risk assessment as any other event, but with elevated parameter values. An alarm
will be generated if the calculated risk (asset value * priority value * reliability value / 25) is 1 or
above.
Cross Correlation
The second type of correlation performed by AlienVault USM is Cross Correlation. Cross
Correlation is used to modify the reliability of an Intrusion Detection System (IDS) event, which
subsequently affects the risk assessment of the event.
Cross Correlation is performed on events with destination IP address defined, and the system will
check if any vulnerability has been identified on that destination. The basic rule for Cross
Correlation is: if the IDS has discovered an attack to an IP address, and a related vulnerability has
been found on the same IP, the reliability of the IDS event will be increased to 10.
The figure below provides an example, where the AlienVault Vulnerability Scanner detected the “IIS
remote command execution” vulnerability on the server, and the AlienVault IDS detected an attack
exploiting that vulnerability on the same server.
USM Sensor
Cross-correlated
event
A server
The central part of the screen displays the USM built-in directives. Directives are grouped into
several categories that are explained in the following table:
AlienVault This category includes directives that are used AV Attacks, Successful OpenSSL
Attacks to detect various attacks against vulnerable HeartBeat attack
services and applications.
AlienVault This category includes directives that are used AV Bruteforce attack, SSH
BruteForce to detect brute force attacks on services that authentication attack against
require authentication. DST_IP (destination IP)
AlienVault This category includes directives that detect AV Service attack, successful
DoS Denial of Service (DoS) attacks on different denial of service against IIS web
applications and services. server on DST_IP (MS07-041)
AlienVault This category includes directives that are used AV Malware, botnet Koobface
Malware to detect malware. activity detected on SRC_IP
(source IP)
AlienVault This category includes directives that are used AV Network attack, too many
Network to detect network related anomalies and dropped inbound packets from
attacks. DST_IP
AlienVault This category includes directives that are used AV Policy violation, vulnerable
Policy to detect policy violations. Java version detected on SRC_IP
AlienVault This category includes directives that are used AV SCADA attack, Modbus
Scada to detect attacks on industrial supervisory scanning or fingerprinting against
control and data acquisition (SCADA) systems. DST_IP
AlienVault This category includes directives that are used AV Network scan, Nmap scan
Scan to detect scanning activities. against DST_IP
Global Properties
Each correlation directive has the following global properties:
ID: a unique identifier for the directive. It becomes the Event Type ID when a directive event
is created. The ID of a directive is not displayed in the web interface.
Name: a meaningful name for the directive. It becomes the name of the directive event or
the alarm.
Intent, Strategy, and Method: these properties identify what the correlation directive is
trying to detect. They help categorize directive events according to AlienVault USM
Taxonomy.
Priority: defines the impact of the detected attack and is used in risk calculation of a
directive event. All events generated by the directive will have their priority set to the priority
value of the directive.
Note: Prior to USM version 5.0, the Priority value of built-in directives can only be viewed or
modified after you have cloned the directive. This is changed in USM version 5.0 and above, where
you can see the Priority value below its name.
In the following example, the name of the directive is AV Bruteforce Attack, SSH service
authentication attack against DST_IP. The intent of the directive is Delivery & Attack, the
strategy is Bruteforce Authentication, the method is SSH, and the Priority value is 4.
Correlation Rules
You can expand a directive to see its rule(s). A rule defines a condition to match incoming events.
Refer to How Does Correlation Work for details.
Each rule is defined by multiple rule attributes. The main attributes are:
Name: name of the rule. Each rule has its own name within the directive, and they can be
the same.
Reliability: the reliability value of an event generated based on this rule. It can be an
absolute value from 0 to 10, or a relative value (incremental to the reliability value in the
previous rule). Reliability is used for risk calculation during risk assessment.
Timeout: the waiting time (in seconds) before the rule expires and the correlation process
using that rule stops. Note that the timeout value for the first rule is always None, indicating
the value cannot be set.
Occurrence: number of time(s) an event has to occur in order for the rule to match
From: source IP and port(s) of the events that the rule is trying to match.
To: destination IP and port(s) of the events that the rule is trying to match.
Data Source: data source name and ID of the events that the rule is trying to match.
Event Type: event type ID (SID) of the events that the rule is trying to match. When there
are multiple SIDs specified, the rule will try to match any of them.
The figure below shows one of the built-in directives, AV Network attack, too many dropped
inbound packets from DST_IP, which detects network attacks by observing dropped packets from
any source IP address to a specific destination IP address on the Cisco PIX firewall. There are
three correlation levels (denoted by the black triangles) and four rules (all named Firewall dropped
packets) for this directive. The relationship of the rules is shown via the indentation. Indented rules
have AND relationship while parallel rules have OR relationship. The first rule of the directive is
matched when a single ‘Deny inbound (No xlate) string’ event (SID 106011) is identified by the
cisco-pix data source plugin. And, if three more such events occurred within 10 seconds toward the
same destination, the reliability of the directive event will increase to 4. And, if 5 more such events
occurred within 20 seconds toward the same destination, the reliability of the directive event will
There are some additional attributes you can use in a correlation rule. If set, together with From,
To, Data Source and Event Type, they serve as filters to narrow down the events that the rule is
trying to match. You can examine these additional attributes by clicking the More button. For the
majority of the built-in directives, additional attributes are not set.
You can also customize the display of the attributes that are shown in the rules section of a
directive. Click the […] next to the Event Type column. A window will open where you can select
which attributes are displayed in a rule. Add an attribute by clicking the + sign, or remove an
attribute by clicking the – sign. Click SAVE when done or CANCEL to discard changes.
You can change the default values of these properties by clicking the EDIT button, choose Yes or
No for each property, then click SAVE. You can also clear all properties by clicking the REMOVE
button.
The next three columns, ISO 27001, PCI DSS 2.0, and PCI DSS 3.0, display compliance
information about the directive, if mapped. This information is then used in the USM reports.
Compliance information of a built-in directive cannot be changed. The following figure displays an
example of a directive that has PCI DSS compliance information.
The rest of the page displays the built-in Cross Correlation rules in AlienVault USM, with each line
representing one rule. The four columns: Data Source Name, Event Type, REF Name and REF