A good portion of the security research done at Cygilant is done around alerting. For us, an alert occurs when a data point in a log message contains a value we were waiting to see. These data points are usually values such as: IP addresses, authentication statuses, network protocols or error codes, for example. This work is ongoing because there are continually new and better ways to determine if something unique or nefarious is occurring on systems. The log messages we parse come from devices and applications that are deployed within the environment and are commonly referred to as SIEM (security information and event management) data. Most of the hardware and software you are familiar with produce SIEM data which makes it useful determining what is happening on the systems you are monitoring.