Security Information and Event Management (SIEM) platforms are essential for detecting, analyzing, and responding to cybersecurity threats in real time.
However, the effectiveness of a SIEM system depends heavily on the quality and prioritization of logs ingested.
This article explores best practices for SIEM log ingestion, technical considerations, and provides a reference table of high-priority log sources and event codes for practitioners.
Understanding SIEM Log Ingestion
The Role of Log Ingestion in SIEM
SIEM log ingestion is the process of collecting, centralizing, and storing log data from diverse sources, such as endpoints, network devices, cloud platforms, and applications—into a SIEM platform for analysis and threat detection.
The process involves both agent-based and agentless methods, with protocols like Syslog commonly used for standardized log transmission.
Key Challenges
- Volume and Noise: Organizations generate vast quantities of logs, leading to potential log overload. Filtering out low-priority or irrelevant logs is crucial to avoid overwhelming analysts and to focus on actionable security events.
- Compatibility: Different systems produce logs in various formats. Ensuring compatibility and normalization is vital for efficient analysis.
- Prioritization: Not all logs are equally valuable for security monitoring. Prioritizing critical log sources and event types improves detection and response effectiveness.
Prioritizing Log Sources:
Risk-Based Approach
Organizations should tailor their SIEM log ingestion strategy to their unique risk profile, regulatory requirements, and operational environment.
The following log sources are typically prioritized for ingestion due to their high analytical value and relevance to threat detection:
- Endpoint Detection and Response (EDR) logs
- Network device logs (firewalls, routers, switches)
- Active Directory/Domain Controller logs
- Cloud platform logs (AWS, Azure, GCP)
- Application and database logs
- Operating system logs (Windows, Linux, macOS)
- Authentication and access control events
Example: Windows Event IDs
Critical Windows Event IDs for SIEM include:
- 4624: Successful logon
- 4625: Failed logon
- 4688: Process creation
- 4672: Special privileges assigned
- 1102: Audit log cleared
These events are vital for detecting unauthorized access, privilege escalation, and potential log tampering.
Technical Implementation:
Instrumenting Applications for Security Events
Applications can be instrumented to emit security-relevant events directly to the SIEM. For example, in Node.js:
javascriptfunction logSecurityEvent(eventType, details) {
const event = {
timestamp: new Date().toISOString(),
service: process.env.SERVICE_NAME,
event_type: eventType,
environment: process.env.ENVIRONMENT,
host: os.hostname(),
...details
};
console.log(JSON.stringify(event));
if (process.env.SIEM_ENDPOINT) {
axios.post(process.env.SIEM_ENDPOINT, event)
.catch(err => console.error('Failed to send to SIEM:', err));
}
}
This approach ensures consistent, contextualized logging of both successful and failed authentication attempts, supporting robust threat detection.
Querying SIEM Data
For platforms like IBM QRadar, practitioners can run AQL queries to extract relevant events:
sqlSELECT qidname(qid) AS 'Event', username AS 'Username', devicetime AS 'Time'
FROM events
WHERE 'high-level category ID' AND 'low-level category ID'
AND LOGSOURCENAME(logsourceid) LIKE "%Low-level category name%"
LAST 3 DAYS
This enables targeted analysis of specific event categories, such as authentication failures or privilege use.
High-Priority Log Sources and Event Codes
| Log Source | Example Event/Field | Description/Code |
|---|---|---|
| Windows Security Logs | Successful Logon | Event ID 4624 |
| Failed Logon | Event ID 4625 | |
| Process Creation | Event ID 4688 | |
| Audit Log Cleared | Event ID 1102 | |
| Network Device Logs | Firewall Deny/Allow | Action, Source IP, Dest IP, Protocol |
| VPN Connection/Disconnection | Event Type, User ID, Public IP | |
| Cloud Platform Logs | AWS CloudTrail Event | All (e.g., GetObject, RunInstances) |
| Azure Unified Audit Log | All | |
| Active Directory Logs | User Account Created/Changed | Event IDs 4720, 4738 |
| Privilege Use | Event ID 4672 | |
| Application Logs | Authentication Success/Failure | Custom fields (user_id, source_ip) |
| Database Logs | Query Execution | Query, User, Time |
Effective SIEM log ingestion hinges on prioritizing high-value log sources, filtering out noise, and ensuring compatibility across diverse systems.
By focusing on critical event categories and leveraging standardized log formats and technical instrumentation, organizations can enhance their threat detection and incident response capabilities—making SIEM a cornerstone of modern cybersecurity operations.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
