Understanding SIEM

SIEM is a security solution that collects and analyzes security events and other data sources to detect threats, ensure compliance, and manage security incidents. It functions by collecting logs from devices using agents or agentless collection, aggregating and parsing the logs into a standardized format, categorizing and enriching the events, setting correlation rules to trigger alerts, indexing the data for fast searching, and presenting the analyzed data through a centralized console.

Uploaded by Rajendra Kumar K

Understanding Security Information and Event Management (SIEM)

What is SIEM?
SIEM is a security solution that helps organizations recognize and address
potential security threats and vulnerabilities before they disrupt business
operations. SIEM supports threat detection, compliance and security incident
management through the collection and analysis of security events, as well as a
wide variety of other events and contextual data sources.

SIEM Functions

1) Collection

I. Agent Based
• An agent/collector on each device collects, parses and forwards the logs.
• Typical sources: Windows servers, web servers and other file-based logs; typical agents: Sysmon, NXLog, OSSEC, etc.
II. Agentless
• Devices send the logs directly to the SIEM servers.
• Windows hosts (WMI), cloud environments (APIs), firewalls, switches.

2) Aggregation
Aggregation is the process of collecting logs from multiple computing systems,
parsing them, extracting structured data and combining the results into a
searchable format.

Methods

I. Push: logs are pushed from the source to the server.
II. Pull: logs are pulled by the server from the source.

3) Parsing
A parser is a software component that can read a specific log format and
convert it to structured data. Multiple parsers are used for different systems.

Example Log:
Sep 28 16:39:03 app_server sshd[8677] Failed password for invalid user icecast2 from 10.72.109.227 port 57238 ssh2
After parsing:
host = app_server
process = sshd
source_user = icecast2
source_ip = 10.72.109.227
source_port = 57238

4) Normalization
Normalization merges events carrying different data into a reduced format that
contains only common event attributes, following a standard for reducing
records to common field names and values.

5) Categorization

Categorization involves adding meaning to events by identifying log data
related to system events, authentication, local/remote operations, etc.
host = app_server
process = sshd
source_user = icecast2 → Authentication|Login|SSH Login
source_ip = 10.72.109.227
source_port = 57238

6) Enrichment
Log enrichment refers to adding important contextual information that makes
the data more useful.
host = app_server
process = sshd
source_user = icecast2 → (Administrator)
source_ip = 10.72.109.227 → (Internal IP)
source_port = 57238

Correlation Rules & Alerts

A correlation rule is a logical expression that causes the system to take a specific
action if a particular event occurs. For example, "Anonymous logon: alert the
user". In other words, a correlation rule is a condition (or set of conditions) that
functions as a trigger for an alert.

7) Indexing
To search and explore log data effectively, an index of common attributes
across all log data needs to be created.

Searches or data queries that use the index keys can be an order of magnitude
faster than a full scan of all log data.

SIEM Architecture (Example: QRadar)

SIEM Deployment (Sample)
