The primary benefit of a SIEM system to any organization is that it greatly increases the effectiveness of incident response teams. Early detection of incidents is a key factor in their containment and eradication, which means a reduced overall impact.

Because a SIEM can correlate events from different data sources and devices, it can detect incidents that would otherwise be missed entirely. For example, a network intrusion prevention system usually sees only part of an attack, while the affected host (e.g., a notebook or a server) sees the other part. By combining the logs from both devices, the SIEM assembles the complete picture of the incident.

“A SIEM’s power is in its correlation”

Microsoft Windows® Active Directory best practices describe several signs that, taken together through a proper configuration of Windows auditing settings, identify and evaluate a compromised computer system by correlation. These signs help detect malicious activity on a computer system early. The following security events can be used as part of such a correlation to detect possible signs of intrusion on a Windows® operating system.

  1. Two attempts to log in as the User were executed.
  2. User session started successfully.
  3. Special privileges were assigned to User’s account.
  4. A new user account was created, named “Jack”.
  5. A global group with security-disabled settings was created.
  6. An explorer process has been created.
  7. An attempt to unregister a security event source was executed.
  8. Jack’s account was enabled.
  9. The auditing settings on an access-control object were changed.
  10. Paul’s account session was closed.
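The following Python script is an added example, not code from the original article or from the LOGTITAN product, that shows the correlation idea from the two paragraphs above as a minimal detection rule run over sample log lines. The numeric Event IDs are the standard Windows Security log IDs for the ten signs listed; the page gives only the descriptions. The log line format, host names, account names and timestamps are constructed for the example, and the 30-minute window and the threshold of five co-occurring signs are tuning assumptions, not values from the page.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Standard Windows Security log Event IDs for the ten signs listed above.
# The page gives only the descriptions; the numeric IDs are supplied here.
SIGNS = {
    4625: "repeated failed logon attempts",              # sign 1 (counted, needs >= 2)
    4624: "logon succeeded",                              # sign 2
    4672: "special privileges assigned to new logon",     # sign 3
    4720: "user account created",                         # sign 4
    4749: "security-disabled global group created",       # sign 5
    4688: "new process created",                          # sign 6
    4905: "attempt to unregister security event source",  # sign 7
    4722: "user account enabled",                         # sign 8
    4907: "auditing settings on object changed",          # sign 9
    4634: "account logged off",                           # sign 10
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    event_id: int
    account: str  # account named in the record (subject or target, loosely)


def parse_log(text: str) -> list[Event]:
    """Parse records in a constructed '<ISO time> <host> <event id> <account>'
    format, a stand-in for the fields a SIEM would extract from Security.evtx."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, account = line.split()
        events.append(Event(datetime.fromisoformat(ts), host, int(eid), account))
    return events


def correlate(events, window=timedelta(minutes=30), min_signs=5):
    """Per host, inspect the events within +/- `window` of every successful
    logon and report hosts where at least `min_signs` distinct signs co-occur.
    Returns {host: {"account": ..., "signs": [...]}}; one alert per host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        for anchor in evs:
            if anchor.event_id != 4624:
                continue
            start, end = anchor.ts - window, anchor.ts + window
            seen, failed = set(), 0
            for e in evs:
                if not (start <= e.ts <= end):
                    continue
                if e.event_id == 4625:
                    failed += 1  # sign 1 is a count, not a single event
                elif e.event_id in SIGNS:
                    seen.add(e.event_id)
            if failed >= 2:
                seen.add(4625)
            if len(seen) >= min_signs and host not in alerts:
                alerts[host] = {"account": anchor.account,
                                "signs": [SIGNS[i] for i in sorted(seen)]}
    return alerts


# Constructed sample: WS01 reproduces the ten-step sequence above; WS02 shows
# an ordinary workday whose individual events look identical in isolation.
SAMPLE_LOG = """\
2024-05-01T09:58:10 WS01 4625 paul
2024-05-01T09:58:25 WS01 4625 paul
2024-05-01T09:58:40 WS01 4624 paul
2024-05-01T09:58:41 WS01 4672 paul
2024-05-01T10:02:00 WS01 4720 jack
2024-05-01T10:03:10 WS01 4749 paul
2024-05-01T10:04:00 WS01 4688 paul
2024-05-01T10:05:30 WS01 4905 paul
2024-05-01T10:06:00 WS01 4722 jack
2024-05-01T10:07:15 WS01 4907 paul
2024-05-01T10:20:00 WS01 4634 paul
2024-05-01T09:00:00 WS02 4624 alice
2024-05-01T09:00:01 WS02 4688 alice
2024-05-01T17:30:00 WS02 4634 alice
"""

if __name__ == "__main__":
    for host, alert in correlate(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {alert['account']} -> {len(alert['signs'])} correlated signs")
        for s in alert["signs"]:
            print("   -", s)
```

Run as a script, it reports only WS01: every event on WS02 also appears in the WS01 sequence, but a logon followed by a process start and a logoff hours later never reaches the threshold. That is the point of the quote above: none of the ten events is alarming by itself, and a rule that fires on any one of them produces noise, while the same events correlated per host and per window single out the intrusion.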

Anatomy of an Intrusion Detection Using LOGTITAN