What is a simple and effective way to correlate events?
- different TCP destination ports
- different TCP source ports
- same alert timestamp
- same alert severity level
- same IP 5-tuple
Explanation & Hint:
Of the options provided, the simple and effective way to correlate events is the same IP 5-tuple.
The IP 5-tuple consists of the source IP address, destination IP address, source port number, destination port number, and the protocol in use (such as TCP or UDP). This combination is unique to a specific session or flow of packets between two endpoints, which makes it a strong indicator for correlating network events. By comparing the 5-tuple across different network flows, one can identify and correlate events that are part of the same communication session.