Security information and event management (SIEM)
Security information and event management (SIEM)
Alerting Examples
Activities can be monitored and customized rules can be created for event correlation to trigger alerts based on certain conditions from various log sources such as network devices, security devices, servers and antivirus. Some examples of customized rules to alert on event conditions involve user authentication rules, attacks detected and infections detected. Thresholds can be configured to trigger alerts based on the quantity of occurrences of events.
Rule | Goal | Trigger | Event |
---|---|---|---|
Repeat Attack-Login Source | Early warning for brute force attacks, password guessing, and misconfigured applications. | Alert on 3 or more failed logins in 1 minute from a single host. | Active Directory, Syslog (Unix Hosts, Switches, Routers, VPN), RADIUS,
TACACS, Monitored Applications. |
Repeat Attack-Firewall | Early warning for scans, worm propagation, etc. | Alert on 15 or more Firewall Drop/Reject/Deny Events from a single IP Address in one
minute. |
Firewalls, Routers and Switches. |
Repeat Attack-Network Intrusion Prevention System | Early warning for scans, worm propagation, etc | Alert on 7 or more IDS Alerts from a single IP Address in one minute | Network Intrusion Detection and Prevention Devices |
Repeat Attack-Host Intrusion Prevention System | Find hosts that may be infected or compromised (exhibiting infection behaviors) | Alert on 3 or more events from a single IP Address in 10 minutes | Host Intrusion Prevention System Alerts |
Virus Detection/Removal | Alert when a virus, spyware or other malware is detected on a host | Alert when a single host sees an identifiable piece of malware | Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors |
Virus or Spyware Detected but Failed to Clean | Alert when >1 Hour has passed since malware was detected, on a source, with no corresponding virus successfully removed | Alert when a single host fails to auto-clean malware within 1 hour of detection | Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events |
Vendors
- Arcsight
- Elastic SIEM (June 2019)
- Empow
- Exabeam
- IBM QRadar
- Logrhythm
- Splunk (2003)
- Graylog (2009)
- wikipedia:Octopussy (software)
- Sumo Logic (2010)
- Devo
- Lookwise based in Spain
- Odyssey Consultants based in Cyprus
- Microsoft Sentinel
- Datadog Cloud SIEM
- FortiSIEM
Cybraics, Empow, Elysium, Jask (acquired by Sumo Logic), MistNet, PatternEx, Qomplx, Rank Software and Seceon
Related terms
- Gartner Magic Quadrant for Security Information and Event Management (SIEM)
- Events per seconds (EPS)
- Audit trail
- Threat detection
- Security Orchestration, Automation, and Response (SOAR)
- Managed detection and response (MDR)
See also
- SOC, SentinelOne, Vanta, IOA, IOC, EDR, XDR
- IDS, HIDS:
snort
,fail2ban
,RdpGuard
,suricata
, OSSEC, Wazuh, Palo Alto WildFire, Malware analysis, SIEM, Samhain - SIEM: Splunk, Elastic SIEM, graylog, IBM QRadar, SIEM Magic Quadrant, Micro Focus ArcSight, SentinelOne, Datadog Cloud SIEM
Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Source: https://en.wikipedia.org/wiki/Security_information_and_event_management#Vendors
Advertising: