killchain-compendium/Miscellaneous/Threat Intelligence/SIEM.md

2022-11-13 16:00:22 +01:00
# Security Information and Event Management (SIEM)
A SIEM collects data from information systems as events and correlates those events against rulesets.
Both network devices and the endpoints connected to them generate events, and both are of interest to a SIEM.
The aim is to detect threats earlier and to improve the overall security posture.
* [Varonis](https://www.varonis.com/blog/what-is-siem/)
## Workflow
* Threat detection
* Investigation
* Alerting and reporting
* Visibility
* Time to respond
* Basic SIEM monitoring is done through the following stages:
  * Log collection
  * Normalization into a common event schema
  * Security incident detection (rules correlating the normalized events)
  * Triage: assess whether each detection is a true or a false positive
  * Notifications and alerts
  * Further threat response workflow (incident response)
## Sources of Interest
Linux keeps most security-relevant logs under `/var/log`; the `/proc` pseudo-filesystem exposes running processes and kernel state rather than logs, but is equally useful during a live investigation.
`/var/log` includes the service, authentication/access, system and kernel logs as well as the output of scheduled cron jobs (exact file names such as `auth.log` versus `secure` vary by distribution).
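The stages listed under Workflow, run over the kind of `/var/log` lines described in this section, as an added example that is not part of the original page or of any SIEM product. The log lines, hostnames, users and addresses are constructed; the brute-force rule (five failed SSH logins from one source within 60 seconds, escalated when a successful login from the same source follows) is a hypothetical ruleset chosen for illustration.

```python
"""Toy SIEM pipeline: collect -> normalize -> detect -> assess -> alert."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format of /var/log/auth.log (sshd via syslog)
# and /var/log/syslog (CRON). Hostnames, users and addresses are made up.
SAMPLE_LINES = [
    "Nov 13 15:58:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 50122 ssh2",
    "Nov 13 15:58:03 web01 sshd[2213]: Failed password for root from 203.0.113.45 port 50130 ssh2",
    "Nov 13 15:58:04 web01 sshd[2215]: Failed password for root from 203.0.113.45 port 50131 ssh2",
    "Nov 13 15:58:06 web01 sshd[2217]: Failed password for root from 203.0.113.45 port 50140 ssh2",
    "Nov 13 15:58:07 web01 sshd[2219]: Failed password for root from 203.0.113.45 port 50141 ssh2",
    "Nov 13 15:58:09 web01 sshd[2221]: Accepted password for root from 203.0.113.45 port 50150 ssh2",
    "Nov 13 15:59:00 web01 sshd[2300]: Failed password for alice from 198.51.100.7 port 40011 ssh2",
    "Nov 13 15:59:30 web01 sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2",
    "Nov 13 16:00:01 web01 CRON[2400]: (root) CMD (/usr/local/bin/backup.sh)",
]

# Classic BSD syslog header: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SSH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
CRON_RE = re.compile(r"^\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")


def normalize(line, year=2022):
    """Stage 2: map one raw syslog line onto a common event schema (dict), or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None                      # unparseable: a real SIEM would count these
    # syslog lines carry no year, so the collector has to supply it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    event = {"ts": ts, "host": m["host"], "source": m["prog"], "raw": line}
    ssh = SSH_RE.match(m["msg"]) if m["prog"] == "sshd" else None
    cron = CRON_RE.match(m["msg"]) if m["prog"] == "CRON" else None
    if ssh:
        event.update(category="authentication", user=ssh["user"], src_ip=ssh["src"],
                     method=ssh["method"],
                     outcome="success" if ssh["outcome"] == "Accepted" else "failure")
    elif cron:
        event.update(category="scheduled_task", user=cron["user"], command=cron["cmd"])
    else:
        event["category"] = "other"
    return event


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Stages 3 and 4: correlate auth failures per source IP over a sliding window.

    One alert per source IP. Severity is 'medium' for a failure burst alone (could be
    scanner noise, needs verification) and 'high' when a successful login from the
    same IP follows the burst (likely compromise)."""
    alerts = {}                          # src_ip -> alert dict
    failures = defaultdict(list)         # src_ip -> timestamps of failures in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("category") != "authentication":
            continue
        ip = ev["src_ip"]
        # keep only failures inside the sliding window ending at this event
        failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window]
        if ev["outcome"] == "failure":
            failures[ip].append(ev["ts"])
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["last_seen"] = ev["ts"]
            elif len(failures[ip]) >= threshold:
                alerts[ip] = {
                    "rule": "ssh_bruteforce", "host": ev["host"], "src_ip": ip,
                    "failures": len(failures[ip]), "severity": "medium",
                    "first_seen": failures[ip][0], "last_seen": ev["ts"],
                    "assessment": "failed burst only; verify, may be scanner noise",
                }
        elif ip in alerts and failures[ip]:
            # success from an IP that produced a failure burst inside the window
            alerts[ip].update(
                severity="high", compromised_user=ev["user"], last_seen=ev["ts"],
                assessment=f"successful login as {ev['user']} after failure burst; investigate")
    return list(alerts.values())


def format_alert(alert):
    """Stage 5: render an alert as the one-line notification an analyst receives."""
    return (f"[{alert['severity'].upper()}] {alert['rule']} on {alert['host']}: "
            f"{alert['failures']} failed logins from {alert['src_ip']} "
            f"between {alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}; "
            f"{alert['assessment']}")


def run_pipeline(lines):
    """Stages 1 to 5 end to end; stage 6 (response) starts from the returned alerts."""
    events = [e for e in (normalize(line) for line in lines) if e]   # collection + normalization
    alerts = detect_bruteforce(events)
    for alert in alerts:
        print(format_alert(alert))
    return alerts


if __name__ == "__main__":
    run_pipeline(SAMPLE_LINES)
```

Running it raises a single alert for 203.0.113.45: the five failures alone would only produce a medium-severity alert, but the "Accepted password for root" two seconds later from the same address escalates it to high. The single failure from 198.51.100.7 followed by a key-based login stays below the threshold and generates no alert, which is the false-positive filtering the assessment stage is meant to provide.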