SIEM tools

In Chapter 4, Collecting Network Evidence, there was also discussion of the use of SIEM platforms. These platforms not only serve as an aggregation point for log files from network devices, but also allow analysts to perform queries on the logs that have been aggregated. For example, IP addresses associated with potential malicious activity were discovered during the analysis of the packet capture file. That capture was limited to a single host on the internal network. One question analysts would like to answer is how many other hosts could possibly be infected. If the SIEM aggregates connection log files from devices such as the exterior-facing firewall and web proxy, the analyst would be able to determine whether any other internal hosts connected to those suspect IP addresses.

There are a wide variety of SIEM platforms available, from freeware solutions to enterprise security management platforms. Most of these platforms allow analysts to conduct filtered searching and correlated log reviews. Many of the more robust commercial platforms provide rulesets for detecting specific types of attacks, along with updates to these rulesets as new attacks become known. Analysts could also query the SIEM for connection logs from the suspect host's IP address to any other internal systems. This is the behavior normally seen in an incident where malware has infected a machine and an attacker is attempting to compromise other machines.
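The two SIEM queries just described (which other internal hosts contacted the suspect external IPs, and which internal systems the infected host itself connected to) can be run over a few constructed key=value connection-log lines as shown below. This is an added illustration, not code from the book; the log format, field names and addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of aggregated firewall/proxy connection logs (not real data).
SAMPLE_LOGS = """\
2023-03-04T10:01:12Z src=firewall src_ip=10.0.5.23 dst_ip=203.0.113.45 dst_port=443 action=allow
2023-03-04T10:01:15Z src=proxy src_ip=10.0.5.23 dst_ip=198.51.100.7 dst_port=80 action=allow
2023-03-04T10:02:01Z src=firewall src_ip=10.0.7.88 dst_ip=203.0.113.45 dst_port=443 action=allow
2023-03-04T10:02:44Z src=firewall src_ip=10.0.9.14 dst_ip=93.184.216.34 dst_port=443 action=allow
2023-03-04T10:03:09Z src=firewall src_ip=10.0.5.23 dst_ip=10.0.7.88 dst_port=445 action=allow
2023-03-04T10:03:30Z src=firewall src_ip=10.0.5.23 dst_ip=10.0.12.5 dst_port=3389 action=deny
2023-03-04T10:04:02Z src=proxy src_ip=10.0.12.5 dst_ip=198.51.100.7 dst_port=80 action=allow
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


def parse(lines):
    """Yield one dict of key=value fields per connection record."""
    for line in lines.splitlines():
        fields = dict(KV_RE.findall(line))
        if "src_ip" in fields and "dst_ip" in fields:
            yield fields


def hosts_contacting(lines, suspect_ips):
    """Query 1: every internal source that connected to a suspect IP,
    mapped to the suspect IPs it reached. Tells us how far the infection spread."""
    hits = defaultdict(set)
    for rec in parse(lines):
        if rec["dst_ip"] in suspect_ips:
            hits[rec["src_ip"]].add(rec["dst_ip"])
    return {host: sorted(ips) for host, ips in hits.items()}


def internal_targets(lines, infected_host):
    """Query 2: internal systems the infected host connected to, with port and
    firewall action. Denied attempts still indicate lateral-movement activity."""
    targets = {}
    for rec in parse(lines):
        if rec["src_ip"] == infected_host and ipaddress.ip_address(rec["dst_ip"]) in INTERNAL:
            targets[rec["dst_ip"]] = (rec.get("dst_port"), rec.get("action"))
    return targets
```

In the sample, 10.0.12.5 appears in both results: the infected host tried to reach it over RDP, and it later contacted one of the suspect IPs, which is exactly the kind of correlation the aggregated logs make visible.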

In organizations where incident response personnel are separate from those responsible for maintaining the SIEM, it is a good idea to review the communications structure so that incident response analysts have access to these platforms. The wealth of information and data available can be leveraged to determine what activity on the internal network is connected to a possible incident, as well as to gather evidence that can be used to determine the root cause.
