
Top 3 SIEM Tools & Working of SIEM Tools.

By siddhant on June 17, 2019

This article is about SIEM (Security Information and Event Management) tools: what they are, how they work, why they are useful, and how they are used in industry.

A SIEM collects logs from across the network, analyses them in near real time, and raises an alert when the logs show something malicious. It acts as an early-warning layer for the network: it detects threats before they cause downtime, shows where traffic is coming from, and lets you block traffic from a specific source to protect the network. Because the logs arrive from many different devices in many different formats, the SIEM first converts them into a single structured format. Three processing steps are central to this:


Normalization

Parsing each raw log line into common fields and assigning it to a category, so that events from different products can be compared. For example:

ACTION = FAIL + NORMALIZATION = AUTHENTICATION

i.e. a failed-login event from any source is mapped to the Authentication category with action "fail", which gives a single record of all failed logins regardless of where they came from.

Aggregation

Collapsing many identical or near-identical events into one record with a count (and a first-seen / last-seen time). This cuts storage and makes the data easier to read.

Correlation

A set of conditions across one or more normalized events that signifies suspicious activity; when the conditions are met, the SIEM raises an alert.


1) Splunk



Splunk is one of the most widely deployed and flexible SIEM platforms. What sets it apart is that almost everything in it can be customized: we can write a correlation rule for every alert we need.
For example, we can write a correlation rule for failed login attempts: if a user has ten failed logins, an alert is raised on the administrator's console.

The latest Splunk version at the time of writing (June 2019) is 7.3.0.

Every event has three default "selected fields":

  • host (the machine the event came from)
  • source (the file or input it was read from)
  • sourcetype (the log format)

For example, `host=Set-ad` (where Set-ad is the host name of the domain controller) returns that host's Active Directory logs.

In Splunk, `*` is a wildcard: if you do not know the exact value of a field, put `*` in its place and the search matches every possible value. The search bar also suggests commands and field names as you type.

Commonly used search commands: table, dedup, rename, top, rare (of these, table, top and rare are transforming commands, which turn the event list into a result table).

Windows Security event IDs that come up constantly in authentication monitoring:

  • 4624: an account was successfully logged on
  • 4625: an account failed to log on
  • 4634: an account was logged off
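To make the normalization, aggregation and correlation steps above concrete, together with the "ten failed logins" rule and the 4624/4625/4634 event IDs, here is a small added example in Python. It is not code from the article, from Splunk or from any other SIEM vendor; the two log formats (Windows Security events written as key=value lines and Linux sshd syslog lines), the field names, the sample log lines and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not vendor code. Two constructed log formats stand in for the
# "different locations, different formats" a SIEM ingests.
WIN_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventCode=(?P<code>\d+) "
    r"TargetUserName=(?P<user>\S+)(?: IpAddress=(?P<ip>\S+))?$"
)
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?P<user>\S+) from (?P<ip>\S+)"
)
# Windows Security event IDs -> normalized authentication action
WIN_ACTIONS = {"4624": "success", "4625": "fail", "4634": "logoff"}

# Constructed sample data: 10 failed logons for alice from 10.0.0.5 within 45 s,
# two sshd failures for root from 203.0.113.7, a few benign events, one junk line.
RAW_LOGS = [
    f"2019-06-17T10:00:{s:02d} host=DC01 EventCode=4625 TargetUserName=alice IpAddress=10.0.0.5"
    for s in range(0, 50, 5)
] + [
    "2019-06-17T10:01:00 host=DC01 EventCode=4624 TargetUserName=alice IpAddress=10.0.0.5",
    "2019-06-17T10:30:00 host=DC01 EventCode=4634 TargetUserName=alice",
    "2019-06-17T10:02:10 web01 sshd[812]: Failed password for root from 203.0.113.7 port 5050 ssh2",
    "2019-06-17T10:02:12 web01 sshd[813]: Failed password for root from 203.0.113.7 port 5051 ssh2",
    "2019-06-17T10:03:00 web01 sshd[820]: Accepted password for bob from 10.0.0.9 port 5100 ssh2",
    "2019-06-17T10:04:00 printer03 lpd: job 42 queued",  # no parser for this -> dropped
]


def normalize(line):
    """Map one raw line onto a single schema; return None if no parser matches."""
    m = WIN_RE.match(line)
    if m:
        action = WIN_ACTIONS.get(m["code"])
        if action is None:
            return None  # a Windows event, but not an authentication one
        fmt = "windows"
    else:
        m = SSH_RE.match(line)
        if not m:
            return None
        action = "fail" if m["result"] == "Failed" else "success"
        fmt = "sshd"
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "user": m["user"],
        "src_ip": m["ip"],
        "category": "authentication",  # ACTION=FAIL + NORMALIZATION = AUTHENTICATION
        "action": action,
        "format": fmt,
    }


def normalize_all(lines):
    """Return (normalized events, number of lines no parser understood)."""
    events, dropped = [], 0
    for line in lines:
        e = normalize(line)
        if e is None:
            dropped += 1
        else:
            events.append(e)
    return events, dropped


def aggregate(events):
    """Collapse repeated events into one record with a count and a time span."""
    agg = {}
    for e in events:
        key = (e["action"], e["user"], e["src_ip"])
        rec = agg.setdefault(key, {"count": 0, "first": e["ts"], "last": e["ts"]})
        rec["count"] += 1
        rec["first"] = min(rec["first"], e["ts"])
        rec["last"] = max(rec["last"], e["ts"])
    return agg


def correlate(events, threshold=10, window_seconds=300):
    """Rule: >= threshold failed logins from one source IP inside a sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["action"] == "fail" and e["src_ip"]:
            by_ip[e["src_ip"]].append(e["ts"])
    alerts = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                alerts.append({"rule": "brute_force", "src_ip": ip,
                               "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break  # one alert per source per run
    return alerts


if __name__ == "__main__":
    evts, dropped = normalize_all(RAW_LOGS)
    print(f"{len(evts)} events normalized, {dropped} dropped")
    for key, rec in aggregate(evts).items():
        print(key, rec["count"])
    for a in correlate(evts):
        print("ALERT", a)
```

Run as-is, it normalizes 15 events, drops the one line no parser understands, aggregates the ten identical failures into a single record with count 10, and the correlation rule fires once for 10.0.0.5 (the two sshd failures from 203.0.113.7 stay below the threshold). The sliding window matters: the same ten failures spread over a day are not a brute-force attempt, so the rule only counts failures that fall within window_seconds of each other. In Splunk the equivalent rule is usually written as a scheduled search of the form `EventCode=4625 | stats count by src_ip, user | where count >= 10` over a time range (field names depend on the add-on that parsed the events).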

Typical log sources monitored in a SIEM include:
  • DHCP logs (which IP address was leased to which host)
  • McAfee ePO logs (endpoint antivirus detections and policy events)
  • Proxy logs (outbound web traffic)
  • Active Directory logs (authentication and account changes)

2) QRadar


QRadar is IBM's SIEM. All logs are collected and normalized centrally through its log management component. It offers a suite of analytics, log management, data collection and intrusion detection that safeguards the network from malicious activity and keeps it up and running.


3) McAfee



McAfee Enterprise Security Manager (ESM) is the easiest of the three to learn because of its straightforward GUI, and it is strong in analytics. Correlation rules can be built with little effort, and the network can be monitored from the same interface.


What is Security Information Management?

Security Information Management (SIM) is the collection, storage and analysis of logs over the long term: essentially log management, used for searching, reporting and compliance. It is comparatively easy to deploy.

What is Security Event Management?

Security Event Management (SEM) is the real-time analysis of events in a network: correlation, alerting and incident handling as events arrive. It is more complex to deploy because it has to work in real time. A SIEM combines both.


After Malware Detection

Step 1: Information gathering. Record the host, user, file name, file path, malware name, malware type and the action the antivirus took (cleaned or deleted).

Step 2: If the malware was detected, find its source: e-mail (check the mail for an attachment), external storage, or the web (downloaded files).

Step 3: If the malware was not detected by the antivirus, study the changes on the host or in the network to find out what it did.

Working of SIEM

Put together, the pipeline is: collect logs from every source, parse and normalize them into one schema, aggregate repeated events, run correlation rules over the result, and notify the analyst when a rule fires.

SIEM Capabilities

  • Threat detection
  • Notifications and alerts for threats
  • Log collection
  • Parsing and normalization of logs
  • Protecting the network from malicious activity
