The Secret Security Wiki


Security Information and Event Management

Security Information and Event Management (SIEM) is a monitoring system that aggregates data from different security-sensitive sources, analyzes the data, presents it, and issues alerts when triggering criteria are met. SIEM data is ingested from many sources, including network devices, security controls, servers, databases and applications. The data is analyzed to detect abnormalities that may indicate a problem, and events from different sources are often correlated to give individual events more meaningful context.

SIEM outputs alerts for suspicious events to a dashboard or third-party channels such as email. Data presented on the dashboard assists analysts in identifying abnormal activities. Alerts can be configured to trigger security controls to collect additional data or enforce a blocking action to prevent an attack.

Basic SIEM systems employ a rules-based approach to alerting. More advanced systems use machine learning to analyze the vast amounts of data that they collect.
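As an added illustration (not part of this wiki entry), the following Python sketch applies a rules-based correlation of the kind described above to constructed events from two sources, an SSH daemon and a VPN gateway; the log format, IP addresses, user names and rule thresholds are all assumptions made for the example.

```python
"""Minimal rules-based SIEM correlation example (illustrative, not from the wiki)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two sources: an SSH daemon and a VPN gateway.
RAW_EVENTS = [
    "2024-05-01T10:00:01 sshd src=203.0.113.5 user=alice result=FAIL",
    "2024-05-01T10:00:04 sshd src=203.0.113.5 user=alice result=FAIL",
    "2024-05-01T10:00:09 sshd src=203.0.113.5 user=alice result=FAIL",
    "2024-05-01T10:00:15 sshd src=203.0.113.5 user=alice result=OK",
    "2024-05-01T10:00:20 vpn  src=203.0.113.5 user=alice action=CONNECT",
    "2024-05-01T10:01:00 sshd src=198.51.100.7 user=bob result=FAIL",
    "2024-05-01T10:02:00 sshd src=198.51.100.7 user=bob result=OK",
]

def parse(line):
    """Normalize one raw line into a dict with a timestamp, source and key=value fields."""
    ts, source, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts), "source": source}
    event.update(kv.split("=", 1) for kv in fields)
    return event

def correlate(lines, fail_threshold=3, window=timedelta(seconds=60)):
    """Rule: at least fail_threshold SSH failures from one IP inside `window`, then a
    success from that IP, then a VPN connect from the same IP. Returns a list of alerts."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    failures = defaultdict(list)   # src IP -> timestamps of recent failures
    brute_force_ok = {}            # src IP -> time of success after the failures
    alerts = []
    for e in events:
        src = e["src"]
        if e["source"] == "sshd":
            if e["result"] == "FAIL":
                failures[src].append(e["ts"])
                failures[src] = [t for t in failures[src] if e["ts"] - t <= window]
            elif e["result"] == "OK" and len(failures[src]) >= fail_threshold:
                brute_force_ok[src] = e["ts"]
                alerts.append(("brute_force_success", src, e["user"]))
        elif e["source"] == "vpn" and src in brute_force_ok and e["ts"] - brute_force_ok[src] <= window:
            alerts.append(("vpn_connect_after_brute_force", src, e["user"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(RAW_EVENTS):
        print(alert)
```

Only the 203.0.113.5 sequence trips the rule; bob's single failure followed by a success stays below the threshold and produces no alert.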

SIEM systems are also used for data retention, both to support forensic investigations and to comply with data retention requirements and regulations.