5 Real World Scenarios for Correlating Host and Network Events to Catch Violations and Intrusions

Webinar Registration

Operating system (aka host level) logs and network activity are both irreplaceable sources of security intelligence. You need both in your SIEM. But the real value comes when you can correlate events from both levels to see what you would never be able to recognize from the activity of either level alone.
In this technical, real training for free™ webinar we will explore the key correlation points for linking host and network events. We will look at how to use date/time, host names, IP addresses and authentication events to link host events to network events by user, program and computer. Then we will delve into 5 different real-world scenarios where you can detect insider violations or APT behavior by correlating host events with network activity.
  1. User touches sensitive files at the same time they have a session open with a cloud sharing application (e.g. Dropbox)
  2. New, unexpected process/service kicks off and then a new traffic type is seen from the same host
  3. Reconnaissance activity (port scan) followed by a new process running or new account creation on the target host
  4. Session lasting over 48 hours and any concurrent reconnaissance activity from the same host
  5. Abnormal file access followed by a large data transfer
We will go into detail on all 5 of these scenarios showing you the actual events you’d be looking for on a typical network with Windows systems and common network components. But you can apply the same correlation logic to the systems and network products on your network.
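As an added illustration of the correlation logic described above (this is example code written for this page, not part of the webinar material or LogRhythm's product), the Python below links simplified host records to simplified flow records by host name and source IP, walks both streams in time order, and fires on scenarios 2 and 5. The host-to-IP map, the "sensitive" share prefix, the 15-minute window, the transfer-size threshold, and all log records are constructed assumptions; in practice the host-to-IP mapping would come from DHCP or logon events, as the text describes. Everything seen before the baseline cutoff is treated as normal, which is what keeps the "first time we saw it" checks from alerting on every host at rollout.

```python
from datetime import datetime, timedelta

# Constructed assumption: host name -> IP, as DHCP/logon logs would provide it.
HOST_TO_IP = {"WS-042": "10.1.5.42", "WS-017": "10.1.5.17"}

# Constructed host events: (timestamp, host, event type, detail).
HOST_EVENTS = [
    ("2024-03-01T08:00:00", "WS-042", "process_start", "outlook.exe"),
    ("2024-03-01T08:00:00", "WS-042", "process_start", "chrome.exe"),
    ("2024-03-01T08:30:00", "WS-017", "process_start", "excel.exe"),
    ("2024-03-01T09:40:10", "WS-042", "process_start", "updater.exe"),  # never seen before
    ("2024-03-01T10:02:00", "WS-017", "file_access", r"\\fs01\finance\q1_forecast.xlsx"),
]

# Constructed network events: (timestamp, src_ip, dst_ip, dst_port, proto, bytes_out).
NET_EVENTS = [
    ("2024-03-01T08:01:00", "10.1.5.42", "10.0.0.5", 443, "tcp", 12_000),
    ("2024-03-01T08:05:00", "10.1.5.42", "10.0.0.9", 25, "tcp", 4_000),
    ("2024-03-01T08:31:00", "10.1.5.17", "10.0.0.5", 443, "tcp", 9_000),
    ("2024-03-01T09:41:30", "10.1.5.42", "203.0.113.7", 4444, "tcp", 2_000),  # new port/proto for this host
    ("2024-03-01T10:10:00", "10.1.5.17", "203.0.113.7", 443, "tcp", 850_000_000),  # large upload
]


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(host_events, net_events, baseline_end, window=timedelta(minutes=15),
              big_transfer=500_000_000, sensitive_prefixes=(r"\\fs01\finance",)):
    """Return alerts for scenario 2 (new process, then new traffic type from the same host)
    and scenario 5 (sensitive file access, then large outbound transfer from the same host).
    Events before baseline_end only populate the per-host baselines and never alert."""
    cutoff = parse(baseline_end)
    ip_to_host = {ip: host for host, ip in HOST_TO_IP.items()}
    known_procs = {}      # host -> set of process names seen so far
    known_traffic = {}    # host -> set of (dst_port, proto) seen so far
    new_procs = []        # (ts, host, process) first seen after the baseline
    sensitive_access = [] # (ts, host, path) accesses to sensitive locations
    alerts = []

    # One time-ordered pass over both streams, so learning and detection interleave correctly.
    merged = sorted([(parse(e[0]), "host", e) for e in host_events]
                    + [(parse(e[0]), "net", e) for e in net_events], key=lambda x: x[0])

    for ts, kind, e in merged:
        if kind == "host":
            _, host, etype, detail = e
            if etype == "process_start":
                seen = known_procs.setdefault(host, set())
                if detail not in seen:
                    seen.add(detail)
                    if ts >= cutoff:
                        new_procs.append((ts, host, detail))
            elif etype == "file_access" and detail.startswith(sensitive_prefixes):
                sensitive_access.append((ts, host, detail))
            continue

        _, src_ip, dst_ip, port, proto, bytes_out = e
        host = ip_to_host.get(src_ip)
        if host is None:
            continue  # cannot tie this flow to a host; correlation is impossible without the mapping
        seen = known_traffic.setdefault(host, set())
        if (port, proto) not in seen:
            seen.add((port, proto))
            if ts >= cutoff:
                for pts, phost, pname in new_procs:
                    if phost == host and timedelta(0) <= ts - pts <= window:
                        alerts.append({"scenario": 2, "host": host, "process": pname,
                                       "dst": f"{dst_ip}:{port}/{proto}", "at": ts.isoformat()})
        if bytes_out >= big_transfer:
            for fts, fhost, path in sensitive_access:
                if fhost == host and timedelta(0) <= ts - fts <= window:
                    alerts.append({"scenario": 5, "host": host, "file": path,
                                   "dst": f"{dst_ip}:{port}/{proto}", "bytes": bytes_out,
                                   "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(HOST_EVENTS, NET_EVENTS, "2024-03-01T09:00:00"):
        print(alert)
```

Run with the 09:00 cutoff, the constructed data yields exactly two alerts: the new `updater.exe` on WS-042 followed 80 seconds later by that host's first-ever connection to port 4444, and the finance spreadsheet access on WS-017 followed by an 850 MB upload. Moving the cutoff to midnight turns ordinary morning traffic into alerts, which is why a learning period (or an imported baseline) matters before a "first seen" rule is switched on.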
Seth Goldhammer from our sponsor, LogRhythm, has helped me put these scenarios together and he will briefly demonstrate how LogRhythm’s conditioning of log data and analytical rules engine make it easy to recognize these scenarios when they occur.
Don’t miss this technical, real training for free™.
Please register now!