← [Section 08](README.md) · [Home](../README.md)

# SIEM and alerts

## Goal

Understand what a **SIEM** is, how **detection rules** are built, how to balance alerts (signal vs noise), and how to integrate runtime detection with [logging](logging-audit-trail.md).

## Prerequisites

- [logging-audit-trail.md](logging-audit-trail.md).
- The basic difference between metrics and logs.

## Time

~30 minutes of reading + designing 3 detection rules

---

## What is a SIEM

A **SIEM** (Security Information and Event Management) is a platform for:

1. **Collection** — ingest logs from many sources
2. **Normalization** — common schema
3. **Correlation** — connect events across systems
4. **Detection** — rules, ML (optional)
5. **Alerting** — notify on-call
6. **Investigation** — search, dashboards

Examples: Splunk, Elastic Security, Microsoft Sentinel, Wazuh (open source).

## SIEM vs log aggregator

| | Loki / basic Elastic | SIEM |
|---|---------------------|------|
| Store & search | ✅ | ✅ |
| Security content pack | Limited | Built-in use cases |
| Case management | Add-on | Often included |
| Compliance reports | Manual | Templates |

Small team: start with Elastic plus its security rules, or Wazuh; grow into an enterprise SIEM later.

## Detection rule anatomy

```
Trigger: 5+ login_failed from same IP in 5 min
         AND no login_success same IP
Action:  alert severity HIGH → Slack #security
Context: top targeted usernames, geo, user-agent
Runbook: link to IR playbook
```

| Component | Purpose |
|-----------|---------|
| **Data source** | App auth logs, CloudTrail |
| **Logic** | Threshold, sequence, anomaly |
| **Severity** | P1–P4 mapping |
| **Response** | Ticket, page, auto-block (careful) |
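The brute-force rule sketched above, implemented as detection logic over constructed auth log lines. This is an added example, not code from the page or from any SIEM product; the JSON field names (`ts`, `event`, `ip`, `user`), the sample addresses and the runbook path are assumptions. The `exclude_success` switch shows why the "no login_success from the same IP" clause matters: without it, a user who mistypes a password five times and then signs in raises the same HIGH alert as a real attack.

```python
"""Brute-force login detection over constructed auth log lines.

Rule (as on the page): 5+ login_failed from the same IP within 5 minutes
AND no login_success from that IP inside the same window.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line. Field names and
# addresses are assumptions for this example, not a real log format.
SAMPLE_LOGS = """
{"ts": "2024-05-01T10:00:00Z", "event": "login_failed", "ip": "203.0.113.5", "user": "alice"}
{"ts": "2024-05-01T10:00:30Z", "event": "login_failed", "ip": "203.0.113.5", "user": "bob"}
{"ts": "2024-05-01T10:01:00Z", "event": "login_failed", "ip": "203.0.113.5", "user": "admin"}
{"ts": "2024-05-01T10:01:30Z", "event": "login_failed", "ip": "203.0.113.5", "user": "root"}
{"ts": "2024-05-01T10:02:00Z", "event": "login_failed", "ip": "203.0.113.5", "user": "admin"}
{"ts": "2024-05-01T10:00:10Z", "event": "login_failed", "ip": "198.51.100.7", "user": "carol"}
{"ts": "2024-05-01T10:00:40Z", "event": "login_failed", "ip": "198.51.100.7", "user": "carol"}
{"ts": "2024-05-01T10:01:10Z", "event": "login_failed", "ip": "198.51.100.7", "user": "carol"}
{"ts": "2024-05-01T10:01:40Z", "event": "login_failed", "ip": "198.51.100.7", "user": "carol"}
{"ts": "2024-05-01T10:02:10Z", "event": "login_failed", "ip": "198.51.100.7", "user": "carol"}
{"ts": "2024-05-01T10:02:40Z", "event": "login_success", "ip": "198.51.100.7", "user": "carol"}
{"ts": "2024-05-01T09:00:00Z", "event": "login_failed", "ip": "192.0.2.9", "user": "dave"}
{"ts": "2024-05-01T09:30:00Z", "event": "login_failed", "ip": "192.0.2.9", "user": "dave"}
{"ts": "2024-05-01T10:00:00Z", "event": "login_failed", "ip": "192.0.2.9", "user": "dave"}
{"ts": "2024-05-01T10:30:00Z", "event": "login_failed", "ip": "192.0.2.9", "user": "dave"}
{"ts": "2024-05-01T11:00:00Z", "event": "login_failed", "ip": "192.0.2.9", "user": "dave"}
"""

THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse_events(raw):
    """Parse JSON lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in raw.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=THRESHOLD, window=WINDOW,
                       exclude_success=True):
    """Return one alert per offending IP (aggregated, so one IP cannot flood).

    For each IP, anchor a window at every failure and count the failures in
    [anchor, anchor + window]. Fire when the count reaches the threshold and,
    if exclude_success is set, no login_success from that IP falls in the
    same window (the page's exclusion, which drops the 'typo then success'
    false positive).
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["event"] == "login_failed"]
        successes = [e["ts"] for e in evs if e["event"] == "login_success"]
        for i, anchor in enumerate(failures):
            end = anchor["ts"] + window
            in_win = [x for x in failures[i:] if x["ts"] <= end]
            if len(in_win) < threshold:
                continue
            if exclude_success and any(anchor["ts"] <= s <= end for s in successes):
                continue
            alerts.append({
                "severity": "HIGH",
                "ip": ip,
                "failures": len(in_win),
                "window_start": anchor["ts"].isoformat(),
                "window_end": end.isoformat(),
                # Context the page asks for: which usernames were targeted.
                "top_users": sorted({x["user"] for x in in_win}),
                "runbook": "ir-playbook/brute-force",  # placeholder link
            })
            break  # one alert per IP per evaluation
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(parse_events(SAMPLE_LOGS)):
        print(json.dumps(a))
```

With the exclusion on, only `203.0.113.5` (five failures against four different accounts, no success) alerts; `192.0.2.9` never reaches five failures inside any 5-minute window, and `198.51.100.7` is dropped because the same IP signs in 30 seconds after its fifth failure. Run with `exclude_success=False` and the second IP alerts too, which is exactly the noise the "Improve rule" step is meant to remove.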

## Use cases (starter pack)

| Rule | Data source |
|------|-------------|
| Brute force login | App logs |
| Impossible travel | Geo IP on SSO |
| New admin IAM policy | CloudTrail |
| S3 bucket public | Config + CloudTrail |
| K8s secret accessed unusual SA | Audit log |
| Spike 403 on `/admin` | WAF / app |
| Crypto mining egress | Flow logs + DNS |

Prioritize **high fidelity** rules first.

## Alert fatigue

| Symptom | Cause | Fix |
|---------|-------|-----|
| 500 alerts/day ignored | Low thresholds | Tune, aggregate |
| Same flapping alert | Unstable infra | Fix root, suppress window |
| Duplicate from tools | WAF + app both alert | Single owner per scenario |

Target: **actionable** alerts with owner and runbook.

## Severity matrix

| Sev | Criteria | Response |
|-----|----------|----------|
| P1 | Active breach, data exfil | Page immediately |
| P2 | Likely compromise attempt | Investigate <1h |
| P3 | Suspicious, needs review | Business hours |
| P4 | Informational trend | Weekly review |

Document it in the on-call handbook.

## SOAR (optional maturity)

**SOAR** — automate playbook steps: enrich IP, disable user, create Jira.

Start manual runbook → automate repetitive safe steps later.

## MITRE ATT&CK mapping

Map rules to **tactics** (Initial Access, Persistence…) — finds coverage gaps.

Not required on day one; useful for a mature program.

## Integration architecture

```
Sources → Collector → SIEM → Rules → Alert channel
                              ↓
                         Case / Ticket
                              ↓
                      Incident response
```

Tune **ingest cost**: filter noisy debug logs before they reach the SIEM.

## False positives handling

| Step | Action |
|------|--------|
| Document FP reason | Rule wiki |
| Exception with expiry | Temporary suppress |
| Improve rule | Add context (e.g. exclude IPs that also logged in successfully) |
| Never silently disable | Audit rule changes |
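A small alert-gate stage that applies the fixes from the alert fatigue and false positive tables: fold duplicates of a flapping alert into a suppression window, honour a documented exception that carries an expiry date, and record every decision so nothing is silently disabled. This is an added example, not code from the page or from any SIEM or SOAR product; the rule names, hosts, addresses and the 30-minute suppression window are constructed assumptions.

```python
"""Alert gate: aggregate flapping alerts, apply expiring exceptions, audit all.

Sits between the SIEM's rule output and the alert channel. Decisions per
alert are "forward", "suppressed" (duplicate inside the window) or
"exception" (documented false positive still within its expiry).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Alert:
    rule: str
    key: str            # dedup key: host, source IP, user...
    ts: datetime
    severity: str


@dataclass(frozen=True)
class Exception_:
    rule: str
    key: str
    reason: str         # the documented FP reason ("Rule wiki" row)
    expires: datetime   # exceptions are temporary by construction


class AlertGate:
    def __init__(self, exceptions=(), suppress_window=timedelta(minutes=30)):
        self.exceptions = {(e.rule, e.key): e for e in exceptions}
        self.suppress_window = suppress_window
        self.last_forwarded = {}   # (rule, key) -> ts of last alert sent on
        self.audit = []            # (ts, rule, key, decision, note)

    def decide(self, alert):
        k = (alert.rule, alert.key)
        ex = self.exceptions.get(k)
        if ex is not None:
            if alert.ts <= ex.expires:
                self.audit.append((alert.ts, *k, "exception", ex.reason))
                return "exception"
            # Expired exceptions stop applying; the alert flows again and the
            # audit trail shows why, instead of a suppression living forever.
            self.audit.append((alert.ts, *k, "exception_expired", ex.reason))
        last = self.last_forwarded.get(k)
        if last is not None and alert.ts - last < self.suppress_window:
            self.audit.append((alert.ts, *k, "suppressed", None))
            return "suppressed"
        self.last_forwarded[k] = alert.ts
        self.audit.append((alert.ts, *k, "forward", None))
        return "forward"

    def process(self, alerts):
        """Run all alerts through the gate in time order and summarise."""
        summary = {"forward": [], "suppressed": 0, "exception": 0}
        for a in sorted(alerts, key=lambda a: a.ts):
            d = self.decide(a)
            if d == "forward":
                summary["forward"].append(a)
            else:
                summary[d] += 1
        return summary


def demo():
    """Constructed scenario: one flapping host alert, one excepted scanner."""
    t = lambda s: datetime.fromisoformat(s).replace(tzinfo=UTC)
    alerts = [
        # Flapping infra alert: fires every 5 minutes, then again 35 min later.
        Alert("disk_full", "host-a", t("2024-05-01T10:00:00"), "P3"),
        Alert("disk_full", "host-a", t("2024-05-01T10:05:00"), "P3"),
        Alert("disk_full", "host-a", t("2024-05-01T10:10:00"), "P3"),
        Alert("disk_full", "host-a", t("2024-05-01T10:45:00"), "P3"),
        # Known internal vulnerability scanner trips brute-force while excepted...
        Alert("brute_force", "10.0.0.12", t("2024-05-01T11:00:00"), "P2"),
        # ...and again after the exception has expired.
        Alert("brute_force", "10.0.0.12", t("2024-06-15T11:00:00"), "P2"),
    ]
    exceptions = [
        Exception_("brute_force", "10.0.0.12",
                   "authorised internal scanner, ticket SEC-000 (placeholder)",
                   t("2024-06-01T00:00:00")),
    ]
    gate = AlertGate(exceptions)
    return gate.process(alerts), gate.audit


if __name__ == "__main__":
    summary, audit = demo()
    print(len(summary["forward"]), "forwarded,", summary["suppressed"],
          "suppressed,", summary["exception"], "excepted")
    for row in audit:
        print(*row)
```

Of the six constructed alerts, three are forwarded: the first `disk_full`, the one 45 minutes later (outside the window), and the post-expiry `brute_force`. The two `disk_full` repeats inside 30 minutes are folded, the in-date scanner alert is excepted, and every decision, including the expiry, is in `audit` for the weekly alert review.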

## Metrics for detection program

| KPI | Healthy sign |
|-----|--------------|
| MTTD (mean time to detect) | Decreasing |
| Alert true positive rate | >50% for P1/P2 |
| Rules without owner | Zero |
| Mean time to tune new rule | <2 weeks |

## Checklist SIEM bootstrap

- [ ] Top 5 log sources onboarded (app auth, CloudTrail, WAF, K8s audit, IdP)
- [ ] Time sync verified
- [ ] 10 starter rules with runbooks
- [ ] On-call rotation + escalation path
- [ ] Weekly alert review meeting
- [ ] Retention matches [logging policy](logging-audit-trail.md)

---

## Self-check

1. How does a SIEM differ from "just Kibana"?
2. Name 3 fields of a good detection rule.
3. What is alert fatigue and how do you fight it?
4. When is a P1 alert justified?

## Next

[Incident response](incident-response.md)
