9. What kind of rules do we write in a SIEM?
• In a SIEM we write correlation rules: rules that combine two or more events, or repeated occurrences of one event, over a time window.
• For example, suppose X is Event 1 and Y is Event 2. Then we write rules like:
Rule 1: If X is generated within 2 minutes after Y, generate SIEM alert Z (a sequence rule).
Rule 2: If X is generated 10 times within 1 minute, generate SIEM alert B (a threshold rule).
• Both kinds of rule are normally scoped to the same entity (source IP, host or user); without that scoping, unrelated events from across the estate will match and the alert is meaningless.
10. How do we write a rule?
We study the pattern of a known attack (which events it generates, in what order, and how often), convert that pattern into a correlation rule, and then tune the thresholds and time windows against normal traffic to limit false positives.
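The two rule shapes from question 9, a sequence rule (X within 2 minutes after Y gives alert Z) and a threshold rule (10 X within 1 minute gives alert B), implemented as an added example over constructed log events. This is illustration code written for this page, not the rule syntax of any real SIEM product; the event names X and Y are kept from the text, the source IPs and timestamps are made up, and the scoping by source address and the "fire once per burst" behaviour are design choices of the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not a real SIEM feed): (timestamp, event_type, source).
# "X" and "Y" are the placeholder event names used in the text; in practice X might
# be an authentication failure and Y a new VPN session, for example.
_T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    (_T0, "Y", "10.0.0.5"),
    (_T0 + timedelta(seconds=90), "X", "10.0.0.5"),   # X 90 s after Y: Rule 1 fires
    (_T0, "Y", "10.0.0.9"),
    (_T0 + timedelta(seconds=180), "X", "10.0.0.9"),  # 180 s > 2 min: Rule 1 stays quiet
] + [
    # 10 X in 45 s from one source: Rule 2 fires
    (_T0 + timedelta(minutes=10, seconds=5 * i), "X", "10.0.0.7") for i in range(10)
] + [
    # 10 X spread over 90 s: never 10 inside one 60 s window, so Rule 2 stays quiet
    (_T0 + timedelta(minutes=20, seconds=10 * i), "X", "10.0.0.8") for i in range(10)
]


def sequence_rule(events, first, second, window, alert_name):
    """Rule 1 shape: alert when `second` is seen within `window` after `first`
    from the same source. Events are processed in timestamp order."""
    last_first = {}   # source -> timestamp of the most recent `first` event
    alerts = []
    for ts, etype, src in sorted(events, key=lambda e: e[0]):
        if etype == first:
            last_first[src] = ts
        elif etype == second and src in last_first:
            gap = ts - last_first[src]
            if timedelta(0) <= gap <= window:
                alerts.append({"alert": alert_name, "source": src,
                               "at": ts, "gap_s": gap.total_seconds()})
                del last_first[src]   # one alert per Y; the next X needs a fresh Y
    return alerts


def threshold_rule(events, event_type, count, window, alert_name):
    """Rule 2 shape: alert when `event_type` is seen `count` times from one source
    within any sliding `window`. Fires once per burst, then resets that source."""
    recent = defaultdict(deque)   # source -> timestamps inside the current window
    alerts = []
    for ts, etype, src in sorted(events, key=lambda e: e[0]):
        if etype != event_type:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= count:
            alerts.append({"alert": alert_name, "source": src,
                           "at": ts, "count": len(q)})
            q.clear()
    return alerts


def run_rules(events=SAMPLE_EVENTS):
    """Apply both rules from the text: Rule 1 (X within 2 min after Y -> Z)
    and Rule 2 (10 X within 1 min -> B). Returns the combined alert list."""
    return (sequence_rule(events, "Y", "X", timedelta(minutes=2), "Z")
            + threshold_rule(events, "X", 10, timedelta(minutes=1), "B"))


if __name__ == "__main__":
    for alert in run_rules():
        print(alert)
```

Running the block prints one Z alert for 10.0.0.5 and one B alert for 10.0.0.7; the sources that fall outside the time windows produce nothing, which is the tuning point in question 10: the window and count decide whether a pattern is an attack or normal noise.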