Microsoft Sentinel – SIEM World Terminology
Last Updated: 01/10/2024
Before starting on Microsoft Sentinel, we need some background into the SIEM world and some of the terminology that’s used so that we can better understand what certain articles and solutions are actually talking about.
Here is a short list of things to know before diving into the world of SIEM and Sentinel.
SIEM – Security Information & Event Management, is a software solution that aggregates event logs with the objective of analysing, detecting, and responding to security threats. SIEM solutions will plug into a multitude of solutions and services (e.g., AD, firewalls, endpoints, servers, M365).
SOC – Security Operations Center, is a centralised function within an organisation that protects the organisation from Cyber Threats. SOC is an amalgamation of people, processes, and technology. Typically, SOC teams will be the ones that utilise a SIEM to investigate and respond to security incidents.
SOAR – Security Orchestration, Automation and Response, refers to a combination of services and tools that can automate the response to a cyber-attack. SOAR technology allows SOC teams to be more efficient by bolstering the capabilities of the SIEM solution.
Parsing – Parsing in the SIEM world refers to the process of normalising data from log sources and making sure they are compatible with the SIEM solution. Some log sources will need to be parsed before they are ingested to ensure that they are usable.
Syslog – Syslog is nothing new; it’s been around for years and is used in a variety of ways. A syslog message has the following structure: a header, structured data (SD) and a message. There are two primary syslog formats that are used by SIEM solutions: CEF & LEEF.
CEF – Common Event Forwarding, is an open log management standard that improves the interoperability of security-related events from different security solutions.
LEEF – Log Event Extended Format, is a custom format created by IBM. It differs from CEF as it has different fields.
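As an added example (not code from the original post and not Sentinel's own parser), the following Python shows what the Parsing, CEF and LEEF entries above describe: it pulls the CEF or LEEF payload out of a syslog line, splits the pipe-delimited header and the key=value extension of each format, and normalises vendor field names into one common schema. The two sample lines, the `ALIASES` map and the field names it produces are constructed assumptions for this illustration.

```python
import re

# Constructed sample events (not captured from a real device): one CEF line and
# one LEEF 2.0 line, each behind a simple syslog header "Mon DD HH:MM:SS host ".
CEF_SAMPLE = ("Jan 10 12:00:00 fw01 CEF:0|Acme|Firewall|1.0|100|Blocked connection|7|"
              "src=10.0.0.5 dst=203.0.113.9 spt=51515 dpt=443 msg=Policy deny\\=1")
LEEF_SAMPLE = ("Jan 10 12:00:01 fw01 LEEF:2.0|Acme|Firewall|1.0|100|^|"
               "src=10.0.0.5^dst=203.0.113.9^dstPort=443^sev=7")

# Hypothetical normalisation map: vendor field names -> one common schema.
ALIASES = {"src": "src_ip", "dst": "dst_ip", "spt": "src_port", "dpt": "dst_port",
           "srcPort": "src_port", "dstPort": "dst_port", "sev": "severity"}

_PIPE = re.compile(r"(?<!\\)\|")  # a pipe that is not escaped as \|
# CEF extension: key=value pairs separated by spaces; '=' inside values is escaped as \=
_CEF_KV = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)")

def _unescape(s: str) -> str:
    return s.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")

def parse_event(line: str) -> dict:
    """Parse a syslog line carrying a CEF or LEEF payload into a normalised dict."""
    m = re.search(r"\b(CEF|LEEF):(.*)$", line)
    if not m:
        raise ValueError("neither CEF nor LEEF payload found")
    fmt, rest = m.group(1), m.group(2)
    if fmt == "CEF":
        # CEF:Version|Vendor|Product|Version|EventClassID|Name|Severity|extension
        h = _PIPE.split(rest, maxsplit=7)
        ext = h[7] if len(h) > 7 else ""
        raw = {k: _unescape(v) for k, v in _CEF_KV.findall(ext)}
        event = {"format": "CEF", "vendor": _unescape(h[1]), "product": _unescape(h[2]),
                 "event_id": h[4], "name": _unescape(h[5]), "severity": h[6]}
    else:
        # LEEF:Version|Vendor|Product|Version|EventID|[delimiter|]extension
        h = _PIPE.split(rest, maxsplit=6)
        delim, ext = "\t", "|".join(h[5:])  # LEEF 1.0 and default 2.0: tab-separated
        if h[0] == "2.0" and len(h) == 7 and re.fullmatch(r".|x[0-9A-Fa-f]{2}", h[5]):
            # LEEF 2.0 may declare its own delimiter: a single char or xHH hex code
            delim = chr(int(h[5][1:], 16)) if len(h[5]) == 3 else h[5]
            ext = h[6]
        raw = dict(kv.split("=", 1) for kv in ext.split(delim) if "=" in kv)
        event = {"format": "LEEF", "vendor": h[1], "product": h[2],
                 "event_id": h[4], "name": None, "severity": None}
    # Normalise: rename known vendor keys, keep unknown ones under their own name.
    for k, v in raw.items():
        event[ALIASES.get(k, k)] = v
    return event
```

Both sample lines come out with the same `src_ip`, `dst_ip`, `dst_port` and `severity` keys even though the vendors named them differently, which is the point of normalising before ingestion.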
CTI – Cyber Threat Intelligence, is data that is collected, processed, and analysed to understand the threat, the actor, the target, and attack behaviours. CTI is used by SOC Teams to enrich the information they have in the SIEM solution.
TAXII – Trusted Automated eXchange of Intelligence Information, is the format used for Threat Intelligence when it’s transmitted. SIEM solutions can ingest Threat Intelligence TAXII feeds to enrich data.
STIX – Structured Threat Information eXpression, is a standardised language for describing threat indicators, incidents, and breaches in a readable and consistent format. Most SIEM solutions will support STIX as the format to import Threat Intelligence feeds.
Each of these areas can be expanded on, so much so that they each deserve their own post! But for now, this should provide a high-level understanding of some of the terminology used in the world of SIEM.
Thank you for reading and I shall certainly be talking a lot more about the above in future blog posts!
Great post!
Thanks Stuart 🙂