The FINSEC version of XL-SIEM is enhanced to support security models and events for the finance sector.
The service provides a REST API with endpoints that expose the information generated by the XL-SIEM probe: events, alarms, rules, the generated FINSTIX objects and the FINSTIX rules. These are explained in the following sections.
The inputs to the XL-SIEM are the events generated by the sensors connected to it, such as the HIDS (OSSEC), the IDS (Suricata) and others. All these events are correlated in the XL-SIEM against a set of correlation rules stored in the XL-SIEM database. When two or more events match a correlation rule, an alarm is generated and stored in the XL-SIEM. The alarms and the events are then converted to FINSTIX objects, which are also stored in the XL-SIEM database.
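The correlation step described above, as an added illustration that is not XL-SIEM's own code: constructed sensor events are matched against constructed rules, an alarm is raised once enough events from one source fall inside a rule's time window, and the alarm is wrapped in a STIX-2-style object. The event fields, the rule format and the object shape are assumptions; the real FINSTIX schema is not given here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely shaped like what a HIDS (OSSEC) and an
# IDS (Suricata) would forward to the SIEM. Not real sensor output.
EVENTS = [
    {"ts": "2024-01-01T10:00:00", "sensor": "ossec", "type": "auth_failure", "src": "10.0.0.5"},
    {"ts": "2024-01-01T10:00:20", "sensor": "ossec", "type": "auth_failure", "src": "10.0.0.5"},
    {"ts": "2024-01-01T10:00:45", "sensor": "suricata", "type": "port_scan", "src": "10.0.0.5"},
    {"ts": "2024-01-01T10:30:00", "sensor": "suricata", "type": "port_scan", "src": "10.0.0.9"},
]

# Constructed correlation rules (format assumed): an alarm fires when at least
# `min_events` events of the listed types share a source within `window` seconds.
RULES = [
    {"name": "brute_force_then_scan", "types": {"auth_failure", "port_scan"}, "min_events": 3, "window": 120},
    {"name": "repeated_auth_failure", "types": {"auth_failure"}, "min_events": 2, "window": 60},
]


def correlate(events, rules):
    """Return one alarm per (rule, source) whose matching events reach the threshold inside the window."""
    alarms = []
    for rule in rules:
        by_src = defaultdict(list)
        for ev in events:
            if ev["type"] in rule["types"]:
                by_src[ev["src"]].append(ev)
        for src, evs in by_src.items():
            evs.sort(key=lambda e: e["ts"])
            # Slide a window anchored on each event in turn; the first window
            # that reaches the threshold raises the alarm for this source.
            for i, first in enumerate(evs):
                start = datetime.fromisoformat(first["ts"])
                limit = timedelta(seconds=rule["window"])
                hits = [e for e in evs[i:] if datetime.fromisoformat(e["ts"]) - start <= limit]
                if len(hits) >= rule["min_events"]:
                    alarms.append({"rule": rule["name"], "src": src, "events": hits})
                    break
    return alarms


def to_finstix(alarm):
    """Wrap an alarm in a STIX-2-style dict. Object type and x_ fields are assumed, not the FINSTIX schema."""
    return {
        "type": "x-finstix-alarm",  # assumed custom object name
        "spec_version": "2.1",
        "name": alarm["rule"],
        "x_source": alarm["src"],
        "x_event_count": len(alarm["events"]),
    }
```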
More information on the SIEM Probe is available in the Securing Critical Infrastructures in the Financial Sector course.
The novelty of the solution lies in its scalability and performance, as well as in its customization to the critical infrastructures of the finance sector. It supports the standard SIEM functionalities, which it enhances with support for FINSTIX-based information modelling and sharing.