SIEM tools

Security information and event management (SIEM) tools collect logs and events as they are
generated, so that they can be analysed live.

It is all about logs. Network devices record a log entry for every activity, such as who logged
into the device, who changed its configuration, or who sent a request.

A log entry contains the source IP, destination IP, timestamp and related information.

For example, if an attacker tries to get into our network, that activity should be logged.
Based on predefined rules, the firewall checks that IP; if the IP is not in the ACL (access
control list), it blocks it. But if the attacker comes from a new IP, the firewall lets it
through. This comes under ZERO-DAY EXPLOITS. So if we monitor logs 24/7, we can analyse
them live and take specific action to strengthen security.

There are many SIEM tools on the market. First we will look at SPLUNK.

SPLUNK
Splunk has two features:
1. Data analytics
2. SIEM Operation

● Data analytics means logging every activity; the logged data is then used to analyse
security.
● SIEM operation is the same idea.

Firewalls, antivirus, proxies, IPS and IDS all log data and store it. This logged data is not
standardised: the logging format differs by device and vendor, so only someone familiar with
that particular device can read its logs. That wastes time, because while the logs are being
analysed the attacker can carry out the attack and leave the network. So analysing historical
logs alone is of little use; we need to analyse logs live, and Splunk helps with this.

What Splunk does:

● It integrates all the logs.
● Then it parses those logs (parsing means putting the logs in an ordered/table
format).
● Then it normalises the logs (meaning it converts all logs into one standard,
understandable format).

The common field set in Splunk is the CIM (Common Information Model).

Roles
● Administrator: can install apps, ingest data and create knowledge objects for all users
● Power role: can create and share knowledge objects with all users and run
real-time searches
● User role: can only see their own knowledge objects

Purpose
● Index data
● Search & investigate
● Add knowledge base
● Monitor & alert
● Report & analyse

Search functionality

● Enter the search term in the search bar and select the time span for the results. If
you are searching for failed login attempts, simply search for ‘failed’; it shows the
failed-login events in the selected time span.
● The JOB, print and share options are for giving others access to the data: set
permissions and share links.
● SMART MODE is the default search mode; you can change it to fast or verbose
mode.
● The GREEN BARS are for selecting a particular time frame for the results; just drag
the green lines to the required range.
● All EVENTS are listed in the events tab.
● The PATTERNS tab generates patterns, meaning it builds attack patterns for
simpler understanding.
● TABLE VIEW shows the results in tabular form. Try it once.

Exploring events

● Your search term is highlighted in the results.

● You can select other keywords in the results and add them as search keywords. This
filters the search results effectively.
● The selected fields HOST, SOURCE and SOURCETYPE are the default fields for the default
search.
● The most recent events are listed first: the TIME column is in reverse chronological
order, and it depends on the time zone.

Searching language

● Search terms are not case-sensitive.

● You can use WILDCARDS in search terms. For example, if you want results that start
with FAIL, simply search FAIL*; it returns all events containing terms beginning with
FAIL, such as FAILURE and FAILED.
● Use quotes for an exact phrase: “failed password”.
● Use BOOLEAN operators to refine the search. Failed NOT password searches only for
failed (excluding password); Failed OR password searches for either.
● Terms placed in brackets () are evaluated first.

● We can filter search results further with a PIPE.

● In the above query, we are searching the NETWORK for Cisco's WSA (web security
appliance) and COUNTing the VISITS that violated USAGE policy.
● Values given to commands are case-sensitive; in this case, usage.
● The more you tell the search engine, the better the results.
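The search rules listed above (case-insensitive terms, FAIL* wildcards, quoted phrases, NOT and OR, brackets, and the implicit AND between terms) modelled as an added Python example written for these notes; it is illustrative code, not Splunk's own search implementation. It assumes a simplified matching model (a bare term matches a whole word, a quoted phrase matches as a substring), applies the operator precedence Splunk documents (brackets, then NOT, then OR, then the implicit AND), and runs over a handful of constructed log lines.

```python
import re

# Constructed sample events (not from a real system), oldest first; search() lists newest first.
EVENTS = [
    "sshd[123]: Failed password for root from 203.0.113.5 port 4242",
    "sshd[124]: Accepted password for alice from 198.51.100.7 port 5151",
    "fw: FAILURE policy=deny src=203.0.113.5 dst=10.0.0.2",
    "app: login failed for user=bob, account locked",
]

# Tokens: a quoted phrase, a bracket, or a bare term (which never contains ( ) or quotes).
_TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()"]+')
def _matcher(tok):
    """Case-insensitive predicate for one token: a quoted phrase matches as a substring,
    a bare term matches a whole word, and '*' in a term matches any run of word characters."""
    if tok.startswith('"'):
        return re.compile(re.escape(tok.strip('"')), re.I).search
    pat = r"\b" + re.escape(tok).replace(r"\*", r"\w*") + r"\b"
    return re.compile(pat, re.I).search

def parse(query):
    """Recursive-descent parser using the precedence Splunk documents: brackets first,
    then NOT, then OR, then the implicit AND between adjacent terms (operators uppercase)."""
    toks, pos = _TOKEN.findall(query), [0]
    peek = lambda: toks[pos[0]] if pos[0] < len(toks) else None
    def take(): pos[0] += 1; return toks[pos[0] - 1]
    def atom():
        t = take()
        if t == "(":
            node = and_expr(); take(); return node           # take() consumes the ')'
        if t == "NOT":
            return (lambda f: lambda e: not f(e))(atom())
        return _matcher(t)
    def or_expr():
        left = atom()
        while peek() == "OR":
            take()
            left = (lambda l, r: lambda e: l(e) or r(e))(left, atom())
        return left
    def and_expr():
        left = or_expr()
        while peek() not in (None, ")"):
            left = (lambda l, r: lambda e: l(e) and r(e))(left, or_expr())
        return left
    return and_expr()

def search(query, events=EVENTS):
    pred = parse(query)
    return [e for e in reversed(events) if pred(e)]  # most recent first
```

Note that `password failed OR accepted` is read as `password AND (failed OR accepted)`, so brackets are needed when the AND should bind first.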

Using fields

● SELECTED FIELDS are the most important fields for your search; they are shown by
default.
● INTERESTING FIELDS are fields that appear in at least 20% of the events.
● ‘A’ denotes a string value.
● ‘#’ denotes a numeric value.

● You can view the details of any INTERESTING FIELD by clicking on it.

● From there you can generate a quick REPORT or add that field to the search.
● You can add an interesting field to SELECTED FIELDS by clicking ‘YES’.
● View ALL FIELDS and rearrange the fields as your search requires.
● Here, field values are case-sensitive but field names are not.
