A log source is a device or system that generates data such as logs, alerts, or events and sends it to a security information and event management (SIEM) system. A log source that has stopped sending data would be considered an incident if reported by a SIEM system, because the silence could indicate a malfunction, a compromise, or a denial-of-service attack against the log source. A SIEM system relies on the data from its log sources to provide a comprehensive and accurate view of the organization's security posture and events, so a gap in that data is itself a loss of visibility. An administrator logging in to a server through a virtual private network (VPN) would not be considered an incident, as this is a legitimate and authorized activity. A web resource reporting a 404 error would not be considered an incident, as this is a common and benign error indicating that the requested resource was not found on the server. A firewall logging a connection between a client on the Internet and a web server using Transmission Control Protocol (TCP) on port 80 would not be considered an incident, as this is normal, expected traffic for web browsing.
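As an added illustration that is not part of the original explanation, the following Python monitor flags log sources that have gone silent (the incident case) while treating the firewall, 404 and VPN-login events as ordinary traffic. The source names, timestamps and the expected-source inventory are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, log source, message); not real SIEM data.
# The firewall, 404 and VPN-login lines are the benign events from the answer.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00", "fw-edge-01", "ALLOW TCP 203.0.113.5:51234 -> 192.0.2.10:80"),
    ("2024-05-01T10:00:05", "web-01", "GET /old-page.html 404"),
    ("2024-05-01T10:00:10", "vpn-gw-01", "admin login via VPN: success"),
    ("2024-05-01T10:30:00", "fw-edge-01", "ALLOW TCP 198.51.100.7:40211 -> 192.0.2.10:80"),
    ("2024-05-01T10:30:02", "vpn-gw-01", "admin session keepalive"),
    ("2024-05-01T11:00:00", "fw-edge-01", "ALLOW TCP 203.0.113.9:53311 -> 192.0.2.10:80"),
]

# Hypothetical inventory of every source the SIEM expects to hear from; dc-01 never reports.
EXPECTED_SOURCES = ["fw-edge-01", "web-01", "vpn-gw-01", "dc-01"]


def last_seen_by_source(events):
    """Return the most recent event timestamp observed for each log source."""
    last_seen = {}
    for ts, source, _msg in events:
        stamp = datetime.fromisoformat(ts)
        if source not in last_seen or stamp > last_seen[source]:
            last_seen[source] = stamp
    return last_seen

def silent_sources(events, expected, now_iso, max_gap_minutes):
    """Map each expected source quiet for longer than max_gap_minutes to its
    minutes of silence. A source with no events at all maps to None: the SIEM
    has never had visibility into it, which is worse than a lapse. Message
    content is ignored on purpose; a 404 or a VPN login is ordinary traffic."""
    now = datetime.fromisoformat(now_iso)
    max_gap = timedelta(minutes=max_gap_minutes)
    last_seen = last_seen_by_source(events)
    findings = {}
    for source in expected:
        stamp = last_seen.get(source)
        if stamp is None:
            findings[source] = None
        elif now - stamp > max_gap:
            findings[source] = int((now - stamp).total_seconds() // 60)
    return findings

if __name__ == "__main__":
    # Evaluate at 11:01 with a 45-minute tolerance: web-01 and dc-01 are raised.
    findings = silent_sources(SAMPLE_EVENTS, EXPECTED_SOURCES, "2024-05-01T11:01:00", 45)
    for source, minutes in findings.items():
        status = "no events ever received" if minutes is None else f"silent for {minutes} min"
        print(f"INCIDENT: log source {source}: {status}")
```

In a real deployment the tolerance would be set per source from its normal event rate, since a firewall that logs every second and a domain controller that logs every few minutes cannot share one threshold.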