SIEM Interface Overview


The SIEM Plan module is your central security operations interface in Energylogserver, providing access to all security monitoring, alerting, and analysis capabilities. This chapter explains every element in the SIEM Plan interface - what it is, what it does, and how to use it.

What is SIEM Plan?

SIEM Plan is not about licensing or plans - it’s the main security module where you actually work with security events, create alerts, view dashboards, and manage incidents. Think of it as your security operations center dashboard.

How to Access SIEM Plan

  1. Log into ELS Console (covered in User Management)

  2. Look in the left navigation menu for SIEM section

  3. The SIEM section contains various modules - Overview, Audit, Syslog, Vulnerabilities, etc.

  4. There’s also an Alerts interface accessible from the main navigation

You’ll see agent status at the top showing how many of your monitoring agents are connected.

Main SIEM Dashboard Overview

When you open the SIEM Plan interface, you see a dashboard with colored cards organized in four main sections. Here’s what each one does:

Security Information Management

Security Events Card

  • What it is: Browse through your security alerts

  • What it does: Shows you security issues and threats detected in your environment

  • When to use: Daily monitoring to see what security events are happening

  • Click here: Takes you to a searchable list of security events

Integrity Monitoring Card

  • What it is: File change monitoring

  • What it does: Alerts when files change - permissions, content, ownership, attributes

  • When to use: Monitor critical system files and detect unauthorized changes

  • Click here: Shows file modification alerts and reports

Auditing and Policy Monitoring

Policy Monitoring Card

  • What it is: Security policy compliance checker

  • What it does: Verifies your systems follow your security policies baseline

  • When to use: Regular compliance checking and policy violation detection

  • Click here: Shows which systems violate your security policies

System Auditing Card (Blue)

  • What it is: User activity monitor

  • What it does: Tracks user behavior, command execution, and access to critical files

  • When to use: Monitor user activity and detect suspicious behavior

  • Click here: Detailed audit logs and user activity reports

Security Configuration Assessment Card

  • What it is: Configuration scanner

  • What it does: Scans your systems for security configuration issues

  • When to use: Regular security posture assessment

  • Click here: Configuration assessment results and recommendations

Threat Detection and Response

Vulnerabilities Card

  • What it is: Vulnerability scanner integration

  • What it does: Shows which applications in your environment have known vulnerabilities

  • When to use: Vulnerability management and patch planning

  • Click here: Vulnerability reports and affected systems list

MITRE ATT&CK Card

  • What it is: Threat intelligence integration

  • What it does: Maps your security events to known attack techniques from MITRE ATT&CK framework

  • When to use: Advanced threat analysis and attack pattern identification

  • Click here: Attack technique mapping and threat intelligence

Regulatory Compliance

PCI DSS Card

  • What it is: Payment card security monitoring

  • What it does: Monitors compliance with payment card industry standards

  • When to use: If you process credit card payments

  • Click here: PCI DSS compliance dashboard and reports

NIST 800-53 Card

  • What it is: Federal security controls monitoring

  • What it does: Tracks compliance with NIST security control guidelines

  • When to use: Government and federal compliance requirements

  • Click here: NIST compliance status and control implementation

TSC Card

  • What it is: Trust Services Criteria monitoring

  • What it does: Monitors compliance with Security, Availability, Processing Integrity, Confidentiality, Privacy

  • When to use: SOC 2 compliance and trust service assessments

  • Click here: TSC compliance dashboard

GDPR Card

  • What it is: Data protection compliance

  • What it does: Monitors personal data processing compliance

  • When to use: If you process EU personal data

  • Click here: GDPR compliance monitoring and breach detection

HIPAA Card

  • What it is: Healthcare data protection

  • What it does: Monitors protected health information access and usage

  • When to use: Healthcare organizations handling patient data

  • Click here: HIPAA compliance dashboard and audit trails

Alerts Interface

The Alerts interface is where you create, manage, and monitor security alerts. Access it from the main navigation “Alerts” tab.

Alert Interface Tabs

Create Alert Rule Tab

This is where you build new security alerts. Here’s what each field does:

Basic Information

  • Name: Give your alert a descriptive name (e.g., “Failed Login Attempts”)

  • Description: Explain what this alert detects

  • Rule Type: Choose from dropdown (Any, Frequency, Spike, etc.)

  • Group Name: Organize alerts into groups for management

Configuration

  • Index Pattern: Select which data sources to monitor (click “Read Fields” to see available data)

  • Time Range: How far back to look for events (Last 15 minutes, Last hour, etc.)

  • Risk Key: What field to calculate risk score on

  • Threshold: Number of occurrences to trigger alert

Filter and Query

  • Filter: Add conditions like “host = webserver” or “user = admin”

  • Query: Advanced Lucene query for specific conditions

  • Group By: Aggregate alerts by host, user, or other fields

  • Field: Specific data field to monitor

Alert Method

  • Select Method: Choose Email, Slack, etc.

  • Recipients: Add email addresses or channels

  • Message: Customize alert notification text

Save Rule: Click to create the alert rule
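To make the Rule Type, Threshold, Time Range, Filter and Group By fields concrete, here is an added example (not Energylogserver code) that evaluates a Frequency-style and a Spike-style rule over a handful of constructed login events; the field names, timestamps and the equality-only filter syntax are assumptions chosen to match the page’s “host = webserver” filter example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not from the page); "host"/"user" mirror the Filter examples.
EVENTS = [
    {"@timestamp": "2024-01-10T09:50:00Z", "host": "webserver", "user": "admin", "event": "login_failed"},
    {"@timestamp": "2024-01-10T10:01:00Z", "host": "webserver", "user": "admin", "event": "login_failed"},
    {"@timestamp": "2024-01-10T10:02:00Z", "host": "webserver", "user": "bob",   "event": "login_failed"},
    {"@timestamp": "2024-01-10T10:03:00Z", "host": "webserver", "user": "admin", "event": "login_failed"},
    {"@timestamp": "2024-01-10T10:04:00Z", "host": "dbserver",  "user": "admin", "event": "login_failed"},
    {"@timestamp": "2024-01-10T10:05:00Z", "host": "webserver", "user": "admin", "event": "login_failed"},
    {"@timestamp": "2024-01-10T10:07:00Z", "host": "webserver", "user": "admin", "event": "login_failed"},
    {"@timestamp": "2024-01-10T10:09:00Z", "host": "webserver", "user": "admin", "event": "login_failed"},
    {"@timestamp": "2024-01-10T10:10:00Z", "host": "webserver", "user": "admin", "event": "login_success"},
]

def parse_filter(text):
    """Turn 'host = webserver AND event = login_failed' into {field: value} (equality only)."""
    conds = {}
    for clause in text.split(" AND "):
        field, value = (part.strip() for part in clause.split("=", 1))
        conds[field] = value
    return conds

def matching(events, filter_text, start, end):
    """Yield events satisfying every filter condition with a timestamp in [start, end)."""
    conds = parse_filter(filter_text)
    for e in events:
        ts = datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        if start <= ts < end and all(e.get(f) == v for f, v in conds.items()):
            yield e

def frequency_rule(events, filter_text, group_by, threshold, window, now):
    """Frequency-style rule: fire for each group_by value seen >= threshold times in the window."""
    counts = Counter(e[group_by] for e in matching(events, filter_text, now - window, now))
    return {key: n for key, n in counts.items() if n >= threshold}

def spike_rule(events, filter_text, spike_height, window, now):
    """Spike-style rule: compare the current window against the window just before it."""
    current = sum(1 for _ in matching(events, filter_text, now - window, now))
    reference = sum(1 for _ in matching(events, filter_text, now - 2 * window, now - window))
    return {"current": current, "reference": reference,
            "fired": reference > 0 and current >= spike_height * reference}

def evaluate_sample():
    """Run both rules with a 15-minute Time Range at the constructed 'now' of 10:15."""
    now, window = datetime(2024, 1, 10, 10, 15), timedelta(minutes=15)
    flt = "host = webserver AND event = login_failed"
    return frequency_rule(EVENTS, flt, "user", 3, window, now), spike_rule(EVENTS, flt, 3, window, now)

if __name__ == "__main__":
    print(evaluate_sample())
```

Only "admin" on webserver crosses the threshold of 3 (the dbserver failures and the successful login are filtered out), while the spike rule fires because 6 failures in the current window is at least three times the single failure in the previous one.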

Alert Status Tab

  • What it is: Alert system health monitor

  • What it does: Shows if alerting system is running and current status

  • When to use: Check if your alerts are active

  • Key metrics: Total alerts, processing time, last run

Alert Rules List Tab

  • What it is: All your alert rules

  • What it does: Manage existing alerts - edit, delete, enable/disable

  • When to use: Review and update your alert configurations

  • Search: Filter rules by name or type

Understanding the ELS Console Interface

Left Navigation Menu

  • Overview: Main security dashboard

  • Windows: Windows-specific security events

  • Vulnerabilities: Vulnerability management

  • Syslog: System log analysis

  • Audit: User activity monitoring

  • FIM: File Integrity Monitoring

  • Policy Monitoring: Security policy compliance

  • Alert: Alert management interface

  • MITRE: MITRE ATT&CK framework integration

Time Controls

  • Time Range Selector: Choose from preset ranges or custom dates

  • Show Dates: Toggle timestamp display

  • Refresh: Manual refresh of dashboard data

  • Lucene Query Box: Advanced filtering using Lucene syntax

Filter Controls

  • Add Filter: Create custom data filters

  • NOT operator: Exclude specific data types

  • Agent Group Filters: Filter by system groups