Security information and event management, SIEM for short, is a solution that helps organizations detect, analyze, and respond to security threats before they harm business operations.
Typical use cases
- Log management: SIEM systems gather vast amounts of data in one place, organize it, and then determine if it shows signs of a threat, attack, or breach.
- Event correlation: The collected events are then linked across sources and time to identify relationships and patterns, so that potential threats can be detected and responded to quickly.
- Incident monitoring and response: SIEM technology monitors security incidents across an organization’s network and provides alerts and audits of all activity related to an incident.
Open source tooling
Wazuh
- Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments.
- The Wazuh solution consists of an endpoint security agent, deployed to the monitored systems, and a management server, which collects and analyzes the data gathered by the agents. Wazuh also integrates with the Elastic Stack, which provides the search engine and data visualization tool used to navigate security alerts.
Security Onion
- Security Onion bundles many tools into one distribution. It can be used as an IDS/IDP, to collect logs, or for static analysis of captured traffic. It can serve as a SIEM or as a first/last-resort security tool to find things your other tools may have missed. It has evolved a lot over the years and is quite robust in its offerings. It has an ELK stack built in and handles logging well. A good all-around tool.
Sources