From ce0d5133540883a24269da6ccabfe7ec132dff25 Mon Sep 17 00:00:00 2001 From: whx Date: Fri, 4 Nov 2022 01:25:18 +0100 Subject: [PATCH] SIEM changes --- misc/threat_intelligence/siem.md | 36 +++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/misc/threat_intelligence/siem.md b/misc/threat_intelligence/siem.md index 155954f..3f6583e 100644 --- a/misc/threat_intelligence/siem.md +++ b/misc/threat_intelligence/siem.md @@ -1,18 +1,30 @@ # Security Information and Event Management (SIEM) +Collection of data as events on information systems in order to correlate through rulesets. +Network devices and connected endpoints generate events, both are of interest in SIEM. +This is done to reduce threats and to improve security posture. + * [Varonis](https://www.varonis.com/blog/what-is-siem/) - * Threat detection - * Investigation - * Time to respond - * Some other SIEM features: - * Basic security monitoring - * Advanced threat detection - * Forensics & incident response - * Log collection - * Normalization - * Notifications and alerts - * Security incident detection - * Threat response workflow + +## Workflow + +* Threat detection + * Investigation + * Alerting and Reporting + * Visibility + * Time to respond + +* Basic SIEM monitoring is done through the following stages + * Log collection + * Normalization + * Security incident detection + * Assess true or false events + * Notifications and alerts + * Further threat response workflow +## Sources of Interest + +Linux provides multiple security related logs under ` /var/log ` as well as processes under ` /proc ` +This includes the services, access, system and kernel logs as well as the scheduled cron jobs.
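Review bot: the inline code spans in the new "Sources of Interest" paragraph have stray spaces inside the backticks (` /var/log ` and ` /proc `), which render as padded code, and the sentence has no terminating period; write `/var/log` and `/proc` and end the sentence, preferably as "security-related logs". The "## Sources of Interest" heading also directly follows "* Further threat response workflow" with no blank line before it, unlike the other headings in the file; add one so the list is reliably closed before the heading. "Assess true or false events" is vague for a triage stage; "Triage alerts as true or false positives" says what is meant. Finally, dropping "Advanced threat detection" and "Forensics & incident response" from the original feature list leaves the Varonis link as a bare bullet with nothing under it; either fold those items into the new Workflow section or say in the commit message why they were removed.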