Distinguish between alert data (including generation tools) and previously covered NSM monitoring (including collection tools).
Example of post: ONLY AN EXAMPLE
The difference between alert data and the data collected by NSM is that alert data is slightly more processed by the alert infrastructure, which appends alert information. The input data is largely the same between the two systems. The first family of data consists of raw unprocessed data. Full collection data, session data and additional data sources qualify as raw data sources. The second type of network data is processed data. Processed data consists of analyzed data, and data that has been evaluated for suspicious behavior and indicators of compromise.
A network interface can collect full network data in promiscuous mode. Promiscuous mode captures all packet data within a broadcast zone. This data includes all layer two and layer three address information, protocol, and the data contents. Session data only addresses the highlights of a conversation. These highlights include all the same data as full content data sans the data content of the datagram/packet: who from, who to, when, how, and how much are contained in session data. There are many ways to gather additional data for analysis, but in my experience, some of the best methods compare network data to host data.
Analyzing other collected data generates statistical data to determine normal and anomalous behavior. Alert data is derived from any of the previous data types triggering an alert. Alerts can be triggered by matching signatures or through heuristic analysis. Alert data consists of the trigger data and is appended with alert information. Alert information describes why the alert was triggered and the expected severity. Ultimately, alert data needs to be reviewed by network defenders to make decisions on network security and response actions. Defenders can also refine alerts based on previous alert experience and new threat intelligence to improve the accuracy of network alerts.
I did not mention tools like Sguil, Zeek or Suricata because defense strategy should be tool agnostic and current tools change.
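The data types described in the post, as an added, tool-agnostic example that is not part of the original post: constructed full content records are reduced to session data, and alert data is produced by appending a reason and severity to whatever triggered a signature or a volume heuristic. The packets, the signature set, the baseline and all function names are assumptions made for illustration.

```python
# Constructed full content data: (time, src, dst, proto, dst_port, payload)
PACKETS = [
    (1.0, "10.0.0.5", "10.0.0.9", "tcp", 80, b"GET /index.html HTTP/1.1"),
    (1.2, "10.0.0.5", "10.0.0.9", "tcp", 80, b"GET /cmd.exe HTTP/1.1"),
    (2.0, "10.0.0.7", "10.0.0.9", "tcp", 443, b"\x16\x03\x01"),
    (2.5, "10.0.0.7", "10.0.0.9", "tcp", 443, b"A" * 5000),
]

# Hypothetical signature set: name -> byte pattern searched in the payload.
SIGNATURES = {"cmd.exe-request": b"cmd.exe"}


def to_sessions(packets):
    """Reduce full content to session data: who from, who to, when, how, how much."""
    sessions = {}
    for ts, src, dst, proto, dport, payload in packets:
        s = sessions.setdefault((src, dst, proto, dport), {
            "src": src, "dst": dst, "proto": proto, "dport": dport,
            "start": ts, "end": ts, "packets": 0, "bytes": 0,
        })
        s["end"] = max(s["end"], ts)
        s["packets"] += 1
        s["bytes"] += len(payload)  # only the size is kept, not the content
    return list(sessions.values())


def signature_alerts(packets):
    """Alert data from full content: trigger data plus appended alert information."""
    alerts = []
    for pkt in packets:
        for name, pattern in SIGNATURES.items():
            if pattern in pkt[5]:
                alerts.append({"trigger": pkt, "reason": f"signature:{name}",
                               "severity": "high"})
    return alerts


def volume_alerts(sessions, baseline_bytes, factor=10):
    """Heuristic alert from session data: volume far above a statistical baseline."""
    return [{"trigger": s, "severity": "medium",
             "reason": f"bytes {s['bytes']} > {factor}x baseline {baseline_bytes}"}
            for s in sessions if s["bytes"] > factor * baseline_bytes]


if __name__ == "__main__":
    sess = to_sessions(PACKETS)
    for alert in signature_alerts(PACKETS) + volume_alerts(sess, baseline_bytes=100):
        print(alert["severity"], alert["reason"])
```

The signature alert can only be raised from full content data, while the volume heuristic needs nothing beyond session data, which is why both are collected.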