pub enum SiemEvent {
Show 18 variants
Firewall(FirewallEvent),
Intrusion(IntrusionEvent),
Assessment,
WebProxy(WebProxyEvent),
WebServer(WebServerEvent),
Sandbox,
Antivirus,
DLP,
Partitioned,
EDR,
Mail,
DNS(DnsEvent),
DHCP(DhcpEvent),
Auth(AuthEvent),
Endpoint,
Json(Value),
Unknown,
Artifacts,
}
Variants
Firewall(FirewallEvent)
Firewall events: connections between IPs, blocked connections…
Intrusion(IntrusionEvent)
Intrusion detection/protection systems. Ex: Suricata, Snort, OSSEC, Wazuh, NGFW…
Assessment
Security related assessment, like the output of vulnerability scanners (Nessus) or policy enforcers (OpenSCAP). PulseSecure and Forescout can also get in this category.
WebProxy(WebProxyEvent)
Web Browsing Proxy
WebServer(WebServerEvent)
Web application servers, Adaptative Distribution Content or LoadBalancers for HTTP traffic.
Ex: Apache, Nginx, Tomact or IIS.
Sandbox
Like an antivirus, a Sandbox retrieves information about a file being malicious or not. Can be used to extract filenames, hashes or other relevant information to update a dataset of known hashes and trigger queries.
Ex: Wildfire, Mcafee ATD, Cuckoo…
Antivirus
DLP
Data Loss Prevention are devices that detect anomalous behavour related to data exfiltration.
Ex: Boldon
Partitioned
Some devices like email gateways generates a large number of logs when an email arrives: Header processing, AV scan, attachment information… In those cases, each log is associated with an action using a trace ID or a transaction ID.
EDR
Endpoint Detection and Response devices, also EPP.
Mail
Mail events, as the name suggest are events generated by an email gateway. Can contain threat related information if an anomaly was detected. Note that some devices generate partitioned logs instead of Mail logs.
Ex: Microsoft Exchange, IronPort, Office 365…
DNS(DnsEvent)
DNS requests events. To better correlate this type of events, be carefull of checking if it contains a dns_server tag, because that means that the originator of the request is a Recursive DNS and not an endpoint. It normally happens if the one generating the log was a firewall (Ex: Palo Alto) and not a DNS server, or if multiple DNS are used in the organization, like a DNS talking to another DNS.
DHCP(DhcpEvent)
DHCP logs associating an IP with a MAC address.
Auth(AuthEvent)
Logs related to authentication, like a user trying to log in to a Router, a server or any kind of system.
Ex: RDP, Windows, Linux, Mailbox login…
Endpoint
Local events related to servers or workstations, like OS failed to update, antivirus outdated, log file cleaned, user or group changes (Including global or universal domain events). Also events related to network devices: Changes in routing policys, Firewall rules, Shutdown out of mantaince
Json(Value)
Unknown
Artifacts
Forensic artifacts from custom parsers
Trait Implementations
Auto Trait Implementations
impl RefUnwindSafe for SiemEvent
impl Send for SiemEvent
impl Sync for SiemEvent
impl Unpin for SiemEvent
impl UnwindSafe for SiemEvent
Blanket Implementations
sourceimpl<T> BorrowMut<T> for T where
T: ?Sized,
impl<T> BorrowMut<T> for T where
T: ?Sized,
const: unstable · sourcefn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value. Read more
sourceimpl<T> ToOwned for T where
T: Clone,
impl<T> ToOwned for T where
T: Clone,
type Owned = T
type Owned = T
The resulting type after obtaining ownership.
sourcefn clone_into(&self, target: &mut T)
fn clone_into(&self, target: &mut T)
toowned_clone_into
)Uses borrowed data to replace owned data, usually by cloning. Read more