Enum usiem::events::SiemEvent [−][src]
pub enum SiemEvent {
Show 18 variants
Firewall(FirewallEvent),
Intrusion(IntrusionEvent),
Assessment,
WebProxy(WebProxyEvent),
WebServer(WebServerEvent),
Sandbox,
Antivirus,
DLP,
Partitioned,
EDR,
Mail,
DNS(DnsEvent),
DHCP(DhcpEvent),
Auth(AuthEvent),
Endpoint,
Json(Value),
Unknown,
Artifacts,
}
Variants
Firewall(FirewallEvent)
Firewall events: connections between IPs, blocked connections…
Tuple Fields of Firewall
Intrusion(IntrusionEvent)
Intrusion detection/protection systems. Ex: Suricata, Snort, OSSEC, Wazuh, NGFW…
Tuple Fields of Intrusion
Security related assessment, like the output of vulnerability scanners (Nessus) or policy enforcers (OpenSCAP). PulseSecure and Forescout can also get in this category.
WebProxy(WebProxyEvent)
Web Browsing Proxy
Tuple Fields of WebProxy
WebServer(WebServerEvent)
Web application servers, Adaptative Distribution Content or LoadBalancers for HTTP traffic.
Ex: Apache, Nginx, Tomact or IIS.
Tuple Fields of WebServer
Like an antivirus, a Sandbox retrieves information about a file being malicious or not. Can be used to extract filenames, hashes or other relevant information to update a dataset of known hashes and trigger queries.
Ex: Wildfire, Mcafee ATD, Cuckoo…
Data Loss Prevention are devices that detect anomalous behavour related to data exfiltration.
Ex: Boldon
Some devices like email gateways generates a large number of logs when an email arrives: Header processing, AV scan, attachment information… In those cases, each log is associated with an action using a trace ID or a transaction ID.
Endpoint Detection and Response devices, also EPP.
Mail events, as the name suggest are events generated by an email gateway. Can contain threat related information if an anomaly was detected. Note that some devices generate partitioned logs instead of Mail logs.
Ex: Microsoft Exchange, IronPort, Office 365…
DNS(DnsEvent)
DNS requests events. To better correlate this type of events, be carefull of checking if it contains a dns_server tag, because that means that the originator of the request is a Recursive DNS and not an endpoint. It normally happens if the one generating the log was a firewall (Ex: Palo Alto) and not a DNS server, or if multiple DNS are used in the organization, like a DNS talking to another DNS.
Tuple Fields of DNS
0: DnsEvent
DHCP(DhcpEvent)
DHCP logs associating an IP with a MAC address.
Tuple Fields of DHCP
0: DhcpEvent
Auth(AuthEvent)
Logs related to authentication, like a user trying to log in to a Router, a server or any kind of system.
Ex: RDP, Windows, Linux, Mailbox login…
Tuple Fields of Auth
0: AuthEvent
Local events related to servers or workstations, like OS failed to update, antivirus outdated, log file cleaned, user or group changes (Including global or universal domain events). Also events related to network devices: Changes in routing policys, Firewall rules, Shutdown out of mantaince
Json(Value)
Tuple Fields of Json
0: Value
Forensic artifacts from custom parsers
Trait Implementations
Auto Trait Implementations
impl RefUnwindSafe for SiemEvent
impl UnwindSafe for SiemEvent
Blanket Implementations
Mutably borrows from an owned value. Read more