2021-08-23 01:13:54 +02:00
# Security Information and Event Management (SIEM)
Collection of data from information systems as events, so that they can be correlated through rulesets.
Network devices and connected endpoints both generate events, and both are of interest in a SIEM.
This is done to reduce threats and to improve security posture.
* [Varonis](https://www.varonis.com/blog/what-is-siem/)
## Workflow
* Threat detection
* Investigation
* Alerting and Reporting
* Visibility
* Time to respond

* Basic SIEM monitoring is done through the following stages:
  * Log collection
  * Normalization
  * Security incident detection
  * Assess true or false events
  * Notifications and alerts
  * Further threat response workflow

## Sources of Interest
Linux provides multiple security-related logs under `/var/log`, as well as per-process information under `/proc`.

These include the service, access, system and kernel logs, as well as the scheduled cron jobs.
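As an added example that is not part of the original note, the Python script below runs the monitoring stages listed under Workflow over a handful of constructed Linux log lines of the kind found under `/var/log` (an auth log and a cron log): it collects the lines, normalizes them into one event schema, applies a failed-login burst rule, assesses each finding as a true or false positive against an allowlist of expected sources, and raises alerts only for the true positives. The sample lines, hostnames, addresses, the `KNOWN_SCANNERS` allowlist and the rule threshold are all assumptions made for the example.

```python
"""Toy SIEM pipeline over Linux log lines:
collect -> normalize -> detect -> assess true/false -> alert.
Added example; all sample data below is constructed, not captured from a real host."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage 1, log collection: constructed lines in the style of /var/log/auth.log
# and the cron log. Hosts, users and addresses are made up (RFC 5737 test ranges).
SAMPLE_LINES = [
    "Nov  4 01:20:01 host1 CRON[1201]: (root) CMD (/usr/local/bin/backup.sh)",
    "Nov  4 01:21:10 host1 sshd[1300]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2",
    "Nov  4 01:21:12 host1 sshd[1301]: Failed password for invalid user admin from 203.0.113.9 port 51002 ssh2",
    "Nov  4 01:21:15 host1 sshd[1302]: Failed password for root from 203.0.113.9 port 51004 ssh2",
    "Nov  4 01:21:19 host1 sshd[1303]: Failed password for root from 203.0.113.9 port 51006 ssh2",
    "Nov  4 01:21:30 host1 sshd[1304]: Accepted password for alice from 198.51.100.7 port 40000 ssh2",
    "Nov  4 01:22:05 host1 sshd[1305]: Failed password for root from 192.0.2.50 port 42000 ssh2",
    "Nov  4 01:22:06 host1 sshd[1306]: Failed password for root from 192.0.2.50 port 42001 ssh2",
    "Nov  4 01:22:07 host1 sshd[1307]: Failed password for root from 192.0.2.50 port 42002 ssh2",
    "Nov  4 01:22:08 host1 sshd[1308]: Failed password for root from 192.0.2.50 port 42003 ssh2",
]

# Constructed allowlist: an internal vulnerability scanner whose failed logins are expected.
KNOWN_SCANNERS = {"203.0.113.9"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w/-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")
SSH_OK_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port")
CRON_RE = re.compile(r"\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)")


def normalize(line, year=2022):
    """Stage 2, normalization: map one raw syslog line onto a common event schema.
    Classic syslog timestamps carry no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # a real pipeline would count and keep unparsed lines as raw events
    ev = {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"], "process": m["proc"], "pid": int(m["pid"]),
        "source": "system", "action": "other", "user": None, "src_ip": None, "raw": line,
    }
    msg = m["msg"]
    if m["proc"] == "sshd":
        ev["source"] = "auth"
        fail, ok = SSH_FAIL_RE.search(msg), SSH_OK_RE.search(msg)
        if fail:
            ev.update(action="login_failure", user=fail["user"], src_ip=fail["src"])
        elif ok:
            ev.update(action="login_success", user=ok["user"], src_ip=ok["src"])
    elif m["proc"] == "CRON":
        ev["source"] = "cron"
        job = CRON_RE.search(msg)
        if job:
            ev.update(action="cron_exec", user=job["user"], command=job["cmd"])
    return ev


def detect_bruteforce(events, threshold=4, window=timedelta(seconds=60)):
    """Stage 3, security incident detection: a sliding-window rule that flags a source
    address producing `threshold` or more login failures inside `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["action"] == "login_failure":
            failures[ev["src_ip"]].append(ev["ts"])
    findings = []
    for src, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            j = i
            while j + 1 < len(times) and times[j + 1] - start <= window:
                j += 1
            if j - i + 1 >= threshold:
                findings.append({"rule": "ssh_bruteforce", "src_ip": src,
                                 "count": j - i + 1, "first": start, "last": times[j]})
                break  # one finding per source is enough for this example
    return findings


def assess(findings, known_scanners=KNOWN_SCANNERS):
    """Stage 4, assess true or false events: context held by the SIEM (here an
    allowlist of expected scanners) decides whether a rule hit is a real incident."""
    for f in findings:
        f["verdict"] = "false_positive" if f["src_ip"] in known_scanners else "true_positive"
    return findings


def alerts(findings):
    """Stage 5, notifications and alerts: only true positives are raised; false
    positives stay in the findings for reporting and rule tuning."""
    return [f for f in findings if f["verdict"] == "true_positive"]


def run_pipeline(lines=SAMPLE_LINES):
    """Run every stage in order and return (events, findings, alerts)."""
    events = [ev for ev in (normalize(line) for line in lines) if ev]
    findings = assess(detect_bruteforce(events))
    return events, findings, alerts(findings)


if __name__ == "__main__":
    evs, found, raised = run_pipeline()
    print(f"{len(evs)} events, {len(found)} findings, {len(raised)} alerts")
    for f in found:
        print(f"{f['rule']}: {f['src_ip']} x{f['count']} ({f['verdict']})")
```

Running the script yields ten normalized events, two rule hits and one alert: the burst from 203.0.113.9 is assessed as a false positive because the address is on the allowlist, while the burst from 192.0.2.50 is raised. The cron line is normalized alongside the auth events so that a later rule could correlate scheduled jobs with login activity on the same host.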