How does SIEM logging work?

April 13, 2020 | Conrad Constantine

Many companies approach achieving better security the way some people approach achieving better fitness. They spend a lot of money buying a Security Information and Event Management (SIEM) product, much like the way people will purchase an expensive health club membership. But if the company does not follow through and use the SIEM properly, they will fail. Same with people…

March 9, 2020 | Conrad Constantine

What to log in a SIEM: SIEM and security logging best practices explained

Security log management explained In Part 1 of this series, we discussed what a SIEM actually is. Now we are going to dive down into the essential underpinnings of a SIEM – the lowly, previously unappreciated, but critically important log files. This is a 3 part blog to help you understand SIEM fundamentals. It’s a big topic, so we broke…


March 25, 2014 | Conrad Constantine

Better than SIEM: Unified Security Management

In Part 1 of this series, we discussed what a SIEM actually is. In Part 2, we discussed what kind of logs you need for an effective SIEM implementation. So life should be grand, right? Nope, the big problem is that most systems’ log files don’t contain entries that say, “Help! Help! I’m being attacked!”…

December 23, 2013 | Conrad Constantine

How to Handle Your First Security Breach: Survival Tips

So you've finally accepted it's just a matter of time before you need to handle your first security breach; despite all the work you've put in to your monitoring and response program, the long hours chasing down those last unidentified systems on the network, the endless meetings with department stakeholders and the uncountable hours optimizing your SIEM'…

February 25, 2012 | Conrad Constantine

Got a Question for the labs guys? Come Heckle us at RSA Booth 717 and Bsides

So once again, the time to drink from the firehose is upon us: RSA Conference 2012 and BSides San Francisco are a few short days away. This year is looking like it will be an event of monstrous proportions: 2011 was an exceptionally busy year for things of significance in the Infosec world and there’s no shortage of hot topics to…

February 25, 2012 | Conrad Constantine

If It's Stupid and it works, It's not Stupid!

One of my favorite ways to explain threat-modelling to people outside the field starts with a little humor: A martial arts instructor is teaching a new class; wanting to impress them with his flashy techniques, he picks on the frailest-looking new student and instructs them to attack him… the student, who has never been in an actual fight before, comes…

January 19, 2012 | Conrad Constantine

New Garage Tool: ClearCutter

I’ve just finished committing the first alpha release of ClearCutter to the Alienvault-Garage repository on GoogleCode. It’s a tool born of necessity, for anyone who’s spent a good amount of time on those ‘SIEM pre-processing’ tasks, neck-deep in sed, grep, awk, uniq. ClearCutter (because it ‘clears a forest of logs’) is my work-in-progress combination tool for all those…

December 6, 2011 | Conrad Constantine

Easy entry to SIEM Correlation Rules with Policy Validation

“We’d love to do log correlation, but we just don’t know where to start!” If I had a dollar for every time I’ve heard this expressed, I’d ... have enough to buy everyone in the company a round of drinks.. Start with what you know For most organizations, the amount of…

December 6, 2011 | Conrad Constantine

SIEM for ITIL-Mature Incident Response (Part 2)

In between firefighting the crisis of the week, we hope you have time to read the latest in my series on the path to using SIEM as the foundation for building an Incident Response team that adds value to the enterprise outside of crisis times. Once I started on this document series it became obvious that it wasn’t…

November 28, 2011 | Conrad Constantine

SIEM for ITIL-Mature Incident Response (Part 1)

Incident Response is a field stuck in perpetual-firefighting mode, when it exists at all as a formalized unit. Yet as major breaches continue to happen, Incident Response proves to be possibly the most essential part of any Enterprise Security Program; in the words of Bruce Schneier: “You can’t defend. You can’t prevent. The only thing…

November 23, 2011 | Conrad Constantine

8 Years of OSSIM

We love data visualization, it’s true, and Information Security is always in need of new ways to adapt visualization techniques to mining through event data. This is a particular visualization engine I’ve been looking at lately to adapt for replaying complex timelines (e.g. replays of Breach evidence)… but out of the box, it does…