Good morning, my name is Francisco.
When a packet or a frame is generated, this can create a basic event entry, in some of the different logs:
- dns.log
- conn.log
- http.log
- certs.log
So I understand that a frame/packet can correspond to one or several basic events in Zeek.
I have also found that the unique identifier created in each entry is the UID of the session.
In a session, different packets are sent, so I am unsure whether a new entry is created in the logs mentioned above for each packet sent in a session, or whether entries are created only when the sent packets meet a series of conditions.
I need to understand this to know how I should send the information to the SIEM so as not to overload it.
Along with this doubt, I also have the following question:
Do you have any recommendation about which basic logs are usually sent to a SIEM?
I am referring to both events and specific alerts.
Thanks in advance!