
Now let’s look at the correlation rules themselves through the customer’s eyes. The customer wants to receive high-quality rules from the supplier and enable them in the SIEM without problems. In practice, it is not that simple.

For the rules to work, the required sources must be connected to the SIEM and configured to generate the events the rules depend on. When looking at a rule, the customer must be able to understand the logic behind it. In addition, the customer needs to know how to react when the rule fires.

Correlation rules alone do not qualify as expertise. Expertise is the correlation rules together with a supporting environment, all of whose elements are interconnected and can be arranged in a closed circuit – the so-called closed-loop expertise.

Closed loop expertise

Let’s consider each link in this chain:

  1. Supplier / Manufacturer of SIEM. The expertise begins with a supplier that has the relevant competencies developing correlation rules according to an established process.
  2. List and settings of sources. The developed correlation rules are supplied with a description of the sources on which they depend. The supplier also describes in detail how each source should be configured and provides information about the generation of the required event types. It is good form for the supplier to include samples of the events themselves.
  3. Description of the rule logic. So that the customer understands which triggering principles are built into the correlation rules, the supplier describes the logic of each rule in the form of flow diagrams or text descriptions.
  4. Correlation rules. The correlation rules themselves, together with the method of prioritizing the incidents they generate.
  5. Response plans. A correlation rule firing may indicate an information security incident. The customer needs to understand how to respond to it in order to minimize its impact on the infrastructure. The plan should also explain which additional data should be collected when the incident occurs. Undoubtedly, the customer must adapt the response procedures to the specifics of their company. However, as part of the response plans, the supplier should provide general recommendations on what to do in the event of an incident raised by a specific rule, so that the customer has a starting point for adapting the overall response process.
  6. Rule telemetry. Correlation rules do not operate in a vacuum but in the specific conditions of the customer’s company. The supplier is responsible for the quality of the rules provided and must understand how they perform. Therefore, statistics on rule triggering should be collected in the SIEM.
  7. Supplier / Manufacturer of SIEM. The collected telemetry is sent back to the supplier in anonymized form. The statistics help the supplier quickly adjust the rules in case of false positives. They also make it possible to identify new attack techniques and tactics and promptly release new correlation rules to detect them.

The set of requirements on the supplier, together with all the chain links above, is collectively called expertise. As you can see, the chain is closed, which is why this approach is called “closed-loop expertise”.

Nowadays, this approach is used by the leading foreign vendors on the SIEM market: IBM QRadar and Micro Focus ArcSight. An interesting vendor-independent project promoting a similar ideology is being developed within the community – Atomic Threat Coverage. Below I give a description of it, taken from the project page.


Atomic Threat Coverage allows you to automatically generate an analytical database designed to counter the threats described in MITRE ATT&CK from the perspective of Detection, Response, Prevention and Simulation of threats. It includes:

  • Detection Rules – Sigma-based Detection Rules (correlation), a general format for describing correlation rules for SIEM systems.
  • Data Needed – data that must be collected to detect a specific threat.
  • Logging Policies – logging settings that must be made on the device to collect the data necessary to detect a specific threat.
  • Enrichments – Data Needed settings needed to implement some of the Detection Rules.
  • Triggers – attack simulation scripts based on Atomic Red Team – atomic tests / threat implementation scenarios from MITRE ATT&CK.
  • Response Actions – atomic incident response steps.
  • Response Playbooks – incident response scenarios generated during the detection of a specific threat, based on Response Actions.
  • Hardening Policies – system settings that allow you to level a specific threat.
  • Mitigation Systems – systems and technologies that allow you to level a specific threat.
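The delivery chain above (sources and their settings, rule logic, the rule itself, a response plan, and trigger telemetry flowing back to the supplier) and the Atomic Threat Coverage elements (Detection Rules, Data Needed, Logging Policies, Response Playbooks) can be seen working together in one small example. The Python below is added here and is not code from the article, from any SIEM vendor or from the Atomic Threat Coverage project. The package contents, the placeholder rule id `EXAMPLE-RULE-0001`, the account names and the sample Windows security events are constructed for illustration; the matcher supports only a subset of the Sigma condition grammar (one selection, optionally followed by `and not` filters, with the `contains`/`startswith`/`endswith` modifiers) and rejects anything else explicitly.

```python
"""Closed-loop expertise package: a Sigma-style detection rule bundled with the
data it needs, its logic description and response plan, a small matcher that
runs it over sample events, and anonymized trigger telemetry for the supplier.
"""
import hashlib
import json
from collections import Counter
from typing import Any, Dict, List

# Constructed for this example (hypothetical package, not a real vendor bundle).
# Keys mirror the chain links: sources/settings, logic, rule, response plan.
EXPERTISE_PACKAGE: Dict[str, Any] = {
    "data_needed": {"product": "windows", "service": "security", "event_ids": [4720]},
    "logging_policy": "Enable the 'Audit User Account Management' subcategory "
                      "so that event 4720 (user account created) is generated",
    "logic_description": "Fires when a user account is created by any subject "
                         "other than the provisioning service account",
    "rule": {  # Sigma-format detection section
        "title": "User account created outside provisioning",
        "id": "EXAMPLE-RULE-0001",  # placeholder, not a real Sigma rule UUID
        "logsource": {"product": "windows", "service": "security"},
        "detection": {
            "selection": {"EventID": 4720},
            "filter": {"SubjectUserName": ["svc_provisioning"]},  # constructed name
            "condition": "selection and not filter",
        },
        "level": "medium",
    },
    "response_plan": [
        "Check whether the account creation was requested through the ticketing process",
        "If not, disable the new account and collect the subject's security events "
        "around the trigger time",
    ],
}

REQUIRED_ELEMENTS = ("data_needed", "logging_policy", "logic_description", "rule", "response_plan")


def validate_package(package: Dict[str, Any]) -> List[str]:
    """Return the chain elements missing from a delivered package ([] if complete)."""
    return [name for name in REQUIRED_ELEMENTS if name not in package]


def check_data_needed(package: Dict[str, Any], events: List[Dict[str, Any]]) -> List[int]:
    """Return required event IDs never seen in `events`. A non-empty result means the
    source is not configured per the logging policy, so the rule can never fire."""
    seen = {ev.get("EventID") for ev in events}
    return [eid for eid in package["data_needed"]["event_ids"] if eid not in seen]


def _match_field(spec_key: str, expected: Any, event: Dict[str, Any]) -> bool:
    """Match one Sigma field spec ('Field' or 'Field|modifier'); list values are ORed."""
    field, _, modifier = spec_key.partition("|")
    if modifier not in ("", "contains", "startswith", "endswith"):
        raise ValueError(f"unsupported Sigma modifier: {modifier}")
    if field not in event:
        return False
    actual = str(event[field]).lower() if modifier else event[field]
    for want in (expected if isinstance(expected, list) else [expected]):
        if modifier == "" and actual == want:
            return True
        if modifier == "contains" and str(want).lower() in actual:
            return True
        if modifier == "startswith" and actual.startswith(str(want).lower()):
            return True
        if modifier == "endswith" and actual.endswith(str(want).lower()):
            return True
    return False


def _match_selection(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    # All fields of one selection map are ANDed, as in Sigma
    return all(_match_field(k, v, event) for k, v in selection.items())


def rule_matches(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate the condition on one event. Supports 'X' and 'X and not Y [and not Z]'."""
    detection = rule["detection"]
    parts = detection["condition"].split(" and not ")
    if any(" " in p for p in parts):
        raise ValueError(f"unsupported condition: {detection['condition']}")
    if not _match_selection(detection[parts[0]], event):
        return False
    return not any(_match_selection(detection[name], event) for name in parts[1:])


def build_telemetry(package: Dict[str, Any], events: List[Dict[str, Any]], salt: bytes) -> Dict[str, Any]:
    """Trigger statistics to send back to the supplier. Hostnames are replaced by a
    salted, truncated SHA-256 token; the salt stays with the customer."""
    hits: Counter = Counter()
    for ev in events:
        if rule_matches(package["rule"], ev):
            token = hashlib.sha256(salt + str(ev.get("Computer", "")).encode()).hexdigest()[:16]
            hits[token] += 1
    return {"rule_id": package["rule"]["id"], "events_evaluated": len(events),
            "hits": sum(hits.values()), "hosts_hit": len(hits), "hits_per_host_token": dict(hits)}


# Constructed sample events (not real logs): three 4720 account creations and one 4624 logon.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "ws01.corp.example", "SubjectUserName": "jdoe", "TargetUserName": "tmp_admin"},
    {"EventID": 4720, "Computer": "dc01.corp.example", "SubjectUserName": "svc_provisioning", "TargetUserName": "newhire01"},
    {"EventID": 4624, "Computer": "ws01.corp.example", "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
    {"EventID": 4720, "Computer": "ws02.corp.example", "SubjectUserName": "jdoe", "TargetUserName": "backup2"},
]

if __name__ == "__main__":
    print("missing package elements:", validate_package(EXPERTISE_PACKAGE))
    print("required event IDs not seen:", check_data_needed(EXPERTISE_PACKAGE, SAMPLE_EVENTS))
    for ev in SAMPLE_EVENTS:
        if rule_matches(EXPERTISE_PACKAGE["rule"], ev):
            print("ALERT:", EXPERTISE_PACKAGE["rule"]["title"], "->", EXPERTISE_PACKAGE["logic_description"])
            print("  first response step:", EXPERTISE_PACKAGE["response_plan"][0])
    print(json.dumps(build_telemetry(EXPERTISE_PACKAGE, SAMPLE_EVENTS, b"customer-secret-salt"), indent=2))
```

Running the file prints the package completeness check, the data-needed check, an alert line with the rule’s logic description and first response step for each hit, and the telemetry that would go back to the supplier. The data-needed check is the link customers most often skip: from the SIEM console, a rule that never fires because event 4720 is not being generated looks identical to a rule that fires correctly on a quiet network.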

Separately, I would note a point that often falls outside the field of view of both customers and suppliers. Sometimes complex incidents occur that the customer’s specialists cannot resolve on their own. The supplier should not leave the customer alone with the problem: “We deliver the rules, they work, the rest is not our concern.” In my opinion, serious suppliers of expertise should have incident investigation services in their portfolio that the customer can call on 24/7 in a critical situation.

To summarize:

A customer who has bought a SIEM often cannot allocate dedicated specialists to work with the solution full time. In that case, the SIEM falls out of use after a while.

Correlation rules alone are not enough to ensure that real security threats are identified, so correlation rules by themselves cannot be called expertise. Expertise is a set of correlation rules, expert knowledge and data that are minimally necessary for identifying and responding to incidents.

Expertise should have the following properties:

  • accurately identifies violations in the customer’s specific infrastructure;
  • identifies current world-class threats, as well as threats specific to the customer’s country and industry;
  • has both a reactive and a proactive component;
  • explains to the customer the reasoning behind its conclusions;
  • provides explanations of further steps to respond to an identified incident.

Supplying ready-made Sigma rules is not enough to be considered a supplier of expertise; such a supplier must satisfy a number of requirements.

The delivered expertise consists of the following interconnected elements:

  • list and settings of sources;
  • rule logic descriptions;
  • correlation rules;
  • response plans;
  • telemetry for triggering rules.

Expertise providers should have investigation services in their portfolio that the customer can use when they lack the competencies to analyze a complex incident themselves.