Course: Cyber Security

CS Security Operations

Security Operations is typically housed within a SOC (Security Operations Center), and the terms are often used interchangeably. The primary responsibility of the SOC is to detect threats within the environment and prevent them from escalating into costly issues.

SIEM ("Security Information and Event Management")

Most systems generate logs that often contain crucial security information.

An event refers to observations derived from logs and network data, such as:

  • User logins
  • Detected network attacks
  • Transactions within applications

The SIEM collects events from the various sensors and monitors in the network and raises the alerts the SOC needs to act on. It can also correlate multiple events (for example, several related events from different sources within a short time window) to improve alert accuracy and reduce false positives.

SIEM systems typically enable the analysis of events from the following areas:

  • Network
  • Host
  • Applications

Network events are the most common but provide minimal context, showing only who is communicating, where, and when, without explaining the details.

Host events offer better insight into what users did and which users were affected. Because they are recorded on the endpoint itself, they are not hidden by encryption the way network traffic can be, which improves visibility into host activity. Many SIEMs therefore rely on the detailed information in host events rather than on network data alone.
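To make the correlation idea concrete, and to show why host events add context that network events lack, here is an added example of a minimal SIEM-style correlator. It is not code from the lesson or from any SIEM product; the log formats, sensor names, IP addresses, usernames and the rule thresholds are all constructed for illustration. It normalises a network flow log and a host login log into one event model, then alerts only when events from both sources line up: three or more failed logins from one source IP followed by a successful login on the same host, with a network flow from that IP observed in the same window.

```python
"""Added example: a tiny SIEM-style correlator over constructed logs.
Nothing here is a real product's code; formats and values are made up."""

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:
    """One normalised event, whatever sensor produced it."""
    ts: datetime
    source: str            # which sensor produced it: "network" or "host"
    kind: str              # normalised event type: flow / login_failed / login_success
    src_ip: str
    target: str            # destination IP (network) or hostname (host)
    user: Optional[str] = None   # only host events know the user


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def _kv(fields: List[str]) -> Dict[str, str]:
    """Turn ["src=1.2.3.4", "dport=22"] into a dict."""
    return dict(f.split("=", 1) for f in fields)


def parse_network_line(line: str) -> Event:
    """Constructed flow format: '<ts> flow src=<ip> dst=<ip> dport=<port>'."""
    ts, kind, *rest = line.split()
    kv = _kv(rest)
    return Event(_parse_ts(ts), "network", kind, kv["src"], kv["dst"])


def parse_host_line(line: str) -> Event:
    """Constructed host format: '<ts> host=<name> user=<name> result=FAILED|SUCCESS src=<ip>'."""
    ts, *rest = line.split()
    kv = _kv(rest)
    kind = "login_success" if kv["result"] == "SUCCESS" else "login_failed"
    return Event(_parse_ts(ts), "host", kind, kv["src"], kv["host"], user=kv["user"])


def correlate(events: List[Event],
              window: timedelta = timedelta(seconds=60),
              min_failures: int = 3) -> List[Dict[str, object]]:
    """Alert when, for one source IP, a successful host login is preceded
    within `window` by at least `min_failures` failed logins on the same
    host AND by a network flow from that IP. Either source alone would not
    fire: flows say nothing about users, host logs alone could miss the
    network path."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.src_ip].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        for i, ev in enumerate(evs):
            if ev.kind != "login_success":
                continue
            recent = [e for e in evs[:i] if e.ts >= ev.ts - window]
            failures = [e for e in recent
                        if e.kind == "login_failed" and e.target == ev.target]
            flows = [e for e in recent if e.source == "network" and e.kind == "flow"]
            if len(failures) >= min_failures and flows:
                alerts.append({
                    "rule": "brute_force_then_success",
                    "src_ip": ip,
                    "host": ev.target,        # context only host events provide
                    "user": ev.user,          # likewise
                    "failed_logins": len(failures),
                    "network_flows": len(flows),
                    "ts": ev.ts.isoformat(),
                })
    return alerts


# Constructed sample logs from two sensors (not real traffic).
NETWORK_LOG = [
    "2024-05-01T10:00:01Z flow src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:05:00Z flow src=198.51.100.9 dst=10.0.0.8 dport=443",
]
HOST_LOG = [
    "2024-05-01T10:00:02Z host=srv01 user=alice result=FAILED src=203.0.113.7",
    "2024-05-01T10:00:05Z host=srv01 user=alice result=FAILED src=203.0.113.7",
    "2024-05-01T10:00:08Z host=srv01 user=alice result=FAILED src=203.0.113.7",
    "2024-05-01T10:00:12Z host=srv01 user=alice result=SUCCESS src=203.0.113.7",
    "2024-05-01T10:05:03Z host=srv02 user=bob result=FAILED src=198.51.100.9",
    "2024-05-01T10:05:09Z host=srv02 user=bob result=SUCCESS src=198.51.100.9",
]


def run_demo() -> List[Dict[str, object]]:
    """Parse both constructed logs and run the correlation rule."""
    events = [parse_network_line(l) for l in NETWORK_LOG]
    events += [parse_host_line(l) for l in HOST_LOG]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Only the first source IP produces an alert: bob's single failed login from 198.51.100.9 is below the threshold, so the rule stays quiet even though a flow exists. Note what the alert carries that the network sensor could never supply on its own: the hostname and the user account, exactly the context the lesson says host events add.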