Building a Detection Foundation: Part 5 – Correlation in Practice

Source: TrustedSec

Author: Carlos Perez

URL: https://trustedsec.com/blog/building-a-detection-foundation-part-5-correlation-in-practice

ONE SENTENCE SUMMARY:

Series shifts from logging sources to practical detections using Windows Security events, PowerShell logging, and Sysmon telemetry together for visibility.

MAIN POINTS:

  1. Focus transitions from collecting telemetry to building actionable detections.
  2. Windows Security events support logon tracking and authentication activity analysis.
  3. Process execution auditing helps identify suspicious program launches and lineage.
  4. PowerShell logging improves visibility into script content and execution behaviors.
  5. Sysmon augments Windows logging with richer host and network telemetry.
  6. Network event collection enables monitoring of outbound connections and suspicious destinations.
  7. Combining multiple data sources strengthens context for investigation and detection fidelity.
  8. Proper event selection reduces noise while preserving high-value security signals.
  9. Centralizing logs facilitates correlation across accounts, processes, scripts, and network activity.
  10. Detection engineering builds on consistent, well-instrumented logging configurations.

TAKEAWAYS:

  1. Effective detections start with reliable, well-scoped data collection.
  2. Authentication and process events provide foundational signals for endpoint monitoring.
  3. Script telemetry is critical for observing PowerShell-based tradecraft.
  4. Sysmon can fill visibility gaps left by default Windows event logging.
  5. Correlating diverse logs improves confidence and reduces false positives.
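Main points 7 and 9 and takeaway 5 describe correlating Security, PowerShell and Sysmon events into one picture. The following is an added illustration of that join, not code from the post or from TrustedSec: it assumes the events have already been centralized and normalized into dicts with a shared `Pid` key (Security logs `NewProcessId` in hex, Sysmon in decimal, so that normalization is assumed done upstream), and all sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry) from the three sources the
# post combines: Security (4624 logon, 4688 process creation), PowerShell
# (4104 script block) and Sysmon (event 3 network connection).
EVENTS = [
    {"src": "Security", "id": 4624, "t": "2024-05-01T10:00:00", "LogonId": "0x3e7a1",
     "User": "alice", "LogonType": 10, "IpAddress": "10.0.0.5"},
    {"src": "Security", "id": 4688, "t": "2024-05-01T10:00:20", "LogonId": "0x3e7a1",
     "Pid": 4321, "Image": "powershell.exe", "Parent": "winword.exe"},
    {"src": "PowerShell", "id": 4104, "t": "2024-05-01T10:00:25", "Pid": 4321,
     "ScriptBlock": "Invoke-WebRequest -Uri https://203.0.113.7/"},
    {"src": "Sysmon", "id": 3, "t": "2024-05-01T10:00:30", "Pid": 4321,
     "DestIp": "203.0.113.7", "DestPort": 443},
    {"src": "Security", "id": 4688, "t": "2024-05-01T11:00:00", "LogonId": "0x3e7a1",
     "Pid": 5555, "Image": "notepad.exe", "Parent": "explorer.exe"},
]


def _ts(e):
    return datetime.fromisoformat(e["t"])


def correlate(events, window=timedelta(minutes=5)):
    """One context record per 4688 process creation: the logon session that
    launched it (4624 via LogonId) plus script-block and network events the same
    process produced within `window`. PIDs are reused, so the time window is
    essential; with Sysmon, its ProcessGuid is the safer join key (assumed absent
    here). The count of distinct contributing sources is the confidence signal."""
    logons = {e["LogonId"]: e for e in events if e["src"] == "Security" and e["id"] == 4624}
    records = []
    for p in (e for e in events if e["src"] == "Security" and e["id"] == 4688):
        start = _ts(p)
        same_proc = [e for e in events if e.get("Pid") == p["Pid"] and e is not p
                     and start <= _ts(e) <= start + window]
        logon = logons.get(p["LogonId"])
        rec = {
            "image": p["Image"], "parent": p["Parent"],
            "user": logon["User"] if logon else None,
            "logon_type": logon["LogonType"] if logon else None,
            "script_blocks": [e["ScriptBlock"] for e in same_proc if e["id"] == 4104],
            "connections": [(e["DestIp"], e["DestPort"]) for e in same_proc if e["id"] == 3],
        }
        rec["sources"] = sorted({"Security"} | {e["src"] for e in same_proc})
        records.append(rec)
    return records
```

Running `correlate(EVENTS)` yields one record backed by all three sources (an Office-spawned PowerShell whose script block and outbound connection agree on the same destination) and one backed by Security alone, which is the difference in confidence the post argues correlation provides.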