SIEM Terms and Definitions
- Written by: Colton Bachman
Security information and event management (SIEM) is a powerful tool that provides a holistic view into an organization’s technology security. To help you better understand SIEM and some of the most commonly used terms, we have provided the following list of definitions.
Device – Generic term for server, firewall, switch, workstation, etc. The term “network device” can refer to devices that interconnect the network, such as firewalls, routers, and switches, but does not refer to servers or workstations.
CMDB – Configuration Management Database. The CMDB lists all the devices that are reporting logs to the SIEM. Each device in the CMDB displays the health of the device along with the current events per second (EPS). Devices with SNMP or WMI configured can also display numerous performance metrics.
SNMP – Stands for Simple Network Management Protocol and allows the SIEM to pull performance metrics from SNMP-enabled devices.
WMI – Windows Management Instrumentation is another service that allows the SIEM to pull performance metrics. It only works on Windows devices.
Performance metrics – Devices configured with SNMP or WMI display various metrics, such as memory utilization, installed software, and uptime. Having SNMP enabled also allows the SIEM to pull metrics such as interface utilization, running software, and hardware information.
Syslog – Logging standard that allows devices to send their event logs to a logging server.
Event – An event is one entry of the log file that a device sends to the SIEM. A logon failure or a denied connection are examples of events.
Rule – The SIEM parses attributes out of each event and correlates it with logs from the other devices reporting to the SIEM. The logs are run against rules, which look for a pattern of events matching specified criteria. When a pattern is discovered, an incident is triggered.
Incident – An incident is a unique instance of a rule being triggered. An incident records the definition of the rule and the events that triggered it.
Ticket – Incidents create tickets, which enable analysts to review incident information. Once reviewed, analysts are able to decide whether or not a customer needs to be alerted.
Exception – An exception adds a condition to a rule to prevent it from triggering when specific conditions are met. For instance, a vulnerability scanner that runs regularly would generate an excessive number of tickets even though the traffic is legitimate. An exception would be added to reduce the rate of false positives created by the vulnerability scanner.
False positive – A false positive is when a rule triggers that doesn’t represent a true security incident. See for a more in-depth look at false positives.
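The rule, incident and exception terms above fit together in one correlation pass. The following is an added example written for this page, not any SIEM product's code: the event fields, the rule and exception formats, and the 10.0.0.9 scanner address are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, as a SIEM would hold them after parsing the
# syslog entries a device sent: timestamp, reporting device, event type, source IP.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "device": "fw01", "type": "logon_failure", "src": "203.0.113.5"},
    {"ts": "2024-05-01T10:00:20", "device": "fw01", "type": "logon_failure", "src": "203.0.113.5"},
    {"ts": "2024-05-01T10:00:40", "device": "fw01", "type": "logon_failure", "src": "203.0.113.5"},
    {"ts": "2024-05-01T10:01:00", "device": "fw01", "type": "logon_failure", "src": "10.0.0.9"},
    {"ts": "2024-05-01T10:01:10", "device": "fw01", "type": "logon_failure", "src": "10.0.0.9"},
    {"ts": "2024-05-01T10:01:20", "device": "fw01", "type": "logon_failure", "src": "10.0.0.9"},
    {"ts": "2024-05-01T10:30:00", "device": "fw01", "type": "denied_connection", "src": "198.51.100.7"},
]

# Rule: a pattern of events, here 3 or more logon failures from one source within 5 minutes.
RULE = {"name": "Repeated logon failures", "type": "logon_failure",
        "threshold": 3, "window": timedelta(minutes=5)}

# Exception: an extra condition that stops the rule triggering for the vulnerability
# scanner (10.0.0.9 is a constructed address standing in for the scanner).
EXCEPTIONS = {"Repeated logon failures": {"src": {"10.0.0.9"}}}


def excepted(rule_name, event):
    """True when an exception condition for this rule matches the event."""
    conditions = EXCEPTIONS.get(rule_name, {})
    return any(event.get(field) in values for field, values in conditions.items())


def correlate(events, rule):
    """Run events against the rule; each matched pattern becomes one incident."""
    incidents = []
    recent = defaultdict(list)  # per source: matching events still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != rule["type"] or excepted(rule["name"], ev):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        bucket = recent[ev["src"]]
        bucket.append((ts, ev))
        bucket[:] = [(t, e) for t, e in bucket if ts - t <= rule["window"]]
        if len(bucket) >= rule["threshold"]:
            # The incident records the rule and the events that triggered it.
            incidents.append({"rule": rule["name"], "src": ev["src"],
                              "events": [e for _, e in bucket]})
            bucket.clear()  # one incident per burst, not one per extra failure
    return incidents
```

Running `correlate(EVENTS, RULE)` yields a single incident for 203.0.113.5 with its three failures attached; the scanner's identical burst produces nothing because the exception filters it before the threshold is counted.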
EPS – Events per second that a device sends to the SIEM. Changes in EPS may indicate that a device needs to be checked for configuration or security issues.
Deny/exclude list – A list of hostnames, IPs, etc. that are blocked from network access. Typically, IPs are excluded to prevent users from accessing malicious websites or to prevent known malicious IPs from connecting to the network.
Allow list – The opposite of a deny/exclude list. Instead of blocking certain IPs, it allows access from specified IPs and blocks all others.
STM – Synthetic Transaction Monitoring (STM) monitors the availability of certain services, such as email servers or websites.
Discovery – A discovery is a process that searches for devices on the network. It attempts to resolve a host name and uses configured credentials to initialize monitoring for certain protocols.
Still have more questions? If so, contact us, and we will help answer them.