In the following days, I’ll write a few blog posts explaining how to easily learn to use a Security Information and Event Management, or SIEM.
Note: In this post I use Logz.io for my examples, but I recently switched to Humio. For more details: https://www.tristandostaler.com/why-i-switched-from-logz-io-to-humio/
But what is a SIEM? As Varonis puts it:
Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across your entire IT infrastructure.
SIEM collects security data from network devices, servers, domain controllers, and more. SIEM stores, normalizes, aggregates, and applies analytics to that data to discover trends, detect threats, and enable organizations to investigate any alerts.Source: https://www.varonis.com/blog/what-is-siem/
To do this, I wrote the post SIEM 101 — Initial setup where I explain how to create an account on Logz.io; they offer a free account where you can send up to 1 GB / day of logs to try their platform. Time needed: around 2 minutes.
Still in the post SIEM 101 — Initial setup, I then explain how to send your logs there, whether you’re on Windows or on Linux. Time needed: around 5–10 minutes.
After that, I’ll explain the basic usage of Logz.io, how to search logs, how to create an alarm, etc. Time needed: around 30 minutes.
When all this is done, the scene will be in place to start writing blogs on detection cases, for example: receive an alert if Windows is brute forced, receive an alert if a failed logon happened on your WordPress server, etc.
I’ll eventually talk about the scripts I developed that uses Logz.io to automatically block bad IPs on my servers.
For the most advanced users, you’ll then be able to discover some useful tools the community provides, like the Sigma rules.
Follow me in my next post: SIEM 101 — Initial setup
Feel free to leave your comment down here for any questions or comments.