Introduction to SIEM

An introduction to Security Information and Event Management.

  1. SIEM stands for Security Information and Event Management.

  2. SIEM

    1. collects data from various endpoints across the network

    2. stores data at a centralized place

    3. correlates data

Imagine that we have this network topology.

  1. each network component can have one or more log sources generating different logs.

    1. Sysmon

    2. Windows Event logs

  2. Log sources in a network can be divided into two logical groups

    1. Host-Centric Log Source

      1. Logs that will capture events that occurred within or related to the host:

        1. Windows Event Logs

        2. Sysmon

        3. OSquery

      2. Examples of logs would be:

        1. A user accessing a file

        2. A user attempting to authenticate

        3. Process execution activity

        4. Adding, editing, or deleting a registry key or value

        5. PowerShell execution

    2. Network-Centric Log Source

      1. Logs that are generated when:

        1. the hosts communicate with each other

        2. the host is accessing the internet to visit a website

      2. Protocols whose traffic typically produces such logs include:

        1. SSH

        2. VPN

        3. HTTP

        4. HTTPS

        5. FTP

      3. Examples of logs would be:

        1. An SSH connection

        2. A file accessed via FTP

        3. Web traffic

        4. A user accessing company resources via VPN

        5. Network file-sharing activity

  3. SIEM key features:

    1. Real-time log ingestion from various sources

    2. Correlation between events from different log sources

    3. Searching through the collected logs

    4. Investigating current and past incidents

    5. Responding promptly to confirmed threats

    6. Alerting on abnormal activities

    7. 24/7 monitoring and visibility

    8. Protection against the latest threats through early detection

    9. Data insights and visualization

Log Sources and Log Ingestion

  1. Every device in the network generates some kind of log whenever an activity is performed on it

    1. User visiting a website

    2. Connecting to SSH

    3. Logging in to a workstation

  2. Common devices found in a network environment:

    1. Windows Machine

      1. Windows records events in the Windows Event Log; the Event Viewer utility is used to browse them.

        1. Each type of event carries an Event ID (for example 4624 for a successful logon and 4625 for a failed logon), which is the field most SIEM rules key on.

      2. To access Event Viewer

        1. Type "Event Viewer" in Search Bar

        2. These logs from all Windows endpoints are forwarded to the SIEM

    2. Linux Workstation

      1. stores all related logs like:

        1. Events

          1. Errors

          2. Warnings

          3. etc

      2. Common log locations

        1. /var/log/httpd (RHEL-based systems; /var/log/apache2 on Debian/Ubuntu)

          1. HTTP requests and responses (access log)

          2. Error logs

        2. /var/log/cron

          1. Events related to cron jobs

        3. /var/log/auth.log (Debian/Ubuntu) and /var/log/secure (RHEL-based)

          1. Authentication-related logs, including SSH and sudo activity

        4. /var/log/kern.log (Debian/Ubuntu; RHEL-based systems write kernel messages to /var/log/messages)

          1. Kernel-related events

      3. Example of cron log

  3. Web Server

    1. Important to keep an eye on all the requests/responses coming in and out of the webserver for any potential web attack attempt.

    2. Common Apache log locations

      1. /var/log/apache2 (Debian/Ubuntu)

      2. /var/log/httpd (RHEL-based)

    3. Apache log example

  4. SIEM log ingestion methods

    1. Agent / Forwarder

      1. A lightweight agent is installed on the endpoint

      2. The agent is configured to capture the important logs and send them to the SIEM server

    2. Syslog

      1. Standard protocol (RFC 3164 / RFC 5424, usually UDP or TCP port 514) for sending log messages from various systems to a collector

        1. web servers

        2. databases

        3. network devices such as routers and firewalls

      2. Messages are sent in real time; plain UDP syslog is unauthenticated and can be silently lost, so prefer TCP or TLS (RFC 5425) where the device supports it

    3. Manual upload

      1. Allows users to ingest offline data, such as an exported log file

      2. Supported by tools like:

        1. Splunk

        2. ELK

        3. QRadar

    4. Port-Forwarding

      1. SIEM server is configured to listen on a certain port

      2. Endpoint is configured to forward its data to the SIEM server's listening port
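As an added example (not part of the original notes and not Apache's own code), the following Python parses Apache combined-format access log lines of the kind found under /var/log/httpd or /var/log/apache2 and applies two checks a SIEM rule might encode over web server logs: URL-decoded request paths matched against a small set of attack signatures, and clients that accumulate many 404 responses (directory enumeration). The log lines and the signature set are constructed for the example; the signatures are an assumed, deliberately small list, not a complete ruleset.

```python
"""Parse Apache combined-format access log lines and flag likely web attack attempts.

Added example for these notes, not code from the original page or from Apache.
SAMPLE_LOG is constructed test data; the signatures in ATTACK_PATTERNS are a
deliberately small, assumed set, not a complete web-attack ruleset.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request-path signatures checked after URL decoding (assumption: a minimal set).
ATTACK_PATTERNS = {
    "path_traversal": re.compile(r"\.\./|\.\.\\|/etc/passwd"),
    "sqli": re.compile(r"(?i)union\s+select|'\s*or\s+'?1'?\s*=\s*'?1|sleep\(\d+\)"),
    "xss": re.compile(r"(?i)<script|javascript:"),
}

# Constructed sample log: one normal client and one client probing the server.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /../../etc/passwd HTTP/1.1" 404 209 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "sqlmap/1.7"
203.0.113.7 - - [10/Oct/2023:13:56:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:56:04 +0000] "GET /admin HTTP/1.1" 404 209 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:56:05 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "curl/7.88"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    # Attackers URL-encode payloads; decode once before matching signatures.
    rec["decoded_path"] = unquote(rec["path"])
    return rec


def classify(rec):
    """Names of the attack signatures that match a parsed request's decoded path."""
    return [name for name, rx in ATTACK_PATTERNS.items() if rx.search(rec["decoded_path"])]


def analyse(log_text, not_found_threshold=3):
    """Parse every line; return signature hits and clients with many 404s (enumeration)."""
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    findings = []          # (client ip, signature name, decoded path)
    not_found = Counter()  # 404 responses per client ip
    for rec in records:
        for sig in classify(rec):
            findings.append((rec["ip"], sig, rec["decoded_path"]))
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
    scanners = {ip for ip, n in not_found.items() if n >= not_found_threshold}
    return {"records": len(records), "findings": findings, "scanners": scanners}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, sig, path in result["findings"]:
        print(f"[{sig}] {ip} {path}")
    print("possible scanners:", sorted(result["scanners"]))
```

Two points worth carrying over to a real rule: decode the path before matching (the encoded form hides the payload from naive string matches, and some attackers double-encode, so consider decoding until the string stops changing), and treat a 404 burst per client as its own signal even when no individual request matches a signature.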

Why SIEM

  1. Correlates the collected data to detect threats

  2. Raises alerts when a threat is detected

  3. Helps detect threats early

  4. Helps protect against threats in a timely manner

  5. A major component of a Security Operations Center

  6. Correlation between events from different log sources

  7. Provides visibility into host- and network-centric activities

  8. Allows analysts to investigate the latest threats and respond in a timely manner

  9. Hunt for threats that are not detected by the rules in place

  10. Ingests all security-related logs through agents, syslog, port forwarding, etc.

  11. Once the logs are ingested, the SIEM looks for unwanted behaviour or suspicious patterns within them using the conditions set in the rules written by analysts.

    1. If a condition is met, the rule triggers an alert, and the incident is investigated.

  12. SOC Analysts

    1. utilize SIEM solutions in order to have better visibility of what is happening within the network

    2. Monitoring and Investigating

    3. Identifying False positives

    4. Tuning Rules which are causing the noise or False positives

    5. Reporting

    6. Compliance

    7. Identifying blind spots in the network

    8. Covering blind spots in the network

Logs and Alerts

  1. Dashboard

    1. One of the most important components of any SIEM

    2. Some of the information that can be found in a dashboard:

      1. Alert Highlights

      2. System Notification

      3. Health Alert

      4. List of Failed Login Attempts

      5. Events Ingested Count

      6. Rules triggered

      7. Top Domains Visited

    3. Correlation Rules

      1. Logical expressions that trigger an alert when their condition is met, allowing threats to be detected in a timely manner. Examples:

        1. Multiple Failed Login Attempts

          1. If a user has 5 failed login attempts within 10 seconds

        2. Successful Login After Multiple Failed Login Attempts

          1. If a login succeeds after multiple failed login attempts

        3. A rule set to alert every time a user plugs in a USB device

        4. If outbound traffic is > 25 MB

    4. Create correlation rule

      1. Adversaries tend to clear event logs during the post-exploitation phase to cover their tracks.

      2. Event ID 104 is logged in the System log every time a user clears an event log; clearing the Security log specifically is recorded as Event ID 1102 in the Security log, so a rule should watch for both.

      3. To create a rule based on this activity, we can set the condition as follows:

        1. Rule: If the Log source is WinEventLog AND EventID is 104 (or 1102) - Trigger an alert Event Log Cleared

      4. Adversaries use commands like whoami after the exploitation/privilege escalation phase.

        1. Log source: Identify the log source capturing the event logs

        2. Event ID: which Event ID is associated with process execution activity? Event ID 4688 (A new process has been created) will be helpful. It is only logged when process-creation auditing is enabled, and the command line is only captured if "Include command line in process creation events" is turned on.

        3. NewProcessName: which process name will be helpful to include in the rule? The field holds the full path, e.g. C:\Windows\System32\whoami.exe, so match on "contains whoami" rather than on equality.

          1. Rule: If Log Source is WinEventLog AND EventCode is 4688 AND NewProcessName contains whoami, then Trigger an ALERT WHOAMI command Execution DETECTED

  2. Alert investigation

    1. Alert is a false positive.

      1. Tune the rule to avoid similar false positives from occurring again.

    2. Alert is a true positive.

      1. Perform further investigation.

    3. Contact the asset owner to inquire about the activity.

      1. If the suspicious activity is confirmed:

        1. Isolate the infected host.

        2. Block the suspicious IP.
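The four example correlation rules above (failed-login threshold, success after failures, event log cleared, whoami execution) implemented as an added Python example, not code from the original notes or from any SIEM product. The field names follow a simplified Splunk-style WinEventLog layout (source, EventCode, user, host, NewProcessName) and the event records are constructed; both are assumptions, and the sliding-window semantics are a design choice, not any vendor's default.

```python
"""Toy correlation engine for the example rules in these notes.

Added example, not code from the original page or from any SIEM product.
Events are constructed sample records in a simplified, Splunk-style field
layout (source, EventCode, user, host, NewProcessName); the field names and
the sliding-window semantics are assumptions, not a vendor's rule syntax.
"""
from collections import defaultdict, deque

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
PROCESS_CREATED = 4688
LOG_CLEARED = {104, 1102}  # 104: an event log was cleared (System log); 1102: Security log cleared


def correlate(events, fail_threshold=5, window=10):
    """Apply the four rules to time-ordered events; return a list of (rule, key, time) alerts."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of failed logons inside the window

    for ev in sorted(events, key=lambda e: e["time"]):
        t, code, src = ev["time"], ev["EventCode"], ev["source"]

        if src == "WinEventLog" and code == FAILED_LOGON:
            q = recent_failures[ev["user"]]
            q.append(t)
            while t - q[0] > window:          # drop failures older than the window
                q.popleft()
            if len(q) == fail_threshold:      # fire once, when the threshold is first reached
                alerts.append(("Multiple Failed Login Attempts", ev["user"], t))

        elif src == "WinEventLog" and code == SUCCESS_LOGON:
            q = recent_failures.get(ev["user"])
            if q:
                while q and t - q[0] > window:
                    q.popleft()
                if len(q) >= fail_threshold:
                    alerts.append(("Successful Login After Multiple Failed Attempts", ev["user"], t))
                q.clear()                     # a success ends the current burst

        elif src == "WinEventLog" and code in LOG_CLEARED:
            alerts.append(("Event Log Cleared", ev["host"], t))

        elif src == "WinEventLog" and code == PROCESS_CREATED:
            # NewProcessName holds the full path, so use case-insensitive substring matching.
            if "whoami" in ev.get("NewProcessName", "").lower():
                alerts.append(("WHOAMI Command Execution Detected", f"{ev['host']}\\{ev['user']}", t))

    return alerts


def _win(time, code, user, host, **extra):
    """Build one constructed WinEventLog-style record (sample data, not a real log)."""
    return {"time": time, "source": "WinEventLog", "EventCode": code, "user": user, "host": host, **extra}


SAMPLE_EVENTS = [
    # five failed logons for jdoe within 10 s, then a success
    *(_win(100 + i, FAILED_LOGON, "jdoe", "WKSTN-01") for i in range(5)),
    _win(106, SUCCESS_LOGON, "jdoe", "WKSTN-01"),
    # two failures 30 s apart for another user, then a success: below threshold, no alert
    _win(200, FAILED_LOGON, "asmith", "WKSTN-02"),
    _win(230, FAILED_LOGON, "asmith", "WKSTN-02"),
    _win(231, SUCCESS_LOGON, "asmith", "WKSTN-02"),
    # post-exploitation recon and log clearing on the first host
    _win(300, PROCESS_CREATED, "jdoe", "WKSTN-01", NewProcessName=r"C:\Windows\System32\whoami.exe"),
    _win(400, 1102, "jdoe", "WKSTN-01"),
    # the same numeric code from a non-Windows source must not match a WinEventLog rule
    {"time": 401, "source": "syslog", "EventCode": 104, "user": "-", "host": "web01"},
]


def run_demo():
    """Run the engine over the constructed events and return the alerts."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, key, t in run_demo():
        print(f"t={t:>4} {rule}: {key}")
```

The threshold rule fires exactly once per burst rather than on every failure past the fifth, and the success rule consumes the burst so one brute-force attempt does not raise two "success after failures" alerts. Real SIEMs express these rules in their own query language and evaluate them over streaming data, but the questions are the same: which field identifies the source, which field carries the event code, what the window is, and what the alert is keyed on (user, host, or both).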

Lab Work

  1. Click on Start Suspicious Activity, which process caused the alert?

  2. Find the event that caused the alert, which user was responsible for the process execution?

    1. chris.fort

  3. What is the hostname of the suspect user?

    1. HR_02

  4. Examine the rule and the suspicious process; which term matched the rule that caused the alert?

    1. miner

  5. What is the best option that represents the event?

    1. true-positive

  6. Selecting the right ACTION will display the FLAG. What is the FLAG?

    1. THM{000_SIEM_INTRO}
