Enum usiem::events::SiemEvent [−][src]
Variants
Firewall(FirewallEvent)
Firewall events: connections between IPs, blocked connections…
Intrusion(IntrusionEvent)
Intrusion detection/protection systems. Ex: Suricata, Snort, OSSEC, Wazuh, NGFW…
Security related assessment, like the output of vulnerability scanners (Nessus) or policy enforcers (OpenSCAP)
WebProxy(WebProxyEvent)
Web Browsing Proxy
WebServer(WebServerEvent)
Web application servers, Adaptative Distribution Content or LoadBalancers for HTTP traffic.
Ex: Apache, Nginx, Tomact or IIS.
Like an antivirus, a Sandbox retrieves information about a file being malicious or not. Can be used to extract filenames, hashes or other relevant information to update a dataset of known hashes and trigger queries.
Ex: Wildfire, Mcafee ATD, Cuckoo…
Data Loss Prevention are devices that detect anomalous behavour related to data exfiltration.
Ex: CloudSOC
Some devices like email gateways generates a large number of logs when an email arrives: Header processing, AV scan, attachment information… In those cases, each log is associated with an action using a trace ID or a transaction ID.
Endpoint Detection and Response devices, also EPP.
Mail events, as the name suggest are events generated by an email gateway. Can contain threat related information if an anomaly was detected. Note that some devices generate partitioned logs instead of Mail logs.
Ex: Microsoft Exchange, IronPort, Office 365…
DNS(DnsEvent)
DNS requests events. To better correlate this type of events, be carefull of checking if it contains a dns_server tag, because that means that the originator of the request is a Recursive DNS and not an endpoint. It normally happens if the one generating the log was a firewall (Ex: Palo Alto) and not a DNS server, or if multiple DNS are used in the organization, like a DNS talking to another DNS.
DHCP logs associating an IP with a MAC address.
Auth(AuthEvent)
Logs related to authentication, like a user trying to log in to a Router, a server or any kind of system.
Ex: RDP, Windows, Linux, Mailbox login…
Local events related to servers or workstations, like OS failed to update, antivirus outdated, log file cleaned, user or group changes (Including global or universal domain events). Also events related to network devices: Changes in routing policys, Firewall rules, Shutdown out of mantaince
Json(Value)
Forensic artifacts from custom parsers
Trait Implementations
Auto Trait Implementations
impl RefUnwindSafe for SiemEvent
impl Send for SiemEvent
impl Sync for SiemEvent
impl Unpin for SiemEvent
impl UnwindSafe for SiemEvent
Blanket Implementations
impl<T> Any for T where
T: 'static + ?Sized,
[src]
T: 'static + ?Sized,
impl<T> Borrow<T> for T where
T: ?Sized,
[src]
T: ?Sized,
impl<T> BorrowMut<T> for T where
T: ?Sized,
[src]
T: ?Sized,
pub fn borrow_mut(&mut self) -> &mut T
[src]
impl<T> From<T> for T
[src]
impl<T, U> Into<U> for T where
U: From<T>,
[src]
U: From<T>,
impl<T, U> TryFrom<U> for T where
U: Into<T>,
[src]
U: Into<T>,
type Error = Infallible
The type returned in the event of a conversion error.
pub fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>
[src]
impl<T, U> TryInto<U> for T where
U: TryFrom<T>,
[src]
U: TryFrom<T>,