• SIEM (Security Information and Event Management system): a core security solution for a SOC analyst.

Task 2 - Logs Everywhere, Answers Everywhere:

  • Log sources: host-centric (events that occur on, or relate to, a single host) and network-centric (events generated when hosts communicate with each other or access the internet).

Task 3 - Why SIEM?

  • SIEM collects logs from various types of log sources, standardizes their format into a consistent one, correlates them, and detects malicious activities using detection rules.
  • Features of SIEM: centralized log collection, normalization and correlation of logs, real-time alerting, and dashboards and reporting.

Task 4 - Log sources and ingestion:

  • Log sources: the devices on the network that generate logs.
  • Windows Event Viewer: records every event and assigns a unique event ID to each type of log activity, which makes events easy for the analyst to examine and keep track of.
  • Linux machine: the Linux OS stores all related logs, such as events, errors, etc. These are then ingested into the SIEM for continuous monitoring.
  • Web server: it is important to monitor all requests and responses going in and out of the web server for any potential web attack attempt.
  • Log ingestion: Agent/Forwarder (a lightweight tool called an agent, or a forwarder in Splunk, installed on the endpoint to collect and send logs), Syslog (a protocol for collecting data from various systems and sending it in real time to a centralized destination), Manual upload (lets users ingest offline data for quick analysis), and Port-forwarding (the SIEM listens on a certain port and the endpoints forward their data to the SIEM instance on that port).
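As an added example (written for these notes, not code from the room or from Splunk or any other vendor), the following Python sketch shows the normalization step a SIEM performs on ingested lines from the three source types listed above: a Windows logon event, a Linux sshd syslog line and a web-server access-log line are parsed into one common schema so they can later be correlated. The sample lines are constructed; the key=value rendering of the Windows event, the year assumed for syslog lines (which carry none) and the schema field names are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines, one per source type (not real captured data).
SAMPLE_LINES = [
    ("windows", "2024-01-10T12:00:00Z Computer=WS01 EventID=4625 TargetUserName=chris IpAddress=10.0.0.5"),
    ("linux", "Jan 10 12:00:01 srv01 sshd[1234]: Failed password for chris from 10.0.0.5 port 51522 ssh2"),
    ("web", '10.0.0.5 - - [10/Jan/2024:12:00:03 +0000] "GET /admin HTTP/1.1" 401 512'),
]

# Assumed year for syslog lines, which carry no year of their own.
SYSLOG_YEAR = 2024

LINUX_SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
WEB_COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def normalize(source_type, line):
    """Map one raw line to the common schema; return None if the line is not recognised."""
    if source_type == "windows":
        # Simplified key=value rendering of an event (assumed); Event Viewer stores XML.
        raw_ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        when = datetime.fromisoformat(raw_ts.replace("Z", "+00:00"))
        # 4624 / 4625 are the Windows logon success / failure event IDs.
        outcome = {"4624": "success", "4625": "failure"}.get(fields.get("EventID"), "unknown")
        return {
            "timestamp": when.isoformat(),
            "source_type": "windows",
            "host": fields.get("Computer"),
            "user": fields.get("TargetUserName"),
            "src_ip": fields.get("IpAddress"),
            "action": "logon",
            "outcome": outcome,
            "raw": line,
        }
    if source_type == "linux":
        m = LINUX_SSHD_RE.match(line)
        if not m:
            return None
        when = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR, tzinfo=timezone.utc)
        return {
            "timestamp": when.isoformat(),
            "source_type": "linux",
            "host": m["host"],
            "user": m["user"],
            "src_ip": m["ip"],
            "action": "logon",
            "outcome": "failure" if m["outcome"] == "Failed" else "success",
            "raw": line,
        }
    if source_type == "web":
        m = WEB_COMBINED_RE.match(line)
        if not m:
            return None
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        status = int(m["status"])
        return {
            "timestamp": when.isoformat(),
            "source_type": "web",
            "host": None,
            "user": None if m["user"] == "-" else m["user"],
            "src_ip": m["ip"],
            "action": f"{m['method']} {m['path']}",
            "outcome": "failure" if status in (401, 403) else "success" if status < 400 else "error",
            "raw": line,
        }
    return None


def normalize_all(lines):
    """Normalize every (source_type, line) pair, drop unrecognised lines, sort by time."""
    rows = [r for r in (normalize(t, l) for t, l in lines) if r is not None]
    return sorted(rows, key=lambda r: r["timestamp"])


if __name__ == "__main__":
    for row in normalize_all(SAMPLE_LINES):
        print(row["timestamp"], row["source_type"], row["user"], row["src_ip"], row["outcome"])
```

Once every source lands in the same fields (timestamp, user, src_ip, outcome), a correlation rule can treat the Windows failure, the sshd failure and the 401 on the web server as one sequence from the same address instead of three unrelated formats.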

Task 5 - Alerting Process and Analysis:

  • Detection rules: rules configured in the SIEM to detect threats through a logical series of events, for example multiple failed login attempts within 5 minutes.
  • Alert investigation: once an alert is triggered, the events/flows associated with the alert are examined, and the rule is checked to see which of its conditions were met. Based on the investigation, the analyst determines whether it is a true or a false positive.
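An added example, written for these notes rather than taken from the room, of the rule described above run over constructed, already-normalized logon events: it alerts when five failures from the same user and source address fall within a sliding five-minute window, and it records which conditions the alert matched together with the matching events, which is exactly what the analyst reviews during investigation. The event field names, the threshold and the window are assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def ts(minute, second=0):
    """Helper for constructing timestamps on one sample day (2024-01-10 12:MM:SS UTC)."""
    return datetime(2024, 1, 10, 12, minute, second, tzinfo=timezone.utc)


# Constructed, already-normalized events, as a SIEM would hold them after parsing.
SAMPLE_EVENTS = [
    {"timestamp": ts(0, 5),  "user": "chris", "src_ip": "10.0.0.5", "action": "logon", "outcome": "failure"},
    {"timestamp": ts(0, 40), "user": "chris", "src_ip": "10.0.0.5", "action": "logon", "outcome": "failure"},
    {"timestamp": ts(1, 10), "user": "chris", "src_ip": "10.0.0.5", "action": "logon", "outcome": "failure"},
    {"timestamp": ts(2, 0),  "user": "chris", "src_ip": "10.0.0.5", "action": "logon", "outcome": "failure"},
    {"timestamp": ts(3, 30), "user": "chris", "src_ip": "10.0.0.5", "action": "logon", "outcome": "failure"},
    {"timestamp": ts(4, 0),  "user": "chris", "src_ip": "10.0.0.5", "action": "logon", "outcome": "success"},
    # Three failures spread over twelve minutes: never five inside one window, so no alert.
    {"timestamp": ts(0, 0),  "user": "alice", "src_ip": "10.0.0.9", "action": "logon", "outcome": "failure"},
    {"timestamp": ts(6, 0),  "user": "alice", "src_ip": "10.0.0.9", "action": "logon", "outcome": "failure"},
    {"timestamp": ts(12, 0), "user": "alice", "src_ip": "10.0.0.9", "action": "logon", "outcome": "failure"},
]


def detect_failed_logins(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window rule: alert when `threshold` logon failures from the same
    (user, src_ip) pair fall within `window`. Returns a list of alert records."""
    alerts = []
    recent = defaultdict(deque)  # (user, src_ip) -> failures still inside the window
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["action"] != "logon" or ev["outcome"] != "failure":
            continue  # the rule only counts failed logons
        key = (ev["user"], ev["src_ip"])
        q = recent[key]
        q.append(ev)
        # Drop failures that are older than the window relative to the newest one.
        while q and ev["timestamp"] - q[0]["timestamp"] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "rule": "Multiple failed logins",
                "user": ev["user"],
                "src_ip": ev["src_ip"],
                "count": len(q),
                "first_seen": q[0]["timestamp"],
                "last_seen": ev["timestamp"],
                # Which conditions of the rule were satisfied: what the analyst checks first.
                "conditions_met": {
                    "same_user_and_source": True,
                    "failures_in_window": len(q),
                    "threshold": threshold,
                    "window_minutes": window.total_seconds() / 60,
                },
                "events": list(q),  # the events/flows associated with the alert
            })
            q.clear()  # start counting afresh so one burst yields one alert
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logins(SAMPLE_EVENTS):
        print(f"{alert['rule']}: {alert['user']} from {alert['src_ip']} "
              f"({alert['count']} failures, {alert['first_seen'].time()} - {alert['last_seen'].time()})")
        print("  conditions:", alert["conditions_met"])
```

The `events` list attached to each alert is the part that makes the true/false-positive decision possible: an analyst can see that the five failures are followed by a successful logon from the same address, whereas a rule that only emitted a count would leave that context in the raw logs.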

Task 6 - Lab Work:

  • This lab uses a simulated site for this activity.
  • Click "Start activity"; it shows a dashboard with the option to "Start suspicious activity." When clicked, it shows the answer to this question.
  • Click on "find event," then click on "cudominer.exe." It shows the following dashboard.
  • Click on "find the event" and then analyze all the fields of data. Identify that user "Chris" has the process name "C:\Users\Chris\temp\cudominer.exe."
  • Select the "chris" row and click "proceed."
  • Click on "go to analysis/action" after understanding the enforced rule.
  • Select "true positive" as the activity is suspicious.
  • The activity has been successfully completed.

Task 7 - Conclusion:

  • This room gave me insights into the working of a SIEM, its essential processes, as well as its key role in log analysis.
  • It also gave me more insights into the role of a SOC analyst in monitoring security threats and investigating warnings with the help of the SIEM.