Marko Jahnke<p>In the early 2000s, <a href="https://bonn.social/tags/SvenHenkel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SvenHenkel</span></a> and I developed an <a href="https://bonn.social/tags/IDMEF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IDMEF</span></a>/<a href="https://bonn.social/tags/IDXP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IDXP</span></a> compliant security event message pipelining framework for collecting and consolidating log messages, e.g., from network <a href="https://bonn.social/tags/IDS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IDS</span></a> and <a href="https://bonn.social/tags/EDR" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EDR</span></a> products. </p><p>In the message stream, we were able to match multi-stage <a href="https://bonn.social/tags/correlation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>correlation</span></a> <a href="https://bonn.social/tags/DetectionRules" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DetectionRules</span></a> in near real-time (in-memory), before everything was stored in a central database. Structural graph-based <a href="https://bonn.social/tags/AnomalyDetection" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AnomalyDetection</span></a> was developed later by some colleagues.</p><p>We called it <a href="https://bonn.social/tags/MetaIDS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MetaIDS</span></a>.</p>
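As an added illustration of the in-memory multi-stage correlation the post describes (example code, not code from the MetaIDS project), a two-stage rule run over a constructed stream of minimal IDMEF alerts before anything would reach a database; the alert classes, addresses, timestamps and time window are assumed sample values.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# IDMEF namespace from RFC 4765; only a small subset of the schema is read here.
NS = {"idmef": "http://iana.org/idmef"}

def parse_alert(xml_text):
    """Extract the fields a correlation rule needs from one IDMEF-Message."""
    alert = ET.fromstring(xml_text).find("idmef:Alert", NS)
    return {
        "id": alert.get("messageid"),
        "time": datetime.fromisoformat(alert.findtext("idmef:CreateTime", namespaces=NS)),
        "class": alert.find("idmef:Classification", NS).get("text"),
        "src": alert.findtext("idmef:Source/idmef:Node/idmef:Address/idmef:address", namespaces=NS),
    }

class MultiStageCorrelator:
    """Matches an ordered sequence of alert classes from one source inside a time window,
    keeping partial matches in memory (no database round trip) like a stream correlator."""
    def __init__(self, stages, window):
        self.stages, self.window = stages, window
        self.state = defaultdict(list)  # source address -> alerts matched so far

    def feed(self, alert):
        """Return a meta-alert dict when the final stage completes, otherwise None."""
        progress = self.state[alert["src"]]
        if progress and alert["time"] - progress[0]["time"] > self.window:
            progress.clear()  # first stage too old: the partial match expires
        if alert["class"] == self.stages[len(progress)]:
            progress.append(alert)
            if len(progress) == len(self.stages):
                del self.state[alert["src"]]
                return {"class": "Multi-stage: " + " -> ".join(self.stages),
                        "src": alert["src"], "evidence": [a["id"] for a in progress]}
        return None

def alert_xml(mid, when, cls, src):
    """Build a constructed, minimal IDMEF-Message for the demo stream."""
    return (f'<IDMEF-Message xmlns="http://iana.org/idmef" version="1.0"><Alert messageid="{mid}">'
            f'<Analyzer analyzerid="demo"/><CreateTime>{when}</CreateTime><Source><Node>'
            f'<Address category="ipv4-addr"><address>{src}</address></Address></Node></Source>'
            f'<Classification text="{cls}"/></Alert></IDMEF-Message>')

# Constructed sample stream: a scan from one host, unrelated noise, then an exploit attempt.
STREAM = [alert_xml("a1", "2024-03-01T10:00:00+00:00", "Portscan", "10.0.0.5"),
          alert_xml("a2", "2024-03-01T10:00:30+00:00", "Portscan", "10.0.0.9"),
          alert_xml("a3", "2024-03-01T10:02:00+00:00", "Exploit attempt", "10.0.0.5")]

def run(stream=STREAM, window=timedelta(minutes=5)):
    """Pipeline the stream through the correlator and return the meta-alerts raised."""
    corr = MultiStageCorrelator(["Portscan", "Exploit attempt"], window)
    return [m for m in (corr.feed(parse_alert(x)) for x in stream) if m]
```

With the default five-minute window the two alerts from 10.0.0.5 produce one meta-alert; a one-minute window lets the partial match expire and nothing is raised.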