Enum usiem::events::SiemEvent

pub enum SiemEvent {
    Firewall(FirewallEvent),
    Intrusion(IntrusionEvent),
    Assessment,
    WebProxy(WebProxyEvent),
    WebServer(WebServerEvent),
    Sandbox,
    Antivirus,
    DLP,
    Partitioned,
    EDR,
    Mail,
    DNS(DnsEvent),
    DHCP(DhcpEvent),
    Auth(AuthEvent),
    Endpoint,
    Json(Value),
    Unknown,
    Artifacts,
}

Variants

Firewall(FirewallEvent)

Firewall events: connections between IPs, blocked connections…

Tuple Fields of Firewall

0: FirewallEvent

Intrusion(IntrusionEvent)

Intrusion detection/protection systems. Ex: Suricata, Snort, OSSEC, Wazuh, NGFW…

Tuple Fields of Intrusion

0: IntrusionEvent

Assessment

Security-related assessment output, such as vulnerability scanners (Nessus) or policy enforcers (OpenSCAP). PulseSecure and Forescout also fit in this category.

WebProxy(WebProxyEvent)

Web Browsing Proxy

Tuple Fields of WebProxy

0: WebProxyEvent

WebServer(WebServerEvent)

Web application servers, content distribution networks or load balancers for HTTP traffic.

Ex: Apache, Nginx, Tomcat or IIS.

Tuple Fields of WebServer

0: WebServerEvent

Sandbox

Like an antivirus, a Sandbox reports whether a file is malicious or not. It can be used to extract filenames, hashes or other relevant information to update a dataset of known hashes and trigger queries.

Ex: Wildfire, McAfee ATD, Cuckoo…

Antivirus

DLP

Data Loss Prevention (DLP) devices detect anomalous behaviour related to data exfiltration.

Ex: Boldon

Partitioned

Some devices, such as email gateways, generate a large number of logs when a single email arrives: header processing, AV scan, attachment information… In those cases each log is tied to one action by a trace ID or a transaction ID, so the pieces can be reassembled later.

EDR

Endpoint Detection and Response (EDR) devices; also Endpoint Protection Platforms (EPP).

Mail

Mail events, as the name suggests, are events generated by an email gateway. They can contain threat-related information if an anomaly was detected. Note that some devices generate Partitioned logs instead of Mail logs.

Ex: Microsoft Exchange, IronPort, Office 365…

DNS(DnsEvent)

DNS request events. To correlate this type of event correctly, check whether it carries a dns_server tag: that tag means the originator of the request is a recursive DNS server and not an endpoint. This normally happens when the log was generated by a firewall (Ex: Palo Alto) rather than by a DNS server, or when multiple DNS servers are used in the organization, such as one DNS server forwarding to another.

Tuple Fields of DNS

0: DnsEvent
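To show why the dns_server check matters when building correlations, here is an added example that is not code from usiem: it uses a hypothetical DnsRequest struct (its fields are assumptions, since DnsEvent's real fields are not shown on this page) and attributes queried domains to an endpoint only when the tag is absent, keeping resolver-originated requests in a separate bucket.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Hypothetical simplified DNS event standing in for usiem's DnsEvent;
/// the fields are assumptions made for this illustration.
#[derive(Debug, Clone)]
pub struct DnsRequest {
    pub source_ip: String,
    pub domain: String,
    /// Free-form tags attached by the parser, e.g. "dns_server".
    pub tags: BTreeSet<String>,
}

#[derive(Debug, PartialEq)]
pub struct Attribution {
    /// Domains queried by endpoints, keyed by endpoint IP.
    pub by_endpoint: BTreeMap<String, BTreeSet<String>>,
    /// Domains seen behind recursive resolvers, keyed by resolver IP.
    pub by_resolver: BTreeMap<String, BTreeSet<String>>,
}

/// The dns_server tag marks the originator as a recursive resolver
/// (firewall-logged forwarding, or resolver talking to resolver).
pub fn is_from_recursive_resolver(ev: &DnsRequest) -> bool {
    ev.tags.contains("dns_server")
}

/// Endpoint attribution is built only from endpoint-originated requests;
/// resolver-originated ones would otherwise be blamed on the resolver IP.
pub fn attribute(events: &[DnsRequest]) -> Attribution {
    let mut out = Attribution { by_endpoint: BTreeMap::new(), by_resolver: BTreeMap::new() };
    for ev in events {
        let bucket = if is_from_recursive_resolver(ev) { &mut out.by_resolver } else { &mut out.by_endpoint };
        bucket.entry(ev.source_ip.clone()).or_default().insert(ev.domain.clone());
    }
    out
}

/// Constructed sample: one endpoint query plus two firewall-logged requests
/// whose source is the internal recursive resolver.
pub fn sample_events() -> Vec<DnsRequest> {
    let tag = |t: &[&str]| t.iter().map(|s| s.to_string()).collect::<BTreeSet<_>>();
    vec![
        DnsRequest { source_ip: "10.0.0.15".into(), domain: "updates.example.com".into(), tags: tag(&[]) },
        DnsRequest { source_ip: "10.0.0.53".into(), domain: "updates.example.com".into(), tags: tag(&["dns_server"]) },
        DnsRequest { source_ip: "10.0.0.53".into(), domain: "login.example.net".into(), tags: tag(&["dns_server", "firewall"]) },
    ]
}

fn main() {
    println!("{:#?}", attribute(&sample_events()));
}
```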

DHCP(DhcpEvent)

DHCP logs associating an IP with a MAC address.

Tuple Fields of DHCP

0: DhcpEvent

Auth(AuthEvent)

Logs related to authentication, like a user trying to log in to a Router, a server or any kind of system.

Ex: RDP, Windows, Linux, Mailbox login…

Tuple Fields of Auth

0: AuthEvent

Endpoint

Local events related to servers or workstations, like an OS failing to update, an outdated antivirus, a cleared log file, or user and group changes (including global or universal domain events). Also events related to network devices: changes in routing policies or firewall rules, and shutdowns outside a maintenance window.

Json(Value)

Tuple Fields of Json

0: Value

Unknown

Artifacts

Forensic artifacts from custom parsers.

Trait Implementations

Clone: clone returns a copy of the value; clone_from performs copy-assignment from source.

Debug: fmt formats the value using the given formatter.

Serialize: serialize writes this value into the given Serde serializer.
