
Sheriff CSM™

Cross-Correlation Rules

The correlation engine uses cross-correlation rules to connect NIDS events and vulnerabilities discovered by the Sheriff Vulnerability Scanner.

Sheriff CSM provides a web interface, Configuration > Threat Intelligence > Cross Correlation, where you can examine, modify, and create cross-correlation rules.

Cross Correlation window from Threat Intelligence.

At the bottom of the page, you can navigate to the next pages to see more rules. You can also use the search icon to display the search box, and then search by Data Source Name, Event Type, Ref Name, and Ref SID Name.

Quick Search box for cross-correlation rules.

To view a cross-correlation rule, do one of the following:

  • Double-click the rule.
  • Highlight the rule and click Modify.

For example, the following cross-correlation rule ties a Sheriff NIDS login failed event (for the "sa" account on a Microsoft SQL Server) to the condition that the account has a blank password. The correlated event created in this case indicates that someone tried to log in to the system using a password, while the system itself has been configured without a password.

Modify Cross Correlation options.
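The matching logic behind a rule like this one can be sketched as follows. This is an added example, not Sheriff CSM code: the rule fields mirror the searchable columns named above, while the join on destination IP, the data source names, event names and addresses are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# All names and addresses below are constructed; they are not Sheriff CSM identifiers.
@dataclass(frozen=True)
class Rule:
    data_source: str   # source of the triggering event (here, the NIDS)
    event_type: str    # event that triggers the lookup
    ref_name: str      # referenced data source (here, the vulnerability scanner)
    ref_sid_name: str  # finding that must exist on the destination host

@dataclass(frozen=True)
class Event:
    data_source: str
    event_type: str
    src_ip: str
    dst_ip: str

RULES = [Rule("nids", "MSSQL sa login failed",
              "vuln-scanner", "MSSQL sa blank password")]

# Scanner findings per host: {ip: {(ref_name, ref_sid_name), ...}}
FINDINGS = {
    "10.0.0.5": {("vuln-scanner", "MSSQL sa blank password")},
    "10.0.0.6": {("vuln-scanner", "OpenSSH outdated")},
}

def cross_correlate(events, rules=RULES, findings=FINDINGS):
    """Return one record per (event, rule) pair where the event's destination
    host carries the vulnerability the rule references."""
    correlated = []
    for ev in events:
        # A host that was never scanned has no findings and cannot match.
        host_findings = findings.get(ev.dst_ip, set())
        for rule in rules:
            if (ev.data_source, ev.event_type) != (rule.data_source, rule.event_type):
                continue  # rule does not apply to this event type
            if (rule.ref_name, rule.ref_sid_name) in host_findings:
                correlated.append({"host": ev.dst_ip, "src": ev.src_ip,
                                   "event": ev.event_type,
                                   "finding": rule.ref_sid_name})
    return correlated

SAMPLE_EVENTS = [  # constructed sample input
    Event("nids", "MSSQL sa login failed", "192.0.2.10", "10.0.0.5"),  # has finding
    Event("nids", "MSSQL sa login failed", "192.0.2.10", "10.0.0.6"),  # other finding
    Event("nids", "MSSQL sa login failed", "192.0.2.10", "10.0.0.7"),  # never scanned
    Event("nids", "SSH brute force", "192.0.2.11", "10.0.0.5"),        # no rule
]

if __name__ == "__main__":
    for hit in cross_correlate(SAMPLE_EVENTS):
        print(hit["host"], hit["event"], "+", hit["finding"])
```

Only the first sample event produces a correlated record: the other three fail because the host has a different finding, has no scan data, or the event type has no rule.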

Topic revision: 05 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.