Interpret the output of a SIEM report for an event
Assessment
Report
Interpretation, must include:
• type of activity
• threat level (make this one up, e.g. on a scale of 1 to 10)
• remediation actions (best guess)
Look at the screenshot further down the page and pick 3 to 'interpret'
Interpreting the output of a SIEM (Security Information and Event Management) report is a bit like being a detective. You get lots of clues and evidence, and it's your job to figure out what they mean and if something fishy is going on. A SIEM report for an event might show you different pieces of information. Let's break down what some of those could be and what they mean:
Timestamp
What it is: Shows when the event happened.
Why it's important: Helps you know if the event occurred at a suspicious time, like in the middle of the night when no one should be accessing the system.
Event ID
What it is: A unique identifier for the type of event.
Why it's important: Tells you what kind of event you're dealing with, like a failed login attempt or changes to important files.
Source IP address
What it is: The IP address where the event originated.
Why it's important: Helps you trace where the activity came from. If it's an unknown or suspicious location, that's a red flag.
Destination IP address
What it is: The IP address that was the target of the event.
Why it's important: Tells you what part of your network was targeted.
Username
What it is: The username of the person or system involved in the event.
Why it's important: Lets you know who was involved. If it's an account that shouldn't be doing certain activities, that's another clue.
Action or outcome
What it is: Describes what actually happened.
Why it's important: You need to know whether the event was successful or not. Did someone try to log in but fail? Or did they actually get in?
Details
What it is: Extra information like files accessed, commands executed, or any changes made.
Why it's important: This gives you a more detailed picture of the event. You'll know not just that something happened, but also what impact it had.
Severity
What it is: A rating to indicate how serious the event is.
Why it's important: Helps you prioritize. Not all events are equally important, so this tells you how much attention it needs.
Putting all these pieces together, you'll look for patterns or anything out of the ordinary. If you see multiple failed login attempts from a strange IP address, or someone accessing files they shouldn't, those are clues that something's not right and you might need to investigate further or take action to keep the network safe.
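As an added worked example (not part of the assessment page or its screenshot), the script below applies the interpretation above to a handful of constructed sample events and produces the three things the assessment asks for: type of activity, a threat level on a 1-to-10 scale, and a remediation action. The scoring rules, the off-hours window, the privileged-account list and the sensitive-path prefixes are assumptions chosen for illustration, not anything the page specifies.

```python
from datetime import datetime
# Constructed sample events (not from a real SIEM) with the fields described above; the event IDs
# follow Windows conventions (4625 failed logon, 4624 successful logon, 4663 file access).
EVENTS = [
    {"ts": "2024-03-02T02:14:05", "event_id": 4625, "src": "203.0.113.7", "dst": "10.0.0.5",
     "user": "admin", "action": "logon_failed", "details": "bad password", "severity": "medium"},
    {"ts": "2024-03-02T02:14:09", "event_id": 4625, "src": "203.0.113.7", "dst": "10.0.0.5",
     "user": "admin", "action": "logon_failed", "details": "bad password", "severity": "medium"},
    {"ts": "2024-03-02T02:14:13", "event_id": 4625, "src": "203.0.113.7", "dst": "10.0.0.5",
     "user": "admin", "action": "logon_failed", "details": "bad password", "severity": "medium"},
    {"ts": "2024-03-02T02:14:20", "event_id": 4624, "src": "203.0.113.7", "dst": "10.0.0.5",
     "user": "admin", "action": "logon_success", "details": "interactive", "severity": "low"},
    {"ts": "2024-03-02T09:30:00", "event_id": 4663, "src": "10.0.0.22", "dst": "10.0.0.5",
     "user": "jsmith", "action": "file_read", "details": "/finance/payroll.xlsx", "severity": "low"},
]

# Assumed scoring rules; a real SOC would tune these to its own environment.
SEVERITY_BASE = {"low": 2, "medium": 4, "high": 7, "critical": 9}
OFF_HOURS = range(0, 6)            # 00:00-05:59, when nobody should normally be logging in
PRIVILEGED = {"admin", "root"}
SENSITIVE_PREFIXES = ("/finance/", "/hr/")
def failed_logons_from(src, events):
    """Count failed logons from one source IP across the whole report (the 'pattern' check)."""
    return sum(1 for e in events if e["src"] == src and e["action"] == "logon_failed")

def interpret(event, events):
    """Return what the assessment asks for: type of activity, threat level 1-10, remediation."""
    score = SEVERITY_BASE[event["severity"]]
    failures = failed_logons_from(event["src"], events)
    if datetime.fromisoformat(event["ts"]).hour in OFF_HOURS:
        score += 2                     # suspicious time of day
    if event["user"] in PRIVILEGED:
        score += 1                     # privileged account involved
    if event["action"] == "logon_failed":
        activity, remediation = "failed login", "check lockout policy; block the source if external"
        if failures >= 3:
            score += 2
            activity = "repeated failed logins from one source (possible password guessing)"
    elif event["action"] == "logon_success":
        activity, remediation = "successful login", "confirm with the account owner"
        if failures >= 3:              # success right after a burst of failures: worst case
            score += 5
            activity = "successful login after repeated failures (likely compromised account)"
            remediation = "disable/reset the account, block the source IP, review the session"
    else:
        activity, remediation = f"{event['action']} on {event['details']}", "verify the user is authorised"
        if event["details"].startswith(SENSITIVE_PREFIXES):
            score += 3                 # access to a sensitive file
    return {"activity": activity, "threat_level": min(score, 10), "remediation": remediation}
```

Running `interpret(e, EVENTS)` over each sample event rates the lone off-hours success after three failures as a 10, the failures themselves as 9, and the daytime payroll-file read as 5, which is the kind of prioritisation the severity field alone would not give you.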