Describe 5-tuple correlation
Implementing Cisco Cybersecurity Operations (210-255)
Describe the 5-tuple approach to isolate a compromised host in a grouped set of logs
As noted in the discussion of NetFlow, the 5-tuple consists of the protocol, source IP, source port, destination IP, and destination port. When doing a correlation, the 5-tuple is the common key used to connect logs from different sources. For example, firewall logs, IPS alerts and NetFlow records can be joined on the same 5-tuple to give a better view of what the host in an alert was doing.
The 5-tuple also lets an analyst focus on a particular host for closer examination. Filtering the correlated data to flows where that host is the source or destination narrows it to the relevant records, increasing the signal-to-noise ratio.
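The correlation and host-narrowing described above, as an added example that is not part of the course material: three constructed log formats (a firewall line, an IPS alert and a NetFlow key=value record, all hypothetical) are parsed into a 5-tuple key, grouped, and then filtered to one host.

```python
"""Correlate firewall, IPS and NetFlow records on the 5-tuple."""
import re
from collections import defaultdict
from typing import NamedTuple

class FiveTuple(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

# Constructed sample records, one hypothetical style per source (not real logs).
FIREWALL = [
    "fw: ALLOW tcp 10.1.1.5:51234 -> 203.0.113.9:443",
    "fw: ALLOW udp 10.1.1.7:5353 -> 224.0.0.251:5353",
]
IPS = [
    "ips: SIG-0001 tcp 10.1.1.5:51234 -> 203.0.113.9:443 outbound beacon",
]
NETFLOW = [
    "flow proto=tcp src=10.1.1.5 sport=51234 dst=203.0.113.9 dport=443 bytes=81234",
    "flow proto=udp src=10.1.1.7 sport=5353 dst=224.0.0.251 dport=5353 bytes=120",
]

ARROW = re.compile(r"(tcp|udp|icmp) (\S+):(\d+) -> (\S+):(\d+)")   # fw / ips style
KV = re.compile(r"proto=(\w+) src=(\S+) sport=(\d+) dst=(\S+) dport=(\d+)")  # flow style

def parse(line):
    """Return (FiveTuple, source name) or None if the line carries no 5-tuple."""
    m = ARROW.search(line) or KV.search(line)
    if not m:
        return None
    proto, sip, sport, dip, dport = m.groups()
    source = line.split()[0].rstrip(":")  # "fw", "ips" or "flow"
    return FiveTuple(proto, sip, int(sport), dip, int(dport)), source

def correlate(*log_sets):
    """Group every record from every source under its 5-tuple key."""
    by_tuple = defaultdict(list)
    for lines in log_sets:
        for line in lines:
            parsed = parse(line)
            if parsed:
                by_tuple[parsed[0]].append(parsed[1])
    return by_tuple

def host_view(by_tuple, host):
    """Narrow the correlated set to flows where `host` is source or destination."""
    return {t: srcs for t, srcs in by_tuple.items() if host in (t.src_ip, t.dst_ip)}
```

Each 5-tuple key ends up with the list of sources that saw it, so a flow reported by the firewall, the IPS and NetFlow together stands out from flows seen by only one sensor.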