SO >= SIEM? #9722
It might be a stupid question but I'm confused. I read stuff like "Security Onion is not a SIEM" or "Security Onion as a SIEM". What is the difference between SO and a generic SIEM, like what would you need to add/change/remove in SO for it to become/work as a SIEM? I'm planning on setting up a small Security Operations Center based on SO and I'm trying to work out if there's something that I'm missing/misunderstanding regarding the function of SO.
Replies: 1 comment
Often, a generic SIEM will have some capabilities that aren't available in SO -- for example, a built-in asset inventory module or an integration with vulnerability scanners to adjust the severity of alerts. SO is optimized more around monitoring and active investigation. Also, SIEMs generally make it easier to write detections across different datasets (i.e., "If you see this malicious traffic followed by this response and if the server is running Linux and if the web server on it is Apache, raise an alert").
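To make the reply's cross-dataset rule concrete, here is an added toy correlation engine (illustration only, not code from Security Onion, from any SIEM product, or from the discussion participants). It joins three constructed datasets the way the reply describes a SIEM doing: an asset inventory (OS and web server per host), vulnerability-scanner scores used to bump alert severity, and a pipe-delimited network event stream. The inventory, scores, event format and hosts are all assumptions constructed for the example.

```python
"""Toy cross-dataset detection rule, in the style the reply says a SIEM makes easy.

Added illustration; not Security Onion or SIEM vendor code. Every dataset below is
constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed asset inventory: what a SIEM's asset module would expose to a rule.
ASSETS = {
    "10.0.0.5": {"os": "Linux", "web_server": "Apache"},
    "10.0.0.6": {"os": "Windows", "web_server": "IIS"},
    "10.0.0.7": {"os": "Linux", "web_server": "nginx"},
}

# Constructed vulnerability-scanner output: highest finding score per host.
VULN_SCORES = {"10.0.0.5": 9.1, "10.0.0.7": 4.0}


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    kind: str     # "request" (inbound traffic matching a signature) or "response"
    detail: str   # signature name for requests, HTTP status for responses


@dataclass
class Alert:
    host: str
    severity: str
    reason: str


def parse_event(line: str) -> Event:
    """Parse one constructed event line: ts|src|dst|kind|detail."""
    ts, src, dst, kind, detail = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), src, dst, kind, detail)


def adjust_severity(base: str, host: str) -> str:
    """Raise severity when the scanner reports a high-scoring finding on the host."""
    if VULN_SCORES.get(host, 0.0) >= 7.0:
        return "critical"
    return base


def correlate(events, window=timedelta(seconds=30)):
    """Rule: signature-matched request, followed within `window` by an HTTP 200 from
    the same server back to the same client, where the asset inventory says the
    server is Linux running Apache. Anything else is dropped before alerting."""
    alerts = []
    by_time = sorted(events, key=lambda e: e.ts)
    for req in (e for e in by_time if e.kind == "request" and e.detail.startswith("sig:")):
        asset = ASSETS.get(req.dst)
        if not asset or asset["os"] != "Linux" or asset["web_server"] != "Apache":
            continue  # inventory says the rule does not apply to this host
        for resp in by_time:
            if (resp.kind == "response" and resp.src == req.dst and resp.dst == req.src
                    and req.ts <= resp.ts <= req.ts + window and resp.detail == "200"):
                alerts.append(Alert(req.dst, adjust_severity("high", req.dst),
                                    f"{req.detail} followed by HTTP 200 on Linux/Apache"))
                break
    return alerts


# Constructed event stream: one true positive (10.0.0.5), two hosts the inventory
# rules out, and one 10.0.0.5 request that the server rejected.
SAMPLE_LOG = [
    "2024-05-01T10:00:00|203.0.113.9|10.0.0.5|request|sig:malicious-traffic",
    "2024-05-01T10:00:05|10.0.0.5|203.0.113.9|response|200",
    "2024-05-01T10:01:00|203.0.113.9|10.0.0.6|request|sig:malicious-traffic",
    "2024-05-01T10:01:02|10.0.0.6|203.0.113.9|response|200",
    "2024-05-01T10:02:00|203.0.113.9|10.0.0.7|request|sig:malicious-traffic",
    "2024-05-01T10:02:01|10.0.0.7|203.0.113.9|response|200",
    "2024-05-01T10:05:00|198.51.100.4|10.0.0.5|request|sig:malicious-traffic",
    "2024-05-01T10:05:01|10.0.0.5|198.51.100.4|response|403",
]


def run_rule(lines):
    """Parse the constructed log and return the alerts the rule raises."""
    return correlate([parse_event(l) for l in lines])


if __name__ == "__main__":
    for a in run_rule(SAMPLE_LOG):
        print(f"[{a.severity}] {a.host}: {a.reason}")
```

The point of the example is the shape of the rule, not its logic: the inventory and scanner tables are consulted inside the detection, which is what a SIEM's asset and vulnerability integrations give you for free and what you would otherwise have to bolt onto an NSM-centric stack like SO.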