Sending information from your identity and access management (IAM) system to your security information and event management (SIEM) system can help you to find events and anomalies that you might not find otherwise. This can help you detect that an attacker has breached your systems. Your SIEM system might already be collecting a lot of data. So, you might ask why should you send data from the IAM system? Can’t you gather this data directly from the IAM system?
Since the answer to this question isn’t trivial, we need to dig a little bit deeper. First, let’s focus on identity management.
Sending data from your IAM system to your SIEM makes sense. There are several events that happen to your IAM system that should be checked out by your SIEM. These may be failed logins, denial of service attacks, detection of session hijacking or stolen application access tokens. On the other hand, your IAM can help with finding actions and anomalies that are not always malicious events.
SIEM Integration Opportunities
Let’s look deeper into the event of a newly created account. This might be a local operating system account, an app account, a software-as-a-service account or a domain account. If the SIEM system registers the event of a created account in a connected system, it won’t be clear if this is a desired or malicious event.
But if your SIEM system is able to correlate this ‘account add’ with a related action from the IAM system, it’s easy to distinguish between an approved or malicious account creation. Remember, new account creation is often part of the ‘persistence’ attack phase. Therefore ..
Support the originator by clicking the read the rest link below.
