# SIEM and Event Correlation

* Correlating events might yield unexpected conclusions
* What is a SIEM?
  * Security information and event management
  * Set of tools for:
    * Log and alert storage
    * Log analysis, learning, baselining, pattern-matching and deviations
    * Log correlation
    * High level overview of security posture
    * Examples: Splunk, ArcSight, ELK Stack, IBM QRadar, AlienVault, Graylog
* SIEM alerts
  * The SIEM is just another box that generates alerts…
  * False positives, false negatives?
* Alerts should be fired for suspicious events or sets of conditions, also known as a “use case”:
  * The data source
  * The query string
  * Action triggered by the event
* SIEM Use Case Matching
  * When a matching event is found, a SIEM should capture:
    * When the event started
    * Who was involved
    * What happened
    * Where the event happened
    * Where the event originated
* SIEM Sources
  * A SIEM can collect data from:
    * Agents on hosts/servers
    * Built-in listeners or collectors (standard syslog, SNMP traps, NetFlow variants)
    * Sensors for network traffic
* Normalization
  * Consistency – all events have to look the same
  * Issue: hundreds of vendors, appliances, standards and formats:
    * Logs in txt vs binary or CSV vs TSV
    * JSON vs XML
    * Character encoding mismatch
    * Windows vs Linux newlines
    * SNMP MIBs from various vendors
  * Vendor plugins are used for format normalization
  * Timestamp normalization
* Analysis and Detection
  * Rule-matching
    * If-then-else static approach
    * Fast
    * Useless for unknown threats
  * Heuristic rule matching
    * A more “permissive” if-then-else
    * Heuristics > fuzzy matching > machine learning
    * Approach based on constantly refining rules
  * Behavioral analysis
    * Build a baseline; define what normal looks like
    * Statistical model, requires human intervention for fine tuning
  * Anomaly analysis
    * Compare against a well-known expected outcome and flag deviations
    * Example: RFC deviations
  * Trend analysis
    * Look at historical patterns
    * Based on predictions, which must be trustworthy to be useful
* SIEM Rules
  * Start from a predefined set of rules
  * Customization is required to match each environment
  * Rule: Statement that matches conditions by:
    * Numerical values
    * String comparison
    * Set membership
    * Unified AND/OR operations
  * Sometimes similar to database (SQL) queries
  * String searching – filtering text information in logs
  * Regular expressions
    * grep supports regex
    * cut can help filter (select fields)
    * sort orders the output
    * Piping chains commands:
      * `grep | cut | sort`
    * head – first 10 lines (by default)
    * tail – last 10 lines (by default)
    * gawk – for extracting fields
  * wmic on Windows
  * PowerShell: Get-EventLog
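As an added example (not part of these notes), a small Python script that normalizes two constructed log formats onto a common schema and applies a correlation rule built from the condition types listed above (numerical threshold, set membership, AND), emitting an alert with the when/who/what/where fields from the use-case section. The year 2024, UTC timestamps, the JSON field names and the sample lines are assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real logs): syslog-style text from a Linux host
# and JSON from a hypothetical appliance. Assumed: syslog year 2024, all times UTC.
SYSLOG_LINES = [
    "Jan 10 08:00:01 web01 sshd[2201]: Failed password for root from 203.0.113.5 port 51022 ssh2",
    "Jan 10 08:00:04 web01 sshd[2201]: Failed password for root from 203.0.113.5 port 51023 ssh2",
    "Jan 10 08:00:09 web01 sshd[2201]: Failed password for root from 203.0.113.5 port 51024 ssh2",
    "Jan 10 08:00:15 web01 sshd[2201]: Accepted password for root from 203.0.113.5 port 51025 ssh2",
    "Jan 10 08:02:00 web01 sshd[2202]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
]
JSON_LINES = ['{"ts":"2024-01-10T08:00:12Z","host":"vpn01","user":"root","src":"203.0.113.5","result":"fail"}']
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def normalize(line):
    """Map one raw line (syslog text or JSON) onto a common schema with a UTC timestamp."""
    if line.startswith("{"):
        d = json.loads(line)
        when = datetime.fromisoformat(d["ts"].replace("Z", "+00:00"))
        return {"when": when, "host": d["host"], "user": d["user"], "src": d["src"], "outcome": d["result"]}
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparsed lines are dropped here; a real SIEM would count them
    when = datetime.strptime("2024 " + m.group(1), "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"when": when, "host": m.group(2), "user": m.group(4), "src": m.group(5),
            "outcome": "fail" if m.group(3) == "Failed" else "success"}

PRIVILEGED = {"root", "admin"}   # set-membership condition
THRESHOLD, WINDOW_SEC = 3, 60     # numerical conditions

def correlate(lines):
    """Use case: >= THRESHOLD failures for a privileged user from one source within WINDOW_SEC,
    AND then a success from that source. Returns one when/who/what/where alert per match."""
    events = sorted(filter(None, (normalize(l) for l in lines)), key=lambda e: e["when"])
    failures = defaultdict(list)  # (src, user) -> failure timestamps, correlated across hosts
    alerts = []
    for e in events:
        key = (e["src"], e["user"])
        if e["outcome"] == "fail":
            failures[key].append(e["when"])
        elif e["user"] in PRIVILEGED:
            recent = [t for t in failures[key] if (e["when"] - t).total_seconds() <= WINDOW_SEC]
            if len(recent) >= THRESHOLD:
                alerts.append({"when": recent[0].isoformat(), "who": e["user"], "where": e["host"],
                               "origin": e["src"], "what": f"{len(recent)} failed logins then success"})
    return alerts
```

Running `correlate(SYSLOG_LINES + JSON_LINES)` yields one alert for root from 203.0.113.5, counting the failure seen on vpn01 together with those on web01; alice's single failure without a later success matches nothing.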
