Introduction to SIEM

An introduction to Security Information and Event Management.

SIEM stands for Security Information and Event Management system.
SIEM
1. collects data from various endpoints across the network
2. stores data at a centralized place
3. correlates data

Imagine that we have this network topology.

each network component can have one or more log sources generating different logs.
1. Sysmon
2. Windows Event logs
Network log sources can be divided into 2 logical parts
1. Host-Centric Log Source
  1. Logs that will capture events that occurred within or related to the host:
    Windows Event Logs
    Sysmon
    OSquery
  2. Examples of logs would be:
    A user accessing a file
    A user attempting to authenticate
    A process Execution Activity
    A process of adding, editing, or deleting a registry key or value
    Powershell execution
2. Network-Centric Log Source
  1. Logs that are generated when:
    the hosts communicate with each other
    the host is accessing the internet to visit a website
  2. Network-based protocols are:
    SSH
    VPN
    HTTP
    HTTPS
    FTP
  3. Examples of logs would be:
    SSH connection
    The file is accessed via FTP
    Web traffic
    A user accessing company resources via VPN
    Network file-sharing activity
SIEM key features:
1. Takes logs from various sources in real-time
2. Provides the ability to correlate between events
3. Provides the ability to search through the logs
4. Provides the ability to investigate incidents
5. Provides the ability to respond promptly
6. Real-time log ingestion
7. Alerting against abnormal activities
8. 24/7 Monitoring and visibility
9. Protection against the latest threats through ealy detection
10. Data Insights and visualization
11. Ability to investigate past incidents

Log Sources and Log Ingestion

Every device in the network generates some kind of log whenever an activity is performed on it
1. User visiting a website
2. Connecting to SSH
3. Logging in to a workstation
Common devices found in a network environment:
1. Windows Machine
  1. Event Viewer utility
  2. To access Event Viewer
    Type "Event Viewer" in Search Bar
    These logs from all windows endpoints are forwarded to the SIEM
2. Linux Workstation
  1. stores all related logs like:
    Events
    Errors
    Warnings
    etc
  2. Common log locations
    /var/log/httpd
    HTTP requests
    HTTP response
    Error logs
    /var/log/cron
    Events related to cron jobs
    /var/log/auth.log and /var/log/secure
    Authentication related logs
    /var/log/kern
    Kernel related events
  3. Example of cron log
Web Server
1. Important to keep an eye on all the requests/responses coming in and out of the webserver for any potential web attack attempt.
2. Common Apache logs
  1. /var/log/apache
  2. /var/log/httpd
3. Apache log example
SIEM log ingestion methods
1. Agent / Forwarder
  1. Lightweight agent tool gets installed in the Endpoint
  2. Agent tool gets configured to capture all important logs and send them to SIEM server
2. Syslog
  1. Protocol used to collect data fom various systems
    web servers
    databases
  2. sent in real time
3. Manual upload
  1. Allow users to ingest offline data.
  2. Tools like:
    Splunk
    ELK
    Qradar
4. Port-Forwarding
  1. SIEM server configured to listen on the certain port from endpoint
  2. Endpoint is configured to forward data to SIEM server listening port

Why SIEM

Provides collected data correlation to detect threats
Raises alerts when a threat is detected
Helps detect threats
Helps protect against threats in a timely manner
A major component of a Security Operations Center
Correlation between events from different log sources
Provide visibility on Host and Network centric activities
Allow analysts to investigate the latest threats and timely responses
Hunt for threats that are not detected by the rules in place
Gets all the security-related logs ingested through agents, port forwarding, etc.
Once the logs are ingested, SIEM looks for unwanted behavior or suspicious pattern within the logs with the help of the conditions set in the rules by the analysts.
1. If the condition is met, a rule gets triggered, and the incident is investigated.
SOC Analysts
1. utilize SIEM solutions in order to have better visibility of what is happening within the network
2. Monitoring and Investigating
3. Identifying False positives
4. Tuning Rules which are causing the noise or False positives
5. Reporting
6. Compliance
7. Identifying blind spots in the network
8. Covering blind spots in the network

Logs and Alerts

Dashboard
1. The most important components of any SIEM
2. Some of the information that can be found in a dashboard are:
  1. Alert Highlights
  2. System Notification
  3. Health Alert
  4. List of Failed Login Attempts
  5. Events Ingested Count
  6. Rules triggered
  7. Top Domains Visited
3. Correlation Rules
  1. Logical expressions set to be triggered to allow timely detect threat where examples are:
    Multiple Failed Login Attempts
    If a User gets 5 failed Login Attempts in 10 seconds
    Successful Login After multiple Login Attempts
    If login is successful after multiple failed login attempts
    If outbound traffic is > 25 MB
4. Create correlation rule
  1. Adversaries tend to remove the logs during the post-exploitation phase to remove their tracks.
  3. To create a rule based on this activity, we can set the condition as follows:
    Rule: If the Log source is WinEventLog AND EventID is 104 - Trigger an alert Event Log Cleared
  4. Adversaries use commands like whoami after the exploitation/privilege escalation phase.
    Log source: Identify the log source capturing the event logs
    Event ID: which Event ID is associated with Process Execution activity? In this case, event id 4688 will be helpful.
    NewProcessName: which process name will be helpful to include in the rule?
    Rule: If Log Source is WinEventLog AND EventCode is 4688, and NewProcessName contains whoami, then Trigger an ALERT WHOAMI command Execution DETECTED
Alert investigation
1. Alert is False Alarm.
  1. It may require tuning the rule to avoid similar False positives from occurring again.
2. Alert is True Positive.
  1. Perform further investigation.
3. Contact the asset owner to inquire about the activity.
  1. Suspicious activity is confirmed.
    Isolate the infected host.
    Block the suspicious IP.

Lab Work

Click on Start Suspicious Activity, which process caused the alert?
Find the event that caused the alert, which user was responsible for the process execution?
1. chris.fort
What is the hostname of the suspect user?
1. HR_02
Examine the rule and the suspicious process; which term matched the rule that caused the alert?
1. miner
What is the best option that represents the event?
1. true-positive
Selecting the right ACTION will display the FLAG. What is the FLAG?
1. THM{000_SIEM_INTRO}

Last updated 2 years ago