Main

This is the first stage in creating a correlation rule.


Identification

ID: Each rule is automatically identified by an ID, which is generated according to the prefix set during the MSP configuration.

Language: The system allows versions in different languages within the same profile, providing a customized consultation according to the user's language preference.

Name: Serves for the direct identification of the rule.

Attack: Defines the attack vector that the rule aims to prevent or mitigate.

The name and attack fields are essential for integration with systems like ChatGPT, facilitating the automatic filling of playbooks and rule details.


Data Source

Data Source: Identifies the data source of the selected correlation rule.

Event Type: There are two main types of events in information security:

  • Security Intelligence Events: Associated with data sources that have security intelligence (e.g., endpoint protection or application firewalls) and are usually linked to specific threats. These do not require complex correlation rules for anomaly identification.

  • Non-Security Intelligence Events: Related to data sources without security intelligence (e.g., operating systems), which require more complex correlation rules. In these cases, the analyst must create custom event types for these data sources.


Integration

It is possible to prepare the rule for one or more monitoring solutions. The selection of vendors directly affects which relations and grouping rules are listed.


Relations

This functionality provides the system with information about which SIEM rule relates to the correlation rule. This allows for more efficient management and an integrated view of security policies.
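The constraints described in the Identification, Data Source, Integration and Relations sections above, modelled together as an added example (hypothetical code, not the platform's own API): the prefix, source list and vendor-to-SIEM-rule map are constructed sample values.

```python
from dataclasses import dataclass
import itertools

# Constructed sample data: which data sources carry security intelligence,
# and which SIEM rules each monitoring vendor exposes for the Relations list.
SECURITY_INTEL_SOURCES = {"endpoint_protection", "application_firewall"}
SIEM_RULES_BY_VENDOR = {"vendor_a": ["A-BruteForce", "A-MalwareAlert"], "vendor_b": ["B-PrivEsc"]}

class RuleIdGenerator:
    """Assigns sequential IDs under the prefix set in the MSP configuration (assumed format)."""
    def __init__(self, msp_prefix: str):
        self.prefix = msp_prefix
        self._counter = itertools.count(1)

    def next_id(self) -> str:
        return f"{self.prefix}-{next(self._counter):04d}"

@dataclass
class CorrelationRule:
    rule_id: str
    names: dict           # language code -> localized rule name
    attack: str           # attack vector the rule aims to mitigate
    data_source: str
    event_type: str       # security_intelligence, or an analyst-defined custom type
    vendors: list         # selected monitoring solutions
    relations: list       # related SIEM rules, limited to the selected vendors

    def name_for(self, lang: str, default: str = "en") -> str:
        """Return the name in the user's language, falling back to the default."""
        return self.names.get(lang, self.names[default])

def classify_event_type(data_source: str) -> str:
    if data_source in SECURITY_INTEL_SOURCES:
        return "security_intelligence"
    return "non_security_intelligence"

def build_rule(gen, names, attack, data_source, vendors, relations, custom_event_type=None):
    event_type = classify_event_type(data_source)
    # Sources without security intelligence need an analyst-defined custom event type.
    if event_type == "non_security_intelligence":
        if not custom_event_type:
            raise ValueError(f"{data_source}: custom event type required")
        event_type = custom_event_type
    # Relations may only point at SIEM rules offered by the selected vendors.
    allowed = {r for v in vendors for r in SIEM_RULES_BY_VENDOR.get(v, [])}
    unknown = sorted(set(relations) - allowed)
    if unknown:
        raise ValueError(f"relations not offered by selected vendors: {unknown}")
    return CorrelationRule(gen.next_id(), names, attack, data_source, event_type, vendors, relations)
```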

