1 Reply Latest reply on Jun 26, 2017 6:48 AM by jghays

    Events, flows and logs in ESM




      In the below article, in front of ERC (Event Receiver), it says "Receivers collect events, flows and logs from data sources". I want to know what is the difference between events, flows and logs.


      Article : McAfee SIEM - FAQ



        • 1. Re: Events, flows and logs in ESM



          By flows we mean collection of Netflow, IPFix, ... generated by network components (routers, firewalls, ...).


          The benefit of collecting flows is to bring network visibility in the ESM console about network usage, up to the Application-level (ISO Layer 7) in the ESM console.

          So, while flows are collected, you should be able to see details on protocols used, applications, ... (depending on the type of flows collected, some of them provide more details than others).


          Another advantage of it is to enrich the detection capabilities of your ESM. Indeed, flow data is also available for correlation and you are able to define use cases mixing events with flows.

          Example: an IPS alert indicating a possible exploit is raised to the ESM, and the collected flows in the ESM show an unusual network usage for this particular server (volume of data exchanged, number of requests, ...).


          Hope this clarifies.
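The event-plus-flow correlation described in the reply above, as an added illustration that is not part of the original thread and not McAfee ESM code: constructed NetFlow-style records and IPS alert events are parsed from text lines, a per-host byte baseline is taken from the hour before each alert, and the alert is only escalated when the volume in the 15 minutes after it is far above that baseline. Hostnames, signature names, IP addresses and the 5x factor are all assumptions chosen for the example.

```python
"""Correlate IPS alert events with flow records by post-alert traffic volume.

Hypothetical example; the record formats below are constructed for this
demonstration and are not the ESM's own event or flow schema.
"""
from datetime import datetime, timedelta

# Constructed flow records: timestamp src_ip dst_ip dst_port bytes
FLOW_LINES = [
    "2017-06-26T08:00:00 10.0.0.5 10.0.1.20 443 12000",
    "2017-06-26T08:05:00 10.0.0.6 10.0.1.20 443 15000",
    "2017-06-26T08:10:00 10.0.0.7 10.0.1.20 443 11000",
    "2017-06-26T08:15:00 10.0.0.5 10.0.1.20 443 13000",
    "2017-06-26T09:05:00 10.0.1.20 203.0.113.9 4444 900000",
    "2017-06-26T09:07:00 10.0.1.20 203.0.113.9 4444 850000",
    "2017-06-26T08:02:00 10.0.0.5 10.0.1.30 80 8000",
    "2017-06-26T09:06:00 10.0.0.8 10.0.1.30 80 9000",
]

# Constructed IPS alert events: timestamp signature src_ip dst_ip
EVENT_LINES = [
    "2017-06-26T09:00:00 WEB_EXPLOIT_ATTEMPT 203.0.113.9 10.0.1.20",
    "2017-06-26T09:01:00 WEB_EXPLOIT_ATTEMPT 203.0.113.9 10.0.1.30",
]


def parse_flows(lines):
    """Turn whitespace-separated flow lines into dicts with typed fields."""
    flows = []
    for line in lines:
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def parse_events(lines):
    """Turn whitespace-separated IPS alert lines into dicts."""
    events = []
    for line in lines:
        ts, sig, src, dst = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "signature": sig,
                       "src": src, "dst": dst})
    return events


def host_bytes(flows, host, start, end):
    """Sum bytes of flows touching `host` (as source or destination) in [start, end)."""
    return sum(f["bytes"] for f in flows
               if host in (f["src"], f["dst"]) and start <= f["ts"] < end)


def correlate(flows, events, baseline_window=timedelta(hours=1),
              post_window=timedelta(minutes=15), factor=5.0):
    """Return alerts whose target host shows a post-alert volume spike.

    The baseline is the host's bytes in `baseline_window` before the alert,
    scaled down to one `post_window` so the two figures are comparable.
    A host with no prior traffic but traffic after the alert is treated as
    an infinite ratio, so it is escalated rather than silently dropped.
    """
    scale = baseline_window / post_window  # e.g. 3600s / 900s = 4.0
    findings = []
    for ev in events:
        host = ev["dst"]
        before = host_bytes(flows, host, ev["ts"] - baseline_window, ev["ts"])
        after = host_bytes(flows, host, ev["ts"], ev["ts"] + post_window)
        baseline = before / scale
        if baseline > 0:
            ratio = after / baseline
        else:
            ratio = float("inf") if after > 0 else 0.0
        if ratio >= factor:
            findings.append({"host": host, "signature": ev["signature"],
                             "baseline_bytes": baseline, "post_bytes": after,
                             "ratio": ratio})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_flows(FLOW_LINES), parse_events(EVENT_LINES)):
        print(f"{f['host']}: {f['signature']} followed by {f['post_bytes']} bytes "
              f"({f['ratio']:.1f}x baseline of {f['baseline_bytes']:.0f})")
```

With the constructed data, 10.0.1.20 is escalated because its outbound volume after the alert is roughly 137 times its hourly baseline, while 10.0.1.30 saw a similar alert but stays at about 4.5x and is not escalated; tuning `factor` and the two windows is what separates an exploit attempt that failed from one that changed the host's traffic pattern.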