Configuring your SIEM Flashcards
The first step in SIEM deployment to ensure it receives relevant event data.
Log source integration

A method to reduce noise by filtering out non-security-related logs.
Log filtering

The process of converting raw log data into a consistent format for analysis.
Normalization

The process of interpreting raw logs into labeled fields like IP, port, and action.
Log parsing

A data source commonly integrated with SIEM for detecting external threats.
Firewall logs

A log source that helps detect local user actions and system changes.
Endpoint logs

A process that associates logs from different systems into a unified view.
Correlation

Rules that trigger alerts when specific patterns or behaviors are detected.
SIEM detection rules

An alert configuration that matches known bad indicators like IPs or hashes.
IOC-based rule

An alert triggered by unusual behavior compared to historical data.
Anomaly-based alert

A scheduled review and adjustment of detection logic to reduce false positives.
SIEM tuning

The part of SIEM responsible for storing, indexing, and retrieving historical data.
Log storage and retention

A performance consideration when choosing how long to keep logs searchable.
Data retention policy

A process to ensure incoming logs are trusted and haven’t been modified.
Log integrity validation

The process of combining logs, alerts, and context into a single view of an incident.
Event correlation

A common log protocol used to send data to a SIEM over UDP or TCP.
Syslog

A SIEM feature that allows teams to track and manage the investigation process.
Case management or incident tracking

Using thresholds to trigger alerts, such as “5 failed logins in 1 minute.”
Threshold-based detection

A SIEM configuration that aggregates data from cloud platforms like AWS or Azure.
Cloud log integration

The action of creating custom rules tailored to the organization’s unique environment.
Rule customization