This probably doesn’t come as a surprise. One of the major complaints of SIEM customers is that correlation rules are a pain.
Why? Because when organizations rely on correlation rules for their threat detection, they must sort through the huge amounts of false positives that typically result from static correlation rules. Or, they risk missing important security incidents because they have so many false negatives. In the end, correlation rules always require a lot of maintenance to keep up-to-date.
With the Exabeam platform, the majority of threat detection is handled through behavioral analysis. For most security scenarios, we recommend transitioning threat detection to a behavioral modeling-based approach; however, correlation rules are actually useful in specific use cases, including these:
- Existing high-value rules – Perhaps there are several custom correlation rules being used by your SOC that are providing real value, because they’re able to detect incidents and don’t require maintenance. If that’s the case, you’ve struck correlation-rule gold—by all means keep these and don’t fix what’s not broken.
- Non-compliance reporting – Rules that provide alerts for compliance-specific requirements are still valuable. For example, perhaps there is a requirement that a specific security control is in place; a correlation rule that triggers an alert if that security control is deactivated will make it easier to prove compliance.
With the latest version of Exabeam Data Lake, our rule-building wizard makes it quick and easy to build compliance rules that support your security initiatives. In developing Data Lake, we analyzed the correlation rules used by hundreds of companies and found that almost all fall into a few specific categories.
Figure 1 – Rule templates in our correlation rule builder
We took a natural language approach for each category, where all you need to do is build an English language sentence (by simply filling in the blanks), which describes what you want the rule to find. With it, even junior members of your team can build effective correlation rules.
Here’s how to use the rule builder to create a correlation rule:
1. Select the type of rule you want to build from the wizard.
   (In this example, we’ll walk through making a frequency rule.)
2. Build your rule from a search.
   This search can be an entirely new search, or one you previously saved to your search library. Once you’ve created a search, or found the appropriate saved search, click Create Rule.
3. Fill in the blanks.
   The rule builder creates a template for constructing your rule. Templates use a “Mad Libs”-style, fill-in-the-blanks approach—auto-populating the values so you can quickly complete the rule.
   Simply select the desired values as shown next.
   Alternatively, you can build your rule from a completed example Exabeam provides. To do so, click Choose from Examples at the bottom of the page to browse our library.
   The template library offers dozens of rule examples that you can use as a framework to build your own rules. As we show next, simply edit the values to be applicable to the rule you’re creating.
4. Select a Rule Outcome.
   Finally, determine what should happen when the rule is triggered. Here are a few of the available options:
   - Add a log back into Data Lake for use in compliance reporting.
   - Add risk to the users and entities involved in our UEBA product.
   - Create an incident in the Exabeam case management tool.
   - Send direct emails to stakeholders or a Syslog to third-party tools.
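To make concrete what a frequency rule and a compliance rule actually evaluate, here is a small stand-alone rule evaluator run over a handful of constructed log lines. This is an added illustration, not Exabeam code and not what the Data Lake wizard generates; the log format (`timestamp|event|user|host`), the event names and the thresholds are all assumptions chosen for the example. It shows the two rule shapes discussed above: a frequency rule (N matching events from the same entity inside a time window) and a simple match rule of the "alert when a security control is deactivated" kind.

```python
"""Toy correlation-rule evaluator (added example; not Exabeam's implementation)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs in an assumed "timestamp|event|user|host" format.
SAMPLE_LOGS = """\
2024-01-01T09:00:00|auth_failure|alice|ws01
2024-01-01T09:00:10|auth_failure|alice|ws01
2024-01-01T09:00:20|auth_failure|alice|ws01
2024-01-01T09:00:25|auth_failure|alice|ws01
2024-01-01T09:00:30|auth_failure|alice|ws01
2024-01-01T09:00:40|auth_success|alice|ws01
2024-01-01T09:05:00|auth_failure|bob|ws02
2024-01-01T09:45:00|auth_failure|bob|ws02
2024-01-01T10:20:00|auth_failure|bob|ws02
2024-01-01T10:21:00|av_service_stopped|SYSTEM|srv07
"""


def parse_logs(text):
    """Parse the constructed log format into a list of event dicts (chronological)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, user, host = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event": name,
                       "user": user, "host": host})
    return sorted(events, key=lambda e: e["ts"])


def frequency_rule(events, match, group_by, threshold, window):
    """Fire once per group key when `threshold` matching events fall within `window`.

    A sliding deque per key holds the timestamps of recent matches; events older
    than the window are evicted before the count is checked. Firing only once per
    key is the usual way to avoid one burst producing a pile of duplicate alerts.
    """
    recent = defaultdict(deque)
    fired = set()
    alerts = []
    for ev in events:
        if not match(ev):
            continue
        key = ev[group_by]
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"rule": "frequency", "key": key,
                           "count": len(q), "at": ev["ts"]})
    return alerts


def match_rule(events, match, label):
    """Compliance-style rule: alert on every single event that matches."""
    return [{"rule": label, "key": ev["host"], "at": ev["ts"]}
            for ev in events if match(ev)]


def run_all(text=SAMPLE_LOGS):
    """Evaluate both example rules and return the alerts they produce."""
    events = parse_logs(text)
    is_failure = lambda e: e["event"] == "auth_failure"
    return {
        # 5 failed logins by the same user within one minute.
        "brute_force": frequency_rule(events, is_failure, "user", 5,
                                      timedelta(minutes=1)),
        # Assumed "security control deactivated" event for a compliance report.
        "av_disabled": match_rule(events, lambda e: e["event"] == "av_service_stopped",
                                  "control_deactivated"),
    }


if __name__ == "__main__":
    for name, alerts in run_all().items():
        print(name, alerts)
```

With the sample data, the one-minute/5-event rule fires only for alice; bob's three failures are spread over more than an hour and never fit the window. Widening the window to two hours and lowering the threshold to three makes bob fire as well, which is exactly the static-threshold trade-off described at the top of this post: every threshold and window is a guess that has to be re-tuned as the environment changes.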
Enable All of Your Analysts—Even Junior Ones
Seasoned vets may prefer to do things the old-fashioned way (which they can still do with the Exabeam platform)—but the Exabeam natural language rule-building wizard makes it possible for even junior analysts to create complex rules.
This means your team can create better rules, faster.