Security information and event management (SIEM)

From wikieduonline
Revision as of 07:58, 10 December 2019 by Welcome (talk | contribs)
Jump to navigation Jump to search

Alerting Examples

Activities can be monitored and customized rules can be created for event correlation to trigger alerts based on certain conditions from various log sources such as network devices, security devices, servers and antivirus. Some examples of customized rules to alert on event conditions involve user authentication rules, attacks detected and infections detected. Thresholds can be configured to trigger alerts based on the quantity of occurrences of events.

Rule Goal Trigger Event
Repeat Attack-Login Source Early warning for brute force attacks, password guessing, and misconfigured applications. Alert on 3 or more failed logins in 1 minute from a single host. Active Directory, Syslog (Unix Hosts, Switches, Routers, VPN), RADIUS,

TACACS, Monitored Applications.

Repeat Attack-Firewall Early warning for scans, worm propagation, etc. Alert on 15 or more Firewall Drop/Reject/Deny Events from a single IP Address in one

minute.

Firewalls, Routers and Switches.
Repeat Attack-Network Intrusion Prevention System Early warning for scans, worm propagation, etc Alert on 7 or more IDS Alerts from a single IP Address in one minute Network Intrusion Detection and Prevention Devices
Repeat Attack-Host Intrusion Prevention System Find hosts that may be infected or compromised (exhibiting infection behaviors) Alert on 3 or more events from a single IP Address in 10 minutes Host Intrusion Prevention System Alerts
Virus Detection/Removal Alert when a virus, spyware or other malware is detected on a host Alert when a single host sees an identifiable piece of malware Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors
Virus or Spyware Detected but Failed to Clean Alert when >1 Hour has passed since malware was detected, on a source, with no corresponding virus successfully removed Alert when a single host fails to auto-clean malware within 1 hour of detection Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events


Vendors

Advertising: