Correlation is a must for SIEM solutions. But, the detection capabilities of the SIEM products available are very different from each other. One of these differences is the operators that SIEM products support. Why are these operators important? The CVE-2020–1472 vulnerability in the Netlogon protocol, aka Zerologon, allows attackers to hijack Microsoft Domain Controller / Domain Servers. If we need to detect this attack, we need to correlate the following two events occurring at the same time:
- Event ID: 5805
- Type: System
A computer account was changed
- Event ID: 4742
- Type: Security
- Source User Name: Anonymous Logon
Where the computer account from the event 4742 equals to the device host name from the event 5805.
In this rule, we need the “at the same time” operator. If you do not have a product such as SureLog with this operator, this time you will have to apply circling methods to detect it. Also, in all cases, you may not be able to get around an operator. If your system generates alarms with automatic calls in certain periods, this rule will also require serious resources.
There are many operators that can be found in all SIEM products. Examples of operators not in every SIEM product: “After”, “Before”, “At the same time”.