Introduction to SIEM ( Security Information and Event Management) скачать в хорошем качестве

Introduction to SIEM ( Security Information and Event Management)

What is SIEM ? SIEM stands for Security Information and Event Management system. It is a tool that collects data from various endpoints/network devices across the network, stores them at a centralized place, and performs correlation on them. Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. SIEM is a security solution that collects and analyzes data from various sources to support threat protection and compliance requirements for organizations. It combines security information management (SIM) and security event management (SEM) into a single system. 1) Host-Centric Log Sources These are log sources that capture events that occurred within or related to the host. Some log sources that generate host-centric logs are Windows Event logs, Sysmon, Osquery, etc. Some examples of host-centric logs are: A user accessing a file A user attempting to authenticate. A process Execution Activity A process adding/editing/deleting a registry key or value. Powershell execution 2) Network-Centric Log Sources Network-related logs are generated when the hosts communicate with each other or access the internet to visit a website. Some network-based protocols are SSH, VPN, HTTP/s, FTP, etc. Examples of such events are: SSH connection A file being accessed via FTP Web traffic A user accessing company's resources through VPN. Network file sharing Activity Importance of SIEM Real-time log Ingestion Alerting against abnormal activities 24/7 Monitoring and visibility Protection against the latest threats through early detection Data Insights and visualization Ability to investigate past incidents. SOC Analyst Responsibilities SOC Analysts utilize SIEM solutions in order to have better visibility of what is happening within the network. Some of their responsibilities include: Monitoring and Investigating. Identifying False positives. Tuning Rules which are causing the noise or False positives. Reporting and Compliance. Identifying blind spots in the network visibility and covering them. That's all ! Thank you 😊 reference: tryhackme.com