Cybersecurity data comes in from many different sources. Identifying security events is dependent on bringing all these data sources together and relating one piece of data to another. Creating a common format and putting the data into this format is vital for the identification of threats. Once this has been done, data points can be linked to each other, which helps to maintain the data's integrity and reduce duplication. This process is called data normalization.

Cybersecurity operators must be able to normalize data to identify attacks and conduct investigations.

The following topics will be covered in this chapter:

• Creating commonality
• Using the IP 5-tuple
• Pinpointing threats and victims