Intro to SIEM
1. System Overview
A SIEM (Security Information and Event Management) is the central nervous system of the SOC. Without a SIEM, an analyst has to manually check the logs of every single device (Firewall, Server, Laptop). With a SIEM, all those logs are sent to one place, translated into one language, and checked automatically for threats.
- Host-Centric Logs: Events from within a single device (e.g., User Login, File Access).
- Network-Centric Logs: Events about traffic between devices (e.g., VPN connections, Firewall Allows/Denies).
2. The Data Pipeline (Architecture)
The SIEM works in stages. Understanding this pipeline is key to debugging why an alert didn't fire.
- Ingestion (Collection):
- Getting logs off the device and into the SIEM.
- Methods: Agents (Forwarders), Syslog (for network gear), or Manual Uploads.
- Key Location (Linux):
/var/log/httpd(Apache Web Logs).
- Normalization:
- Every device speaks a different language. A Windows log says "Event ID 4624" (Login). A Linux log says "Accepted password for...".
- Normalization translates both to a standard field:
Action: User_Login.
- Correlation (The Brain):
- The SIEM links events together.
- Example: "VPN Login from Russia" + "File Download" = Suspicious.
- Visualization:
- Dashboards showing trends (e.g., "Top 10 Failed Logins").
3. Correlation Rules (The Logic)
A SIEM doesn't "know" what a hack looks like. You have to teach it using Rules.
- The Logic:
IF [Condition A] AND [Condition B] THEN [Trigger Alert]. - Common Rule Types:
- Brute Force: IF
Action=Login_Failedhappens> 5 timesin1 minute-> Alert. - Log Deletion (Covering Tracks): IF
EventID=104(Log Cleared) -> Alert (Critical). - Process Execution: IF
ProcessNamecontainswhoamiORminer-> Alert.
- Brute Force: IF
4. Lab Analysis: Crypto-Mining Incident
In the lab scenario, you investigated a slow computer.
- The Trigger: An alert fired for "Suspicious Process."
- The Evidence:
- Process Name:
cudominer.exe(Mining software). - Rule Match: The SIEM rule looked for the string
miner. - User:
Chris. - Hostname:
HR_02.
- Process Name:
- Verdict: True Positive. The user (or malware) was running unauthorized mining software.
5. Operational Reality vs. Theory
- Format Issues: In the real world, logs break constantly. If an update changes a log format, the SIEM stops understanding it (Normalization failure).
- Tuning: The hardest part of the job.
- Example: You create a rule for "Log Deletion."
- Reality: The IT Admin has a script that clears logs every Sunday for maintenance.
- Fix: You must Tune the rule to say "IF Log Deletion AND User is NOT 'IT_Admin_Account'".
- Blind Spots: If you don't install an agent on a server, the SIEM is blind to it.
