SureLog Rule As a Code  streaming platform detection capability is more than traditional SIEM correlation engine. SureLog is real-time security analytics platform that ingests, normalizes, enriches, triages, and manages application and security data at scale.
Let’s look at a chain of suspicious events. A user clicks on a phishing email, then visits a website and downloads a malicious file. The user then executes a file and installs malware, which leads to some lateral movement and CNC traffic.
SureLog SIEM streaming platform keeps track of the state of the entity and the relationships between them. Think of the SureLog Profiler Engine  as an analytical machine that sits on top of a standard rules engine and is constantly evaluating alerts against the entity as they come through.
Additionally, traditional SIEM correlations are not good at holding state for long periods of time. SureLog multidimensional relationship management mechanism and smart list mechanism solves this traditional SIEMs drawbacks.
Also SureLog streaming correlation engine has the capability to develop advanced boolean logic statements to correlate between data sources. If there are rules for the data source, SureLog automatically correlates between disparate data sources .
There are many standard use cases like:
• Detect SSHD authentication on Linux
• Successful authentication after brute force
• Repeated login failure
• MySQL Authentication bypass through a zero-length password
• Account deletion after DoS attack
• Attempts to compromise user credentials
• Self escalation
• Short-lived accounts
• Instances of Denial of Service such as abnormal number of requests from multiple ports or the same IP address
Those standard use cases supported by most of the SIEM solutions.
There are some advanced use cases (rules) like:
• Warn if Powershell command with base64 format and more than 100 characters appears
• Password changes for the same user more than 3 within 30 days
• If there are more than 10 DNS requests within 5 minutes which have the same domain but different subdomains, notify. Example: xxx.domian.com , yyy.domian.com
• Misuse of an account
• Lateral movement
Some SIEM solutions support some of those use cases. But not all of them. SureLog supports all of those kind of use cases.
There are use cases specific to next-gen SIEM solutions like:
• Returns days where a user accessed more than his 95th percentile number of assets
• Look for a user whose http to dns protocol ratio is %300 more than %95 of the other users for the last four-week ratio for 4th day of week ,,
• If a user number of failed authentication ratio to number of successful authentication is %10, alert
• Data loss detection by monitoring all endpoints for an abnormal volume of data egress
All those next-gen use cases detected by SureLog SIEM.
Besides those next-gen use cases, SureLog uses supervised machine learning [7,8] to detect
• Suspicious/Malicious Processes
• Suspicious/Malicious Files
• Suspicious/Malicious services
Also SureLog measures the similarity between well-known process names with the running ones using Levenshtein distance in real-time and detect process masquerade .
DGA detection using entropy is another next-gen SIEM feature of SureLog .
Real-time detection is critical for SIEM. Use cases such as unauthorized changes to configs or deletion of audit trails are very crucial. These should be escalated immediately to stop the damage and minimize further risks. All SureLog detections are in real time.