The field of security information/event management (SIM or SIEM) is generally concerned with 1) collecting data from networks and networked devices that reflects network activity and/or operation of the devices and 2) analyzing the data to enhance security. For example, the data can be analyzed to identify an attack on the network or a networked device and determine which user or machine is responsible. If the attack is ongoing, a countermeasure can be performed to thwart the attack or mitigate the damage caused by the attack. The data that is collected usually originates in a message (such as an event, alert, or alarm) or an entry in a log file.
Log data can be generated by various sources, including both networked devices and applications. These sources can be, for example, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), vulnerability assessment tools, firewalls, anti-virus tools, anti-spam tools, encryption tools, application audit logs, and physical security logs. Log data is comprised of data instances called “events.” An event can be, for example, an entry in a log file, an entry in a syslog server, an alert, an alarm, a network packet, an email, or a notification page.
In general, an event represents a data structure that includes multiple fields, where each field can contain a value. Security systems, such as SIEM systems, receive events from potentially thousands of sources, many of which are diverse devices. By analyzing the fields, events may be cross-correlated to provide security-related intelligence, such as security breaches. Correlation may include applying rules to events.