Part 1 of this article on Security Information and Event Management (SIEM) covered the components of a SIEM system and the methods of collecting information. Part 2 looks at the techniques behind SIEM rules, the ways logs are stored, and how administrators monitor and manage the system.

Techniques that define SIEM rules

1. Event correlation

Rules build on the normalization of security events from different sources: once events share a common format, a rule can match fields across them and trigger alarms in the SIEM. Writing rules usually starts simply but can become extremely complex. Administrators typically write rules as Boolean logic expressions that state the specific conditions to be met and are evaluated against the incoming data.

Correlation is the application of a set of such rules. Correlating security events links events from different sources into a single, well-defined security incident. It simplifies incident response for the system by presenting one incident that ties together multiple security events from multiple source devices, instead of the raw events themselves.

There are typically two types of event correlation: rule-based and statistical-based.

  • Rule-based

Rule-based correlation relies on known rules and prior knowledge of attacks. That knowledge is used to link events together and analyze them in a common context. Rules encode defined patterns; vendors ship them, and administrators can build, refine and add their own to the system over time as experience accumulates.

  • Statistical-based

Statistical-based correlation does not use prior knowledge of which activities are dangerous. Instead, it relies on knowledge of normal activity that has been learned and accumulated over time: ongoing events are evaluated by an algorithm and compared against the normal pattern to distinguish normal from abnormal behavior. The system analyzes security events over a period of time and assigns weights to assets or systems; those weights are then used when scoring the risk of a given type of attack. Such systems also establish a baseline of normal network activity and look for deviations from it that may indicate an attack.
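As an added example (not from the original article or from any SIEM product), the following Python code shows a statistical baseline of the kind just described: it learns the mean and standard deviation of failed logins per minute for each host from a constructed history, scores the current window as a deviation (z-score) from that baseline, and weights the deviation by an assumed asset importance to produce a risk value. The host names, counts, asset weights and the 3-sigma threshold are all assumptions made for the illustration.

```python
"""Statistical-based correlation: baseline plus deviation, weighted by asset.

Added example.  All hosts, counts, weights and thresholds below are
constructed assumptions for illustration, not data from a real SIEM.
"""
from statistics import mean, pstdev

# Constructed training data: failed logins per minute per host while the
# network was behaving normally.  This is the "accumulated knowledge of
# normal activity" the text refers to.
HISTORY = {
    "db-01":  [2, 3, 1, 4, 2, 3, 2, 3, 1, 2],
    "web-01": [20, 25, 18, 22, 24, 19, 21, 23, 20, 22],
}

# Assumed asset weights: a database server counts more than a web front end.
ASSET_WEIGHT = {"db-01": 3.0, "web-01": 1.0}

# Constructed counts for the minute being evaluated.  "unknown" has no baseline.
CURRENT = {"db-01": 12, "web-01": 40, "unknown": 50}


def build_baseline(history):
    """Learn {host: (mean, stdev)} from the history of normal activity."""
    baseline = {}
    for host, counts in history.items():
        sd = pstdev(counts)
        # A constant history gives stdev 0; clamp it so z-scores stay finite.
        baseline[host] = (mean(counts), sd if sd > 0 else 1.0)
    return baseline


def z_score(value, stats):
    """Number of standard deviations `value` lies above the learned mean."""
    m, sd = stats
    return (value - m) / sd


def score_window(current, baseline, weights, z_threshold=3.0):
    """Evaluate one time window against the baseline.

    Returns [(host, z, risk)] for hosts whose deviation exceeds z_threshold,
    with risk = z * asset weight, highest risk first.  Hosts with no baseline
    are skipped: without learned normal behaviour there is nothing to compare.
    """
    findings = []
    for host, count in current.items():
        if host not in baseline:
            continue
        z = z_score(count, baseline[host])
        if z > z_threshold:
            risk = z * weights.get(host, 1.0)
            findings.append((host, round(z, 2), round(risk, 2)))
    return sorted(findings, key=lambda f: f[2], reverse=True)


def detect():
    """Run the constructed scenario end to end."""
    return score_window(CURRENT, build_baseline(HISTORY), ASSET_WEIGHT)


if __name__ == "__main__":
    for host, z, risk in detect():
        print(f"{host}: {z} sigma above baseline, risk {risk}")
```

Note that web-01 normally sees around twenty failures a minute, so the same absolute count that would be alarming on db-01 is ordinary there; the baseline, not a fixed number, decides what is abnormal, and the asset weight ranks the database incident above the web one even though both deviate.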

Look at the example in Image 3: many security events arrive at the SIEM within 10 seconds. Looking at them, you can see failed and successful logins from multiple source addresses to several destination addresses. Looking closely, you can see one source address logging in to multiple destination addresses many times, and then suddenly a successful login. This could be a brute-force attack against the server.

Image 3: Logs collected within 10 seconds

Now extend this example: instead of 10 security events in a 10-second period, the system receives 1,000 security events in 10 seconds. Picking out the one risky security event among them by hand is extremely difficult. There has to be a way to discard the unrelated security events in the logs and to track the information that could indicate a risk across multiple security events. That is what correlation rules do.
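The following Python code is an added example, not code from the article or from any SIEM vendor, of the rule-based correlation that the brute-force scenario calls for. It normalizes constructed sshd-style log lines into events, keeps a 10-second sliding window of failed logins per source address, and raises a single alert when a source that has failed at least five times against at least two destinations inside that window then logs in successfully. The log format, host names, IP addresses (taken from the documentation ranges) and thresholds are assumptions made for the illustration.

```python
"""Rule-based correlation: a brute-force rule over a sliding window.

Added example.  The log format, hosts, addresses and thresholds are
constructed assumptions; the lines are not from a real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style lines from several hosts as the SIEM would receive
# them.  203.0.113.7 fails repeatedly against several hosts, then succeeds;
# 198.51.100.4 is a user who mistyped a password once.  The cron line shows
# that unrelated events are dropped during normalization.
RAW_LOG = """\
2024-03-01T10:00:00Z web-01 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:01Z web-02 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:01Z web-01 sshd: Failed password for alice from 198.51.100.4
2024-03-01T10:00:02Z db-01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:03Z web-01 sshd: Accepted password for alice from 198.51.100.4
2024-03-01T10:00:04Z web-01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:05Z db-01 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:06Z web-02 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:07Z app-01 cron: session opened for user backup
2024-03-01T10:00:08Z db-01 sshd: Accepted password for admin from 203.0.113.7
"""

# Normalization: one regex turns a raw line into a common event record.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dst>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def normalize(line):
    """Parse one raw line; return an event dict, or None if it is not a login."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["success"] = ev.pop("outcome") == "Accepted"
    return ev


class BruteForceRule:
    """Boolean rule: within `window` seconds, one source has >= min_failures
    failed logins against >= min_targets distinct destinations AND then a
    successful login.  State is kept per source address."""

    def __init__(self, window=10, min_failures=5, min_targets=2):
        self.window = timedelta(seconds=window)
        self.min_failures = min_failures
        self.min_targets = min_targets
        self.failures = defaultdict(deque)  # src -> deque of (ts, dst, user)

    def feed(self, ev):
        q = self.failures[ev["src"]]
        while q and ev["ts"] - q[0][0] > self.window:  # expire old failures
            q.popleft()
        if not ev["success"]:
            q.append((ev["ts"], ev["dst"], ev["user"]))
            return None
        targets = {dst for _, dst, _ in q}
        if len(q) >= self.min_failures and len(targets) >= self.min_targets:
            alert = {
                "rule": "ssh-brute-force-then-success",
                "src": ev["src"],
                "first_seen": q[0][0].isoformat(),
                "last_seen": ev["ts"].isoformat(),
                "failures": len(q),
                "targets": sorted(targets),
                "compromised": ev["dst"],
                "user": ev["user"],
            }
            q.clear()  # one incident, not one alert per later success
            return alert
        return None


def correlate(lines, rule=None):
    """Feed raw lines through normalization and the rule; return the alerts."""
    rule = rule or BruteForceRule()
    alerts = []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue
        alert = rule.feed(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in correlate(RAW_LOG.splitlines()):
        print(a)
```

Ten raw lines collapse into one alert that names the source, the hosts it tried, the host it finally got into and the account used, which is the "single incident built from many events" the text describes. The user who mistyped a password once never reaches the thresholds, and the window expiry keeps an attacker from being matched against failures that are minutes old.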

2. Log storage

Logs sent to the SIEM need to be kept for storage and future queries. There are three ways to archive logs in a SIEM: in a database, in a text file, or in a binary file.

  • Database

Storing logs in a database is the most common way to keep logs in a SIEM. The database is usually a standard platform such as Oracle, MySQL, Microsoft SQL Server, or one of the other major database products already in use in the enterprise.

This method makes it fairly easy to interact with the data, because querying is a built-in function of the database. Performance when accessing logs in the database is also good, depending on the hardware the database runs on, but the database must be tuned for the SIEM's workload.

Using a database is a good solution for log storage, but some issues may arise depending on how the SIEM implements its database. If the SIEM is an appliance that does not require much direct interaction with the database, provisioning and maintenance are usually not a problem. But if the SIEM runs on its own hardware with a separately managed database, administering that database becomes a significant task. This is difficult if the organization has no DBA.

  • Archive as a text file

A standard text file stores information in a readable format. Fields should be separated by a delimiter such as a comma, a tab, or some other marker so that the information can be parsed and read correctly. This storage method is not used often; writing to and reading from text files tends to be slower than the other methods.

There is not much benefit in using a text file to store data, except that it is easy for external applications to access. If logs are stored in a text file, it is not difficult to write code that opens the file and retrieves information for another application. Another benefit is that text files are human-readable, so analysts can find and understand the data easily.

  • Archive as a binary file

The binary format uses a file with a custom layout to store information in binary form. Only the SIEM knows how to read and write these files, so external applications cannot use them without the format specification.
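As an added example (not the article's code or any product's format), the Python below writes the same constructed set of normalized events in each of the three forms just described: a relational table queried with SQL (SQLite standing in for Oracle, MySQL or SQL Server), a tab-delimited text file that any tool can read, and a custom binary record format that only code knowing the layout can parse. The event schema, the binary layout and the magic bytes are assumptions made for the illustration.

```python
"""Three ways to archive normalized events: database, delimited text, binary.

Added example.  The event schema, file layouts and magic bytes are
assumptions for illustration, not any vendor's format.
"""
import csv
import io
import sqlite3
import struct

# Constructed, already-normalized login events: (unix_ts, src, dst, success)
EVENTS = [
    (1709287200, "203.0.113.7", "web-01", 0),
    (1709287201, "203.0.113.7", "web-02", 0),
    (1709287201, "198.51.100.4", "web-01", 0),
    (1709287203, "198.51.100.4", "web-01", 1),
    (1709287208, "203.0.113.7", "db-01", 1),
]
FIELDS = ("ts", "src", "dst", "success")


# --- 1. Database: the SIEM asks questions in SQL; indexing is the tuning step ---
def store_db(events):
    con = sqlite3.connect(":memory:")  # stands in for Oracle/MySQL/SQL Server
    con.execute("CREATE TABLE events (ts INTEGER, src TEXT, dst TEXT, success INTEGER)")
    con.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", events)
    con.execute("CREATE INDEX events_src ON events (src)")
    con.commit()
    return con


def failures_by_source(con):
    """A typical analyst query: which source failed most often?"""
    return con.execute(
        "SELECT src, COUNT(*) AS n FROM events WHERE success = 0 "
        "GROUP BY src ORDER BY n DESC"
    ).fetchall()


# --- 2. Delimited text: tab-separated, readable by humans and by any tool ---
def store_text(events):
    buf = io.StringIO()
    w = csv.writer(buf, delimiter="\t", lineterminator="\n")
    w.writerow(FIELDS)
    w.writerows(events)
    return buf.getvalue()


def load_text(text):
    r = csv.reader(io.StringIO(text), delimiter="\t")
    next(r)  # skip the header row
    return [(int(ts), src, dst, int(ok)) for ts, src, dst, ok in r]


# --- 3. Custom binary: compact, but only code that knows the layout can read it ---
MAGIC = b"SIEM"
HEADER = struct.Struct(">4sI")   # magic, record count
RECORD = struct.Struct(">IBB")   # u32 ts, u8 success, u8 len(src); then src
                                 # bytes, u8 len(dst) and dst bytes follow


def store_binary(events):
    out = bytearray(HEADER.pack(MAGIC, len(events)))
    for ts, src, dst, ok in events:
        s, d = src.encode("utf-8"), dst.encode("utf-8")
        if len(s) > 255 or len(d) > 255:
            raise ValueError("field too long for a one-byte length prefix")
        out += RECORD.pack(ts, ok, len(s)) + s + bytes([len(d)]) + d
    return bytes(out)


def load_binary(blob):
    magic, n = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("not a SIEM archive")
    off, events = HEADER.size, []
    for _ in range(n):
        ts, ok, ls = RECORD.unpack_from(blob, off)
        off += RECORD.size
        src = blob[off:off + ls].decode("utf-8")
        off += ls
        ld = blob[off]
        off += 1
        dst = blob[off:off + ld].decode("utf-8")
        off += ld
        events.append((ts, src, dst, ok))
    return events


if __name__ == "__main__":
    print(failures_by_source(store_db(EVENTS)))
    print(store_text(EVENTS))
    print(len(store_binary(EVENTS)), "bytes in binary form")
```

The database answers the analyst's question in one SQL statement, the text form can be opened in any editor or fed to another program, and the binary form is the smallest of the three but is unreadable to anything that lacks the record layout, which is exactly the trade-off the three sections above describe.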

3. Monitoring and management

The final stage is how to interact with the logs stored in the SIEM. Once all logs are in the SIEM and the security events have been processed, the next step is to use them efficiently together with the information from the other logs. A SIEM provides a web-based console or a client application installed on a server; both interfaces allow interaction with the data stored in the SIEM. The console is also used to manage the SIEM itself.

A SIEM provides three ways to notify administrators of an attack or abnormal behavior in progress. First, it can raise an alert as soon as something is recognized as abnormal. Second, it can send a message at a predetermined time summarizing the attacks seen. Third, administrators can monitor the SIEM in real time through the web interface.

This interface supports troubleshooting and gives an overview of the system's environment. Normally, when looking for information or troubleshooting, engineers have to go to each device and view its logs in their original formats. With a SIEM this is much simpler and more convenient: all the different logs can be analyzed in one place because the SIEM has normalized that data.

In the SIEM console, the administrator can develop the content and rules used to find information in the processed security events. The console is the way to communicate with the data stored in the SIEM.


Implementing a SIEM does not change the network architecture. The SIEM devices can be placed anywhere in the network like ordinary servers; the best location for the management server is the administration zone, while the collection servers can be placed wherever it is convenient to gather logs from the monitored systems.

The purpose is to help the customer determine the meaning of any event by placing it in context, answering what, where, when and why the event occurred and what its impact on the customer is. The SIEM correlates events, ranks them by priority, automatically evaluates security risks and policy compliance violations in the customer's IT environment, and raises real-time alerts about those risks based on the analyzed content.

Security information and event management (Part 1) – Components of the SIEM system and Methods to collect Information

Song Phuong – FPT IS
