What is SIEM?

These notes were collected from several courses. I make certain "updates" as time allows.

SIEM - Security Information and Event Management

A SIEM collects data points from the network, including log files, traffic captures, SNMP messages, and so on, from every host on the network. It gathers all of this data into one centralized location and correlates it for analysis, looking for security and performance issues as well as negative trends, in near real time.

  • Aggregation: Collecting data from disparate sources and organizing it into a single store. Any device within a SIEM system that collects data is called a collector or an aggregator.

  • Correlation: The logic that looks at data from disparate sources together and makes determinations about events taking place on your network, for example linking a burst of failed logins seen by one host with a successful login seen by another. (The sensors that feed it, such as a NIDS/NIPS, may sit in-band or out-of-band, depending on their placement.)

    • Alerts - Notifications when something goes wrong.

    • Triggering - A rule fires when a threshold is exceeded, for example N failed logins from one source within a time window.

  • Normalization: Converts events from different sources into a common schema (consistent field names, timestamps and value formats), so that data from a syslog line and a JSON application event can be stored and queried in the same way, which lets the correlation, analysis and reporting tools work efficiently.

  • WORM - Write Once Read Many: The idea is that log files are precious, and you will often need to look at them later in an archival or forensic way, so they can be stored on write-once media such as WORM drives. Because the media cannot be rewritten, an attacker who later compromises the SIEM or a logging host cannot quietly alter or delete the archived records.
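The following is an added example, not code from the original notes or from any SIEM product, showing the aggregation, normalization and correlation steps above in miniature. The log lines are constructed for the example: Linux sshd syslog lines from two hosts and JSON login events from a hypothetical web application. Both are normalized into one schema, sorted into a single timeline, and run through two correlation rules: a threshold rule (4 or more failed logins from one source IP within 5 minutes) and a follow-up rule (a successful login from an IP that has already tripped the threshold). The threshold is only reached by combining the two sources, which is the point of correlating across them.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs).
# Source 1: sshd syslog lines from two Linux hosts.
SYSLOG_LINES = [
    "2024-03-01T10:00:01Z host1 sshd[123]: Failed password for root from 203.0.113.5 port 5001 ssh2",
    "2024-03-01T10:00:05Z host1 sshd[124]: Failed password for admin from 203.0.113.5 port 5002 ssh2",
    "2024-03-01T10:00:09Z host1 sshd[125]: Failed password for root from 203.0.113.5 port 5003 ssh2",
    "2024-03-01T10:00:40Z host1 sshd[126]: Accepted password for root from 203.0.113.5 port 5004 ssh2",
    "2024-03-01T10:30:00Z host2 sshd[200]: Failed password for bob from 198.51.100.7 port 6001 ssh2",
]
# Source 2: JSON login events from a hypothetical web application.
APP_EVENTS = [
    '{"ts": "2024-03-01T10:00:03Z", "src": "203.0.113.5", "user": "root", "result": "fail"}',
    '{"ts": "2024-03-01T10:00:07Z", "src": "203.0.113.5", "user": "root", "result": "fail"}',
    '{"ts": "2024-03-01T11:00:00Z", "src": "192.0.2.9", "user": "alice", "result": "ok"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def _parse_ts(value):
    # Accept the trailing "Z" form that fromisoformat() did not handle before 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize_syslog(line):
    """Normalization: map an sshd syslog line onto the common event schema."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # not a login event; a real collector would keep it under another category
    return {
        "ts": _parse_ts(m["ts"]),
        "source": "sshd",
        "host": m["host"],
        "user": m["user"],
        "src_ip": m["src"],
        "action": "login",
        "outcome": "failure" if m["outcome"] == "Failed" else "success",
    }


def normalize_app(line):
    """Normalization: map a JSON web-app login event onto the same schema."""
    e = json.loads(line)
    return {
        "ts": _parse_ts(e["ts"]),
        "source": "webapp",
        "host": "webapp",
        "user": e["user"],
        "src_ip": e["src"],
        "action": "login",
        "outcome": "failure" if e["result"] == "fail" else "success",
    }


def aggregate(syslog_lines, app_lines):
    """Aggregation: collect both sources into one timeline ordered by timestamp."""
    events = [normalize_syslog(l) for l in syslog_lines] + [normalize_app(l) for l in app_lines]
    events = [e for e in events if e is not None]
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, threshold=4, window=timedelta(minutes=5)):
    """Correlation: two rules over the merged timeline.

    brute_force: >= threshold login failures from one src_ip inside a sliding window.
    success_after_brute_force: a later successful login from an IP that tripped the first rule.
    """
    alerts = []
    failures = defaultdict(list)  # src_ip -> timestamps of recent failures
    flagged = set()
    for e in events:
        ip = e["src_ip"]
        if e["outcome"] == "failure":
            failures[ip].append(e["ts"])
            # Drop failures that have aged out of the window (triggering on a threshold).
            failures[ip] = [t for t in failures[ip] if e["ts"] - t <= window]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "brute_force", "src_ip": ip,
                               "count": len(failures[ip]), "ts": e["ts"]})
        elif e["outcome"] == "success" and ip in flagged:
            alerts.append({"rule": "success_after_brute_force", "src_ip": ip,
                           "user": e["user"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(aggregate(SYSLOG_LINES, APP_EVENTS)):
        print(alert)
```

Run as is, the script raises the brute-force alert at 10:00:07 (three sshd failures plus two web-app failures from 203.0.113.5 inside the window; neither source alone reaches four) and then the follow-up alert for the successful root login at 10:00:40. The single failure from 198.51.100.7 never trips anything, which is the thresholding at work.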

Most Popular SIEM Tools:

  • IBM QRadar

  • Splunk
