KARIM ASHRAF SPACE.
  • Who Am I ?
  • WRITEUPS
    • What about Practice in Cyber Security?
    • Dark Side of VSCode
    • What about Cy-nix Machine?
    • Cyberdefenders Labs
      • Web Investigation Blue Team Lab
      • Red Stealer Blue Team Lab
      • WebStrike Blue Team Lab
      • BlueSky Ransomware Blue Team Lab
      • PsExec Hunt Blue Team Lab
      • OpenWire Blue Team Lab
      • 3CX Supply Chain Blue Team Lab
      • PoisonedCredentials Lab
      • Reveal Lab
    • Lets Defend
      • Incident Responder Path
        • Cybersecurity Incident Handling Guide
          • Introduction to Incident Handling
          • Incident Handling Steps
          • Preparation
          • Detection and Analysis
          • Containment, Eradication, and Recovery
          • Post-Incident Activity
        • Incident Response on Windows
          • How to Create Incident Response Plan?
          • Incident Response Procedure
          • 3 Important Things
          • Free Tools That Can Be Used
          • Live Memory Analysis
          • Task Scheduler
          • Services
          • Registry Run Keys / Startup Folder
          • Files
          • Checklist
        • Incident Response on Linux
          • How to Create Incident Response Plan?
          • Incident Response Procedure
          • 3 Important Things
          • Users and Groups
          • Processes
          • Files and File System
          • Mounts
          • Network
          • Service
          • Cron Job
          • SSH Authorized Keys
          • Bash_rc & Bash_profile
          • Useful Log Files
        • Hacked Web Server Analysis
          • Introduction to Hacked Web Server Analysis
          • Log Analysis on Web Servers
          • Attacks on Web Servers
          • Attacks Against Web Applications
          • Vulnerabilities on Servers
          • Vulnerabilities in Programming Language
          • Discovering the Web Shell
          • Hacked Web Server Analysis Example
        • Log Analysis with Sysmon
          • Introduction and Set Up of Sysmon
          • Detecting Mimikatz with Sysmon
          • Detecting Pass The Hash with Sysmon
          • Detecting Privilege Escalation with Sysmon
        • Forensic Acquisition and Triage
          • Introduction to Forensics Acquisition and Triage
          • Acquiring Memory Image From Windows and Linux
          • Custom Image Using FTK and Mounting Image for Analysis
          • KAPE Targets for Acquisition
          • KAPE Modules for Triage and Analysis
          • Triage Using FireEye Redline
          • Acquisition and Triage of Disks Using Autopsy
        • Memory Forensics
          • What is Memory Forensics
          • Memory Analysis Procedures
        • Registry Forensics
          • Introduction to Windows Registry Forensics
          • Acquiring Registry Hives
          • Regedit and Registry Explorer
          • System, Users and Network Information
          • Shellbags
          • Shimcache
          • Amcache
          • Recent Files
          • Dialogue Boxes MRU
        • Event Log Analysis
          • Introduction to Event Logs
          • Event Log Analysis
          • Authentication Event Logs
          • Windows Scheduled Tasks Event Logs
          • Windows Services Event Logs
          • Account Management Events
          • Event Log Manipulation
          • Windows Firewall Event Logs
          • Windows Defender Event Logs
          • Powershell Command Execution Event logs
        • Browser Forensics
          • Introduction to Browser Forensics
          • Acquisition
          • Browser Artifacts
          • Tool: BrowsingHistoryView
          • Manual Browser Analysis
          • Hindsight Framework
        • GTFOBins
          • Introduction to GTFOBins
          • Shell
          • Command
          • Reverse Shell
          • Bind Shell
          • File Upload
          • File Download
          • Sudo
        • Hunting AD Attacks
          • Introduction to Active Directory
          • Hunting AS-REP Roasting Attack
          • Hunting for Kerberoasting Attacks
          • Hunting for LDAP Enumerations (Bloodhound_Sharphound)
          • Hunting for NTDS Database Dumping
          • Hunting for Golden Ticket Attacks
          • Hunting for NTLM Relay Attacks
        • Writing a Report on Security Incident
          • Introduction to Technical Writing
          • Reporting Standards
          • Reporting Style
          • Report Formatting
          • Report Templates
        • How to Prepare a Cyber Crisis Management Pla
          • Introduction to Crisis Management
          • General Preparation
          • Tools
          • Backups
          • Alerts and End of Crisis
        • Advanced Event Log Analysis
          • Process Creation
          • DNS Activity
          • File/Folder Monitoring
          • BITS Client Event Log
          • Network Connections Event Log
          • MSI Event Logs
        • USB Forensics
          • Introduction to USB Forensics
          • USB Registry Key
          • USB Event Logs
          • Folder Access Analysis via Shellbags
          • File Access Analysis via Jumplists
          • Automated USB Parsers Tools
        • Windows Disk Forensics
          • SRUM Database
          • Jumplists
          • Recycle Bin Artifacts
          • RDP Cache
          • Thumbnail Cache
    • BTLO LABS
      • Bruteforce BTLO
    • The Complete Active Directory Security Handbook
      • Introduction
      • Active Directory
      • Attack Technique 1: Pass the Hash: Use of Alternate Authentication Material (T1550)
      • Attack Technique 2: Pass the Ticket: Use of Alternate Authentication Material (T1550)
      • Attack Technique 3: Kerberoasting
      • Attack Technique 4: Golden Ticket Attack
      • Attack Technique 5: DCShadow Attack
      • Attack Technique 6: AS-REP Roasting
      • Attack Technique 7: LDAP Injection Attack
      • Attack Technique 8: PetitPotam NTLM Relay Attack on a Active Directory Certificate Services (AD CS)
      • Conclusion & References
    • Windows Privilege Escalation
      • Tools
      • Windows Version and Configuration
      • User Enumeration
      • Network Enumeration
      • Antivirus Enumeration
      • Default Writeable Folders
      • EoP - Looting for passwords
      • EoP - Incorrect permissions in services
      • EoP - Windows Subsystem for Linux (WSL)
      • EoP - Unquoted Service Paths
      • EoP - $PATH Interception
      • EoP - Named Pipes
      • EoP - Kernel Exploitation
      • EoP - AlwaysInstallElevated
      • EoP - Insecure GUI apps
      • EoP - Evaluating Vulnerable Drivers
      • EoP - Printers
      • EoP - Runas
      • EoP - Abusing Shadow Copies
      • EoP - From local administrator to NT SYSTEM
      • EoP - Living Off The Land Binaries and Scripts
      • EoP - Impersonation Privileges
      • EoP - Privileged File Write
      • References
      • Practical Labs
    • Advanced Log Analysis
      • Key Windows Event IDs for Cybersecurity Monitoring
      • Analyzing a Series of Failed Login Attempts from Multiple IP Addresses
      • Steps to Investigate Suspicious Outbound Network Traffic
      • Identifying and Responding to Lateral Movement within a Network
      • Distinguishing Between Legitimate and Malicious PowerShell Executions
      • Detecting and Analyzing a Potential Data Exfiltration Incident Using Log Data
      • Steps to Analyze PowerShell Logging (Event ID 4104) for Malicious Activity
      • How to Identify an Internal Pivot Attack Using Log Data
      • Indicators in Logs Suggesting a Privilege Escalation Attack
      • How to Detect Command and Control (C2) Communication Using Log Analysis
      • How to Analyze Logs to Detect a Brute-Force Attack on an RDP Service
      • How to Analyze Logs to Detect a Brute-Force Attack on an RDP Service
      • How to Detect the Use of Living-Off-the-Land Binaries (LOLBins) in Logs
      • How to Detect Malware Masquerading as a Legitimate Process Using Log Analysis
      • How to Detect and Analyze Lateral Movement Using Windows Event Logs
      • How to Detect Potential Ransomware Attacks in Their Early Stages Using Log Analysis
      • How to Detect and Analyze Privilege Escalation Using Windows Event Logs
      • How to Detect the Use of Mimikatz or Similar Tools in Log Data
      • How to Detect and Analyze DNS Tunneling Through Log Analysis
      • How to Detect a Pass-the-Hash (PtH) Attack Using Logs
      • How to Detect and Analyze an Attacker’s Use of a Remote Access Trojan (RAT) Using Log Data
      • How to Detect Lateral Movement Using Windows Event Logs
      • How to Detect and Investigate Data Exfiltration Using Logs
      • How to Identify and Analyze an Internal Phishing Campaign Using Email and System Logs
      • How to Detect and Analyze Ransomware Activity Using Logs
      • How to Detect Malicious PowerShell Activity Using Log Analysis
      • How to Detect and Respond to Brute-Force Attacks Using Log Data
      • How to Detect Privilege Escalation Attempts Using Windows Event Logs
      • How to Detect and Analyze Suspicious Domain Name Resolution Requests in DNS Logs
      • How to Detect and Respond to Unauthorized Access to Critical Files
      • How to Detect and Analyze Suspicious PowerShell Command Execution
      • How to Detect and Investigate Account Takeover (ATO) Attempts Using
      • How to Detect and Analyze the Use of Living Off the Land Binaries (LOLBins)
      • How to Detect and Investigate Lateral Movement
      • How to Detect and Investigate Data Exfiltration
      • How to Detect and Analyze Suspicious Activity Involving Service Accounts
      • How to Detect and Investigate Anomalous PowerShell Activity Related to Credential Dumping
      • How to Detect and Analyze the Execution of Unsigned or Malicious Executables
      • How to Detect and Investigate Abnormal Spikes in Network Traffic
    • Methods for Stealing Password in Browser
      • Important Tables and Columns
      • Important Queries
      • Profiles
      • Tools
        • HackBrowserData
        • Browser-password-stealer
        • BrowserPass
        • WebBrowserPassView
        • Infornito
        • Hindsight
        • BrowserFreak
        • BrowserStealer
    • Hack The Box Tracks
      • Soc Analyst Path 2024
        • 1. Incident Handling Process
          • Incident Handling Definition & Scope
          • Incident Handling's Value & Generic Notes
          • Cyber Kill Chain
          • Incident Handling Process Overview
          • Preparation Stage (Part 1)
          • Preparation Stage (Part 2)
          • DMARC
          • Endpoint Hardening (& EDR)
          • Network Protection
          • Privilege Identity Management / MFA / Passwords
          • Vulnerability Scanning
          • User Awareness Training
          • Active Directory Security Assessment
          • Purple Team Exercises
          • Detection & Analysis Stage (Part 1)
          • Initial Investigation
          • Incident Severity & Extent Questions
          • Incident Confidentiality & Communication
          • Detection & Analysis Stage (Part 2)
          • The Investigation
          • Initial Investigation Data
          • Creation & Usage Of IOCs
          • Identification Of New Leads & Impacted Systems
          • Data Collection & Analysis From The New Leads & Impacted Systems
          • Containment
          • Eradication
          • Recovery
          • Post-Incident Activity Stage
          • Reporting
        • 2. Security Monitoring & SIEM Fundamentals
          • What Is SIEM?
          • The Evolution Of SIEM And How It Works
          • SIEM Business Requirements & Use Cases Log Aggregation & Normalization
          • Data Flows Within A SIEM
          • What Are The Benefits Of Using A SIEM Solution
          • What Is the Elastic Stack?
          • The Elastic Stack As A SIEM Solution
          • How To Identify The Available Data
          • The Elastic Common Schema (ECS)
          • SOC Definition & Fundamentals
          • Evolution of Security Operations Centers (SOCs)
          • What Is MITRE ATT&CK?
          • What Is A SIEM Use Case?
          • How To Build SIEM Use Cases
          • SIEM Visualization Example 1: Failed Logon Attempts (All Users)
          • SIEM Visualization Example 2: Failed Logon Attempts (Disabled Users)
          • SIEM Visualization Example 3: Successful RDP Logon Related To Service Accounts
          • SIEM Visualization Example 4: Users Added or Removed from a Local Group
          • What Is Alert Triaging?
  • COURSES SUMMARY
    • TCM SEC
      • TCM linux Privilege Escalation
      • TCM OSINT
    • The SecOps Group
      • Certified AppSec Practitioner exam
      • CNSP Review
    • Cybrary
      • Cybrary Offensive Pentesting
  • TIPS&TRICKS
    • Windows Shorcuts Arrow Remover
    • Kali KEX
    • Intel TurboBoost
    • Pentest_Copilot
    • Ferdium
    • Youtube Adblock_Bybass
    • Burb-Bambdas
    • Burb Customizer
    • BetterFox
Powered by GitBook
On this page
  • Data Flows Within a SIEM
  • 1. Data Ingestion (Data Collection)
  • 2. Data Normalization and Aggregation
  • 3. Correlation and Analysis
  • 4. Detection Rules, Dashboards, and Alerts
  • 5. Incident Response
  • Summary of Data Flow in a SIEM
  • Why This Process Matters
  1. WRITEUPS
  2. Hack The Box Tracks
  3. Soc Analyst Path 2024
  4. 2. Security Monitoring & SIEM Fundamentals

Data Flows Within A SIEM

Data Flows Within a SIEM

Understanding how data moves through a SIEM system is essential for grasping its functionality and effectiveness in threat detection and response. Below is a step-by-step breakdown of the data flow within a SIEM:

1. Data Ingestion (Data Collection)

  • What Happens:

    • SIEM solutions ingest logs and events from various data sources across the IT infrastructure.

    • These sources include:

      • Network Devices: Firewalls, routers, switches, proxies.

      • Endpoints: PCs, laptops, servers, mobile devices.

      • Applications: Custom applications, ERP systems, CRMs.

      • Cloud Environments: AWS, Azure, Google Cloud.

      • Security Tools: IDS/IPS, antivirus software, EDR tools.

    • Each SIEM tool has unique capabilities for collecting logs, depending on its integrations and connectors.

  • Key Terms:

    • Data Ingestion: The process of collecting raw logs and events from diverse sources.

    • Connectors/APIs: SIEM tools use connectors or APIs to pull data from different sources.

  • Example:

    • A firewall generates logs for blocked traffic, which are sent to the SIEM via Syslog or an API.

2. Data Normalization and Aggregation

  • What Happens:

    • The raw data collected from various sources is often in different formats (e.g., JSON, XML, plain text).

    • The SIEM processes and normalizes this data into a common format that can be understood by the correlation engine.

    • Normalization ensures consistency and enables meaningful analysis.

    • Data is also aggregated to reduce redundancy and noise.

  • Key Terms:

    • Data Normalization: Converting raw logs into a standardized format (e.g., mapping fields like timestamps, IP addresses, and event types).

    • Data Aggregation: Combining similar events or logs to streamline analysis.

  • Example:

    • Logs from a Windows server and a Linux server are normalized into a unified format with fields like "timestamp," "source IP," "destination IP," and "event type."

3. Correlation and Analysis

  • What Happens:

    • The normalized and aggregated data is fed into the SIEM's correlation engine.

    • The correlation engine applies rules, algorithms, and machine learning to identify patterns, anomalies, and potential threats.

    • This process involves:

      • Cross-referencing events from multiple sources.

      • Detecting relationships between seemingly unrelated activities.

      • Identifying indicators of compromise (IOCs) or suspicious behavior.

  • Key Terms:

    • Correlation Rules: Predefined rules that connect events to detect threats (e.g., multiple failed login attempts followed by a successful login).

    • Machine Learning: Advanced analytics to detect anomalies based on historical data.

  • Example:

    • A correlation rule detects a brute-force attack by linking multiple failed login attempts from different IPs targeting the same server.

4. Detection Rules, Dashboards, and Alerts

  • What Happens:

    • SOC teams use the processed data to create:

      • Detection Rules: Custom rules to identify specific threats or behaviors.

      • Dashboards: Visual representations of security metrics and trends.

      • Alerts: Notifications triggered when specific conditions are met.

      • Incidents: Grouped alerts that indicate a potential security breach.

    • These tools enable SOC teams to:

      • Monitor the organization's security posture in real-time.

      • Identify potential risks and respond swiftly to incidents.

  • Key Terms:

    • Detection Rules: Logic-based rules that trigger alerts when certain conditions are detected.

    • Dashboards: Graphical interfaces that display key security metrics (e.g., number of alerts, top attack vectors).

    • Alerts: Notifications sent to SOC teams for investigation.

  • Example:

    • A dashboard shows a spike in failed login attempts across multiple servers, triggering an alert for potential credential stuffing.

5. Incident Response

  • What Happens:

    • When an alert is generated, SOC teams investigate the incident using the SIEM's forensic capabilities.

    • The SIEM provides detailed logs, timelines, and contextual information to aid in the investigation.

    • Based on the findings, SOC teams take appropriate actions, such as:

      • Isolating compromised systems.

      • Blocking malicious IPs.

      • Patching vulnerabilities.

  • Key Terms:

    • Forensics: Detailed analysis of logs and events to understand the scope and impact of an incident.

    • Incident Response: Actions taken to mitigate and resolve security incidents.

  • Example:

    • An alert indicates a malware infection on a workstation. The SOC team isolates the device, removes the malware, and investigates the root cause.

Summary of Data Flow in a SIEM

  1. Data Ingestion: Logs and events are collected from various sources.

  2. Data Normalization and Aggregation: Raw data is standardized and consolidated into a common format.

  3. Correlation and Analysis: Normalized data is analyzed to detect patterns, anomalies, and potential threats.

  4. Detection Rules, Dashboards, and Alerts: SOC teams use the processed data to create rules, visualizations, and alerts for monitoring and response.

  5. Incident Response: Alerts are investigated, and appropriate actions are taken to mitigate threats.

Why This Process Matters

  • Centralized Visibility: By ingesting and normalizing data from diverse sources, SIEM provides a unified view of the organization's security posture.

  • Proactive Threat Detection: Correlation and analysis enable early detection of threats before they escalate.

  • Efficient Incident Response: Dashboards, alerts, and forensic data empower SOC teams to respond quickly and effectively.

  • Scalability: SIEM systems can handle large volumes of data, making them suitable for organizations of all sizes.

PreviousSIEM Business Requirements & Use Cases Log Aggregation & NormalizationNextWhat Are The Benefits Of Using A SIEM Solution

Last updated 2 months ago