Difference between revisions of "Security information and event management (SIEM)"

From wikieduonline
 
(34 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[wikipedia:Security_information_and_event_management|Security information and event management]]
+
[[wikipedia:Security_information_and_event_management|Security information and event management]] (SIEM)
 
 
  
 
== [[Alerting]] Examples ==
 
== [[Alerting]] Examples ==
Line 19: Line 18:
 
| Repeat Attack-Host Intrusion Prevention System || Find hosts that may be infected or compromised (exhibiting infection behaviors) || Alert on 3 or more events from a single IP Address in 10 minutes || Host Intrusion Prevention System Alerts
 
| Repeat Attack-Host Intrusion Prevention System || Find hosts that may be infected or compromised (exhibiting infection behaviors) || Alert on 3 or more events from a single IP Address in 10 minutes || Host Intrusion Prevention System Alerts
 
|-
 
|-
| Virus Detection/Removal || Alert when a virus, spyware or other malware is detected on a host || Alert when a single host sees an identifiable piece of malware || Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors
+
| Virus Detection/Removal || Alert when a virus, spyware or other malware is detected on a host || Alert when a single host sees an identifiable piece of malware || Anti-Virus, [[HIPS]], Network/System Behavioral Anomaly Detectors
 
|-
 
|-
 
| Virus or Spyware Detected but Failed to Clean || Alert when >1 Hour has passed since malware was detected, on a source, with no corresponding virus successfully removed || Alert when a single host fails to auto-clean malware within 1 hour of detection || Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events
 
| Virus or Spyware Detected but Failed to Clean || Alert when >1 Hour has passed since malware was detected, on a source, with no corresponding virus successfully removed || Alert when a single host fails to auto-clean malware within 1 hour of detection || Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events
Line 26: Line 25:
 
== Vendors ==
 
== Vendors ==
 
* [[Arcsight]]
 
* [[Arcsight]]
* [[Elasticsearch|Elastic]] SIEM
+
* [[Elastic SIEM]] (June 2019)
 
* [[Empow]]
 
* [[Empow]]
 
* [[Exabeam]]
 
* [[Exabeam]]
 
* [[IBM QRadar]]
 
* [[IBM QRadar]]
 
* [[Logrhythm]]
 
* [[Logrhythm]]
* [[Splunk]]
+
* [[Splunk]] (2003)
 +
* [[Graylog]] (2009)
 +
* [[wikipedia:Octopussy (software)]]
 +
* [[Sumo Logic]] (2010)
 +
* [[Devo]]
 +
* [[Lookwise]] based in Spain
 +
* [[Odyssey Consultants]] based in Cyprus
 +
* [[Microsoft Sentinel]]
 +
* [[Datadog Cloud SIEM]]
 +
* [[FortiSIEM]]
 +
 
 +
Cybraics, Empow, Elysium, Jask (acquired by Sumo Logic), MistNet, PatternEx, Qomplx, Rank Software and Seceon
 +
 
 +
== Related terms ==
 +
* [[Gartner Magic Quadrant for Security Information and Event Management (SIEM)]]
 +
* Events per seconds ([[EPS]])
 +
* [[Audit trail]]
 +
* [[Threat detection]]
 +
* [[Security Orchestration, Automation, and Response (SOAR)]]
 +
* [[Managed detection and response (MDR)]]
  
 
== See also ==
 
== See also ==
* [[Monitoring]]
+
* {{SOC}}
 
+
* {{IDS}}
 +
* {{SIEM}}
  
 
{{CC license}}
 
{{CC license}}
Line 41: Line 60:
  
 
[[Category:IT Security]]
 
[[Category:IT Security]]
 +
[[Category:logging]]

Latest revision as of 13:39, 15 July 2024

Security information and event management (SIEM)

Alerting Examples

Activities can be monitored and customized rules can be created for event correlation to trigger alerts based on certain conditions from various log sources such as network devices, security devices, servers and antivirus. Some examples of customized rules to alert on event conditions involve user authentication rules, attacks detected and infections detected. Thresholds can be configured to trigger alerts based on the quantity of occurrences of events.

{| class="wikitable"
! Rule !! Goal !! Trigger !! Event Sources
|-
| Repeat Attack-Login Source || Early warning for brute force attacks, password guessing, and misconfigured applications. || Alert on 3 or more failed logins in 1 minute from a single host. || Active Directory, Syslog (Unix Hosts, Switches, Routers, VPN), RADIUS, TACACS, Monitored Applications.
|-
| Repeat Attack-Firewall || Early warning for scans, worm propagation, etc. || Alert on 15 or more Firewall Drop/Reject/Deny Events from a single IP Address in one minute. || Firewalls, Routers and Switches.
|-
| Repeat Attack-Network Intrusion Prevention System || Early warning for scans, worm propagation, etc. || Alert on 7 or more IDS Alerts from a single IP Address in one minute. || Network Intrusion Detection and Prevention Devices
|-
| Repeat Attack-Host Intrusion Prevention System || Find hosts that may be infected or compromised (exhibiting infection behaviors) || Alert on 3 or more events from a single IP Address in 10 minutes || Host Intrusion Prevention System Alerts
|-
| Virus Detection/Removal || Alert when a virus, spyware or other malware is detected on a host || Alert when a single host sees an identifiable piece of malware || Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors
|-
| Virus or Spyware Detected but Failed to Clean || Alert when >1 Hour has passed since malware was detected, on a source, with no corresponding virus successfully removed || Alert when a single host fails to auto-clean malware within 1 hour of detection || Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events
|}
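The rules in this table are of two shapes: "N or more events from one source inside a time window" (the four Repeat Attack rows) and "a detection with no matching clean-up within a grace period" (the last row). The following is an added example, written for this page and not code from the wiki, from Wikipedia or from any SIEM vendor, that implements both shapes with the thresholds and windows the table gives. The event kind names (`failed_login`, `fw_deny`, `nids_alert`, `hips_alert`, `malware_detected`, `malware_removed`), the IP addresses, the hostnames and the timestamps are all constructed for the demo; the reset-after-alert behaviour of the counting rule is a design choice of this example, not something the table specifies.

```python
"""Threshold-based event correlation in the style of the SIEM alerting table above.

Added example, not from the wiki page or any vendor product. Event kinds,
IPs, hostnames and times below are constructed for the demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime   # when the source logged it
    kind: str      # normalized event type (assumed names, e.g. "failed_login")
    source: str    # the host or IP the rule groups on


@dataclass(frozen=True)
class ThresholdRule:
    name: str          # rule name as listed in the table
    kind: str          # event type it counts
    count: int         # "N or more events ..."
    window: timedelta  # "... within this time"


# Thresholds and windows are the ones given in the table; event kind names are assumed.
RULES = [
    ThresholdRule("Repeat Attack-Login Source", "failed_login", 3, timedelta(minutes=1)),
    ThresholdRule("Repeat Attack-Firewall", "fw_deny", 15, timedelta(minutes=1)),
    ThresholdRule("Repeat Attack-Network Intrusion Prevention System", "nids_alert", 7, timedelta(minutes=1)),
    ThresholdRule("Repeat Attack-Host Intrusion Prevention System", "hips_alert", 3, timedelta(minutes=10)),
]

Alert = Tuple[str, str, datetime]  # (rule name, source, time the threshold was crossed)


def correlate(events: List[Event], rules: List[ThresholdRule] = RULES) -> List[Alert]:
    """Sliding-window counting: alert when `count` events of one kind from one source
    fall inside `window`. The window is reset after each alert (design choice of this
    example), so a sustained attack re-alerts every `count` events rather than on
    every further event."""
    by_kind = {r.kind: r for r in rules}
    windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):  # correlation needs time order
        rule = by_kind.get(ev.kind)
        if rule is None:
            continue  # not counted by any threshold rule
        win = windows[(rule.name, ev.source)]
        win.append(ev.ts)
        # Expire timestamps that fall outside the window ending at this event.
        while win and ev.ts - win[0] >= rule.window:
            win.popleft()
        if len(win) >= rule.count:
            alerts.append((rule.name, ev.source, ev.ts))
            win.clear()
    return alerts


def failed_to_clean(events: List[Event], now: datetime,
                    grace: timedelta = timedelta(hours=1)) -> List[str]:
    """'Virus or Spyware Detected but Failed to Clean': hosts whose malware detection
    has no removal event within `grace` after it. Unlike the counting rules this is
    an absence check, so it can only decide once the grace period has elapsed."""
    removals: Dict[str, List[datetime]] = defaultdict(list)
    for ev in events:
        if ev.kind == "malware_removed":
            removals[ev.source].append(ev.ts)
    flagged: List[str] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind != "malware_detected" or now - ev.ts < grace:
            continue  # not a detection, or its grace period is still running
        cleaned = any(ev.ts <= r <= ev.ts + grace for r in removals[ev.source])
        if not cleaned and ev.source not in flagged:
            flagged.append(ev.source)
    return flagged


BASE = datetime(2024, 7, 15, 13, 0, 0)   # constructed reference time
NOW = BASE + timedelta(hours=2)          # constructed "current time" for the absence check


def _ev(kind: str, source: str, seconds: int) -> Event:
    return Event(BASE + timedelta(seconds=seconds), kind, source)


SAMPLE_EVENTS: List[Event] = (
    # three failed logins in 40 s from one host -> crosses the 3-in-1-minute threshold
    [_ev("failed_login", "10.0.0.5", s) for s in (0, 20, 40)]
    # three failed logins 70 s apart -> never three inside one minute, no alert
    + [_ev("failed_login", "10.0.0.9", s) for s in (0, 70, 140)]
    # 15 firewall denies in 15 s from one IP -> scan-like, alerts on the 15th
    + [_ev("fw_deny", "203.0.113.7", s) for s in range(15)]
    # three HIPS alerts spread over 9 minutes -> inside the 10-minute window
    + [_ev("hips_alert", "10.0.0.22", s) for s in (0, 300, 540)]
    # host-a: detected and removed 10 minutes later; host-b: detected, never removed
    + [_ev("malware_detected", "host-a", 0), _ev("malware_removed", "host-a", 600),
       _ev("malware_detected", "host-b", 0)]
)


if __name__ == "__main__":
    for rule, src, ts in correlate(SAMPLE_EVENTS):
        print(f"{ts:%H:%M:%S} {rule}: {src}")
    print("failed to clean:", failed_to_clean(SAMPLE_EVENTS, now=NOW))
```

Run as a script it prints the firewall alert for 203.0.113.7 at 13:00:14, the login alert for 10.0.0.5 at 13:00:40 and the HIPS alert for 10.0.0.22 at 13:09:00, then `failed to clean: ['host-b']`; 10.0.0.9 never alerts because its three failures are never inside one minute, and host-a is not flagged because its removal arrived within the hour. Two practical points the table leaves implicit and the code makes visible: the counting rules need events in time order (so a SIEM has to handle late-arriving logs), and the "failed to clean" rule cannot fire until the grace period has passed, which is why `failed_to_clean` takes an explicit `now`.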

Vendors

Cybraics, Empow, Elysium, Jask (acquired by Sumo Logic), MistNet, PatternEx, Qomplx, Rank Software and Seceon

Related terms

See also

Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Source: https://en.wikipedia.org/wiki/Security_information_and_event_management#Vendors
