What is SIEM

Hatice Zehra Kamanlı
2 min read · Feb 28, 2024


Security Information and Event Management (SIEM)

A SIEM is a tool that collects log data from endpoints and network devices across the network, stores it in a central place in a common (normalized) format, and correlates the events it holds to surface security-relevant activity.

Log sources can be divided into two logical groups: Host-Centric Log Sources (for example Windows Event Logs, Sysmon, Linux auth logs) and Network-Centric Log Sources (for example firewall, proxy, VPN and IDS/IPS logs).

Security information and event management tools

1- ArcSight

2- IBM QRadar

3- Splunk

How to Detect an Event in SIEM?

Detection of an event in a SIEM is typically accomplished through a combination of the following steps:

  • Data Collection: The SIEM collects security events from different sources in your network (firewalls, gateways, servers, databases, etc.). Because every source logs in its own format, the events are parsed and normalized into a common schema before being stored in a central database where they can be searched and analyzed.
  • Creating Rules for Events: Analysts define rules for the security events that need to be detected. A rule fires when certain conditions are met. For example, a rule can raise an incident if one account logs on to many devices within a short time window, or if an account produces a burst of failed logons (Windows Event ID 4625) followed by a successful logon (Event ID 4624) from the same source address.
  • Analysis of Events: The SIEM evaluates the collected events against the rules, flags potentially harmful activity and assigns each finding a severity. At this stage human review is usually still required to decide whether an alert is a real threat or a false positive.
  • Alarm Creation: When a rule matches, the SIEM creates an alarm to notify the appropriate personnel, so that security administrators can respond to incidents faster.
  • Reporting: The SIEM presents security events in detailed reports that help administrators understand the security status of the network. These reports can be used to identify weaknesses, analyze risks and demonstrate compliance with regulatory requirements.

Benefit of using a SIEM

SIEM tools offer many benefits that can help strengthen an organization’s overall security posture, including:

  • A central view of potential threats
  • Real-time threat identification and response
  • Advanced threat intelligence
  • Regulatory compliance auditing and reporting
  • Greater transparency monitoring users, applications, and devices

In a SIEM, “correlation” means combining and analyzing security events from different sources to determine whether an event or activity occurring on the network is part of a larger security threat, rather than judging each event in isolation.
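The pipeline described under “How to Detect an Event in SIEM?” and the correlation step defined above, as an added example that is not part of the original post and not any vendor's code. It collects raw lines from one network-centric and two host-centric sources (in three different formats), normalizes them into a common schema, and runs two correlation rules over the result. Windows Event IDs 4624 (successful logon) and 4625 (failed logon) are the real Security-log identifiers; every log line, host name, user and IP address below is constructed for the example.

```python
"""Toy SIEM pipeline: collect -> normalize -> correlate -> alert.

Added example, not code from the original post or from any SIEM product.
All log lines, hosts, users and IPs are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. Data collection: raw lines from three sources, each in its own format.
RAW_EVENTS = [
    # Host-centric: Windows Security log, flattened as "timestamp|EventID|host|user|src_ip"
    ("windows", "2024-02-28T09:00:01Z|4625|WS01|jdoe|203.0.113.7"),
    ("windows", "2024-02-28T09:00:03Z|4625|WS01|jdoe|203.0.113.7"),
    ("windows", "2024-02-28T09:00:05Z|4625|WS01|jdoe|203.0.113.7"),
    ("windows", "2024-02-28T09:00:08Z|4625|WS01|jdoe|203.0.113.7"),
    ("windows", "2024-02-28T09:00:11Z|4625|WS01|jdoe|203.0.113.7"),
    ("windows", "2024-02-28T09:00:14Z|4624|WS01|jdoe|203.0.113.7"),
    # Host-centric: Linux sshd, syslog style
    ("sshd", "2024-02-28T09:05:00Z FS01 sshd: Accepted password for jdoe from 203.0.113.7"),
    ("sshd", "2024-02-28T09:06:00Z DB01 sshd: Accepted password for jdoe from 203.0.113.7"),
    # Network-centric: firewall, key=value style
    ("firewall", "2024-02-28T09:00:00Z action=allow src=203.0.113.7 dst=10.0.0.5 dport=3389"),
    # Benign noise: a single mistyped password from the office LAN, then success
    ("windows", "2024-02-28T10:00:00Z|4625|WS02|asmith|10.0.0.22"),
    ("windows", "2024-02-28T10:00:06Z|4624|WS02|asmith|10.0.0.22"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# --- 2. Normalization: map every source onto one schema so rules can ignore formats.
def normalize(source, line):
    if source == "windows":
        ts, eid, host, user, ip = line.split("|")
        outcome = {"4624": "success", "4625": "failure"}[eid]
        return dict(ts=_ts(ts), category="host", host=host, user=user,
                    src_ip=ip, outcome=outcome, event_id=eid)
    if source == "sshd":
        ts, host, _, verb, _, _, user, _, ip = line.split()
        outcome = "success" if verb == "Accepted" else "failure"
        return dict(ts=_ts(ts), category="host", host=host, user=user,
                    src_ip=ip, outcome=outcome, event_id=verb)
    if source == "firewall":
        ts, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        return dict(ts=_ts(ts), category="network", host=f["dst"], user=None,
                    src_ip=f["src"], outcome=f["action"], event_id=f["dport"])
    raise ValueError(f"unknown source {source}")


# --- 3. Correlation rules: each looks across several events, not at one in isolation.
def rule_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=2)):
    """>= threshold failed logons for one (src_ip, user) inside `window`, then a success."""
    alerts, failures = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["category"] != "host":
            continue
        key = (e["src_ip"], e["user"])
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if e["outcome"] == "failure":
            failures[key] = recent + [e["ts"]]
        elif e["outcome"] == "success" and len(recent) >= threshold:
            alerts.append(dict(rule="brute_force_success", severity="high", user=e["user"],
                               src_ip=e["src_ip"], host=e["host"], failures=len(recent)))
            failures[key] = []
    return alerts


def rule_many_hosts(events, min_hosts=3, window=timedelta(minutes=10)):
    """One account successfully logging on to >= min_hosts distinct hosts inside `window`."""
    alerts, seen, fired = [], defaultdict(list), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["category"] != "host" or e["outcome"] != "success":
            continue
        seen[e["user"]] = [(t, h) for t, h in seen[e["user"]] if e["ts"] - t <= window]
        seen[e["user"]].append((e["ts"], e["host"]))
        hosts = sorted({h for _, h in seen[e["user"]]})
        if len(hosts) >= min_hosts and e["user"] not in fired:
            fired.add(e["user"])
            alerts.append(dict(rule="account_on_many_hosts", severity="medium",
                               user=e["user"], hosts=hosts))
    return alerts


# --- 4. Alarm creation: run the rules and hand the alerts to whoever is on call.
def run_pipeline(raw_events=RAW_EVENTS):
    events = [normalize(src, line) for src, line in raw_events]
    alerts = rule_bruteforce_then_success(events) + rule_many_hosts(events)
    return events, alerts


if __name__ == "__main__":
    _, found = run_pipeline()
    for a in found:
        print(a["severity"].upper(), a)
```

Neither alert is visible in any single line: the brute-force rule needs the five 4625 events and the following 4624 from the same source address, and the lateral-movement rule needs logons recorded by two different host log formats. The single failed logon from `asmith` stays below the threshold and produces nothing, which is the noise a SIEM rule has to tolerate.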

What is an Event ID?

Event identifiers uniquely identify a particular event within its source. Each event source (provider) can define its own numbered events and the description strings they map to in its message file, so the same number can mean different things in different sources; event viewers present these strings to the user. On Windows, for example, Security log Event ID 4624 is a successful logon and 4625 a failed logon.

To learn about the format, see here.

A list of all Windows Event IDs is available here.
