Data Sources
Last updated
In this section, users can configure and manage the various data sources that generate information in the form of events. These events are captured by the Security Information and Event Management (SIEM) system. Once collected, they are processed and analyzed to determine whether they constitute a security incident. This decision depends on the analysis conducted by the alert handling engine, which is configurable to meet specific criteria.
Users can view a paginated list of all created data sources. This screen provides the functionality to filter data sources based on their status, whether active or inactive. This initial dashboard is designed to facilitate the administration of data sources, allowing users to change the status, edit the settings of a specific data source, or delete it with just a few clicks.
A Data Source is any location, system, or device where data is generated or stored. This includes servers, network devices, applications, databases, file systems, and even cloud services. Data sources feed security tools and systems with real-time or near-real-time information, including Intrusion Detection and Prevention Systems (IDS/IPS), Security Information and Event Management (SIEM) systems, and network behavior analysis solutions.
When creating a data source, it's essential to provide a name and description.
It is possible to associate patterns of events (event types) detected in a data source, which share a history or similar behavior, with the goal of identifying and mapping anomalies. These patterns will serve as a reference in the development of correlation rules. This significantly enhances the efficiency of processing and uniformity in incident generation, contributing to a quicker and more accurate response to potential threats.
An Event Type is a classification used to describe the nature of an event detected by data sources. It helps security analysts understand what happened, why it happened, and how it should be addressed. Event types can be classified into various categories, such as unauthorized access attempts, system failures, configuration changes, suspicious network activities, application errors, and others. Each category represents a distinct event type with specific implications for security.
This section functions as a repository of files used to ensure normalization and standardization among clients during the implementation of the SIEM; these files are involved in processing correlation rules. Files can be loaded in .xml, .config, or .json format. Additionally, the system allows previously modified versions of these configuration files to be consulted, facilitating the management of changes over time.