Security information and event management (SIEM) tools register logs/events in real time for analysis.

It is all about logs: every activity on a networking device is logged, such as who logged in to the device, who configured it, and who sent a request. In a log we find the source IP, the destination IP, the log time and some related information.

For example, if an attacker tries to enter our network, that activity should be logged. Based on predefined rules, the firewall checks that IP; if the IP is not in the ACL (access control list), it blocks that IP. But if the attacker comes back with a new IP, the firewall allows it. This comes under ZERO-DAY EXPLOITS. So if we monitor logs 24/7, we can analyse them live and take specific action to improve security.

There are many SIEM tools on the market. First we will look at Splunk.
SPLUNK
Splunk has two features:
1. Data analytics
2. SIEM operation
● Data analytics means logging every activity; the logged data is then used to analyse security.
● SIEM operation works the same way.
Firewalls, antivirus, proxies, IPS and IDS all log data and store it. This logged data is not standardised: the logging format is unique to each device and vendor, so only a person familiar with that particular device can understand its logs. That wastes time, because while the logs are being analysed the attacker can carry out the attack and leave the network. So analysing historical logs is of little use; we need to analyse logs live. Splunk helps with this.
Purpose
● Index data
● Search & investigate
● Add knowledge base
● Monitor & alert
● Report & analyse
Search functionality
● Enter the search term in the search bar and select the time span for the results. If you are searching for failed login attempts, simply search ‘failed’; it will show the failed events within the selected time span.
● The JOB, print and share options give others access to the data: set permissions and share links.
● SMART MODE is the default search mode; you can change it to fast or verbose mode.
● The GREEN BARS select a particular time frame for the results; drag the green lines to the required time.
● All EVENTS are listed in the events tab.
● The PATTERNS tab generates patterns, that is, it groups events into attack patterns for easier understanding.
● TABLE VIEW shows these results in tabular form. Try it once.
Exploring events
Searching language
Using fields
● SELECTED FIELDS are the most important fields for your search; they are shown by default.
● INTERESTING FIELDS are fields that appear in at least 20% of the events.
● ‘A’ denotes a string value.
● ‘#’ denotes a numeric value.
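The three ideas these notes describe, normalising non-standard vendor log formats into common fields, searching ‘failed’ within a time span and then viewing the hits as a table, and typing fields as ‘A’/‘#’ with the 20% rule for interesting fields, as an added Python example that is not part of these notes or of Splunk itself. The two log formats, the host names and the field names src/dst/msg/bytes are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in two vendor formats (not real device output).
RAW_LOGS = [
    '2024-03-01T10:00:01 fw01 action=deny src=203.0.113.7 dst=192.0.2.10 msg="ssh login failed" user=alice',
    '2024-03-01T10:00:09 fw01 action=deny src=203.0.113.7 dst=192.0.2.10 msg="ssh login failed"',
    '2024-03-01T10:00:15 fw01 action=allow src=198.51.100.4 dst=192.0.2.20 msg="http get"',
    '03/01/2024 10:02:30|vpn01|198.51.100.9|192.0.2.30|failed|bytes=0',
    '03/01/2024 10:03:00|vpn01|198.51.100.9|192.0.2.30|success|bytes=4096',
    '03/01/2024 13:00:00|vpn01|203.0.113.7|192.0.2.30|failed|bytes=0',
]

def parse_kv(line):
    """Vendor A: ISO timestamp, host, then key=value pairs (values may be quoted)."""
    time, host, rest = line.split(" ", 2)
    event = {"time": datetime.fromisoformat(time), "host": host}
    for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest):
        event[k] = v.strip('"')
    return event

def parse_pipe(line):
    """Vendor B: US date, pipe-separated positional fields, trailing key=value."""
    parts = line.split("|")
    if len(parts) != 6:
        return None
    t, host, src, dst, result, extra = parts
    k, v = extra.split("=", 1)
    return {"time": datetime.strptime(t, "%m/%d/%Y %H:%M:%S"), "host": host,
            "src": src, "dst": dst, "msg": result, k: v}

def normalise(lines):
    """Index step: try each vendor parser so every event shares time/src/dst/msg names."""
    return [e for e in (parse_pipe(x) or parse_kv(x) for x in lines) if e]

def search(events, term, earliest, latest):
    """Keyword search over all field values within a time span (ISO strings, like the green bars)."""
    lo, hi = datetime.fromisoformat(earliest), datetime.fromisoformat(latest)
    return [e for e in events if lo <= e["time"] <= hi
            and any(term in str(v).lower() for v in e.values())]

def count_by(results, field):
    return Counter(e.get(field) for e in results)  # table view: hits per value of one field

def interesting_fields(events, threshold=0.2):
    """Fields present in >= threshold of events, typed 'A' (string) or '#' (numeric)."""
    counts = Counter(k for e in events for k in e)
    return {f: "#" if all(str(e[f]).isdigit() for e in events if f in e) else "A"
            for f, n in counts.items() if n / len(events) >= threshold}
```

Searching ‘failed’ between 10:00 and 11:00 returns three hits, two from one source IP; the `user` field appears in only one of six events (under 20%) and so is not listed as interesting, while `bytes` is typed ‘#’ because every value is numeric.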