SIEM changes

misc/threat_intelligence/siem.md

@@ -1,18 +1,30 @@
 # Security Information and Event Management (SIEM)
 
+Collection of data as events on information systems in order to correlate through rulesets.
+Network devices and connected endpoints generate events, both are of interest in SIEM.
+This is done to reduce threats and to improve security posture.  
+
 * [Varonis](https://www.varonis.com/blog/what-is-siem/)
 
-    * Threat detection
-        * Investigation
-        * Time to respond
-        * Some other SIEM features:
-    * Basic security monitoring
-        * Advanced threat detection
-        * Forensics & incident response
-        * Log collection
-        * Normalization
-        * Notifications and alerts
-        * Security incident detection
-        * Threat response workflow
+
+## Workflow
+
+* Threat detection
+    * Investigation
+    * Alerting and Reporting
+    * Visibility
+    * Time to respond
+
+* Basic SIEM monitoring is done through the following stages
+    * Log collection
+    * Normalization
+    * Security incident detection 
+    * Assess true or false events
+    * Notifications and alerts
+    * Further threat response workflow
 
 
+## Sources of Interest
+
+Linux provides multiple security related logs under ` /var/log ` as well as processes under ` /proc `
+This includes the services, access, system and kernel logs as well as the scheduled cron jobs.