Guides

Notable Events

While we think of detection, the basic idea is to categorize data and mark notable events.

Suggest Edits

A Security Information and Event Management (SIEM) system relies on various security services to generate audit and security logs. These logs encompass a wide range of data sources, including firewall logs, Endpoint Detection and Response (EDR) audit data, EDR alerts, and network flow data. Each of these services is considered a "data source" within the SIEM framework.

Events and Cases

In the Fluency environment, an event can be seen as a building block of security analysis. When multiple events form a pattern or indicate a potential security concern, they are grouped together into what we call a "case". In Fluency, a case consists of notable events with significant RiskScore, helping security analysts prioritize and respond to potential threats effectively.

Cases are listed on the Summary Overview page.

Understanding "state":
The concept of "state" in the SIEM context refers to the relationship between similar events, as well as their relation to all events and the user-entity (UE). By understanding the state of events, analysts can better discern patterns, anomalies, and potential threats within the system.

Generating Notable Events

Notable events are generated through the analysis of data collected from various sources. These events can take several forms:

  • Notification: An event that occurred and requires attention.
  • Alert: An event that demands immediate response due to its severity.
  • Action: An event that denotes an interaction with data or a change in system state.
  • Summary: A collection of properties of the system over a specific time period.
  • Metric: A summary message with consistent time span per message.

Categorizing Notable Events

In the process of generating notable events, we categorize them based on their nature and significance:

  • Notifications and Alerts: These events are inherently notable and are categorized accordingly. We also aim to enrich alerts with additional context, such as their state in relation to other events.
  • Actions: These events represent interactions with the system that we want to categorize. We identify notable actions based on specific criteria or patterns, such as unique properties associated with user logins that may indicate potential security risks.
  • Summary: These are normally discarded, as the raw data that creates these has already been captured.
  • Metrics: These are like Actions. Metrics may generate notifications based on threshold and trending alerts.

By effectively categorizing and analyzing notable events, SIEM systems empower security teams to detect and respond to security threats in a timely and efficient manner.

In the supporting pages we will examine how to create notifications based on the types above.

Updated 8 months ago