Introduction To SIEM

The document outlines the importance of Security Information and Event Management (SIEM) in network visibility and log management. It details various log sources, ingestion methods, and the significance of monitoring, investigating alerts, and identifying false positives. Additionally, it describes correlation rules for alerting and the steps for investigating alerts to ensure network security.

Uploaded by rifarivar

Introduction:

SIEM - Security Information and Event Management

Network Visibility Through SIEM:

Network log sources -

1) Host-Centric Log Sources - Capture events that occurred within or
related to the host.
a. A user accessing a file.
b. A user attempting to authenticate.
c. Process execution activity.
d. A process adding, deleting, or editing a registry key or value.
e. PowerShell execution.
2) Network-Centric Log Sources - Capture hosts communicating with each
other or accessing the internet.
a. An SSH connection.
b. A file being accessed via FTP.
c. Web traffic.
d. Accessing the company's resources through a VPN.
e. Network file-sharing activity.

Log Source and Log Ingestion:

Windows workstation:

Windows records events in the Windows Event Log, which can be viewed
through the Event Viewer utility. Each type of activity is assigned a
unique Event ID (for example, a successful logon is Event ID 4624 and a
failed logon is Event ID 4625 in the Security log).

Linux Workstation:

Linux stores logs under /var/log, for example:

1. /var/log/httpd : Contains HTTP request/response and error logs
(Apache on Red Hat-based systems).
2. /var/log/cron : Events related to cron jobs are stored in this
location.
3. /var/log/auth.log and /var/log/secure : Store authentication-related
logs (auth.log on Debian/Ubuntu, secure on Red Hat-based systems).
4. /var/log/kern.log : Stores kernel-related events.

Web Server:

On Linux, the common locations for Apache logs are:

1. /var/log/apache2 (Debian/Ubuntu)
2. /var/log/httpd (Red Hat-based systems)

Log Ingestion:

1) Agent/forwarder : The SIEM solution provides a lightweight tool called
an agent (or forwarder) that is installed on the endpoint. It collects
the important logs and sends them to the SIEM server.
2) Syslog : A widely used standard for collecting log data from systems
such as:
a. Servers
b. Databases etc.
Logs are sent to a central syslog/SIEM server in real time.
3) Manual upload : A user can upload log data manually (for example, an
exported log file) for quick analysis.
4) Port-forwarding : The SIEM can be configured to listen on a certain
port, and endpoints forward their logs to that port.
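The syslog and port-listening methods above both come down to a collector bound to a UDP/TCP port that decodes the syslog header of each incoming message. The following is an added example (not code from the original notes) of such a collector in Python: it parses the RFC 3164 `<PRI>` prefix into facility and severity, the timestamp, host, program tag and PID, and reads datagrams from a bound socket. The three messages, the hostname `web01` and the IP addresses are constructed for the demo; a real collector would bind 514/udp rather than the ephemeral loopback port used here.

```python
"""Syslog ingestion: receive RFC 3164-style messages on a UDP port and decode the header."""
import re
import socket

# Constructed messages as a host's syslog daemon would forward them; not real captures.
# The <PRI> prefix encodes facility * 8 + severity.
SAMPLE_MESSAGES = [
    "<86>Mar 10 09:00:09 web01 sshd[2216]: Accepted password for root from 203.0.113.7 port 51117 ssh2",
    "<78>Mar 10 09:05:01 web01 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)",
    "<4>Mar 10 09:06:00 web01 kernel: Out of memory: Killed process 1234 (java)",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                        # priority value
    r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "    # BSD timestamp (no year)
    r"(?P<host>\S+) "                             # originating host
    r"(?P<tag>[\w./-]+?)(?:\[(?P<pid>\d+)\])?: "  # program name, optional [pid]
    r"(?P<msg>.*)$"
)
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(raw):
    """Decode one syslog line into fields; return None if it is not a valid RFC 3164 message."""
    m = SYSLOG_RE.match(raw)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facilities run 0-23, so the largest legal PRI is 23*8+7
        return None
    return {
        "facility": FACILITIES.get(pri // 8, str(pri // 8)),
        "severity": SEVERITIES[pri % 8],
        "timestamp": m["ts"], "host": m["host"], "tag": m["tag"],
        "pid": m["pid"], "msg": m["msg"],
    }


def ingest(sock, max_msgs, timeout=2.0):
    """Read up to max_msgs datagrams from a bound UDP socket and return the parsed events.
    The sender's IP is recorded separately from the hostname claimed inside the message,
    because the latter is text under the sender's control."""
    sock.settimeout(timeout)
    events = []
    for _ in range(max_msgs):
        try:
            data, (sender_ip, _port) = sock.recvfrom(65535)
        except socket.timeout:
            break
        ev = parse_syslog(data.decode("utf-8", errors="replace"))
        if ev is not None:
            ev["sender_ip"] = sender_ip
            events.append(ev)
    return events


if __name__ == "__main__":
    # Loopback demo. A real collector binds 514/udp (needs root); an ephemeral port is used here.
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    port = listener.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for line in SAMPLE_MESSAGES:
        sender.sendto(line.encode(), ("127.0.0.1", port))
    for event in ingest(listener, len(SAMPLE_MESSAGES)):
        print(event)
```

The facility is what tells the SIEM which of the Linux log files above an event belongs to: PRI 86 decodes to authpriv/info (the material that lands in /var/log/auth.log or /var/log/secure), PRI 78 to cron/info, and PRI 4 to kern/warning.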

Why SIEM:
1) Monitoring and investigating.

2) Identifying False positives.

3) Tuning Rules which are causing the noise or False positives.

4) Reporting and Compliance.

5) Identifying blind spots in the network visibility and covering them.

Analyzing Logs and Alerts

Correlation rules: A correlation rule is a logical expression that
triggers an alert when its condition is met.

Example:
(a) If a user gets 5 failed login attempts in 10 seconds - raise an
alert for Multiple Failed Login Attempts.
(b) If a login is successful after multiple failed login attempts - raise
an alert for Successful Login After Multiple Failed Login Attempts.
(c) A rule is set to alert every time a user plugs in a USB device
(useful if USB use is restricted by company policy).
(d) If outbound traffic from a host is > 25 MB - raise an alert for a
potential data exfiltration attempt (the threshold usually depends on
the company policy).
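Rules (a), (b) and (d) above can be implemented as a small correlation engine over the log sources described earlier. The following is an added example (not code from the original notes) in Python: it parses sshd lines in /var/log/auth.log format, keeps a sliding 10-second window of failed logins per (user, source IP), raises the two login alerts, and sums outbound bytes per host against the 25 MB threshold. The log lines, flow records, hostnames and IPs are constructed for the demo; the year used to parse timestamps and the "multiple failures" definition for rule (b) (at least two failures within 60 seconds of the success) are assumptions.

```python
"""Correlation rules (a), (b) and (d) from the notes, run over constructed log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in Linux /var/log/auth.log (sshd) format; not a real capture.
# Lines 1-6: a password-guessing burst against root that finally succeeds.
# Lines 7-8: alice mistypes once and logs in five minutes later (should not alert).
SAMPLE_AUTH_LOG = """\
Mar 10 09:00:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51112 ssh2
Mar 10 09:00:02 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 51113 ssh2
Mar 10 09:00:03 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51114 ssh2
Mar 10 09:00:04 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51115 ssh2
Mar 10 09:00:05 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51116 ssh2
Mar 10 09:00:09 web01 sshd[2216]: Accepted password for root from 203.0.113.7 port 51117 ssh2
Mar 10 09:30:00 web01 sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar 10 09:35:00 web01 sshd[2301]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
"""

# Constructed outbound flow summaries as (source host, destination IP, bytes sent).
SAMPLE_FLOWS = [
    ("ws-14", "198.51.100.20", 18 * 1024 * 1024),
    ("ws-14", "198.51.100.20", 9 * 1024 * 1024),
    ("ws-07", "203.0.113.50", 2 * 1024 * 1024),
]

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
ASSUMED_YEAR = 2024  # auth.log timestamps carry no year; assumed here so they can be compared


def parse_auth_line(line):
    """Return a dict for an sshd password-auth line, or None for any other line."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{ASSUMED_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def run_correlation(log_text, fail_threshold=5, fail_window_s=10, success_lookback_s=60):
    """Rules (a) and (b): N failures inside a sliding window, and a success shortly after failures.
    Failures are tracked per (user, source IP) so two users behind one IP do not mix."""
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failed logins
    alerts = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        window = failures[key]
        if ev["outcome"] == "Failed":
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > fail_window_s:
                window.popleft()  # drop failures that fell out of the sliding window
            # fire once when the threshold is reached, not again for every later failure in the window
            if len(window) == fail_threshold:
                alerts.append({"rule": "Multiple Failed Login Attempts", "user": ev["user"],
                               "src": ev["src"], "time": ev["ts"], "count": len(window)})
        else:  # Accepted password
            # "multiple" failures is taken as at least two within success_lookback_s (assumed values)
            recent = [t for t in window if (ev["ts"] - t).total_seconds() <= success_lookback_s]
            if len(recent) >= 2:
                alerts.append({"rule": "Successful Login After Multiple Failed Attempts",
                               "user": ev["user"], "src": ev["src"], "time": ev["ts"],
                               "prior_failures": len(recent)})
            window.clear()  # a successful login ends the burst


    return alerts


def check_outbound(flows, threshold_bytes=25 * 1024 * 1024):
    """Rule (d): total outbound bytes per source host above the policy threshold (25 MB here)."""
    totals = defaultdict(int)
    for src, _dst, nbytes in flows:
        totals[src] += nbytes
    return [{"rule": "Potential Data Exfiltration", "host": host, "bytes": total}
            for host, total in sorted(totals.items()) if total > threshold_bytes]


if __name__ == "__main__":
    for alert in run_correlation(SAMPLE_AUTH_LOG) + check_outbound(SAMPLE_FLOWS):
        print(alert)
```

On the sample input the root burst produces both login alerts and alice's single typo produces none, which is the point of keying on (user, source IP) and of the lookback window: rule (b) is what separates a brute force that worked from a user who simply mistyped a password. The rule (d) threshold is a policy value; a per-host daily baseline usually replaces the fixed 25 MB in practice.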

Alert Investigation:

1) If the alert is a false alarm, tune the rule so that similar false
positives do not occur again.

2) If the alert is a true positive, perform further investigation.

3) Contact the asset owner to inquire about the activity.

4) If the suspicious activity is confirmed, isolate the infected host.

5) Block the suspicious IP.
