# Security Information and Event Management (SIEM)
A SIEM collects data from information systems as events and correlates those events through rulesets.
Both network devices and the endpoints connected to them generate events, and both are of interest to a SIEM.
This is done to detect and reduce threats and to improve the overall security posture.
* [Varonis](https://www.varonis.com/blog/what-is-siem/)
## Workflow

* Threat detection
* Investigation
* Alerting and reporting
* Visibility
* Time to respond

* Basic SIEM monitoring is done through the following stages:
  * Log collection
  * Normalization
  * Security incident detection
  * Assessment of whether an event is a true positive or a false positive
  * Notifications and alerts
  * Further threat response workflow
## Sources of Interest
Linux keeps most security-relevant logs under `/var/log`; the state of running processes and the kernel, which a collector may also want to sample, is exposed under `/proc`.
This includes service, authentication and access logs (e.g. `auth.log` or `secure`), system and kernel logs (e.g. `syslog` or `messages`, `kern.log`), and the logs of scheduled cron jobs (`cron`).
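
The following is an added example, not code from the original page, that runs the monitoring stages listed under Workflow (collection, normalization, detection, true/false assessment, alerting) over the kind of Linux authentication log described in this section. The log lines are constructed in the style of `/var/log/auth.log` (RFC 5737 documentation addresses, invented hosts, users and PIDs); the failure threshold, correlation window, log year and the allow-list of internal scanner addresses are assumptions made for the example, not values the page gives.

```python
"""Added example (not from the original page): a minimal SIEM-style pipeline over
constructed Linux sshd/cron log lines in syslog format.
Stages: collect -> normalize -> detect (ruleset) -> triage -> alert."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log-style lines. Hosts, users, PIDs are
# invented; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 10 12:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 12:00:04 web01 sshd[1202]: Failed password for invalid user test from 203.0.113.5 port 51235 ssh2
Mar 10 12:00:07 web01 sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 10 12:00:10 web01 sshd[1204]: Failed password for deploy from 203.0.113.5 port 51237 ssh2
Mar 10 12:00:13 web01 sshd[1205]: Failed password for deploy from 203.0.113.5 port 51238 ssh2
Mar 10 12:00:20 web01 sshd[1206]: Accepted password for deploy from 203.0.113.5 port 51240 ssh2
Mar 10 12:03:00 web01 CRON[1300]: (root) CMD (/usr/local/bin/backup.sh)
Mar 10 12:10:00 web01 sshd[1310]: Failed password for root from 198.51.100.7 port 2222 ssh2
Mar 10 12:10:02 web01 sshd[1311]: Failed password for root from 198.51.100.7 port 2223 ssh2
Mar 10 12:10:04 web01 sshd[1312]: Failed password for root from 198.51.100.7 port 2224 ssh2
Mar 10 12:10:06 web01 sshd[1313]: Failed password for root from 198.51.100.7 port 2225 ssh2
Mar 10 12:10:08 web01 sshd[1314]: Failed password for root from 198.51.100.7 port 2226 ssh2
Mar 10 12:30:00 web01 sshd[1400]: Failed password for alice from 192.0.2.9 port 40000 ssh2
Mar 10 12:31:00 web01 sshd[1401]: Accepted publickey for alice from 192.0.2.9 port 40001 ssh2
"""

# Assumed tunables for the ruleset (not from the page).
FAIL_THRESHOLD = 5      # this many failures from one source ...
WINDOW_SECONDS = 60     # ... within this many seconds raises an alert
LOG_YEAR = 2024         # syslog timestamps carry no year
# Assumed allow-list of internal vulnerability scanners used by the triage stage.
KNOWN_SCANNERS = {"198.51.100.7"}

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SSHD_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def collect(text):
    """Stage 1, log collection: yield raw lines (here from an inline string)."""
    for line in text.splitlines():
        if line.strip():
            yield line


def normalize(line):
    """Stage 2, normalization: map a syslog line to a flat event dict.
    Lines no parser understands are kept as 'unparsed' rather than dropped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"type": "unparsed", "raw": line}
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    ev = {"ts": ts, "host": m["host"], "proc": m["proc"], "pid": int(m["pid"]), "raw": line}
    s = SSHD_RE.match(m["msg"]) if m["proc"] == "sshd" else None
    if s:
        ev.update(type="ssh_auth", outcome=s["outcome"].lower(),
                  method=s["method"], user=s["user"], src=s["src"])
    elif m["proc"] == "CRON":
        ev["type"] = "cron"
    else:
        ev["type"] = "other"
    return ev


def detect(events):
    """Stage 3, detection: one correlation rule. FAIL_THRESHOLD failed SSH logins
    from one source inside a sliding WINDOW_SECONDS window raise 'ssh_bruteforce';
    a later accepted login from that same source escalates to a high-severity alert."""
    alerts = []
    fails = defaultdict(list)   # src -> timestamps of failures still inside the window
    flagged = set()
    for ev in events:
        if ev["type"] != "ssh_auth":
            continue
        src = ev["src"]
        if ev["outcome"] == "failed":
            fails[src].append(ev["ts"])
            fails[src] = [t for t in fails[src] if (ev["ts"] - t).total_seconds() <= WINDOW_SECONDS]
            if len(fails[src]) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "ssh_bruteforce", "src": src, "host": ev["host"],
                               "ts": ev["ts"], "severity": "medium"})
        elif ev["outcome"] == "accepted" and src in flagged:
            alerts.append({"rule": "ssh_bruteforce_success", "src": src, "host": ev["host"],
                           "user": ev["user"], "ts": ev["ts"], "severity": "high"})
    return alerts


def triage(alerts):
    """Stage 4, true/false assessment: alerts caused by allow-listed scanners are
    marked as likely false positives instead of being paged out."""
    for a in alerts:
        a["disposition"] = "likely_false_positive" if a["src"] in KNOWN_SCANNERS else "true_positive"
    return alerts


def run_pipeline(text):
    """Stages 1-5 end to end; returns only the alerts that would be notified."""
    events = [normalize(line) for line in collect(text)]
    return [a for a in triage(detect(events)) if a["disposition"] == "true_positive"]


if __name__ == "__main__":
    for a in run_pipeline(SAMPLE_LOG):
        print(f"[{a['severity'].upper()}] {a['rule']} src={a['src']} host={a['host']} at {a['ts']:%H:%M:%S}")
```

On the constructed input the first source trips the brute-force rule and then logs in successfully, which becomes a high-severity alert; the second source trips the same rule but is on the scanner allow-list and is held back as a likely false positive; the third source never reaches the threshold. Keeping unparsed lines as events rather than discarding them matters in practice, because a normalizer that silently drops what it does not understand also drops the visibility the page lists as a goal.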