killchain-compendium/Miscellaneous/Threat Intelligence/SIEM.md

941 B

Security Information and Event Management (SIEM)

Collection of data as events on information systems in order to correlate through rulesets. Network devices and connected endpoints generate events, both are of interest in SIEM. This is done to reduce threats and to improve security posture.

Workflow

  • Threat detection

    • Investigation
    • Alerting and Reporting
    • Visibility
    • Time to respond
  • Basic SIEM monitoring is done through the following stages

    • Log collection
    • Normalization
    • Security incident detection
    • Assess true or false events
    • Notifications and alerts
    • Further threat response workflow

Sources of Interest

Linux provides multiple security related logs under /var/log as well as processes under /proc This includes the services, access, system and kernel logs as well as the scheduled cron jobs.