The primary benefit of a SIEM system to any organization, is the fact it immensely increases the effectiveness of incident response teams. The early detection of occurrences is a key factor for incident containment and eradication, which means a reduced overall impact.
This article may interest you
Since SIEMs can correlate events from different data nodesand devices, this allows for detecting incidents that would otherwise be completely missed. For example, a network intrusion prevention system can usually only see a part of an attack, while the affected host (e.g., a notebook or a server) can see the other part. A SIEM sees the bigger picture by combining logs from both devices, thus making it possible to have a complete picture of the incident.
“A SIEM’s power is in its correlation”
Microsoft Windows® Active Directory’s best practices consider different signs to identify and evaluate a compromised computer system by correlation, through a proper configuration of Windows auditing settings. These signs can help to detect a malicious activity in a computer system early and timely. The following security events can be considered as part of the correlation to detect possible signs of computer system intrusion within Windows® operating system.
1- Two attempts to login as the User were executed.
2) User session started successfully.
3) Special privileges were assigned to User’s account.
4) A new user account was created, named “Jame”.
5) A global group with security-disabled settings was created.
6) An explorer process has been created.
7) An attempt to unregister a security event source was executed.
8) Jame’s account was enabled.
9) The auditing settings on access-control object were changed.
10) Peter´s account session was closed
The content has been sourced from