Data Sources for your SIEM Environment
Data Sources
Data sources broadly describe either host behaviors reporting on operating systems or applications, or network behaviors reporting communication patterns. Data sources are event streams, and traces of activity that represent the services accessed by the users of a system. Data sources are inputs to sensors, which produce alerts as outputs. Alerts represent information of interest from a security perspective.
Network Logs
Network Traffic: The most prevalent type of network traffic data is the full packet capture, exemplified by the libpcap library and the tcpdump and Wireshark applications.
Network aggregates: Netflow is a widely used network monitoring tool used for detecting and visualizing security incidents in networks. In brief, this protocol records counters of packet headers flowing through router network interfaces.
Network infrastructure information: The networking infrastructure relies on many protocols for proper communication. Logs from DNS and routers are critical. DNS is attractive as a communication channel for attackers because it is one of the few protocols that are highly likely to go through firewalls, and whose payload will be unaltered.
Application Logs
Higher up the computing stack, application logs provide an event stream that documents the activity of a specific application. The main advantage of application logs over system logs is their closeness to actual user activity and the precision and accuracy of the information they provide.
Web Server Logs: A frequent source of information is provided by the web server and proxy logs, known as the Common Log Format (CLF) and Extended Common Log Format (ECLF).
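As an added example (not code from the article), here is a small Python parser for Common Log Format lines that also builds a per-client count of 4xx responses, the kind of aggregate a SIEM rule would compute from this source; the sample log lines are constructed and the alerting threshold is an assumed value.

```python
import re
from collections import Counter
from datetime import datetime

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

def parse_clf(line):
    """Parse one CLF line into a dict; return None for a malformed line."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # "-" means no body
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["request"].split()  # e.g. "GET /index.html HTTP/1.1"
    rec["method"] = parts[0] if len(parts) >= 2 else None
    rec["path"] = parts[1] if len(parts) >= 2 else rec["request"]
    return rec

def client_error_hosts(lines, threshold=3):
    """Hosts with at least `threshold` 4xx responses: a simple SIEM-style aggregate
    that surfaces clients repeatedly requesting missing or forbidden pages.
    The threshold of 3 is an assumed value for this example."""
    counts = Counter()
    for line in lines:
        rec = parse_clf(line)
        if rec is not None and 400 <= rec["status"] < 500:
            counts[rec["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}

# Constructed sample lines (not taken from the article or any real server)
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 404 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /backup HTTP/1.1" 404 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /config HTTP/1.1" 403 -',
    '192.0.2.9 - alice [10/Oct/2023:13:56:01 +0000] "GET /about HTTP/1.1" 200 1024',
    'this line is not in CLF and is skipped',
]

if __name__ == "__main__":
    print(client_error_hosts(SAMPLE_LOG))  # {'10.0.0.5': 3}
```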
Files and Documents: Another source of application-level information that is particularly interesting and can be found both in transit (in networks) or at rest (in systems) comprises the documents produced by some of these applications.
System and Kernel Logs: Kernel logs focus on monitoring the internal operations of an operating system, close to the hardware.
These are some of the generic log and data sources that we should focus on ingesting into our SIEM first, and then expand from there. The protocols and formats used for log collection vary: Syslog, WEF (Windows Event Forwarding), LEEF, SNMP Trap, Beats, etc. Every enterprise is unique, so when deciding which logs to add next, think about what is important to your environment based on factors such as the assets you protect, the threats you face, and the regulations you must meet.
Started M.Sc. in CSE at Khulna University | visit YouTube: @studytimewithjency | Human with a versatile mind for learning, innovation, and making meaningful contributions | long way to go
1 yr · Thank you so much. I really needed to clear up these concepts.
IT Business Analyst at Courts Administration Authority of South Australia
1 yr · Thank you for sharing! May I ask if data sources and log sources are the same thing?
Thank you
Joint Director/Consultant and Trainer in Smart Grid Cybersecurity, ISMS/ISO 27001:2022, OT Cybersecurity, OT/ICS/IoT/IIoT in Power Sector-NIST SP 800-82, NERC CIP, IEC 62443, IEEE 1686:2022, IEC 62351, IEEE 1547.3
2 yr · Thanks for sharing