
Security Information and Event Management (SIEM) Integration

SIEM platforms centralize log collection and analysis across your entire infrastructure, providing correlation capabilities that individual firewall logs cannot offer. Proper SIEM integration multiplies the value of firewall logs by combining them with other security data sources.

Configure log forwarding to preserve original timestamps and metadata:

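# Rsyslog configuration for SIEM forwarding
# /etc/rsyslog.d/firewall-forward.conf
#
# Ships firewall events to the SIEM as one JSON object per line. The
# "timestamp" property is the time stamped on the message by the reporting
# host, so the SIEM receives the original event time rather than the time
# rsyslog happened to handle it.

# TLS for the forwarding channel. Plaintext syslog on the wire lets anything
# on the network path read or rewrite the audit trail before the SIEM sees
# it. The CA file is the one that signed the SIEM listener's certificate;
# if the SIEM also requires a client certificate, add
# DefaultNetstreamDriverCertFile and DefaultNetstreamDriverKeyFile here.
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/PLACEHOLDER/path/to/siem-ca.pem")

# Define log format template
template(name="FirewallLogFormat" type="list") {
    constant(value="{")
    property(name="timestamp" dateFormat="rfc3339" format="jsonf")
    constant(value=",")
    property(name="hostname" format="jsonf")
    constant(value=",")
    property(name="syslogtag" format="jsonf")
    constant(value=",")
    property(name="msg" format="jsonf")
    constant(value="}")
}

# Forward firewall logs to SIEM.
#
# - StreamDriverMode="1" refuses to fall back to plaintext, and
#   StreamDriverAuthMode="x509/name" checks that the presented certificate
#   matches the permitted peer name, so a host that merely answers on the
#   port cannot impersonate the SIEM. Port 514 is kept from the original;
#   6514 is the registered syslog-over-TLS port, so match the SIEM listener.
# - The queue is disk-assisted: queue.saveOnShutdown only takes effect when
#   queue.filename is set, and without it the buffered events live only in
#   memory and are lost on restart or when the SIEM is unreachable for long.
#   queue.maxDiskSpace bounds the spool so an outage cannot fill the disk.
if $programname == 'firewall' then {
    action(type="omfwd"
           target="siem.example.com"
           port="514"
           protocol="tcp"
           template="FirewallLogFormat"
           StreamDriver="gtls"
           StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="siem.example.com"
           queue.type="LinkedList"
           queue.size="10000"
           queue.filename="fwfwd"
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1"
           action.resumeInterval="30")
}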

Implement correlation rules that combine firewall events with other security data:

# SIEM correlation rule example
class SecurityCorrelator:
    def __init__(self, event_store):
        self.event_store = event_store
        
    def correlate_attack_chain(self, trigger_event):
        """Identify complete attack chains from initial recon to exploitation"""
        source_ip = trigger_event.get('source_ip')
        time_window = timedelta(hours=24)
        
        # Get all events from this source
        related_events = self.event_store.query({
            'source_ip': source_ip,
            'timestamp': {
                '$gte': trigger_event['timestamp'] - time_window,
                '$lte': trigger_event['timestamp']
            }
        })
        
        # Analyze attack progression
        attack_chain = {
            'reconnaissance': [],
            'initial_access': [],
            'exploitation': [],
            'persistence': []
        }
        
        for event in related_events:
            if self.is_recon_activity(event):
                attack_chain['reconnaissance'].append(event)
            elif self.is_initial_access(event):
                attack_chain['initial_access'].append(event)
            elif self.is_exploitation(event):
                attack_chain['exploitation'].append(event)
                
        return self.build_attack_timeline(attack_chain)