First off, I want to make sure you understand the abbreviation and concept of a SIEM.  SIEM is actually an abbreviation for “Security Information and Event Management”.  A SIEM is an application that provides the ability to gather security data from information system components and present that data as actionable information from a single user interface.

What does this actually mean?

A SIEM is a single software program that you send your event logs and sys logs to, in which the software program will allow you to cohesively view all of your audit logs together.  A typical SIEM can receive logs from multiple operating systems and network devices in your infrastructure.

Some of these network devices may include: routers, VPN devices, switches, UTM devices, printers, workstations, servers, Windows OS, Linux OS, Active Directory and much more.

Now you know what a SIEM is, let’s move onto the TOP 20 list of terms you should know regarding a SIEM.  Below is a list of common terms anyone should know when purchasing or using a SIEM product.

  1. Audit Log

A chronological record of system activities. Includes records of system accesses and operations performed in a given period.

  1. Baseline

The minimum security controls required for safeguarding an IT system based on its identified needs for confidentiality, integrity and/or availability protection.

  1. Computer Security

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

  1. False Positive

An alert that incorrectly indicates that a vulnerability is present.  Incorrectly classifying benign activity as malicious.

  1. Impact Level

The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

  1. Indicator of attack (IOA)

Unlike Indicators of Compromise (IOCs) used by legacy endpoint detection solutions, IOAs focus on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack.

  1. Indicator of compromise (IOC)

Indicators of Compromise (IOC) are pieces of forensic data, such as data found in system log entries or files, which identify potentially malicious activity on a system or network.

  1. Information Security Metrics

Monitor the accomplishment of goals and objectives by quantifying the implementation level of security controls and the efficiency and effectiveness of the controls, by analyzing the adequacy of security activities, and by identifying possible improvement actions.

  1. Information Security Risk

The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.

  1. Log Retention

Archiving logs on a regular basis as part of standard operational activities.

  1. Malicious Cyber Activity

Activities, other than those authorized by or in accordance with U.S. law, that seek to compromise or impair the confidentiality, integrity, or availability of computers, information or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.

  1. Ongoing Assessment

The continuous evaluation of the effectiveness of security control or privacy control implementation; with respect to security controls, a subset of Information Security Continuous Monitoring (ISCM) activities.

  1. Organizational Information Security Continuous Monitoring

Ongoing monitoring sufficient to ensure and assure effectiveness of security controls related to systems, networks, and cyberspace, by assessing security control implementation and organizational security status in accordance with organizational risk tolerance – and within a reporting structure designed to make real-time, data-driven risk management decisions.

  1. Potential Impact

The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect, a serious adverse effect, or a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

  1. Rule-Based Event Correlation

Correlating events by matching multiple log entries from a single source or multiple sources based on logged values, such as timestamps, IP addresses, and event types.

  1. Security Control Baseline

The set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system.

  1. Security Impact Analysis

The analysis conducted by an organizational official to determine the extent to which changes to the information system have affected the security state of the system.

  1. Security Incident

An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

  1. Threat Assessment

Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat.

  1. Traffic Light Protocol (TLP)

The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing of information. TLP is a set of designations used to ensure that sensitive information is shared with the appropriate audience. It employs four colors to indicate expected sharing boundaries to be applied by the recipient(s).


The definitions have been provided from the following sources:




 Register for your FREE Threat Check today: