After we have selected all the sources and managed to debug the collection of information (within some SIEM systems this is quite a complex task, since agents, collectors, storage and processing servers are needed, and all of this naturally needs to be configured), we need a tool that can productively analyze system logs, namely analyze events by type (field, value), search by events, and so on.

That is, the SIEM system analyzes (parses) logs and builds from them a general picture of what is happening, since a mere store of raw logs offers little functionality. Yes, this can help us find information about past incidents, but a SIEM allows us to do much more, namely compare events from different systems with each other and, based on this, promptly find threats and respond to them.

Rules and Correlations

In order for a SIEM system to be able to find threats and prevent them, it needs to be explained what a threat is and how to react to it; that is, a certain set of rules and algorithms needs to be formed according to which it will work. The most trivial example is a password-guessing situation. We have several events (source: Active Directory) of unsuccessful logins to the system (5-10 attempts to enter the password), and we also see that the user who uses this computer did not come to work (source: access control systems). If a rule is pre-registered for this situation, the system will perform some actions, for example, send a notification or even block the account.
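The correlation rule described above, written out as an added example (not code from the original article): a burst of failed Active Directory logons for a user/host pair is only escalated when the access-control system shows no badge-in for that account owner on the same day. The event records, field names, threshold and window are constructed assumptions, not a real SIEM's schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article): failed AD logons on a
# workstation, and badge-in records from the physical access-control system.
AD_FAILED_LOGONS = [
    {"ts": "2024-03-04T08:01:00", "user": "ivanov", "host": "WS-12"},
    {"ts": "2024-03-04T08:01:20", "user": "ivanov", "host": "WS-12"},
    {"ts": "2024-03-04T08:01:45", "user": "ivanov", "host": "WS-12"},
    {"ts": "2024-03-04T08:02:10", "user": "ivanov", "host": "WS-12"},
    {"ts": "2024-03-04T08:02:30", "user": "ivanov", "host": "WS-12"},
    {"ts": "2024-03-04T09:10:00", "user": "petrov", "host": "WS-07"},
    {"ts": "2024-03-04T09:10:30", "user": "petrov", "host": "WS-07"},
    {"ts": "2024-03-04T09:11:00", "user": "petrov", "host": "WS-07"},
    {"ts": "2024-03-04T09:11:30", "user": "petrov", "host": "WS-07"},
    {"ts": "2024-03-04T09:12:00", "user": "petrov", "host": "WS-07"},
]
BADGE_INS = [
    {"ts": "2024-03-04T08:40:00", "user": "petrov"},  # petrov is on site; ivanov never badged in
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Yield (user, host, first_ts, count) when a user/host pair reaches
    `threshold` failures inside a sliding `window`."""
    by_key = {}
    for e in sorted(events, key=_ts):
        by_key.setdefault((e["user"], e["host"]), []).append(_ts(e))
    for (user, host), times in by_key.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                yield user, host, times[start], end - start + 1
                break  # one alert per pair is enough

def badged_in_same_day(badge_events, user, when):
    """True if the account owner physically entered the building that day."""
    return any(b["user"] == user and _ts(b).date() == when.date() for b in badge_events)

def correlate(ad_events, badge_events, threshold=5):
    """Alert only when a failure burst coincides with the owner being absent."""
    alerts = []
    for user, host, first, count in failed_logon_bursts(ad_events, threshold):
        if not badged_in_same_day(badge_events, user, first):
            alerts.append({"user": user, "host": host, "failures": count,
                           "action": "notify_and_lock_account"})
    return alerts
```

Running `correlate(AD_FAILED_LOGONS, BADGE_INS)` yields one alert for `ivanov` on `WS-12`; `petrov` produces a failure burst too, but his badge-in the same morning suppresses the alert, which is exactly the second condition the rule relies on.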

Forming a set of such rules is the most difficult task when setting up a SIEM system, since each individual company has its own specific tasks. Yes, of course, there is a basic set of rules, but it is quite meager, and the hundreds of correlations developed by vendors and pre-installed out of the box are often simply useless. Therefore, the formation of a set of rules can be singled out as a separate project, in which the logic of the SIEM system's operation is developed based on the requirements of standards, security policies, best practices and the specific tasks of the customer.
