TEAM: Huntress Managed Security Information and Event Management (Managed SIEM)
ENVIRONMENT: Local syslog, HEC, API, or OS logs
SUMMARY: What is SIEM? How is Huntress Managed SIEM different? What is the difference between the source types? Where does SIEM fit in Huntress realm of products?
Huntress Managed SIEM Overview
Security Information and Event Management (SIEM) is a product that collects data from various sources and consolidates this information to provide a detailed record of past events. These past events provide security teams with information they need for compliance, security posture improvement, and to detect and respond to threats. Huntress Managed SIEM (Security Information and Event Management) goes beyond traditional SIEM by reviewing SIEM data with our 24/7 SOC team to respond to threats, eliminating the need for an onsite team to review SIEM data.
Huntress Managed SIEM also leverages our experience in threat response and detection to intelligently filter out noise and retain only the security-relevant data, thus reducing the cost, time to resolution, and complexity of dealing with large amounts of data (more about Smart Filters here). We work with major cybersecurity insurance companies and governing bodies to ensure Huntress Smart Filter data is fully compliant with insurance companies requirements and regulatory bodies.
Why Huntress Managed SIEM
- SIEM data is intelligently filtered to only store data that is needed for compliance and incident response, saving you money.
- Huntress Smart Filter reduces noise inside your SIEM data, giving easier access to the data that matters.
- Consistent billing: Huntress SIEM has a simple pricing structure based on number of sources, no more worrying about data consumed and overages!
- Data is seamlessly sent into the Huntress SOC pipeline for 24/7 response to new threats without needing your own team reviewing SIEM data.
How Managed SIEM Complements Your Security Stack
Managed SIEM acts as the central correlation engine for your entire security environment, helping to validate and enrich data collected by other Huntress products.
- While solutions like EDR and ITDR focus on specific threats on endpoints and identities, SIEM provides the necessary environmental context. It can correlate a suspicious logon (from ITDR or local Windows Event Log data) with a corresponding firewall change or a failed network access attempt (from syslog) to build a complete, high-fidelity picture of the attack. This can be the key info that bridges the gap between detecting malicious/suspicious programs/activity and detecting the corresponding legitimate tools being used without authorization.
- Unified Defense: By collecting logs from every corner of your network, including cloud services, firewalls, and endpoints, SIEM ensures that threats that bypass one defense are still caught by another.
Differences Between Source Types
Huntress Managed SIEM can ingest data from a wide variety of sources. Here's a brief description of each:
Syslog is a standard protocol for sending device data into a SIEM. This requires a compatible syslog source (typically a firewall but some other devices are supported) and a Huntress agent setup on the same LAN to listen on a specific port for data. Check out our configuration guides here and our troubleshooting guide here.
Operating System logs - Huntress can automatically pull Windows Event Logs and Linux AuditD/JournalD logs for information about user and program activity on each endpoint. Once setup, this data is pulled automatically by the Huntress agent installed on the endpoint. You can read more about OS logs here.
HEC (HTTP Event Collector) is a mechanism to send data across the internet for the purpose of storing it in a SIEM system. HEC sources do not need a corresponding Huntress agent collector to receive the data, instead data is sent directly to the Huntress cloud. Traditionally this is associated with Splunk, however Huntress can ingest this data without Splunk. A list of compatible sources is available here.
API sources are similar to HEC in that data is sent across the internet and doesn't require a Huntress agent to collect the data. Unlike HEC there isn't a standard so each integration is custom built by Huntress, see our full list of API sources here. The biggest difference between API and HEC is that API uses 2 way communication, while HEC is a 1 way data transfer.
Getting Started with Managed SIEM
You can enable and configure your first log sources right from your Huntress portal.
- See our guide on how to start your SIEM trial.
- To learn how to search and query your data, see our Managed SIEM Log Search Guide.
- For further reading, check out our SIEM documentation here.