Patents by Inventor Mahbod Tavallaee

Mahbod Tavallaee has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240211592
    Abstract: An approach is disclosed for assessing effectiveness of security information and event management (SIEM) environments. A rule status information with a number of used rules and a number of unused rules and a log source status with a number of active log sources and a number of inactive log sources is received from a threat detection insight (TDI) component by a production SIEM environment assessment report (SPEAR) tool. TDI performance scores and TDI quality scores are received from the TDI component for each used rule by the SPEAR tool. The SPEAR tool determines an availability score, a performance score, and a quality score from the rule status information, the log source status information, the TDI performance scores, and the TDI quality scores. The SPEAR tool determines a SPEAR from the availability score, the performance score, and the quality score.
    Type: Application
    Filed: December 24, 2022
    Publication date: June 27, 2024
    Inventors: Marina Milazzo, Mauricio Zamora Peralta, Stephen Kyle Tibbetts, Eric Daniel Hanratty, Alex Chaves Malaver, Jason Hartley, James F. McGarry, Mahbod Tavallaee, Jose Arturo Maroto Picado, Marvin Andres Valerio Gonzalez, David Michael McGinnis
  • Patent number: 11503055
    Abstract: Embodiments of a method are disclosed. The method includes determining that the event type of an event log of a security information and event management (SIEM) cannot be identified. The method further includes generating a vectorized log using a cleaned, tokenized, and padded version of the event log. Additionally, the method includes generating a classification for the vectorized log using a deep learning classification model that is trained to identify a potential event type for the event log based on deep learning training using multiple parsed logs. The method also includes determining that a confidence level of the classification meets a predetermined threshold. The method further includes parsing the event log based on the classification.
    Type: Grant
    Filed: September 21, 2020
    Date of Patent: November 15, 2022
    Assignee: International Business Machines Corporation
    Inventors: Mahbod Tavallaee, Aankur Bhatia
  • Publication number: 20220277176
    Abstract: Methods and a system of classifying unrecognized logs in an environment. The method includes inputting a log unrecognized during event collection into a machine learning model and predicting, by the machine learning model, a log source type of the log to allow for normalization of the log. The method also includes producing, by the machine learning model, a confidence score relating to the source type prediction, determining the confidence score exceeds a predetermined threshold, and submitting the log for normalization based on the log source type prediction. The method can also include predicting, by the machine learning model, an event name relating to the log, producing, by the machine learning model, a second confidence score relating to the event name prediction, determining the second confidence score exceeds another predetermined threshold, and submitting the log for normalization based on the identified log source type and the predicted event name.
    Type: Application
    Filed: February 26, 2021
    Publication date: September 1, 2022
    Inventors: Aankur Bhatia, HuyAnh Dinh Ngo, Srinivas Babu Tummalapenta, Mahbod Tavallaee
  • Publication number: 20220094704
    Abstract: Embodiments of a method are disclosed. The method includes determining that the event type of an event log of a security information and event management (SIEM) cannot be identified. The method further includes generating a vectorized log using a cleaned, tokenized, and padded version of the event log. Additionally, the method includes generating a classification for the vectorized log using a deep learning classification model that is trained to identify a potential event type for the event log based on deep learning training using multiple parsed logs. The method also includes determining that a confidence level of the classification meets a predetermined threshold. The method further includes parsing the event log based on the classification.
    Type: Application
    Filed: September 21, 2020
    Publication date: March 24, 2022
    Inventors: Mahbod Tavallaee, Aankur Bhatia