SIEM
Definition
Security Information and Event Management. A platform that ingests log streams from multiple sources, normalises them to a common schema, and applies correlation rules to generate alerts. Examples include Splunk, IBM QRadar, Microsoft Sentinel, and the open-source Wazuh. It is the primary infrastructure for large-scale log correlation.
Related terms
- Alert triage
- The process of reviewing SIEM-generated alerts to determine which are genuine security events and which are false positives. In forensic investigations, alert...
- Binary log (database)
- A database engine's sequential record of all committed data modification statements, used primarily for replication and point-in-time recovery. In MySQL and MariaDB,...
- Chain of custody
- The documented chronological record of who collected, handled, transferred, and examined a piece of evidence. For digital evidence, chain of custody includes...
- Combined Log Format
- An extension of the Common Log Format used as the default by Apache HTTP Server and widely adopted by Nginx. Adds referrer...
- Indicator of Compromise (IoC)
- An observable artefact that suggests a system has been involved in a malicious event. Static analysis produces file-based IoCs: cryptographic hashes, embedded...
- Log correlation
- The process of matching related events from different log sources using shared attributes such as IP address, username, timestamp, or session ID....
- Log rotation
- The scheduled process of closing the current log file, compressing it, renaming it with a date or sequence suffix, and opening a...
- Normalisation
- The process of converting log data from different vendors and formats into a common schema so that fields can be compared across...
- Retention policy
- An organisation's rule specifying how long log data is stored before deletion or archiving. Policies are typically driven by compliance requirements and...
- Syslog (RFC 5424)
- A standard protocol and message format for transmitting log data from Unix-like systems and network devices to a centralised collector. Each message...
Explained in these topics
- Log Correlation and SIEM in Forensic Investigations
- Security Information and Event Management. A platform that aggregates log and event data from across an environment, normalises it, and applies correlation rul...
- Server and Application Log Analysis
- Security Information and Event Management. A platform that ingests log streams from multiple sources, normalises them to a common schema, and applies correlati...