The primary benefit of a SIEM system to any organization is that it greatly increases the effectiveness of incident response teams. Early detection of incidents is a key factor in containment and eradication, which means a reduced overall impact.
Since SIEMs can correlate events from different data nodes and devices, they can detect incidents that would otherwise be completely missed. For example, a network intrusion prevention system can usually only see one part of an attack, while the affected host (e.g., a notebook or a server) sees the other part. By combining the logs from both devices, a SIEM sees the bigger picture and makes a complete view of the incident possible.
“A SIEM’s power is in its correlation”
Microsoft's best-practice guidance for Windows® Active Directory describes several signs that, when correlated and with Windows auditing settings properly configured, help identify and evaluate a compromised computer system. These signs can help detect malicious activity on a computer system early and in a timely manner. The following security events can be considered as part of the correlation to detect possible signs of intrusion on a Windows® operating system:
1) Two attempts to log in as the User were executed.
2) User session started successfully.
3) Special privileges were assigned to User's account.
4) A new user account was created, named "Jame".
5) A global group with security-disabled settings was created.
6) An explorer process has been created.
7) An attempt to unregister a security event source was executed.
8) Jame's account was enabled.
9) The auditing settings on an access-control object were changed.
10) Peter's account session was closed.
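The following is an added example, not code from the original page, of how a SIEM correlation rule could chain the ten signs above into a single alert. It assumes a constructed `timestamp|host|event_id|account` log format, a constructed set of sample events, and the standard Windows Security log event IDs that correspond to each sign (e.g. 4625 failed logon, 4624 successful logon, 4672 special privileges, 4720 user created); any of those are assumptions on the part of the example.

```python
from datetime import datetime, timedelta

# Assumed mapping of the page's signs to standard Windows Security event IDs.
SIGN_IDS = {
    4625: "failed logon",                       # sign 1 (two of these)
    4624: "successful logon",                   # sign 2
    4672: "special privileges assigned",        # sign 3
    4720: "user account created",               # sign 4
    4749: "security-disabled global group created",  # sign 5
    4688: "process created",                    # sign 6
    4905: "security event source unregistered", # sign 7
    4722: "user account enabled",               # sign 8
    4907: "auditing settings on object changed",# sign 9
    4634: "account logged off",                 # sign 10
}
# Post-logon signs: any one of these after the logon chain raises the alert.
PERSIST_IDS = {4720, 4722, 4749, 4905, 4907}

def parse(line):
    # Constructed format: timestamp|host|event_id|account (not a real log format)
    ts, host, eid, account = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "id": int(eid), "account": account}

def correlate(lines, window=timedelta(minutes=10), min_failed=2):
    """Return {host: [matched signs]} for every host whose events, inside one
    sliding time window, show >= min_failed failed logons followed by a
    successful logon, a privilege assignment and at least one persistence or
    anti-audit sign. Hosts that never satisfy the chain are not reported."""
    by_host = {}
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = {}
    for host, events in by_host.items():
        for i, start in enumerate(events):
            bucket = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            ids = [e["id"] for e in bucket]
            if 4624 not in ids:
                continue
            # The failed attempts must precede the successful logon.
            failures_before = ids[: ids.index(4624)].count(4625)
            if failures_before >= min_failed and 4672 in ids and PERSIST_IDS & set(ids):
                alerts[host] = sorted({SIGN_IDS[i] for i in ids if i in SIGN_IDS})
                break
    return alerts

# Constructed sample events: WS01 reproduces the page's sequence, WS02 is benign.
SAMPLE = [
    "2024-05-01T09:00:00|WS01|4625|peter", "2024-05-01T09:00:05|WS01|4625|peter",
    "2024-05-01T09:00:10|WS01|4624|peter", "2024-05-01T09:00:11|WS01|4672|peter",
    "2024-05-01T09:01:00|WS01|4720|jame",  "2024-05-01T09:01:30|WS01|4749|peter",
    "2024-05-01T09:02:00|WS01|4688|peter", "2024-05-01T09:02:30|WS01|4905|peter",
    "2024-05-01T09:03:00|WS01|4722|jame",  "2024-05-01T09:03:30|WS01|4907|peter",
    "2024-05-01T09:04:00|WS01|4634|peter",
    "2024-05-01T09:00:00|WS02|4625|alice", "2024-05-01T09:00:08|WS02|4624|alice",
    "2024-05-01T09:00:09|WS02|4688|alice",
]
```

Run on `SAMPLE`, `correlate` reports only `WS01`; the single mistyped password on `WS02` followed by a normal logon never completes the chain, which is the point of correlating rather than alerting on each event in isolation.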