A Beginner’s Guide to SIEM: How It Works, Why It’s Important, and Key Concepts
Introduction — What is SIEM?
SIEM (Security Information and Event Management) is like a security control room for your network.
It:
Collects logs from different devices
Stores them in one place
Analyses them to detect suspicious activity
In short: SIEM helps security teams see everything happening in the network in real time ⏳ and respond quickly to threats ⚡.
Why Network Visibility Matters
A network might have:
Windows & Linux computers
Data servers
A company website
A router connecting everything
Each device generates logs when something happens: logins, file transfers, web visits.
By seeing all logs in one place, you can spot threats faster.
Types of Log Sources
Host-Centric Logs
Logs from inside a device:
Windows Event Logs
Sysmon ⚙️
Osquery
Examples:
File access
Login attempts
⚡ Program execution
Registry changes
PowerShell commands
Network-Centric Logs
Logs from communication between devices or with the internet:
SSH
FTP
HTTP/HTTPS
VPN
Network file sharing
Log Sources and Log Ingestion
Windows Machines
Windows uses Event Viewer to record events.
Each type of activity has a unique Event ID.
Example: 104 → Event logs removed.
Linux Systems
Linux stores logs in:
/var/log/httpd → Web requests & errors
/var/log/cron → ⏲️ Scheduled tasks
/var/log/auth.log → Authentication logs
/var/log/kern → ⚙️ Kernel events
Web Servers
Apache logs, stored in /var/log/apache or /var/log/httpd, record requests and responses, which is useful for detecting attacks.
How SIEM Ingests Logs
Agent / Forwarder – Installed on devices to send logs to the SIEM.
Syslog – Protocol for sending logs in real time.
Manual Upload – Import offline logs for analysis.
Port-Forwarding – The SIEM listens on a port for incoming logs.
π‘️ Why SIEM is Important
π Correlates events from multiple sources.
π¨ Sends alerts on suspicious activity.
π₯️ Gives complete visibility of the network.
⏱️ Helps respond quickly to incidents.
⚙️ Key SIEM Capabilities
π Event Correlation – Linking related events.
π Visibility – Host + Network monitoring.
π΅️ Threat Investigation – Digging deeper into alerts.
πΉ Threat Hunting – Finding hidden threats.
π¨π» SOC Analysts & SIEM
SOC Analysts use SIEM for:
π Monitoring & investigating alerts
π« Finding false positives
π️ Tuning noisy rules
π Reporting & compliance checks
π¦ Identifying visibility gaps
Analysing Logs and Alerts
How Alerts are Triggered
Logs ingested
Rules applied
Condition met ✅ → Alert raised
Dashboards in SIEM
Dashboards give a quick overview:
Alert highlights
System notifications
Health alerts
❌ Failed logins
Event counts
Rules triggered
Top visited domains
Correlation Rules Examples
❌ Multiple Failed Logins → More than 5 in 10 seconds
Login After Failures → Possible brute-force
USB Insertion → Alert if restricted
Large Data Transfer → Above company limits
Event Examples:
104 → Event logs cleared
4688 + whoami → WHOAMI command detected
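The first two correlation rules above (more than 5 failed logins in 10 seconds, and a successful login right after failures), implemented over a few constructed sshd lines in the format of /var/log/auth.log. This is an added example, not part of the original guide; the sample log lines, the 10-second window and the 5-failure threshold are assumptions that match the rules as stated.

```python
import re
from collections import defaultdict, deque

# Constructed sample in the style of /var/log/auth.log sshd entries (not real data).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  3 10:00:02 web01 sshd[1202]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:03 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 10:00:04 web01 sshd[1204]: Failed password for admin from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:05 web01 sshd[1205]: Failed password for admin from 203.0.113.7 port 51005 ssh2
Mar  3 10:00:06 web01 sshd[1206]: Failed password for admin from 203.0.113.7 port 51006 ssh2
Mar  3 10:00:08 web01 sshd[1207]: Accepted password for admin from 203.0.113.7 port 51007 ssh2
Mar  3 10:05:00 web01 sshd[1301]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar  3 10:30:00 web01 sshd[1302]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+) port"
)

def parse(line):
    """Return (seconds since midnight, outcome, user, source IP), or None for
    lines that are not sshd auth events. Assumes all lines are from one day."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, outcome, user, ip = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), outcome, user, ip

def correlate(log_text, threshold=5, window=10):
    """Per source IP: alert on more than `threshold` failures within `window`
    seconds, and on a successful login while failures are still in the window."""
    failures = defaultdict(deque)  # ip -> timestamps of failures still in window
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, outcome, user, ip = ev
        q = failures[ip]
        while q and ts - q[0] > window:  # slide the window: drop old failures
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
            if len(q) == threshold + 1:  # fire once, as the threshold is crossed
                alerts.append(("multiple_failed_logins", ip, user, ts))
        elif q:  # "Accepted" from an IP with recent failures: possible brute-force
            alerts.append(("login_after_failures", ip, user, ts))
    return alerts
```

correlate(SAMPLE_AUTH_LOG) raises two alerts for 203.0.113.7 and none for alice, whose single failure is 25 minutes before her successful login and so falls outside the window.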
Alert Investigation Steps
Review events & conditions
Decide if False Positive or True Positive ✅
If False Positive:
- Tune rules to reduce noise
If True Positive:
- Investigate further
- Contact asset owner
- Isolate device
- Block malicious IP
Quick Facts
Event ID for logs removed → 104
Alerts that may need tuning → False Positives