Security Operations Centre - Protective Monitoring - SIEM Processes - DRAFT
Author Rob Campbell
Last Update 28/4/2020
Version 0.03
Constraints
Basic Protective Monitor Process Flow
Respond
Gather
Determine
Recover
Maintain
Analyse
Security Monitoring Service - Overarching Process Flow
Security Monitoring - Gather
SIEM Log Database
SIEM - Aggregate Data
SIEM - Normalise Data
SIEM - Gather Event Data
Events
SIEM - Enrich Data
SIEM - Capture Event Data
SIEM - Maintain Event Data
Create Logging Configuration
Service Provider
Subject Matter Expert (SME)
Project Team
Define Capture and Alerting Requirements
Log Sources
System A
System B
Device A
Events
Events
Events
SIEM - Define Correlation Rules
SIEM - Define Analysis Rules
SIEM - Define Classification and Priority
Audit Query
Intelligence Query
Define Rules in SIEM
Security Monitoring - Analyse
SIEM - Analyse
SIEM - Correlate
Security Monitoring - Determine
SIEM - Triage
SIEM - Classify
SIEM - Prioritise
Sec Mon - Investigate
Define Compliance Checks
Governance, Risk and Compliance Consultant
Security Monitoring - Respond
Reports
Risk Assessment
Audit Report
Learning Points
Trend Reports
Threat Reports
Sec Mon - Respond
Raise Incident
Produce Recommendations
Monitor and Report
Incident Management
Initiate Crisis Management
Crisis Management
Initiate Forensics
Digital Forensics
Sec Mon - Continuous Improvement
SIEM
Security Monitoring - Recovery
Recover and Repair
Restore from Backup
Rebuild System
Customer Communications
Legal Response
Media Management
GDPR Reporting
Manage Reputation
Define Threat Hunting Query
SIEM Engineer
Cyber Analyst
Senior Security Analyst
Audit and Investigations Consultant
Threat Analyst
Maintain - Continuous Improvement
Sec Mon - Maintain Data Integrity
Sec Mon - Replay Queries
Sec Mon - Update Log Inventory
Sec Mon - Tune Rules
Sec Mon - Maintain Misuse and Abuse Cases
Security Orchestration and Response (SOAR)
Volume of Data
Location of Source Data
Access to relevant data in supply chain control
Understanding of the Business Threats
Understanding of the Organisation's Risks and Issues
Respond -> Recover
Respond -> Maintain
Gather -> Analyse
Determine -> Respond
Analyse -> Determine
Security Monitoring Service - Overarching Process Flow -> Project Team
Security Monitoring Service - Overarching Process Flow -> Senior Security Analyst
Security Monitoring Service - Overarching Process Flow -> Create Logging Configuration
Security Monitoring Service - Overarching Process Flow -> SIEM Engineer
Security Monitoring Service - Overarching Process Flow -> SIEM
Security Monitoring Service - Overarching Process Flow -> Define Compliance Checks
Security Monitoring Service - Overarching Process Flow -> Maintain - Continuous Improvement
Security Monitoring Service - Overarching Process Flow -> Audit Query
Security Monitoring Service - Overarching Process Flow -> Define Capture and Alerting Requirements
Security Monitoring Service - Overarching Process Flow -> Threat Analyst
Security Monitoring Service - Overarching Process Flow -> Audit and Investigations Consultant
Security Monitoring Service - Overarching Process Flow -> Cyber Analyst
Security Monitoring Service - Overarching Process Flow -> Define Threat Hunting Query
Security Monitoring Service - Overarching Process Flow -> Security Monitoring - Recovery
Security Monitoring Service - Overarching Process Flow -> Security Monitoring - Respond
Security Monitoring Service - Overarching Process Flow -> Governance, Risk and Compliance Consultant
Security Monitoring Service - Overarching Process Flow -> Security Monitoring - Determine
Security Monitoring Service - Overarching Process Flow -> Security Monitoring - Analyse
Security Monitoring Service - Overarching Process Flow -> Define Rules in SIEM
Security Monitoring Service - Overarching Process Flow -> Intelligence Query
Security Monitoring Service - Overarching Process Flow -> SIEM - Define Classification and Priority
Security Monitoring Service - Overarching Process Flow -> SIEM - Define Analysis Rules
Security Monitoring Service - Overarching Process Flow -> SIEM - Define Correlation Rules
Security Monitoring Service - Overarching Process Flow -> Log Sources
Security Monitoring Service - Overarching Process Flow -> Subject Matter Expert (SME)
Security Monitoring Service - Overarching Process Flow -> Service Provider
Security Monitoring Service - Overarching Process Flow -> Security Monitoring - Gather
Security Monitoring Service - Overarching Process Flow -> Security Orchestration and Response (SOAR)
Security Monitoring - Gather -> SIEM - Maintain Event Data
Security Monitoring - Gather -> SIEM - Capture Event Data
Security Monitoring - Gather -> SIEM - Enrich Data
Security Monitoring - Gather -> Events
Security Monitoring - Gather -> SIEM - Gather Event Data
Security Monitoring - Gather -> SIEM - Normalise Data
Security Monitoring - Gather -> SIEM - Aggregate Data
Security Monitoring - Gather -> SIEM Log Database
SIEM - Aggregate Data -> SIEM - Enrich Data
SIEM - Normalise Data -> SIEM - Aggregate Data
SIEM - Gather Event Data -> SIEM Log Database
SIEM - Gather Event Data -> SIEM - Normalise Data
Events -> SIEM - Capture Event Data
SIEM - Enrich Data -> SIEM - Correlate
SIEM - Capture Event Data -> SIEM - Gather Event Data
SIEM - Maintain Event Data -> SIEM - Enrich Data
SIEM - Maintain Event Data -> SIEM - Normalise Data
SIEM - Maintain Event Data -> SIEM - Aggregate Data
Create Logging Configuration -> Log Sources
Service Provider -> Create Logging Configuration
Subject Matter Expert (SME) -> Create Logging Configuration
Project Team -> Create Logging Configuration
Define Capture and Alerting Requirements -> Create Logging Configuration
Log Sources -> Events
Log Sources -> Events
Log Sources -> Events
Log Sources -> Device A
Log Sources -> System B
Log Sources -> System A
Log Sources -> SIEM - Capture Event Data
System A -> Events
Events -> System B
Events -> Device A
SIEM - Define Correlation Rules -> Define Rules in SIEM
SIEM - Define Analysis Rules -> Define Rules in SIEM
SIEM - Define Classification and Priority -> Define Rules in SIEM
Audit Query -> Sec Mon - Investigate
Intelligence Query -> Sec Mon - Investigate
Define Rules in SIEM -> SIEM
Define Rules in SIEM -> Security Monitoring - Determine
Define Rules in SIEM -> Security Monitoring - Analyse
Define Rules in SIEM -> Security Monitoring - Gather
Security Monitoring - Analyse -> SIEM - Correlate
Security Monitoring - Analyse -> SIEM - Analyse
SIEM - Analyse -> SIEM - Triage
SIEM - Correlate -> SIEM - Analyse
Security Monitoring - Determine -> Sec Mon - Investigate
Security Monitoring - Determine -> SIEM - Prioritise
Security Monitoring - Determine -> SIEM - Classify
Security Monitoring - Determine -> SIEM - Triage
SIEM - Triage -> SIEM - Classify
SIEM - Classify -> SIEM - Prioritise
SIEM - Prioritise -> Sec Mon - Investigate
Sec Mon - Investigate -> Sec Mon - Respond
Governance, Risk and Compliance Consultant -> Define Compliance Checks
Security Monitoring - Respond -> Sec Mon - Continuous Improvement
Security Monitoring - Respond -> Digital Forensics
Security Monitoring - Respond -> Initiate Forensics
Security Monitoring - Respond -> Crisis Management
Security Monitoring - Respond -> Initiate Crisis Management
Security Monitoring - Respond -> Incident Management
Security Monitoring - Respond -> Monitor and Report
Security Monitoring - Respond -> Produce Recommendations
Security Monitoring - Respond -> Raise Incident
Security Monitoring - Respond -> Sec Mon - Respond
Security Monitoring - Respond -> Reports
Reports -> Maintain - Continuous Improvement
Reports -> Threat Reports
Reports -> Trend Reports
Reports -> Learning Points
Reports -> Audit Report
Reports -> Risk Assessment
If Recovery Required: Sec Mon - Respond -> Recover and Repair
Sec Mon - Respond -> Sec Mon - Continuous Improvement
Sec Mon - Respond -> Initiate Forensics
Sec Mon - Respond -> Initiate Crisis Management
Sec Mon - Respond -> Monitor and Report
Sec Mon - Respond -> Produce Recommendations
Sec Mon - Respond -> Raise Incident
Reclassify: Sec Mon - Respond -> SIEM - Classify
Raise Incident -> Incident Management
Produce Recommendations -> Reports
Monitor and Report -> Reports
Initiate Crisis Management -> Crisis Management
Initiate Forensics -> Digital Forensics
Sec Mon - Continuous Improvement -> Maintain - Continuous Improvement
Security Monitoring - Recovery -> Manage Reputation
Security Monitoring - Recovery -> GDPR Reporting
Security Monitoring - Recovery -> Media Management
Security Monitoring - Recovery -> Legal Response
Security Monitoring - Recovery -> Customer Communications
Security Monitoring - Recovery -> Rebuild System
Security Monitoring - Recovery -> Restore from Backup
Security Monitoring - Recovery -> Recover and Repair
Recover and Repair -> Manage Reputation
Recover and Repair -> GDPR Reporting
Recover and Repair -> Legal Response
Recover and Repair -> Rebuild System
Recover and Repair -> Restore from Backup
Manage Reputation -> Legal Response
Manage Reputation -> Customer Communications
Manage Reputation -> Media Management
Define Threat Hunting Query -> Sec Mon - Investigate
SIEM Engineer -> Define Capture and Alerting Requirements
SIEM Engineer -> SIEM - Define Correlation Rules
SIEM Engineer -> SIEM - Define Analysis Rules
SIEM Engineer -> SIEM - Define Classification and Priority
Cyber Analyst -> Sec Mon - Investigate
Senior Security Analyst -> Sec Mon - Investigate
Audit and Investigations Consultant -> Audit Query
Audit and Investigations Consultant -> Intelligence Query
Threat Analyst -> Define Threat Hunting Query
Maintain - Continuous Improvement -> Sec Mon - Maintain Misuse and Abuse Cases
Maintain - Continuous Improvement -> Sec Mon - Tune Rules
Maintain - Continuous Improvement -> Sec Mon - Update Log Inventory
Maintain - Continuous Improvement -> Sec Mon - Replay Queries
Maintain - Continuous Improvement -> Sec Mon - Maintain Data Integrity
Security Orchestration and Response (SOAR) -> SIEM
Security Orchestration and Response (SOAR) -> Security Monitoring - Gather
Security Orchestration and Response (SOAR) -> Security Monitoring - Analyse
Security Orchestration and Response (SOAR) -> Security Monitoring - Determine