Enum usiem::events::SiemEvent[][src]

pub enum SiemEvent {
    Firewall(FirewallEvent),
    Intrusion(IntrusionEvent),
    Assessment,
    WebProxy(WebProxyEvent),
    WebServer(WebServerEvent),
    Sandbox,
    Antivirus,
    DLP,
    Partitioned,
    EDR,
    Mail,
    DNS(DnsEvent),
    DHCP,
    Auth(AuthEvent),
    Endpoint,
    Json(Value),
    Unknown,
    Artifacts,
}

Variants

Firewall(FirewallEvent)

Firewall events: connections between IPs, blocked connections…

Intrusion(IntrusionEvent)

Intrusion detection/protection systems. Ex: Suricata, Snort, OSSEC, Wazuh, NGFW…

Assessment

Security related assessment, like the output of vulnerability scanners (Nessus) or policy enforcers (OpenSCAP)

WebProxy(WebProxyEvent)

Web Browsing Proxy

WebServer(WebServerEvent)

Web application servers, Adaptative Distribution Content or LoadBalancers for HTTP traffic.

Ex: Apache, Nginx, Tomact or IIS.

Sandbox

Like an antivirus, a Sandbox retrieves information about a file being malicious or not. Can be used to extract filenames, hashes or other relevant information to update a dataset of known hashes and trigger queries.

Ex: Wildfire, Mcafee ATD, Cuckoo…

Antivirus
DLP

Data Loss Prevention are devices that detect anomalous behavour related to data exfiltration.

Ex: CloudSOC

Partitioned

Some devices like email gateways generates a large number of logs when an email arrives: Header processing, AV scan, attachment information… In those cases, each log is associated with an action using a trace ID or a transaction ID.

EDR

Endpoint Detection and Response devices, also EPP.

Mail

Mail events, as the name suggest are events generated by an email gateway. Can contain threat related information if an anomaly was detected. Note that some devices generate partitioned logs instead of Mail logs.

Ex: Microsoft Exchange, IronPort, Office 365…

DNS requests events. To better correlate this type of events, be carefull of checking if it contains a dns_server tag, because that means that the originator of the request is a Recursive DNS and not an endpoint. It normally happens if the one generating the log was a firewall (Ex: Palo Alto) and not a DNS server, or if multiple DNS are used in the organization, like a DNS talking to another DNS.

DHCP

DHCP logs associating an IP with a MAC address.

Auth(AuthEvent)

Logs related to authentication, like a user trying to log in to a Router, a server or any kind of system.

Ex: RDP, Windows, Linux, Mailbox login…

Endpoint

Local events related to servers or workstations, like OS failed to update, antivirus outdated, log file cleaned, user or group changes (Including global or universal domain events). Also events related to network devices: Changes in routing policys, Firewall rules, Shutdown out of mantaince

Json(Value)
Unknown
Artifacts

Forensic artifacts from custom parsers

Trait Implementations

impl Debug for SiemEvent[src]

impl Serialize for SiemEvent[src]

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T where
    T: 'static + ?Sized[src]

impl<T> Borrow<T> for T where
    T: ?Sized[src]

impl<T> BorrowMut<T> for T where
    T: ?Sized[src]

impl<T> From<T> for T[src]

impl<T, U> Into<U> for T where
    U: From<T>, [src]

impl<T, U> TryFrom<U> for T where
    U: Into<T>, [src]

type Error = Infallible

The type returned in the event of a conversion error.

impl<T, U> TryInto<U> for T where
    U: TryFrom<T>, [src]

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.