WEBVTT

1
00:00:00.180 --> 00:00:02.640
<v Instructor>In this lesson, we will learn about</v>

2
00:00:02.640 --> 00:00:04.830
SIEM Event Management.

3
00:00:04.830 --> 00:00:07.710
A security information and event management

4
00:00:07.710 --> 00:00:11.490
or SIEM system is a platform that collects,

5
00:00:11.490 --> 00:00:15.600
analyzes, and correlates security event data

6
00:00:15.600 --> 00:00:19.050
from various sources to detect and respond

7
00:00:19.050 --> 00:00:21.990
to potential threats in real time.

8
00:00:21.990 --> 00:00:24.750
SIEM event management is collecting,

9
00:00:24.750 --> 00:00:29.750
analyzing, and responding to security events in real time

10
00:00:30.150 --> 00:00:33.090
to identify and mitigate threats.

11
00:00:33.090 --> 00:00:37.560
SIEM event management concepts include Event parsing,

12
00:00:37.560 --> 00:00:41.700
Event duplication, as well as the identification

13
00:00:41.700 --> 00:00:45.930
of event false positives and false negatives.

14
00:00:45.930 --> 00:00:48.780
Event parsing refers to the process

15
00:00:48.780 --> 00:00:51.480
of breaking down raw event data

16
00:00:51.480 --> 00:00:55.620
into structured formats for easier analysis.

17
00:00:55.620 --> 00:00:59.790
Event duplication filters out repeated alerts

18
00:00:59.790 --> 00:01:04.790
to reduce noise and enable focus on unique incidents.

19
00:01:04.800 --> 00:01:08.370
Event false positives occur when benign activity

20
00:01:08.370 --> 00:01:10.980
is mistakenly flagged as a threat,

21
00:01:10.980 --> 00:01:15.870
and false negatives occur when actual threats go undetected.

22
00:01:15.870 --> 00:01:20.250
Let's learn more about event parsing, event duplication

23
00:01:20.250 --> 00:01:22.560
as well as the identification

24
00:01:22.560 --> 00:01:26.220
of event false positives and false negatives.

25
00:01:26.220 --> 00:01:29.010
First, we have event parsing.

26
00:01:29.010 --> 00:01:30.960
Event parsing is the process

27
00:01:30.960 --> 00:01:35.700
of breaking down raw event data into a structured format

28
00:01:35.700 --> 00:01:37.650
that a security information

29
00:01:37.650 --> 00:01:41.520
and event management or a SIEM system can analyze.

30
00:01:41.520 --> 00:01:45.030
Parsing is required because when data is collected

31
00:01:45.030 --> 00:01:48.330
from various sources such as firewalls,

32
00:01:48.330 --> 00:01:51.450
intrusion detection systems, or servers,

33
00:01:51.450 --> 00:01:54.390
it often comes in different formats.

34
00:01:54.390 --> 00:01:59.390
So the SIEM parses this data into a consistent structure,

35
00:01:59.430 --> 00:02:02.580
making it easier to analyze and correlate.

36
00:02:02.580 --> 00:02:07.440
For example, a SIEM may take log data from a firewall

37
00:02:07.440 --> 00:02:10.440
and break it down into standardized fields

38
00:02:10.440 --> 00:02:14.400
like IP address, port number and timestamp.

39
00:02:14.400 --> 00:02:17.850
By doing so, the SIEM can effectively process

40
00:02:17.850 --> 00:02:22.020
and understand the event data across all devices

41
00:02:22.020 --> 00:02:25.140
and systems in a normalized format.

42
00:02:25.140 --> 00:02:28.770
Next, a SIEM accomplishes event parsing

43
00:02:28.770 --> 00:02:31.470
through predefined rules and templates,

44
00:02:31.470 --> 00:02:35.100
which allow it to recognize different types of events

45
00:02:35.100 --> 00:02:37.110
from various sources.

46
00:02:37.110 --> 00:02:41.130
As events enter the SIEM, the system applies these rules

47
00:02:41.130 --> 00:02:42.960
to organize the data

48
00:02:42.960 --> 00:02:46.170
into recognizable and actionable fields.

49
00:02:46.170 --> 00:02:49.260
For instance, if a SIEM receives logs

50
00:02:49.260 --> 00:02:53.010
from both a firewall and an application server,

51
00:02:53.010 --> 00:02:56.970
it will use parsing templates to break down each log type

52
00:02:56.970 --> 00:03:00.600
into relevant fields like Source IP address,

53
00:03:00.600 --> 00:03:03.390
Event Type, and Severity Level.

54
00:03:03.390 --> 00:03:07.800
This structured data can then be used for further analysis,

55
00:03:07.800 --> 00:03:11.460
making event correlation and alerting possible.

56
00:03:11.460 --> 00:03:13.260
In an enterprise network,

57
00:03:13.260 --> 00:03:15.600
the benefit of event parsing

58
00:03:15.600 --> 00:03:18.870
is the ability to quickly normalize data

59
00:03:18.870 --> 00:03:20.730
from various sources,

60
00:03:20.730 --> 00:03:24.660
creating consistency in how events are managed.

61
00:03:24.660 --> 00:03:27.660
This helps security teams reduce noise

62
00:03:27.660 --> 00:03:30.360
and focus on critical issues,

63
00:03:30.360 --> 00:03:32.610
as the structured data allows

64
00:03:32.610 --> 00:03:34.980
for more efficient SIEM filtering,

65
00:03:34.980 --> 00:03:38.100
searching, and correlating of events.

66
00:03:38.100 --> 00:03:40.650
Proper event parsing also ensures

67
00:03:40.650 --> 00:03:42.690
that large volumes of data

68
00:03:42.690 --> 00:03:45.570
can be processed in a meaningful way,

69
00:03:45.570 --> 00:03:49.770
enabling security teams to respond faster to threats.

70
00:03:49.770 --> 00:03:52.950
Second, we have event duplication.

71
00:03:52.950 --> 00:03:55.920
Event duplication refers to the filtering

72
00:03:55.920 --> 00:03:58.620
and elimination of repeated alerts

73
00:03:58.620 --> 00:04:03.620
or events in a SIEM system to avoid unnecessary noise.

74
00:04:03.720 --> 00:04:06.000
In a large enterprise network,

75
00:04:06.000 --> 00:04:09.540
certain events such as repetitive login attempts

76
00:04:09.540 --> 00:04:14.040
or frequent traffic spikes can trigger multiple alerts.

77
00:04:14.040 --> 00:04:16.200
Without duplication management,

78
00:04:16.200 --> 00:04:19.740
these repeated alerts can overwhelm security teams

79
00:04:19.740 --> 00:04:22.290
and obscure true threats.

80
00:04:22.290 --> 00:04:24.360
A SIEM system addresses this

81
00:04:24.360 --> 00:04:27.060
by detecting and removing duplicates,

82
00:04:27.060 --> 00:04:30.570
ensuring that only unique and relevant incidents

83
00:04:30.570 --> 00:04:33.510
are prioritized for investigation.

84
00:04:33.510 --> 00:04:38.040
SIEMs handle event duplication through correlation rules

85
00:04:38.040 --> 00:04:41.100
that identify repeated occurrences

86
00:04:41.100 --> 00:04:45.240
of the same event within a specific timeframe.

87
00:04:45.240 --> 00:04:49.800
For example, if a SIEM receives multiple login failures

88
00:04:49.800 --> 00:04:53.520
from the same user within a short period of time,

89
00:04:53.520 --> 00:04:56.400
it may group them as a single event

90
00:04:56.400 --> 00:04:59.340
or filter out duplicates entirely.

91
00:04:59.340 --> 00:05:01.860
This helps prevent alert fatigue

92
00:05:01.860 --> 00:05:06.270
where security analysts are overwhelmed by too many alerts,

93
00:05:06.270 --> 00:05:09.870
so many that they may miss actual incidents.

94
00:05:09.870 --> 00:05:12.180
So by reducing noise,

95
00:05:12.180 --> 00:05:16.410
the SIEM allows security teams to focus on unique events

96
00:05:16.410 --> 00:05:18.690
that require investigation.

97
00:05:18.690 --> 00:05:22.800
In enterprise environments, managing event duplication

98
00:05:22.800 --> 00:05:26.670
improves the efficiency of the security team.

99
00:05:26.670 --> 00:05:29.070
By eliminating repetitive alerts,

100
00:05:29.070 --> 00:05:33.810
security analysts can focus their efforts on genuine threats

101
00:05:33.810 --> 00:05:38.700
and reduce the time spent investigating duplicate incidents.

102
00:05:38.700 --> 00:05:42.030
This not only increases productivity,

103
00:05:42.030 --> 00:05:45.540
but also ensures that high priority alerts

104
00:05:45.540 --> 00:05:47.460
get the attention they need

105
00:05:47.460 --> 00:05:51.570
without being buried in a flood of redundant data.

106
00:05:51.570 --> 00:05:55.830
Third, we have the identification of false positives

107
00:05:55.830 --> 00:05:57.810
and false negatives.

108
00:05:57.810 --> 00:06:01.800
The identification of false positives and false negatives

109
00:06:01.800 --> 00:06:04.620
ensures accurate threat detection.

110
00:06:04.620 --> 00:06:08.910
A false positive occurs when an event is incorrectly flagged

111
00:06:08.910 --> 00:06:13.910
as a security issue, even though no actual threat exists.

112
00:06:14.250 --> 00:06:17.070
Conversely, a false negative occurs

113
00:06:17.070 --> 00:06:21.990
when a true security threat goes undetected by the system.

114
00:06:21.990 --> 00:06:25.590
SIEMs are designed to minimize both false positives

115
00:06:25.590 --> 00:06:29.730
and false negatives by using correlation rules,

116
00:06:29.730 --> 00:06:33.900
machine learning and fine tuned thresholds.

117
00:06:33.900 --> 00:06:36.780
SIEM systems reduce false positives

118
00:06:36.780 --> 00:06:40.650
by using and adjusting specific correlation rules

119
00:06:40.650 --> 00:06:43.290
and improving event context,

120
00:06:43.290 --> 00:06:46.380
often with the help of security analysts.

121
00:06:46.380 --> 00:06:49.440
For example, if a SIEM flags an event

122
00:06:49.440 --> 00:06:52.800
as suspicious because of an unusual login,

123
00:06:52.800 --> 00:06:56.880
but further context reveals that this login was legitimate,

124
00:06:56.880 --> 00:07:00.750
maybe it was a known employee traveling abroad,

125
00:07:00.750 --> 00:07:04.530
then a security analyst can adjust the SIEM's rules

126
00:07:04.530 --> 00:07:08.100
to avoid flagging similar logins in the future.

127
00:07:08.100 --> 00:07:10.920
Similarly, false negatives are addressed

128
00:07:10.920 --> 00:07:13.410
by improving detection methods.

129
00:07:13.410 --> 00:07:18.330
So if a SIEM fails to flag a successful malware download

130
00:07:18.330 --> 00:07:21.406
because the detection rules were too restrictive,

131
00:07:21.406 --> 00:07:23.910
analysts can adjust the rules

132
00:07:23.910 --> 00:07:27.600
to ensure such events are caught in the future.

133
00:07:27.600 --> 00:07:31.170
So the benefit of managing false positives

134
00:07:31.170 --> 00:07:34.530
and false negatives in an enterprise network

135
00:07:34.530 --> 00:07:36.600
is ensuring that security teams

136
00:07:36.600 --> 00:07:39.510
are able to focus on real threats

137
00:07:39.510 --> 00:07:41.790
while minimizing wasted time

138
00:07:41.790 --> 00:07:45.420
on investigating benign incidents.

139
00:07:45.420 --> 00:07:48.960
Reducing false positives helps analysts concentrate

140
00:07:48.960 --> 00:07:53.040
on meaningful alerts, improving their efficiency.

141
00:07:53.040 --> 00:07:56.580
At the same time, reducing false negatives

142
00:07:56.580 --> 00:08:00.000
ensures that actual threats are not missed,

143
00:08:00.000 --> 00:08:03.120
maintaining the overall security posture

144
00:08:03.120 --> 00:08:05.130
of the organization.

145
00:08:05.130 --> 00:08:09.480
So remember, a Security Information

146
00:08:09.480 --> 00:08:12.540
and Event Management or SIEM system

147
00:08:12.540 --> 00:08:16.350
is used to collect, analyze, and respond

148
00:08:16.350 --> 00:08:21.350
to security events from various sources in real time.

149
00:08:21.450 --> 00:08:25.140
It helps detect and mitigate potential threats

150
00:08:25.140 --> 00:08:29.310
by processing event data from systems like firewalls,

151
00:08:29.310 --> 00:08:33.180
servers and intrusion detection systems.

152
00:08:33.180 --> 00:08:36.660
Important concepts in SIEM event management

153
00:08:36.660 --> 00:08:40.320
include event parsing, event duplication,

154
00:08:40.320 --> 00:08:42.560
as well as the identification

155
00:08:42.560 --> 00:08:46.590
of event false positives and false negatives.

156
00:08:46.590 --> 00:08:51.210
Event parsing is the process of organizing raw event data

157
00:08:51.210 --> 00:08:55.110
into a structured format for easier analysis,

158
00:08:55.110 --> 00:08:57.990
ensuring consistency and accuracy

159
00:08:57.990 --> 00:09:00.540
across different data sources.

160
00:09:00.540 --> 00:09:03.690
Next, Event Duplication management

161
00:09:03.690 --> 00:09:08.690
filters out repeated alerts, reducing unnecessary noise,

162
00:09:08.760 --> 00:09:11.250
and helping security teams focus on

163
00:09:11.250 --> 00:09:14.130
unique and significant incidents.

164
00:09:14.130 --> 00:09:18.780
And finally, SIEMs also help manage false positives,

165
00:09:18.780 --> 00:09:23.130
which are benign activity mistakenly flagged as a threat

166
00:09:23.130 --> 00:09:25.320
and false negatives,

167
00:09:25.320 --> 00:09:28.860
which are real threats that go undetected.

168
00:09:28.860 --> 00:09:32.910
This allows security teams to focus on real threats

169
00:09:32.910 --> 00:09:35.070
and maintain the organization's

170
00:09:35.070 --> 00:09:37.893
security posture efficiently.

