How to Create SIEM Correlation Rules

siem correlation rules

How to Create SIEM Correlation Rules

SIEM (Security Information and Event Management) systems play a crucial role in modern cybersecurity frameworks. They collate log and event data from an array of sources within an organization’s network, facilitating real-time analysis and long-term storage of this crucial information to uphold security standards. A core component of SIEM’s effectiveness lies in its correlation rules, which are designed to detect specific patterns or anomalies that might indicate a security issue.

Understanding SIEM Correlation Rules

SIEM correlation rules are structured criteria or logic sets that help in identifying, notifying, and even mitigating potential security threats in real-time. By defining specific conditions or sequences of events, these rules allow the SIEM to filter out the noise, bringing attention to genuine issues that require action.

The anatomy of a correlation rule typically includes fields such as name, severity, description, solution, category, tactic, reference, frequency, and operators among others. These fields help in specifying the rule, determining its operation, and categorizing the alert for better incident management.

Crafting Correlation Rules

UTMStack is one of the platforms where you can seamlessly create and manage SIEM correlation rules. Let’s break down the process using UTMStack as an exemplar:

  1. Identify the Threat Scenario: Before you dive into rule creation, have a clear understanding of the threat scenario you aim to address. This involves recognizing the indicators of compromise (IoC) and the log data that would be relevant to detect such activities.
  2. Access Rule Configuration Section:
    • Navigate to the correlation rules configuration section within UTMStack.
    • Click on “Add Rule” to initiate a new rule creation.
  3. Fill in the Basic Information:
    • Name: Assign a name that reflects the rule’s intent.
    • Severity: Choose the severity level (Low, Medium, High) based on the potential impact.
    • Description: Provide a concise description of the rule.
    • (And so forth, based on the field references provided)
  4. Define the Logic:
    • Utilize the operators (==, ::, !=, <>, and others) to craft the logic for the rule.
    • Specify the fields and values that should be analyzed, and the conditions that should trigger an alert.
  5. Configure the Cache or Search Parameters:
    • Determine whether to use cache or search based on the analysis period and complexity of the rule.
    • Fill in the necessary sub-fields like minCount, timeLapse, and save to define how the rule should operate and what information should be retained for further analysis or next cycle iteration.
  6. Save and Test the Rule:
    • Save the rule and run some tests to ensure it operates as expected, tweaking as necessary for optimization.
  7. Documentation and Reference:
    • Document the rule, the threat scenario it addresses, and provide references for further information.
    • It’s advisable to link to recognized security frameworks or advisories (e.g., MITRE ATT&CK).


Below are examples of SIEM correlation rules crafted in UTMStack to monitor Windows authentication failures, which could be indicative of brute force attacks. These examples illustrate the use of both cache and search methods in rule configuration, showcasing the flexibility and power of UTMStack in creating effective SIEM correlation rules.

  • Rule Using Cache Method:

  • Rule Using Search Method:

These examples elucidate how SIEM correlation rules are structured and executed within UTMStack, demonstrating the process of tailoring rules to address specific threat scenarios.

In conclusion, mastering SIEM correlation rules is pivotal for enhancing the security posture of organizations. Through platforms like UTMStack, security professionals can create robust rules that are instrumental in real-time threat detection and response, thus fortifying the organization’s defense mechanisms against a myriad of cyber threats.

Next Steps

To access a complete guide please refer to the UTMStack documentation. 

Share this post