A security information and event management (SIEM) system is an indispensable tool for any security operations center (SOC). It collects events from devices in your network infrastructure such as servers, cloud devices, firewalls and Wi-Fi access points to give operations professionals fine-grained visibility into activity on the network and help them spot anomalies that may signal a cyberattack.
In its raw form, this log data is almost impossible for a human to process, so advanced SIEM solutions run a step called taxonomy analysis to deliver a homogeneous view. Taxonomy extracts from each raw event the security-relevant meaning and expresses it in a human-understandable, vendor-independent form. This is a crucial step in finding meaning in events that are often isolated and heterogeneous.
Visualize Your Network Activity
There are thousands of vendors and models of devices and software that an organization may want to monitor. Taxonomy is not just important but crucial, because it is the “human understandable” form of the log activity coming from all of those devices and software products.
If you have “Authentication.Failed” and “Authentication.Success” taxonomies on your SIEM, every authentication failure log from every log type (system) should be normalized as “Authentication.Failed”, and every authentication success log as “Authentication.Success”.
In other words, when you search for logs normalized as “Authentication.Failed” on your SIEM, you must see all authentication failures from all the different sources: firewalls, servers, databases, switches, operating systems and so on.
If your SIEM normalizes logs in this way, you can write correlation rules using only taxonomy values. Otherwise, you have to struggle with a large number of vendor-specific log IDs, messages, keywords and the like.
Behold the Power of Taxonomy
To give you a sense of the power of taxonomy, here’s an example of a raw log from a firewall:
date=DATE time=TIME devname=FGT100D devid=FG100D3G13809338 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd="root" severity=high srcip=SRC dstip=DST srcintf="PUBLIC" dstintf="INTERNAL" policyid=183 identidx=0 sessionid=105176668 status=detected proto=6 service=http count=1 attackname="HTTP.URI.SQL.Injection" srcport=SRC_PORT dstport=80 attackid=15621 sensor="default" ref="http://www.fortinet.com/ids/VID15621" incidentserialno=1362017780 msg="web_misc: HTTP.URI.SQL.Injection,"
As a security administrator, the question is why the firewall produced this log, and taxonomy gives the answer. In SureLog SIEM the answer is “Malicious.Web.SQL”.
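To make the normalization and the taxonomy-only correlation rule concrete, here is an added example in Python. It is not SureLog's code and not code from this article: it maps a few constructed sshd syslog lines and FortiGate-style key=value lines (including the firewall log shown above) onto the taxonomy values named on this page, then counts authentication failures per source IP using nothing but those values. The taxonomy names come from the article; the parsing rules, the source labels, the sample log lines and the field names on the constructed FortiGate login line are assumptions.

```python
"""Toy SIEM normalizer: raw events from several sources -> shared taxonomy values,
followed by a correlation rule that looks only at taxonomy values (added example)."""
import re
import shlex
from collections import Counter
from dataclasses import dataclass, field

# Taxonomy values as used on the page; the mapping logic below is an assumption.
AUTH_FAILED = "Authentication.Failed"
AUTH_SUCCESS = "Authentication.Success"
MALICIOUS_WEB_SQL = "Malicious.Web.SQL"
UNCLASSIFIED = "Unclassified"


@dataclass
class Event:
    source: str            # which normalizer recognised the line (hypothetical labels)
    taxonomy: str          # vendor-independent meaning of the event
    fields: dict = field(default_factory=dict)


def parse_kv(line):
    """Parse key=value pairs; values may be double-quoted and contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


# sshd formats: "Failed password for [invalid user] X from IP" / "Accepted <method> for X from IP"
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+)")
SSH_OK = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<srcip>\S+)")


def normalize(line):
    """Assign a taxonomy value based on what the event means, not on who produced it."""
    m = SSH_FAIL.search(line)
    if m:
        return Event("linux-sshd", AUTH_FAILED, m.groupdict())
    m = SSH_OK.search(line)
    if m:
        return Event("linux-sshd", AUTH_SUCCESS, m.groupdict())
    if "devname=" in line and "devid=" in line:          # FortiGate-style key=value log
        f = parse_kv(line)
        if f.get("type") == "utm" and f.get("subtype") == "ips" and "SQL" in f.get("attackname", ""):
            return Event("fortigate", MALICIOUS_WEB_SQL, f)
        if f.get("type") == "event" and f.get("action") == "login":   # assumed admin-login fields
            return Event("fortigate", AUTH_SUCCESS if f.get("status") == "success" else AUTH_FAILED, f)
    return Event("unknown", UNCLASSIFIED, {"raw": line})


def correlate_auth_failures(events, threshold=3):
    """Correlation rule written purely against taxonomy: source IPs with >= threshold
    Authentication.Failed events, regardless of which system reported them."""
    counts = Counter(e.fields.get("srcip") for e in events if e.taxonomy == AUTH_FAILED)
    return {ip: n for ip, n in counts.items() if ip and n >= threshold}


def summarize(lines):
    """Taxonomy value -> number of events, across all sources."""
    return Counter(normalize(line).taxonomy for line in lines)


# Constructed sample input (documentation IP ranges); the last line is the page's firewall log.
SAMPLE_LOGS = [
    "Mar  3 10:01:12 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
    "Mar  3 10:01:15 bastion sshd[2211]: Failed password for root from 203.0.113.9 port 51030 ssh2",
    'date=2024-03-03 time=10:01:20 devname=FGT100D devid=FG100D3G13809338 type=event subtype=system '
    'level=warning action=login status=failed user="admin" srcip=203.0.113.9 msg="Administrator login failed"',
    "Mar  3 10:02:40 bastion sshd[2219]: Accepted publickey for alice from 198.51.100.4 port 40122 ssh2",
    'date=DATE time=TIME devname=FGT100D devid=FG100D3G13809338 logid=0419016384 type=utm subtype=ips '
    'eventtype=signature level=alert vd="root" severity=high srcip=SRC dstip=DST srcintf="PUBLIC" '
    'dstintf="INTERNAL" policyid=183 identidx=0 sessionid=105176668 status=detected proto=6 service=http '
    'count=1 attackname="HTTP.URI.SQL.Injection" srcport=SRC_PORT dstport=80 attackid=15621 sensor="default" '
    'ref="http://www.fortinet.com/ids/VID15621" incidentserialno=1362017780 msg="web_misc: HTTP.URI.SQL.Injection,"',
]

if __name__ == "__main__":
    events = [normalize(line) for line in SAMPLE_LOGS]
    for e in events:
        print(f"{e.source:11} {e.taxonomy:24} srcip={e.fields.get('srcip')}")
    print("summary:", dict(summarize(SAMPLE_LOGS)))
    print("auth-failure correlation hits:", correlate_auth_failures(events))
```

Note that the correlation rule never mentions sshd, FortiGate, or a log ID: two SSH failures and one firewall admin-login failure from the same address count together only because they share the taxonomy value, which is exactly the benefit the article describes.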