Event Model

Written by Administrator
Wednesday, 29 April 2009 10:54

For all acquired log data, iknoplex generates a normalized view that is independent of the original log structure. Analysis models built on this view are therefore durable: they do not have to change when a new type of log is loaded into the data warehouse.

The model is structured around seven key correlation dimensions:

Time
When did the event occur?

This dimension describes the precise moment or period in which the individual event occurred and how it relates to other business-relevant time categories: working shifts, vacation and holidays, seasons, night shifts, etc.

Event Type
What type of event occurred? Was it successful?

iknoplex LM labels every security event with standard categories drawn from a large taxonomy covering event occurrences in the security and audit domain, and records whether the event succeeded or failed.

User
Who caused the event? What role did he or she hold when it occurred, and with what privileges was he or she operating? To which organizational unit did he or she belong, and to whom did he or she report?

In iknoplex LM the user dimension links the event to organizational attributes (role, function, department, supervisor, company, geographical location, etc.) against which the event can be correlated. The data used to enrich the original event is retrieved from directory servers and from identity and HR management systems.

Platform
Which system generated the event? To which organizational unit, service line, etc. did it belong?

This dimension represents the appliance, system, middleware or application that generated the event. As with the other dimensions, the entity is described with user-defined organizational and business attributes, which may be retrieved from asset management systems.

Object
Which resource has been affected by the event? To which business area does it belong?

Each event involves a person (the user) and an object: a file, database, table, transaction system, etc. As with Platform, this dimension can be enriched from snapshot data taken from asset management, risk management and similar systems.

Origin
What’s the origin of the activity that gave rise to the event? From what workstation did the user operate?

An event can originate within the system that logged it, or it can be caused by a remote system. In the latter case this dimension describes the external system that originated the event, for example the user's location or IP address.

Target
What remote system is affected by the event?

This dimension is typically used together with Origin to describe events generated by interconnection devices such as a firewall, where the target is the remote system taking part in the network connection.
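The following is an added example that is not part of the original page and not iknoplex code: a small normalizer that maps two unrelated log formats (an sshd authentication line and a netfilter firewall line) onto the seven dimensions described above, enriching the User and Platform/Target dimensions from constructed directory and asset snapshots, and then runs one query against the normalized view that needs no knowledge of either source format. The sample log lines, the enrichment tables, the taxonomy labels and the shift boundaries are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample log lines (not from iknoplex or the original page).
SAMPLE_LOGS = [
    "2009-04-29T02:17:05 srv-db01 sshd[4121]: Failed password for jdoe from 10.1.5.23 port 51234 ssh2",
    "2009-04-29T10:54:00 srv-db01 sshd[4130]: Accepted publickey for jdoe from 10.1.5.23 port 51240 ssh2",
    "2009-04-29T11:02:11 fw-edge01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.1.5.40 PROTO=TCP DPT=3389",
]

# Constructed snapshots standing in for a directory/HR export and an asset-management
# export; the attribute names are illustrative assumptions, not a real schema.
DIRECTORY = {
    "jdoe": {"role": "DBA", "department": "IT Operations", "supervisor": "asmith", "location": "Milan"},
}
ASSETS = {
    "srv-db01": {"kind": "system", "service_line": "Finance", "unit": "IT Operations"},
    "fw-edge01": {"kind": "appliance", "service_line": "Shared Infrastructure", "unit": "Network"},
    "10.1.5.40": {"kind": "system", "service_line": "Finance", "unit": "IT Operations"},
}

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<action>DROP|ACCEPT) .*?SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


@dataclass
class Event:
    """One row of the normalized view: the seven dimensions, source format forgotten."""
    time: dict
    event_type: dict
    user: Optional[dict]
    platform: dict
    obj: Optional[dict]        # the page's "Object" dimension
    origin: Optional[dict]
    target: Optional[dict]


def time_dimension(ts: str) -> dict:
    """Timestamp plus a business time category (shift boundaries are an assumption)."""
    dt = datetime.fromisoformat(ts)
    if dt.weekday() >= 5:
        category = "weekend"
    elif 8 <= dt.hour < 18:
        category = "working-shift"
    elif dt.hour >= 22 or dt.hour < 6:
        category = "night-shift"
    else:
        category = "off-hours"
    return {"timestamp": dt.isoformat(), "category": category}


def user_dimension(login: str) -> dict:
    """Link the login to organizational attributes; unknown logins are kept but flagged."""
    attrs = DIRECTORY.get(login)
    return {"login": login, **attrs} if attrs else {"login": login, "known": False}


def asset_dimension(name: str) -> dict:
    """Platform/Target enrichment from the asset snapshot, by host name or IP."""
    return {"name": name, **ASSETS.get(name, {"kind": "unknown"})}


def normalize(line: str) -> Optional[Event]:
    """Map one raw line onto the seven dimensions; None for unrecognized formats."""
    m = SSH_RE.match(line)
    if m:
        ok = m["outcome"] == "Accepted"
        return Event(
            time=time_dimension(m["ts"]),
            event_type={"category": "authentication/login",
                        "outcome": "success" if ok else "failure", "detail": m["method"]},
            user=user_dimension(m["user"]),
            platform=asset_dimension(m["host"]),
            obj={"kind": "service", "name": "ssh"},
            origin={"ip": m["src"]},
            target=None,                 # local event: no remote target
        )
    m = FW_RE.match(line)
    if m:
        return Event(
            time=time_dimension(m["ts"]),
            event_type={"category": "network/connection",
                        "outcome": "allowed" if m["action"] == "ACCEPT" else "denied",
                        "detail": f"{m['proto']}/{m['dpt']}"},
            user=None,                   # firewall lines carry no user identity
            platform=asset_dimension(m["host"]),
            obj={"kind": "port", "name": f"{m['proto']}/{m['dpt']}"},
            origin={"ip": m["src"]},
            target=asset_dimension(m["dst"]),  # remote system taking part in the connection
        )
    return None


def normalize_all(lines):
    return [e for e in (normalize(line) for line in lines) if e is not None]


def off_hours_failures(events):
    """Model-level query with no knowledge of source formats: failed logins outside
    the working shift, reported with the user's supervisor from the directory."""
    return [(e.user["login"], e.user.get("supervisor"), e.time["category"])
            for e in events
            if e.event_type["category"] == "authentication/login"
            and e.event_type["outcome"] == "failure"
            and e.time["category"] != "working-shift"]


if __name__ == "__main__":
    evs = normalize_all(SAMPLE_LOGS)
    for e in evs:
        print(e)
    print(off_hours_failures(evs))
```

The point of the exercise is the last function: once events are in the normalized view, a rule such as "failed logins outside the working shift, escalated to the supervisor" is written once against the dimensions and keeps working when a new log source (a VPN concentrator, a database audit trail) is mapped onto the same seven fields.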

Last Updated ( Wednesday, 26 August 2009 14:08 )

iknoplex is a division of Integra Group.


 Integra S.r.l. (C) 2009 - P.IVA 11747790159. All Rights Reserved.