Computer security and threat detection are hugely important in modern enterprise computing networks. There are various products in use that are designed to detect malicious user activities. For instance, SAP SE of Walldorf, Germany provides at least two different products that are designed to detect malicious user activities. These are SAP Fraud Management (FM) for detecting malicious business events (e.g. a money transfer for personal advantage) and SAP Enterprise Threat Detection (ETD) for detecting unauthorized access (e.g. attacking a system by changing authorization data to gain access to sensitive data), or other activities that endanger system availability, data integrity, system integrity, or confidentiality.
Such products run analyses on large amounts of data, and are designed to generate alerts in case certain pre-requisites are met. These pre-requisites could be entries in certain logs (e.g. a role assignment in the user audit log), or the crossing of certain thresholds (e.g. for money transfers in a financial transaction). The log of each of these products has a different structure, and the products differ in which fields (IDs, attributes, ...) are part of the log.
Each of these products, consistent with many related products, features what is known as a normalized log structure, i.e., a common log structure that allows a common search across a number of different logs within a product. However, even with a normalized log structure, a combined search among and across the two different products is still not possible, given the different attributes the products use for their log structures. A combined search would take search results from one product and look for events correlated to those results in other products.
Most attacks on computer security entail multiple attacks along a “chain” of vulnerabilities: i.e., sophisticated hackers look to combine a number of “smaller” computer or network vulnerabilities in a concerted effort to obtain unauthorized access. Each of these vulnerabilities on its own might look quite harmless, but their combination can open the door to a severe attack. What is needed is a way to correlate events among multiple systems to improve the chances of detecting such a combined attack.
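As an added illustration of the combined search described above (not part of the original text, and not SAP's own code or schemas), the following example maps two differently structured logs onto a common attribute set and then correlates a role assignment from the access log with a subsequent large money transfer from the fraud log by the same actor within a time window. All field names, records and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names are assumptions, not the products' real schemas.
# ETD-style access/audit entries.
ETD_LOG = [
    {"Timestamp": "2024-03-01T09:00:00", "Actor": "jdoe", "EventType": "ROLE_ASSIGNED", "Detail": "FI_ADMIN"},
    {"Timestamp": "2024-03-01T09:05:00", "Actor": "asmith", "EventType": "LOGON_FAILED", "Detail": ""},
]
# FM-style business events (financial transactions).
FM_LOG = [
    {"ts": "2024-03-01T09:20:00", "user": "jdoe", "type": "TRANSFER", "amount": 250000.0},
    {"ts": "2024-03-01T09:30:00", "user": "asmith", "type": "TRANSFER", "amount": 120.0},
    {"ts": "2024-03-02T11:00:00", "user": "jdoe", "type": "TRANSFER", "amount": 300000.0},
]

def normalize_etd(rec):
    """Map an ETD-style record onto the common attribute set used for correlation."""
    return {"source": "ETD", "actor": rec["Actor"], "time": datetime.fromisoformat(rec["Timestamp"]),
            "event": rec["EventType"], "value": rec["Detail"]}

def normalize_fm(rec):
    """Map an FM-style record onto the same common attribute set."""
    return {"source": "FM", "actor": rec["user"], "time": datetime.fromisoformat(rec["ts"]),
            "event": rec["type"], "value": rec["amount"]}

def correlate(etd_log, fm_log, threshold=100000.0, window=timedelta(hours=1)):
    """Return (actor, etd_time, fm_time) triples where a role assignment seen in the
    ETD log is followed within `window` by an FM transfer above `threshold` by the
    same actor. Each event alone may be benign; the combination is what is flagged."""
    events = [normalize_etd(r) for r in etd_log] + [normalize_fm(r) for r in fm_log]
    events.sort(key=lambda e: e["time"])  # one merged, time-ordered stream
    hits = []
    for i, e in enumerate(events):
        if e["source"] != "ETD" or e["event"] != "ROLE_ASSIGNED":
            continue
        for later in events[i + 1:]:
            if later["time"] - e["time"] > window:
                break  # sorted, so nothing further can fall inside the window
            if (later["source"] == "FM" and later["actor"] == e["actor"]
                    and later["event"] == "TRANSFER" and later["value"] > threshold):
                hits.append((e["actor"], e["time"], later["time"]))
    return hits

if __name__ == "__main__":
    for actor, t_role, t_transfer in correlate(ETD_LOG, FM_LOG):
        print(f"{actor}: role assigned {t_role.isoformat()}, large transfer {t_transfer.isoformat()}")
```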