Automation of information security incident detection using custom correlation rules in a SIEM system

Machine learning and knowledge control systems
Abstract:

The article examines an applied approach to improving the effectiveness of information security incident detection in database management systems, using PostgreSQL as a case study and the industrial security information and event management (SIEM) system MaxPatrol SIEM as the detection platform. The relevance of the problem is substantiated in the context of increasing attack complexity and growing volumes of logged data, which complicate the identification of significant events and the formation of a coherent incident context. The methodology for assessing information security threats developed by the Federal Service for Technical and Export Control of Russia (FSTEC) serves as the methodological basis, making it possible to correlate observable log features with threat implementation techniques. The study includes a two-stage selection of relevant threat techniques, an analysis of how well the built-in MaxPatrol SIEM correlation rules correspond to the selected attack scenarios, and the identification of detection gaps. It is shown that the default rule set provides limited coverage of the techniques and is focused mainly on administrative operations and typical authentication scenarios. To close the identified gaps, a set of custom correlation rules was developed that detects attacks on the basis of characteristic SQL constructs, sequences of execution errors, and access to sensitive objects. The developed rules were validated and deployed, yielding full coverage of the selected threat techniques without changes to the logging configuration or the use of external analytical modules. The results confirm the practical applicability of the proposed approach for maintaining SIEM solutions and adapting them to specific event sources.
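The three detection ideas named in the abstract (characteristic SQL constructs, a sequence of execution errors from one session, and reads of sensitive catalog objects by an ordinary role) can be illustrated outside the SIEM. The block below is an added example written for this page; it is not the paper's MaxPatrol SIEM rule content, and MaxPatrol's own rule language is not reproduced here. It assumes a PostgreSQL `log_line_prefix` of `'%m [%p] %u@%d '`, a constructed ten-line log, an illustrative pattern list, a threshold of three errors in 60 seconds, and `postgres` as the only role allowed to read `pg_authid`/`pg_shadow`; all of those are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the paper). Shape assumed:
# log_line_prefix = '%m [%p] %u@%d ', then SEVERITY:  message.
SAMPLE_LOG = """\
2024-03-01 10:00:01.001 UTC [4311] app@shop LOG:  statement: SELECT id, name FROM products WHERE id = 7
2024-03-01 10:00:02.120 UTC [4311] app@shop ERROR:  syntax error at or near "'" at character 44
2024-03-01 10:00:02.121 UTC [4311] app@shop STATEMENT:  SELECT id, name FROM products WHERE id = 7'
2024-03-01 10:00:03.300 UTC [4311] app@shop ERROR:  each UNION query must have the same number of columns
2024-03-01 10:00:03.301 UTC [4311] app@shop STATEMENT:  SELECT id, name FROM products WHERE id = 7 UNION SELECT NULL--
2024-03-01 10:00:04.500 UTC [4311] app@shop ERROR:  UNION types integer and text cannot be matched
2024-03-01 10:00:04.501 UTC [4311] app@shop STATEMENT:  SELECT id, name FROM products WHERE id = 7 UNION SELECT NULL,NULL--
2024-03-01 10:00:09.000 UTC [4311] app@shop LOG:  statement: SELECT id, name FROM products WHERE id = 7 UNION SELECT usename, passwd FROM pg_shadow--
2024-03-01 10:05:00.000 UTC [5120] postgres@postgres LOG:  statement: SELECT rolname FROM pg_authid
2024-03-01 10:06:00.000 UTC [5200] reporter@shop LOG:  statement: SELECT count(*) FROM orders WHERE created > now() - interval '1 day'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ "
    r"\[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

# Rule 1: SQL constructs typical of injection probing and post-exploitation.
# Illustrative pattern list (assumption), not the paper's rule content.
SUSPICIOUS_SQL = {
    "union_select": re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I),
    "time_based": re.compile(r"\bpg_sleep\s*\(", re.I),
    "file_access": re.compile(r"\b(pg_read_file|pg_read_binary_file|pg_ls_dir|lo_import|lo_export)\s*\(", re.I),
    "copy_program": re.compile(r"\bCOPY\b.*\b(TO|FROM)\s+PROGRAM\b", re.I),
}

# Rule 3: catalogs holding credentials or role data; reads by roles outside
# ADMIN_ROLES raise an alert. Both sets are assumptions for the example.
SENSITIVE_OBJECTS = re.compile(r"\bpg_(authid|shadow|user_mappings)\b", re.I)
ADMIN_ROLES = {"postgres"}


def parse(line):
    """Split one log line into its fields; None for lines in another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ev


def statement_text(ev):
    """Return the SQL carried by an event (STATEMENT or LOG: statement), else None."""
    if ev["level"] == "STATEMENT":
        return ev["msg"]
    if ev["level"] == "LOG" and ev["msg"].startswith("statement: "):
        return ev["msg"][len("statement: "):]
    return None


def correlate(log_text, error_threshold=3, window=timedelta(seconds=60)):
    """Run the three rules over the log text; returns one alert dict per finding.

    A session is keyed by (backend pid, user, database) so that the error
    burst and the statements that caused it share one incident context.
    """
    alerts = []
    recent_errors = defaultdict(deque)  # session -> timestamps of ERROR events
    burst_reported = set()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        session = (ev["pid"], ev["user"], ev["db"])
        # Rule 2: error_threshold ERROR events from one session inside a sliding window.
        if ev["level"] == "ERROR":
            q = recent_errors[session]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= error_threshold and session not in burst_reported:
                burst_reported.add(session)
                alerts.append({"rule": "error_burst", "session": session,
                               "evidence": f"{len(q)} errors within {window}"})
        sql = statement_text(ev)
        if sql is None:
            continue
        for name, rx in SUSPICIOUS_SQL.items():
            if rx.search(sql):
                alerts.append({"rule": "suspicious_sql", "session": session,
                               "evidence": f"{name}: {sql}"})
        if SENSITIVE_OBJECTS.search(sql) and ev["user"] not in ADMIN_ROLES:
            alerts.append({"rule": "sensitive_object", "session": session, "evidence": sql})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a["rule"], a["session"], a["evidence"])
```

On the constructed log, session 4311 (`app@shop`) trips all three rules: two failed `UNION SELECT` probes plus the final successful one match the SQL-construct rule, the three errors between 10:00:02 and 10:00:04 form a burst, and the last statement reads `pg_shadow` from a non-administrative role. The `postgres` read of `pg_authid` and the reporting query produce nothing, which is the point of keying the burst rule on the session and of exempting known administrative roles: without that, the same logic would fire on routine maintenance and drown the real sequence.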