But interestingly, one can categorize various assets (network devices & services) so that the monitoring ability of the SIEM can be tweaked to a large extent. The SIEM tool can generate alerts & incidents based on specific correlation rules. For example, if a port scan is initiated against a system, the SIEM generates a Port Scan alert with all the details, like source & destination, port numbers, etc. This helps the organization find incidents or hacking attempts in near real time. You may have noticed the word "correlation" in the previous paragraph. Yes, correlation is the one-stop answer to the question of how the SIEM works. But not that alone, of course.

A SIEM tool collects logs from devices in the organization's infrastructure. Some solutions also collect NetFlow and even raw packets. With the collected data (mainly logs and packets), the tool provides insight into what is happening on the network. It provides data on each event occurring in the network and thus acts as a complete, centralized security monitoring system. In addition to this, the SIEM tool can be configured to detect a specific incident. For example, a user tries to log in to an AD server. The authentication fails the first 3 times, and on the 4th attempt it succeeds. Maybe someone is trying to guess another user's password and gets it right, which is a breach. Or maybe the user forgot their password but got it right in the end. This is where correlation comes in.

For such a case, a correlation rule can be made so that if an authentication failure event happens 3 times consecutively, followed by a success within a specific period, an alert pops up. This can then be investigated further by analyzing the logs from the respective machines. So my definition of correlation is: "It is the rule which aggregates events into an incident which is defined by a specific application or scenario."

How do logs reach the SIEM?

Logs are fetched into the SIEM in two different ways. In the agent-based approach, a log-pushing agent is installed on the client machine from which the logs are collected; this agent is then configured to forward logs into the solution. In the second approach, the client system sends logs on its own using a service like syslog or the Windows Event Collector service. There are also specific applications & devices which can be integrated through a series of vendor-specific procedures.

How exactly would the SIEM raise an alert?

Well, now you know that the logs from different devices are being forwarded into the SIEM. Take an example: a port scan is initiated against a specific machine.
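The two rules discussed on this page (three consecutive authentication failures followed by a success within a period, and a port scan alert that carries source, destination and port numbers) can be expressed as a small correlation pass over collected events. The code below is an added example written for this page; it is not code from the original post or from any SIEM product. The log line format, the event kinds (`auth_fail`, `auth_ok`, `conn`), the rule names, the thresholds and the sample log are all this example's own assumptions.

```python
"""Added example: a toy SIEM correlation pass over constructed, syslog-style events.

Two rules are implemented (rule names, thresholds and log format are this
example's own assumptions, not any vendor's):
  - brute_force_then_success: N consecutive authentication failures for one user,
    followed by a success within a time window
  - port_scan: one source reaching many distinct ports on one host within a window
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str            # "auth_fail", "auth_ok" or "conn"
    src: str
    user: str = ""
    dst: str = ""
    dport: int = 0


@dataclass
class Incident:
    rule: str
    key: str             # what the incident is about (a user, or "src->dst")
    events: list         # the raw events the rule aggregated into this incident


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<iso-timestamp> <kind> key=value ...'."""
    ts, kind, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return Event(datetime.fromisoformat(ts), kind, f.get("src", ""),
                 f.get("user", ""), f.get("dst", ""), int(f.get("dport", 0)))


def rule_auth(events, failures=3, window=timedelta(minutes=5)):
    """Fire when a success follows >= `failures` consecutive failures inside `window`."""
    pending = defaultdict(list)       # user -> failures since that user's last success
    incidents = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "auth_fail":
            pending[ev.user].append(ev)
        elif ev.kind == "auth_ok":
            fails = pending.pop(ev.user, [])              # a success resets the streak
            recent = [x for x in fails if ev.ts - x.ts <= window]
            if len(recent) >= failures:
                incidents.append(Incident("brute_force_then_success", ev.user, recent + [ev]))
    return incidents


def rule_portscan(events, ports=10, window=timedelta(seconds=60)):
    """Fire once per (src, dst) when >= `ports` distinct destination ports are hit in `window`."""
    buckets = defaultdict(list)       # (src, dst) -> connection events inside the sliding window
    fired = set()
    incidents = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind != "conn":
            continue
        key = (ev.src, ev.dst)
        bucket = buckets[key]
        bucket.append(ev)
        while ev.ts - bucket[0].ts > window:            # slide the window forward
            bucket.pop(0)
        if key not in fired and len({e.dport for e in bucket}) >= ports:
            fired.add(key)                              # one incident per scan, not one per packet
            incidents.append(Incident("port_scan", f"{ev.src}->{ev.dst}", list(bucket)))
    return incidents


def run_rules(lines):
    """Parse the lines once, then run every rule; returns the incidents raised."""
    events = [parse_line(line) for line in lines]
    return rule_auth(events) + rule_portscan(events)


# Constructed sample log (not real data): alice trips the auth rule, bob does not
# (only one failure), carol's failures are too old for the window, 10.0.0.9 walks
# twelve ports on one host, and 10.0.0.7 just talks to port 443 repeatedly.
SAMPLE_LOG = [
    "2024-01-01T10:00:01 auth_fail src=10.0.0.5 user=alice",
    "2024-01-01T10:00:10 auth_fail src=10.0.0.5 user=alice",
    "2024-01-01T10:00:25 auth_fail src=10.0.0.5 user=alice",
    "2024-01-01T10:00:40 auth_ok src=10.0.0.5 user=alice",
    "2024-01-01T10:01:00 auth_fail src=10.0.0.6 user=bob",
    "2024-01-01T10:01:05 auth_ok src=10.0.0.6 user=bob",
    "2024-01-01T09:00:00 auth_fail src=10.0.0.8 user=carol",
    "2024-01-01T09:00:05 auth_fail src=10.0.0.8 user=carol",
    "2024-01-01T09:00:10 auth_fail src=10.0.0.8 user=carol",
    "2024-01-01T10:30:00 auth_ok src=10.0.0.8 user=carol",
] + [
    f"2024-01-01T10:05:{s:02d} conn src=10.0.0.9 dst=10.0.0.20 dport={20 + s}" for s in range(12)
] + [
    "2024-01-01T10:06:00 conn src=10.0.0.7 dst=10.0.0.20 dport=443",
    "2024-01-01T10:06:05 conn src=10.0.0.7 dst=10.0.0.20 dport=443",
    "2024-01-01T10:06:09 conn src=10.0.0.7 dst=10.0.0.20 dport=443",
]

if __name__ == "__main__":
    for inc in run_rules(SAMPLE_LOG):
        print(f"{inc.rule}: {inc.key} ({len(inc.events)} events aggregated)")
```

Each `Incident` keeps the raw events it was built from, which is the aggregation the page's definition of correlation describes and is what an analyst needs when the alert is "further investigated by analyzing the logs from the respective machines". Note that both rules sort by timestamp before correlating: logs from different devices arrive out of order (carol's lines in the sample are deliberately out of sequence), and a rule that trusts arrival order would miss or mis-time the streak.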