SIEM and Event Correlation

  • Correlating events might yield unexpected conclusions

  • What is a SIEM?

    • Security information and event management

    • Set of tools for:

      • Log and alert storage

      • Log analysis, learning, baselining, pattern-matching and deviations

      • Log correlation

      • High level overview of security posture

      • Examples: Splunk, ArcSight, ELK Stack, IBM QRadar, AlienVault, Graylog

  • SIEM alerts

    • The SIEM is just another box that generates alerts…

    • It can still produce false positives and false negatives

  • Alerts should fire for suspicious events or sets of conditions, also known as a “use case”, which defines:

    • The data source

    • The query string

    • Action triggered by the event

  • SIEM Use Case Matching

    • When a matching event is found, a SIEM should capture:

      • When the event started

      • Who was involved

      • What happened

      • Where the event happened

      • Where the event originated

  • SIEM Sources

    • A SIEM can collect data from:

      • Agents on hosts/servers

      • Built-in listeners or collectors (standard syslog, SNMP traps, NetFlow variants)

      • Sensors for network traffic

  • Normalization

    • Consistency – all events have to look the same

    • Issue: hundreds of vendors, appliances, standards and formats:

      • Text vs binary logs, CSV vs TSV

      • JSON vs XML

      • Character encoding mismatch

      • Windows vs Linux newlines

      • SNMP MIBs from various vendors

    • Vendor plugins are used for format normalization

    • Timestamp normalization
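
Worked example of the normalization step (added here, not part of the original notes or of any SIEM vendor's plugin code): three constructed records in different formats, a BSD-style syslog text line, a JSON agent event and a Latin-1 encoded CSV row with Windows CRLF line ends, are decoded and mapped onto one common schema with UTC timestamps. The collector settings that re-attach a year and timezone to the syslog line (`SYSLOG_YEAR`, `SYSLOG_TZ`), the schema in `COMMON_FIELDS` and the sample values themselves are assumptions made for the example.

```python
import csv
import io
import json
import re
from datetime import datetime, timezone, timedelta

# Constructed sample records in three "vendor" formats (not from any real device).
# 1) BSD-style syslog text: no year, no timezone, local time of the sending host.
SYSLOG_LINE = (b"Mar  3 14:05:22 fw01 sshd[2211]: Failed password for invalid user "
               b"admin from 198.51.100.7 port 51022 ssh2")
# 2) JSON event from an endpoint agent: epoch milliseconds, UTF-8.
JSON_LINE = (b'{"ts": 1709474722000, "hostname": "web02", "user": "jdoe", '
             b'"src": "203.0.113.9", "event": "logon", "result": "success"}')
# 3) CSV export: ISO-8601 timestamp with offset, Windows CRLF, Latin-1 encoded user name.
CSV_LINE = "2024-03-03T14:05:23+01:00,app03,gonz\xe1lez,192.0.2.44,logon,failure\r\n".encode("latin-1")

# The common schema every event is mapped to, always in this key order (assumed schema).
COMMON_FIELDS = ("ts", "host", "user", "src_ip", "action", "outcome")

# Assumed collector settings: syslog senders are in UTC+1 and the collection year is 2024.
SYSLOG_TZ = timezone(timedelta(hours=1))
SYSLOG_YEAR = 2024

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def decode_line(raw: bytes) -> str:
    """Encoding mismatch: try UTF-8 first, fall back to Latin-1; strip CR/LF of either flavour."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")
    return text.rstrip("\r\n")


def to_utc_iso(dt: datetime) -> str:
    """Timestamp normalization: every event ends up as ISO-8601 in UTC with a Z suffix."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_syslog(text: str) -> dict:
    m = SYSLOG_RE.match(text)
    if not m:
        raise ValueError("not a syslog line: %r" % text)
    # Re-attach the missing year and the sender's timezone before converting to UTC.
    stamp = "%d %s %02d %s" % (SYSLOG_YEAR, m["mon"], int(m["day"]), m["time"])
    dt = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=SYSLOG_TZ)
    user, src_ip, action, outcome = None, None, m["prog"], "unknown"
    f = SSH_FAIL_RE.search(m["msg"])
    if f:
        user, src_ip, action, outcome = f["user"], f["ip"], "logon", "failure"
    return {"ts": to_utc_iso(dt), "host": m["host"], "user": user,
            "src_ip": src_ip, "action": action, "outcome": outcome}


def parse_json(text: str) -> dict:
    d = json.loads(text)
    dt = datetime.fromtimestamp(d["ts"] / 1000, tz=timezone.utc)
    return {"ts": to_utc_iso(dt), "host": d["hostname"], "user": d["user"],
            "src_ip": d["src"], "action": d["event"], "outcome": d["result"]}


def parse_csv(text: str) -> dict:
    row = next(csv.reader(io.StringIO(text)))
    dt = datetime.fromisoformat(row[0])  # offset-aware, e.g. +01:00
    return {"ts": to_utc_iso(dt), "host": row[1], "user": row[2],
            "src_ip": row[3], "action": row[4], "outcome": row[5]}


def normalize(raw: bytes) -> dict:
    """Detect the format (a real SIEM uses the per-source vendor plugin) and map to COMMON_FIELDS."""
    text = decode_line(raw)
    if text.startswith("{"):
        event = parse_json(text)
    elif text[:4].isdigit() and "," in text:
        event = parse_csv(text)
    else:
        event = parse_syslog(text)
    return {k: event.get(k) for k in COMMON_FIELDS}


if __name__ == "__main__":
    for raw in (SYSLOG_LINE, JSON_LINE, CSV_LINE):
        print(normalize(raw))
```

Note that the syslog and CSV records both say 14:05 on the sender but land at 13:05 UTC, while the JSON event at 14:05 UTC really is an hour later; without timestamp normalization, correlation across these three sources would order them wrongly.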

  • Analysis and Detection

    • Rule-matching

      • If-then-else static approach

      • Fast

      • Useless for unknown threats

    • Heuristic rule matching

      • A more “permissive” if-then-else

      • Heuristics > fuzzy matching > machine learning

      • Approach based on constantly refining rules

    • Behavioral analysis

      • Build a baseline that defines what normal looks like

      • Statistical model, requires human intervention for fine tuning

    • Anomaly analysis

      • Compare against a well-known expected outcome and flag deviations

      • Example: RFC deviations

    • Trend analysis

      • Look at historical patterns

      • Based on predictions, which must be trustworthy

  • SIEM Rules

    • Start from a predefined set of rules

    • Customization is required to match each environment

    • Rule: Statement that matches conditions by:

      • Numerical values

      • String comparison

      • Set membership

      • Conditions combined with AND/OR

    • Sometimes similar to database (SQL) queries
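
Worked example of a rule and the correlation behind a use case (added here, not code from the notes or from any SIEM product). It runs over constructed, already-normalized events and combines the condition types listed above: string comparisons on action and outcome, set membership against an allowlist, a numeric threshold on the failure count, and AND/OR/NOT to tie them together. When the use case matches, the alert records the five facts the "SIEM Use Case Matching" section says should be captured (when it started, who, what, where it happened, where it originated). The threshold, window, allowlist and all sample events are assumed values for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed, already-normalized events in UTC (not real telemetry).
def _ev(ts, host, user, src_ip, outcome, action="logon"):
    return {"ts": ts, "host": host, "user": user, "src_ip": src_ip,
            "action": action, "outcome": outcome}


EVENTS = [
    _ev("2024-03-03T13:00:01Z", "web02", "jdoe", "203.0.113.9", "success"),
    # three stale failures, outside the 10-minute window of what follows
    *[_ev("2024-03-03T12:40:%02dZ" % (i * 5), "web02", "admin", "198.51.100.7", "failure") for i in range(3)],
    # six failures in under a minute, then a success: the pattern the use case targets
    *[_ev("2024-03-03T13:05:%02dZ" % (20 + i * 5), "web02", "admin", "198.51.100.7", "failure") for i in range(6)],
    _ev("2024-03-03T13:07:10Z", "web02", "admin", "198.51.100.7", "success"),
    # an authorised scanner that also fails repeatedly: suppressed by set membership
    *[_ev("2024-03-03T13:10:%02dZ" % (i * 5), "app03", "scanner", "10.0.0.5", "failure") for i in range(6)],
    _ev("2024-03-03T13:11:00Z", "app03", "scanner", "10.0.0.5", "success"),
    # two failures, below the numeric threshold: no alert
    _ev("2024-03-03T13:20:00Z", "app03", "gonz\u00e1lez", "192.0.2.44", "failure"),
    _ev("2024-03-03T13:20:30Z", "app03", "gonz\u00e1lez", "192.0.2.44", "success"),
    # a non-logon event the rule ignores
    _ev("2024-03-03T13:25:00Z", "web02", "root", None, "success", action="cron"),
]

# Use case parameters (assumed values; customize per environment, as the notes say).
ALLOWLIST = {"10.0.0.5"}          # set membership: known vulnerability scanner
THRESHOLD = 5                     # numeric comparison
WINDOW = timedelta(minutes=10)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Atomic conditions built from string comparisons ...
def is_failed_logon(e):
    return e["action"] == "logon" and e["outcome"] == "failure"


def is_successful_logon(e):
    return e["action"] == "logon" and e["outcome"] == "success"


def from_trusted_scanner(e):
    return e["src_ip"] in ALLOWLIST


# ... combined with AND / OR / NOT into the rule's filter.
def in_scope(e):
    return (is_failed_logon(e) or is_successful_logon(e)) and not from_trusted_scanner(e)


def correlate(events):
    """Use case: >= THRESHOLD failed logons from one source within WINDOW, then a success.

    Returns one alert per matched source, carrying the five facts a SIEM should capture."""
    alerts = []
    recent = defaultdict(list)          # src_ip -> failures still inside the window
    for e in sorted(events, key=lambda x: parse_ts(x["ts"])):  # logs may arrive out of order
        if not in_scope(e):
            continue
        now, src = parse_ts(e["ts"]), e["src_ip"]
        # Drop failures older than the window (numeric comparison on the time delta).
        recent[src] = [f for f in recent[src] if now - parse_ts(f["ts"]) <= WINDOW]
        if is_failed_logon(e):
            recent[src].append(e)
        elif len(recent[src]) >= THRESHOLD:
            alerts.append({
                "when_started": recent[src][0]["ts"],            # when the event started
                "who": e["user"],                                 # who was involved
                "what": "%d failed logons followed by success" % len(recent[src]),
                "where": e["host"],                               # where it happened
                "origin": src,                                    # where it originated
                "ended": e["ts"],
            })
            recent[src].clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only the 198.51.100.7 sequence alerts: the scanner is filtered by the allowlist, the two failures from 192.0.2.44 stay under the threshold, and the stale 12:40 failures are aged out of the window before they can inflate the count. Each of those parameters is where the false-positive/false-negative trade-off lives, which is why the notes say predefined rules need customizing per environment.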

    • String searching – filtering text information in logs

    • Regular expressions

      • grep supports regex

      • cut helps filter out fields

      • sort orders the output

      • Piping chains commands:

        • grep | cut | sort

      • head – first 10 lines (by default)

      • tail – last 10 lines (by default)

      • gawk – for extracting information

    • wmic on Windows

    • PowerShell: Get-EventLog
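
Worked example for the string-searching tools above (added here, not part of the notes), written in Python rather than the shell so the whole chain runs as one script: small equivalents of grep, cut, sort | uniq -c, head, tail and a gawk-style field extractor are chained over a constructed auth-log excerpt to produce the classic "top failed-logon sources" table. The log lines, the regexes and the function names are all constructed for the example.

```python
import re
from collections import Counter
from typing import Iterable, Iterator

# Constructed auth-log excerpt in Linux syslog format (not from a real host).
AUTH_LOG = """\
Mar  3 14:05:22 fw01 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 14:05:27 fw01 sshd[2213]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Mar  3 14:05:31 fw01 sshd[2215]: Accepted publickey for jdoe from 203.0.113.9 port 40022 ssh2
Mar  3 14:05:40 fw01 sshd[2218]: Failed password for root from 192.0.2.44 port 60012 ssh2
Mar  3 14:05:44 fw01 sshd[2220]: Failed password for invalid user admin from 198.51.100.7 port 51044 ssh2
Mar  3 14:06:02 fw01 CRON[2230]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def grep(lines: Iterable[str], pattern: str) -> Iterator[str]:
    """grep -E PATTERN: keep the lines the regex matches anywhere."""
    rx = re.compile(pattern)
    return (ln for ln in lines if rx.search(ln))


def cut(lines: Iterable[str], delimiter: str = " ", field: int = 1) -> Iterator[str]:
    """cut -d DELIM -f N (1-based). Like the command, it splits on every single
    delimiter, so the double space in 'Mar  3' yields an empty field and shifts
    later fields by one compared with a line that starts 'Mar 13'."""
    for ln in lines:
        parts = ln.split(delimiter)
        if len(parts) >= field:
            yield parts[field - 1]


def extract(lines: Iterable[str], pattern: str, group: int = 1) -> Iterator[str]:
    """gawk-style extraction: pull one capture group out of each matching line.
    Robust where fixed cut positions are not ('for root' vs 'for invalid user
    admin' changes the word position of the source IP)."""
    rx = re.compile(pattern)
    for ln in lines:
        m = rx.search(ln)
        if m:
            yield m.group(group)


def sort_uniq_count(values: Iterable[str]) -> list:
    """sort | uniq -c | sort -rn: (count, value) pairs, most frequent first, ties alphabetical."""
    return [(c, v) for v, c in sorted(Counter(values).items(), key=lambda kv: (-kv[1], kv[0]))]


def head(items: Iterable, n: int = 10) -> list:
    """head -n N (default 10)."""
    return list(items)[:n]


def tail(items: Iterable, n: int = 10) -> list:
    """tail -n N (default 10)."""
    return list(items)[-n:]


def top_failed_sources(log_text: str, n: int = 10) -> list:
    """Equivalent of:
       grep 'Failed password' auth.log | gawk '{...}' | sort | uniq -c | sort -rn | head -n N
    Each stage consumes the previous stage's output, exactly as a pipe would."""
    lines = log_text.splitlines()
    failed = grep(lines, r"Failed password")
    sources = extract(failed, r" from (\d{1,3}(?:\.\d{1,3}){3}) port ")
    return head(sort_uniq_count(sources), n)


if __name__ == "__main__":
    for count, ip in top_failed_sources(AUTH_LOG):
        print("%6d %s" % (count, ip))
```

The `cut` caveat is the one that bites in practice: a fixed field number works only while every line has the same shape, and syslog does not guarantee that (single-digit days are padded with a second space, and sshd words its messages differently for unknown users). gawk splits on runs of whitespace by default, so `$4` is the host on both day formats, and a regex extraction is safer still when the value's position moves.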
