Introduction of SecBuzzer ESM - secbuzzer/DetectionEdge GitHub Wiki

Introduction of SecBuzzer ESM

Introduction:

The system collects logs in a way suited to the actual field environment, deploys a network intrusion detection system to monitor whether network segments are under attack, and keeps the network threat rules up to date to extend defense in both breadth and depth. Operators receive notifications by email or text message and manage incident prevention and response from there. In addition, a unit can report its important incident collections to H-SOC in the national standard STIX format; the H-SOC center then analyzes and stores them, so that cyber security defense collaboration is achieved through regular, automatic AI analysis of abnormal and malicious behaviors.
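The paragraph above says incidents are reported to H-SOC in STIX format but does not describe the H-SOC profile. The following is an added example, not SecBuzzer code, that packages one edge incident as a generic STIX 2.1 bundle (an Identity for the reporting unit, an Indicator for the flagged address, and a Sighting linking them) and checks the bundle's structure before it is sent. The incident record layout (`edge_id`, `src_ip`, `rule`, `first_seen`, `last_seen`, `count`) is an assumption and the sample values are constructed.

```python
"""Added example (not SecBuzzer code): package an ESM incident as a STIX 2.1 bundle.

The H-SOC STIX profile is not given on the wiki page, so this builds a generic
STIX 2.1 bundle and validates the common required properties and references.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX identifier: "<object-type>--<UUID>".
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
# Properties every STIX 2.1 domain/relationship object must carry.
COMMON_REQUIRED = ("type", "spec_version", "id", "created", "modified")

# Constructed incident record as an edge might forward it (assumed layout).
SAMPLE_INCIDENT = {
    "edge_id": "edge-01",
    "src_ip": "10.0.0.5",
    "rule": "CONSTRUCTED outbound port scan",
    "first_seen": "2024-01-01T08:00:00Z",
    "last_seen": "2024-01-01T08:05:00Z",
    "count": 17,
}


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def stix_now():
    # created/modified must be UTC with millisecond precision and a 'Z' suffix.
    now = datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"


def sdo(obj_type, created_by_ref=None, **props):
    """Build a STIX object with the common required properties plus type-specific ones."""
    ts = stix_now()
    obj = {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
           "created": ts, "modified": ts}
    if created_by_ref:
        obj["created_by_ref"] = created_by_ref
    obj.update(props)
    return obj


def incident_to_bundle(incident, unit_name):
    """Identity (reporting unit) + Indicator (flagged address) + Sighting (what the edge saw)."""
    identity = sdo("identity", name=unit_name, identity_class="organization")
    indicator = sdo("indicator", created_by_ref=identity["id"],
                    name=incident["rule"],
                    description=f"Reported by {incident['edge_id']}",
                    pattern=f"[ipv4-addr:value = '{incident['src_ip']}']",
                    pattern_type="stix",
                    valid_from=incident["first_seen"])
    sighting = sdo("sighting", created_by_ref=identity["id"],
                   sighting_of_ref=indicator["id"],
                   where_sighted_refs=[identity["id"]],
                   first_seen=incident["first_seen"],
                   last_seen=incident["last_seen"],
                   count=incident["count"])
    return {"type": "bundle", "id": stix_id("bundle"), "objects": [identity, indicator, sighting]}


def validate_bundle(bundle):
    """Return a list of structural problems; an empty list means the bundle is well-formed."""
    problems = []
    if bundle.get("type") != "bundle":
        problems.append("top-level type must be 'bundle'")
    bid = str(bundle.get("id", ""))
    if not STIX_ID_RE.match(bid) or not bid.startswith("bundle--"):
        problems.append("bundle id malformed")
    ids = set()
    for obj in bundle.get("objects", []):
        for key in COMMON_REQUIRED:
            if key not in obj:
                problems.append(f"{obj.get('id', '?')}: missing {key}")
        oid = str(obj.get("id", ""))
        if not STIX_ID_RE.match(oid) or not oid.startswith(obj.get("type", "") + "--"):
            problems.append(f"{oid}: id does not match its type")
        ids.add(oid)
    # Every *_ref / *_refs must resolve to an object carried in the same bundle.
    for obj in bundle.get("objects", []):
        for key, val in obj.items():
            refs = val if key.endswith("_refs") else [val] if key.endswith("_ref") else []
            for ref in refs:
                if ref not in ids:
                    problems.append(f"{obj.get('id', '?')}: dangling {key} -> {ref}")
    return problems


def to_json(bundle):
    return json.dumps(bundle, indent=2)


if __name__ == "__main__":
    bundle = incident_to_bundle(SAMPLE_INCIDENT, "Constructed Reporting Unit")
    print(to_json(bundle))
    print("problems:", validate_bundle(bundle))
```

The validator is the check a receiving center would apply first: every object carries the five common properties, every id matches its type, and every reference resolves inside the bundle, so a partially exported collection is rejected before analysis rather than silently losing context.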

Framework and functions:

The system consists of two major parts, Edge and Cloud, as shown below.
![ESM Framework]

ESM Edge:

  1. The Edge is the monitored site: a sensor of the small-scale cyber surveillance system is deployed there to provide network intrusion detection and log collection.

  2. Analysis and detection over log files or network traffic rapidly screens for malware threats and anomalous behaviors.

  3. In automatic mode, it regularly forwards data, including incidents and host details, to ESM Cloud.

ESM Cloud:

  1. The Cloud collects edge data (e.g. incidents and host details) and stores it in a database, from which it can perform further analysis and statistics.

  2. Association analysis is run regularly to detect abnormal host behavior.

  3. Based on the alert information, maintenance technicians can evaluate whether the risk level of an incident reaches a threshold and, if so, generate a ticket by sending a notification email.

  4. A visualized dashboard allows edges or an authorized unit to submit queries, filter search results, and view data.

  5. Incident reporting notifications.

  6. Report search and download.
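Cloud steps 1 to 3 above form one pipeline: ingest the batches forwarded by edges, associate them per host, and open a ticket with a notification email when the risk level reaches a threshold. The following is an added example, not SecBuzzer code, of that pipeline. The incident field names, the severity weights, the risk formula (highest severity on the host plus one point per additional distinct rule that fired there) and the threshold are assumptions; the incident batch is constructed.

```python
"""Added example (not SecBuzzer code): cloud-side association and threshold ticketing.

Ingest a constructed edge batch, associate incidents per host, derive a risk
level, and render a ticket notification email for hosts at or above threshold.
"""
from collections import defaultdict
from email.message import EmailMessage

# Assumed weights for the edge alert's severity field; unknown values count as 0.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed risk level at which a ticket is opened.
RISK_THRESHOLD = 4

# Constructed incident batch as edges might forward it (assumed field names).
SAMPLE_INCIDENTS = [
    {"edge_id": "edge-01", "host": "10.0.0.5", "rule": "CONSTRUCTED outbound port scan",
     "severity": "high", "time": "2024-01-01T08:00:00Z"},
    {"edge_id": "edge-01", "host": "10.0.0.5", "rule": "CONSTRUCTED DNS query burst",
     "severity": "medium", "time": "2024-01-01T08:03:00Z"},
    {"edge_id": "edge-02", "host": "10.0.0.7", "rule": "CONSTRUCTED policy violation",
     "severity": "low", "time": "2024-01-01T08:01:00Z"},
    {"edge_id": "edge-02", "host": "10.0.0.9", "rule": "CONSTRUCTED failed login",
     "severity": "medium", "time": "2024-01-01T08:02:00Z"},
    {"edge_id": "edge-02", "host": "10.0.0.9", "rule": "CONSTRUCTED failed login",
     "severity": "medium", "time": "2024-01-01T08:02:30Z"},
    {"edge_id": "edge-02", "host": "10.0.0.9", "rule": "CONSTRUCTED failed login",
     "severity": "medium", "time": "2024-01-01T08:04:00Z"},
]


def associate_by_host(incidents):
    """Group incidents by host and compute a per-host risk level.

    Assumed association rule: risk = highest severity seen on the host plus one
    point for every additional distinct rule that fired there, so several
    different detections on one host raise its risk even if each alone is mild.
    """
    per_host = defaultdict(list)
    for inc in incidents:
        per_host[inc["host"]].append(inc)
    stats = {}
    for host, incs in per_host.items():
        rules = sorted({i["rule"] for i in incs})
        max_sev = max(SEVERITY.get(i["severity"], 0) for i in incs)
        stats[host] = {
            "count": len(incs),
            "rules": rules,
            "edges": sorted({i["edge_id"] for i in incs}),
            "max_severity": max_sev,
            "risk": max_sev + (len(rules) - 1),
            "first_seen": min(i["time"] for i in incs),
            "last_seen": max(i["time"] for i in incs),
        }
    return stats


def generate_tickets(stats, threshold=RISK_THRESHOLD):
    """Open one ticket per host whose risk level reaches the threshold."""
    tickets = []
    for host in sorted(stats):
        s = stats[host]
        if s["risk"] >= threshold:
            tickets.append({"host": host, "risk": s["risk"], "threshold": threshold,
                            "count": s["count"], "rules": s["rules"], "edges": s["edges"],
                            "window": (s["first_seen"], s["last_seen"])})
    return tickets


def notification_email(ticket, to_addr, from_addr="esm-cloud@example.invalid"):
    """Render the ticket as an RFC 5322 message; handing it to an SMTP relay is out of scope here."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = f"[ESM] Ticket: host {ticket['host']} risk {ticket['risk']} >= {ticket['threshold']}"
    body = "\n".join([
        f"Host: {ticket['host']}",
        f"Risk level: {ticket['risk']} (threshold {ticket['threshold']})",
        f"Incidents: {ticket['count']} between {ticket['window'][0]} and {ticket['window'][1]}",
        f"Reporting edges: {', '.join(ticket['edges'])}",
        "Rules fired:",
        *[f"  - {r}" for r in ticket["rules"]],
    ])
    msg.set_content(body)
    return msg.as_string()


if __name__ == "__main__":
    host_stats = associate_by_host(SAMPLE_INCIDENTS)
    for t in generate_tickets(host_stats):
        print(notification_email(t, "soc-oncall@example.invalid"))
```

With the constructed batch, only 10.0.0.5 reaches the threshold: two different rules with a high maximum severity give risk 4, while three repeats of the same medium rule on 10.0.0.9 stay at 2. Counting distinct rules rather than raw alert volume is what keeps a noisy single signature from paging the technician.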