Introduction to SIEM
SIEM is a tool that centralizes data from various endpoints/devices in a network and performs correlation on the data.
The purpose of SIEM is to understand and manage security information and events.
1. Network Visibility through SIEM
SIEM is a crucial system that provides better visibility of network activities by centralizing log data from various sources, such as Linux/Windows endpoints and network devices, into one place. It divides the log sources into two parts: host-centric and network-centric. The host-centric logs capture events within or related to the host, while the network-centric logs capture events when the hosts communicate with each other or access the internet. SIEM is important because it provides real-time log ingestion, alerts against abnormal activities, 24/7 monitoring and visibility, protection against threats through early detection, data insights and visualization, and the ability to investigate past incidents.
2. Log Sources and Log Ingestion
Every device in a network generates logs for different activities performed on it. Windows machines store events in the Event Viewer utility, which can be viewed and forwarded to the SIEM solution. Linux workstations store logs in various locations such as /var/log/httpd, /var/log/cron, and /var/log/auth.log, which are also sent to the SIEM solution. Web servers store Apache logs in /var/log/apache or /var/log/httpd. To ingest these logs into the SIEM solution, common methods include using an agent or forwarder, syslog protocol, manual upload, and port-forwarding.
· Why SIEM
SIEM is a critical component of a Security Operations Center (SOC) and helps to detect and protect against the latest cyber threats in real time. It provides visibility into network activity by collecting logs from various sources and analyzing them for potential threats. SIEM is capable of correlation between events, network- and host-centric activity monitoring, investigation of the latest threats, and hunting for threats not detected by rules. SOC analysts use SIEM to monitor and investigate network activity, identify false positives, tune rules, report on and comply with regulations, and identify and cover blind spots in network visibility.
· Analysing Logs and Alerts
A SIEM tool collects security-related logs and examines them for suspicious behavior or patterns by matching them against the conditions set in the correlation rules. If the conditions are met, the rule is triggered and the resulting incident is investigated.
The SIEM data is presented in the form of actionable insights through dashboards, which summarize the analysis. Typical dashboard panels include:
- Alert Highlights
- System Notification
- Health Alert
- List of Failed Login Attempts
- Events Ingested Count
- Rules triggered
- Top Domains Visited
Correlation rules, which are logical expressions, play a crucial role in the timely detection of threats. Alert investigation involves examining the events/flows associated with a triggered alert, determining if it’s a true or false positive, and taking appropriate action.
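As an added example that is not part of these notes or of the TryHackMe room, the Python script below walks the whole pipeline described above: it ingests constructed auth.log and Apache access-log lines (the host-centric and network-centric sources from section 2), normalises them into one event stream, runs a single correlation rule (three or more failed SSH logins from one source IP within 60 seconds, the kind of logical expression the paragraph above refers to), and then computes the dashboard panels listed earlier. The log lines, IP addresses, rule name and thresholds are all invented for illustration, and the year is assumed because syslog timestamps omit it.

```python
"""Toy SIEM pipeline: ingest host- and network-centric logs, normalise them,
run a correlation rule, and summarise the result as dashboard panels."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample data (not real captures). Syslog lines carry no year,
# so the parser assumes one; the IPs are from documentation ranges.
ASSUMED_YEAR = 2024

AUTH_LOG = """\
Mar  3 10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar  3 10:00:12 web01 sshd[1202]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar  3 10:00:25 web01 sshd[1203]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar  3 10:01:40 web01 sshd[1204]: Accepted password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:05:00 web01 sshd[1205]: Failed password for root from 198.51.100.9 port 40010 ssh2
"""

APACHE_LOG = """\
198.51.100.7 - - [03/Mar/2024:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [03/Mar/2024:10:02:05 +0000] "GET /wp-login.php HTTP/1.1" 404 210
"""

AUTH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)

def parse_auth_line(line):
    """Host-centric event: an sshd login attempt from /var/log/auth.log."""
    m = AUTH_RE.match(line)
    if not m:
        return None  # unrecognised line; a real pipeline would count and keep it
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "source": "host", "host": m["host"], "user": m["user"],
            "src_ip": m["ip"],
            "action": "failed_login" if m["result"] == "Failed" else "login"}

def parse_apache_line(line):
    """Network-centric event: one HTTP request from the Apache access log."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    # Drop the offset so both log types compare as naive UTC timestamps.
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return {"ts": ts, "source": "network", "src_ip": m["ip"], "path": m["path"],
            "status": int(m["status"]), "action": "http_request"}

def ingest(auth_log=AUTH_LOG, apache_log=APACHE_LOG):
    """Normalise both log sources into one time-ordered event list."""
    parsed = [parse_auth_line(l) for l in auth_log.splitlines()]
    parsed += [parse_apache_line(l) for l in apache_log.splitlines()]
    return sorted((e for e in parsed if e), key=lambda e: e["ts"])

def rule_ssh_bruteforce(events, threshold=3, window_s=60):
    """Correlation rule (hypothetical): `threshold` or more failed logins from
    one source IP within `window_s` seconds, evaluated over a sliding window.
    Fires at most once per source IP so the analyst sees one alert, not many."""
    alerts, recent, fired = [], defaultdict(deque), set()
    for ev in events:
        if ev["action"] != "failed_login":
            continue
        q = recent[ev["src_ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures older than the window
        if len(q) >= threshold and ev["src_ip"] not in fired:
            fired.add(ev["src_ip"])
            alerts.append({"rule": "ssh_bruteforce", "src_ip": ev["src_ip"],
                           "count": len(q), "first": q[0], "last": ev["ts"]})
    return alerts

def build_dashboard(events, alerts):
    """Dashboard panels in the spirit of the list in the notes."""
    return {
        "events_ingested": len(events),
        "by_source": Counter(e["source"] for e in events),
        "failed_logins": [(e["ts"].strftime("%H:%M:%S"), e["user"], e["src_ip"])
                          for e in events if e["action"] == "failed_login"],
        "rules_triggered": len(alerts),
        "alert_highlights": [f"{a['rule']}: {a['count']} failures from {a['src_ip']}"
                             for a in alerts],
        "top_paths": Counter(e["path"] for e in events
                             if e["source"] == "network").most_common(3),
    }

if __name__ == "__main__":
    evs = ingest()
    for panel, value in build_dashboard(evs, rule_ssh_bruteforce(evs)).items():
        print(f"{panel}: {value}")
```

Running it prints seven ingested events (five host-centric, two network-centric), one triggered rule for 203.0.113.5, and the failed-login list an analyst would use to decide whether the alert is a true positive (three failures in 24 seconds against two accounts) or noise (the single failure from 198.51.100.9 never reaches the threshold). Firing once per source and expiring old failures are the two details that keep a rule like this from flooding the queue with duplicate alerts.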
#AlgonquinCollege
#TryHackMe