How does a SIEM work?

The one-word answer is correlation. You will see the word "correlation" again and again when asking how a SIEM works, but of course correlation alone is not the whole story.

Basically, a SIEM tool collects logs from the devices present in the organization's infrastructure (servers, firewalls, domain controllers, endpoints and so on). Some solutions also collect NetFlow and even raw packets. With the collected data (mainly logs, sometimes packets), the tool normalizes the different formats into common fields and gives you insight into what is happening on the network.

It stores and indexes each event occurring in the network, so it acts as a central, searchable security monitoring system rather than a pile of separate log files on separate boxes.

In addition to this, the SIEM tool can be configured to detect a specific scenario. For example, a user is trying to log in to an AD server. The first 3 authentication attempts fail and the 4th succeeds. On its own, each of those four events looks ordinary; taken together, they are something worth looking at.

There are many possibilities. Maybe someone is guessing another user's password and eventually got it right, which is a breach. Or maybe the user simply forgot their password and got it right in the end. The SIEM cannot know which from the individual events, but it can tell you that the pattern occurred. This is where correlation comes in.

For such a case, a correlation rule can be written so that if 3 consecutive authentication failures for the same account are followed by a success within a specific time window, an alert is raised. The time window matters: three failures spread across a week followed by a success is normal user behaviour, while the same sequence within a minute or two is not.

The alert can then be investigated further by analyzing the logs from the machines involved (the source host, the domain controller, what the account did after the successful logon). So my definition of correlation is: "It is the rule which aggregates individual events into an incident, as defined for a specific application or scenario."
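The failed-then-successful logon rule described above, written out as an added example so the mechanics are visible. This is illustrative code written for this page, not the rule language of any particular SIEM product. The log lines are constructed, not real; the field layout (timestamp, user, source IP, outcome) is an assumption, and in a real deployment you would map it from normalized fields such as the Windows logon event outcome. The rule keys on (user, source), drops failures older than the window, and fires once when a success closes a streak of at least `failures` recent failures.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, user, source IP, outcome.
# alice: 3 failures then success within seconds  -> should alert
# bob:   1 failure then success                  -> below threshold, no alert
# carol: 3 failures, success an hour later       -> outside window, no alert
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", "alice", "10.0.0.5", "FAILURE"),
    ("2024-01-10T09:00:04", "alice", "10.0.0.5", "FAILURE"),
    ("2024-01-10T09:00:07", "alice", "10.0.0.5", "FAILURE"),
    ("2024-01-10T09:00:10", "alice", "10.0.0.5", "SUCCESS"),
    ("2024-01-10T09:05:00", "bob",   "10.0.0.9", "FAILURE"),
    ("2024-01-10T09:05:03", "bob",   "10.0.0.9", "SUCCESS"),
    ("2024-01-10T10:00:00", "carol", "10.0.0.7", "FAILURE"),
    ("2024-01-10T10:00:02", "carol", "10.0.0.7", "FAILURE"),
    ("2024-01-10T10:00:03", "carol", "10.0.0.7", "FAILURE"),
    ("2024-01-10T11:00:00", "carol", "10.0.0.7", "SUCCESS"),
]


def correlate_failures_then_success(events, failures=3, window=timedelta(minutes=2)):
    """Correlation rule: N or more consecutive logon failures for the same
    (user, source) followed by a success, all inside `window`, yields one alert.

    Returns a list of alert dicts describing the matched sequence.
    """
    alerts = []
    # Per (user, source): timestamps of the current run of consecutive failures.
    streaks = defaultdict(deque)

    # Process in time order so "consecutive" and "within window" are meaningful.
    for ts_str, user, source, outcome in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        streak = streaks[(user, source)]

        # Expire failures that fall outside the window relative to this event.
        while streak and ts - streak[0] > window:
            streak.popleft()

        if outcome == "FAILURE":
            streak.append(ts)
        elif outcome == "SUCCESS":
            if len(streak) >= failures:
                alerts.append({
                    "rule": "brute_force_then_success",
                    "user": user,
                    "source": source,
                    "failures": len(streak),
                    "first_failure": streak[0].isoformat(),
                    "success": ts.isoformat(),
                })
            # A success ends the run of consecutive failures either way.
            streak.clear()

    return alerts


if __name__ == "__main__":
    for alert in correlate_failures_then_success(SAMPLE_EVENTS):
        print(alert)
```

Note the two deliberate resets: a success always clears the streak (so failures before an earlier success do not count as "consecutive"), and failures older than the window are discarded before each decision. Tuning `failures` and `window` is the usual trade-off between catching slow password guessing and drowning analysts in forgotten-password alerts.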