A taxonomy improves the scope and stability of correlation rules. It also aids in pattern recognition. When events from heterogeneous sources are normalized, they can be analyzed by a smaller number of correlation rules. This reduces deployment time and labor cost. In addition, normalized events are easier to work with when developing reports and dashboards.
Using normalized events along with taxonomy categories is highly recommended when creating correlation rules. This makes the rules easier to modify, maintain and apply to additional log sources.
The SureLog Taxonomy [1] is SureLog SIEM’s system for classifying logs. This is our way of providing normalized data to the SureLog SIEM platform.
Thanks to the consistent nature of the SureLog Taxonomy, all information falls within a known number of categories and into a known list of objects. This allows us to fine-tune all of our algorithms across the board when the set of data is well-known. All searches, filters, indexes, correlations and algorithms can leverage the specific set of data, ensuring you can get the most out of your SIEM experience.
The SureLog Taxonomy is actually very simple; here is how it works. You have a set of log data containing a number of fields (e.g. username, source IP, destination IP, last modified time, etc.). The problem is that you are one customer or partner and we have hundreds, all with variations of those fields (e.g. sourceipv4, source_ip4, srcipv4, src_ip_v4, source IP). The SureLog Taxonomy has one key for all of these: SourceMachine. The second part of the SureLog Taxonomy is categorizing logs from all log sources under the same group when they describe the same event. For example, the “big icmp packet” warning generated by the firewall is categorized as “Ping of death attack”, and the “big icmp packet” warning generated by the switch is also categorized as “Ping of death attack”.
This ensures that we are able to categorize and store all data consistently to be analyzed on a common plane with all other systems.
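The following is an added illustration of the two steps just described (field normalization onto a single taxonomy key, then event categorization), followed by one correlation rule that runs over the normalized events regardless of which device produced them. It is not SureLog's code: the alias table, the category table, the rule format and the sample log records are all assumed or constructed here for illustration.

```python
"""Added example (not SureLog's code): a minimal normalizer that maps
heterogeneous log records onto a common taxonomy, then runs a single
correlation rule over the normalized events.

The field-alias table, the category table and the rule shape are
hypothetical; the sample records are constructed."""

# Vendor-specific field names -> taxonomy key (assumed table).
FIELD_ALIASES = {
    "SourceMachine": {"sourceipv4", "source_ip4", "srcipv4", "src_ip_v4", "source ip", "src"},
    "DestinationMachine": {"destinationipv4", "dst_ip_v4", "dstipv4", "destination ip", "dst"},
    "User": {"username", "user", "uname"},
}

# (source type, vendor message) -> taxonomy category (assumed table).
CATEGORY_RULES = {
    ("firewall", "big icmp packet"): "Ping of death attack",
    ("switch", "big icmp packet"): "Ping of death attack",
}


def normalize(source_type: str, raw: dict) -> dict:
    """Return a normalized event: taxonomy keys plus a category."""
    # Invert the alias table once so every vendor name resolves to one key.
    lookup = {alias: key for key, aliases in FIELD_ALIASES.items() for alias in aliases}
    event = {"SourceType": source_type}
    for name, value in raw.items():
        key = lookup.get(name.lower())
        if key:
            event[key] = value
    # Different devices put the message under different names; compare case-insensitively.
    msg = str(raw.get("msg") or raw.get("message") or "").strip().lower()
    event["Category"] = CATEGORY_RULES.get((source_type, msg), "Unclassified")
    return event


def correlate(events, category: str, threshold: int) -> list:
    """One rule for all devices: SourceMachines with >= threshold events of a category."""
    counts = {}
    for e in events:
        if e["Category"] == category:
            src = e.get("SourceMachine")
            counts[src] = counts.get(src, 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed sample records from two different device types.
SAMPLE_LOGS = [
    ("firewall", {"srcipv4": "198.51.100.7", "dstipv4": "192.0.2.10", "msg": "big icmp packet"}),
    ("switch", {"source_ip4": "198.51.100.7", "destination ip": "192.0.2.11", "message": "Big ICMP packet"}),
    ("firewall", {"srcipv4": "198.51.100.9", "dstipv4": "192.0.2.10", "msg": "big icmp packet"}),
]


def run_demo() -> list:
    """Normalize the constructed records and apply the single correlation rule."""
    events = [normalize(t, r) for t, r in SAMPLE_LOGS]
    return correlate(events, "Ping of death attack", threshold=2)


if __name__ == "__main__":
    for t, r in SAMPLE_LOGS:
        print(normalize(t, r))
    print("sources over threshold:", run_demo())
```

The point of the example is that the correlation rule references only taxonomy keys (`SourceMachine`, `Category`); the firewall's `srcipv4` and the switch's `source_ip4` never appear in it, so adding a third device type means adding aliases, not rewriting rules.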
At SureLog, we have a team that manages the common taxonomy, provides the normalization rules and develops the use cases that run on top of the normalized logs.
With the ability to translate all log types into a single taxonomy, SureLog provides immediate time-to-value in the application of SIEM, enabling our customers to build, manage and effectively transform their businesses through a unified cybersecurity solution.
Taxonomy, or event categorization, is common in SIEM solutions. The question is how strong, deep and powerful your SIEM’s taxonomy capability is.
SureLog ensures a single taxonomy for the normalization of log data, enabling an easy-to-use search function for the creation of dashboards, alerts and reports. By translating all log files into a simplified single taxonomy, searching across a wide variety of log sources is made easier and more efficient.
The fact that SureLog has a common taxonomy provides some neat benefits:
• Taxonomy provides consistency.
• Analysts, i.e. people working with data in SureLog, can work in terms of the SureLog taxonomy. So, when setting up dashboards, performing ad hoc searches or other activities, the analyst doesn’t have to know the exact format of logs for each device: Just the SureLog taxonomy!
• The common taxonomy allows customers to directly benefit from the R&D SureLog is putting into understanding the various log formats and producing dashboards, alerts, reports and so on.
• SureLog is in the SIEM domain – our world is server logs, security events, incidents and so on. How many ways do you really want to represent this kind of information? Why not standardize? After all, SureLog doesn’t ingest logs about what color schemes are trending on the web.
• SureLog network activity mapping is based on SureLog Taxonomy [3,4,5]
SureLog Taxonomy
References
1. https://surelog.medium.com/surelog-siem-taxonomy-f574e5407bce
2. https://www.linkedin.com/pulse/why-taxonomy-important-extensive-surelog-siem-features-ertugrul-akbas/
3. https://anet-canada.ca/2019/06/21/the-true-power-of-surelog-taxonomy/
4. https://drertugrulakbas.medium.com/siem-taxonomy-makes-raw-data-human-understandable-eb8cdfb033a4