Difference between revisions of "Security information and event management (SIEM)"
Line 1: | Line 1: | ||
− | [[wikipedia:Security_information_and_event_management|Security information and event management]] | + | [[wikipedia:Security_information_and_event_management|Security information and event management]] (SIEM) |
Line 35: | Line 35: | ||
== See also == | == See also == | ||
* {{Monitoring software}} | * {{Monitoring software}} | ||
− | |||
{{CC license}} | {{CC license}} |
Revision as of 11:43, 5 January 2020
Security information and event management (SIEM)
Alerting Examples
Activities can be monitored and customized rules can be created for event correlation to trigger alerts based on certain conditions from various log sources such as network devices, security devices, servers and antivirus. Some examples of customized rules to alert on event conditions involve user authentication rules, attacks detected and infections detected. Thresholds can be configured to trigger alerts based on the quantity of occurrences of events.
Rule | Goal | Trigger | Event |
---|---|---|---|
Repeat Attack-Login Source | Early warning for brute force attacks, password guessing, and misconfigured applications. | Alert on 3 or more failed logins in 1 minute from a single host. | Active Directory, Syslog (Unix Hosts, Switches, Routers, VPN), RADIUS,
TACACS, Monitored Applications. |
Repeat Attack-Firewall | Early warning for scans, worm propagation, etc. | Alert on 15 or more Firewall Drop/Reject/Deny Events from a single IP Address in one
minute. |
Firewalls, Routers and Switches. |
Repeat Attack-Network Intrusion Prevention System | Early warning for scans, worm propagation, etc | Alert on 7 or more IDS Alerts from a single IP Address in one minute | Network Intrusion Detection and Prevention Devices |
Repeat Attack-Host Intrusion Prevention System | Find hosts that may be infected or compromised (exhibiting infection behaviors) | Alert on 3 or more events from a single IP Address in 10 minutes | Host Intrusion Prevention System Alerts |
Virus Detection/Removal | Alert when a virus, spyware or other malware is detected on a host | Alert when a single host sees an identifiable piece of malware | Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors |
Virus or Spyware Detected but Failed to Clean | Alert when >1 Hour has passed since malware was detected, on a source, with no corresponding virus successfully removed | Alert when a single host fails to auto-clean malware within 1 hour of detection | Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events |
Vendors
See also
- Monitoring: Prometheus, Cacti, monit, munin, RRDtool, Zabbix, Netdata, Nagios, Check MK, Icinga, Pingdom, OpsGenie and Datadog, Opsgenie, PRTG, Checkmk
Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Source: https://en.wikipedia.org/wiki/Security_information_and_event_management#Vendors
Advertising: