This article is about SIEM (Security Information and Event Management) tools: what they are, how they are beneficial, and how they are used in industry.
A SIEM tool collects logs from across the network, analyzes them in real time, and raises alerts when something malicious happens. It acts like a raincoat for the network in the rain: it detects threats early so they can be handled before they cause downtime. It shows where traffic is coming from, and you can block traffic from a specific source or region to protect the network. It also converts logs that arrive from different locations in different formats into a single structured format (normalization).
Key SIEM concepts:
- Normalization: categorizing logs from different sources into one common structure. For example, a raw event with ACTION = FAIL is normalized into the AUTHENTICATION category, which gives a record of all failed logins regardless of which system produced them.
- Aggregation: compressing many similar events into a smaller summary record (for example a count per user and source).
- Correlation rule: a set of conditions that signifies suspicious activity and, when matched, generates an alert.
Here are the top SIEM Tools
Splunk is one of the most widely used SIEM tools. What sets it apart is how much of it can be customized: we can write correlation rules for every alert.
For example, we can write a correlation rule for failed login attempts: if a user has 10 failed logins, an alert pops up on the admin's console.
At the time of writing, the latest Splunk version is 7.3.0.
Splunk shows three default selected fields for every event:
- host
- source
- sourcetype
For example, searching host=Set-ad (the host that collects Active Directory logs in the article's setup) will show the Active Directory logs.
In Splunk, * is a wildcard that matches any value, and when you are unsure of a command, the search assistant suggests the matching commands as you type.
Commonly used SPL commands: table, dedup, rename, top, rare.
Windows Security event IDs: 4624 successful logon; 4625 failed logon; 4634 account logged off.
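As an added example that is not part of the original article (and not Splunk's own code), here is a small Python script that does the three things described above for the Windows logon events 4624/4625/4634: normalization of two constructed raw formats into one structure, aggregation into counts, and the "10 failed logins" correlation rule from the Splunk section. The log lines, host names, user names and both raw formats are constructed for the example; the category/action mapping is the example's own convention.

```python
"""Normalize Windows logon events from two raw formats, aggregate them, and
run a '10 failed logins' correlation rule. Added example, not from the
original article; all log lines and names below are constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Windows Security event IDs from the article, mapped to a normalized
# (category, action) pair. The mapping itself is this example's convention.
EVENT_MAP = {
    "4624": ("AUTHENTICATION", "SUCCESS"),
    "4625": ("AUTHENTICATION", "FAIL"),
    "4634": ("AUTHENTICATION", "LOGOFF"),
}

# Two hypothetical raw formats from two collectors:
#   syslog-style: "<ts> <host> EventID=<id> user=<user> src=<ip>"
#   csv-style:    "<host>,<ts>,<id>,<user>,<ip>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
CSV_FIELDS = ("host", "ts", "eid", "user", "src")


def normalize(line):
    """Parse one raw line from either format into a common event dict.
    Returns None for lines matching neither format or an unknown event ID."""
    m = SYSLOG_RE.match(line)
    if m:
        raw = m.groupdict()
    else:
        parts = line.split(",")
        if len(parts) != len(CSV_FIELDS):
            return None
        raw = dict(zip(CSV_FIELDS, parts))
    if raw["eid"] not in EVENT_MAP:
        return None
    category, action = EVENT_MAP[raw["eid"]]
    return {
        "ts": datetime.strptime(raw["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": raw["host"],
        "event_id": int(raw["eid"]),
        "category": category,
        "action": action,
        "user": raw["user"],
        "src": raw["src"],
    }


def aggregate(events):
    """Aggregation: collapse events into a count per (user, src, action)."""
    return Counter((e["user"], e["src"], e["action"]) for e in events)


def failed_login_alerts(events, threshold=10, window=timedelta(minutes=5)):
    """Correlation rule: alert when one user has >= threshold FAIL events
    inside any sliding time window of the given length. The window matters:
    10 failures spread over a year should not fire."""
    fails = {}
    for e in events:
        if e["category"] == "AUTHENTICATION" and e["action"] == "FAIL":
            fails.setdefault(e["user"], []).append(e["ts"])
    alerts = []
    for user, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window start forward
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"user": user, "count": best})
    return alerts


# Constructed sample input: 12 failures for alice within 12 seconds from one
# source, one success for alice, two failures for bob 20 minutes apart in the
# csv format, and one line that is not a log event at all.
SAMPLE_LINES = (
    [f"2019-07-01T10:00:{i:02d}Z dc01 EventID=4625 user=alice src=10.0.0.5"
     for i in range(12)]
    + ["2019-07-01T10:01:30Z dc01 EventID=4624 user=alice src=10.0.0.5",
       "dc02,2019-07-01T10:00:05Z,4625,bob,10.0.0.9",
       "dc02,2019-07-01T10:20:00Z,4625,bob,10.0.0.9",
       "this line is not a log event"]
)


def run(lines=SAMPLE_LINES):
    """Normalize, aggregate and correlate; returns all three results."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, aggregate(events), failed_login_alerts(events)


if __name__ == "__main__":
    events, agg, alerts = run()
    print(f"{len(events)} events normalized")
    for key, n in sorted(agg.items()):
        print(key, n)
    for a in alerts:
        print(f"ALERT: {a['user']} had {a['count']} failed logins in 5 minutes")
```

In Splunk the same rule is a scheduled search along the lines of `index=wineventlog EventCode=4625 | stats count by user | where count>=10` (field names depend on your sourcetype); the script shows what such a search does underneath, and adds the sliding time window a real rule needs so that old failures do not keep the alert firing.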
Different kinds of logs are monitored in SIEM tools, for example:
- DHCP logs
- ePO (McAfee ePolicy Orchestrator) logs
- Proxy logs
- AD (Active Directory) logs
QRadar is IBM's SIEM. In it, all logs pass through the QRadar log manager. It offers a suite of analytics, log management, data collection and intrusion detection that safeguards the network from malicious activity and keeps it up and running.
McAfee ESM (Enterprise Security Manager) is the simplest SIEM tool to learn because of its easy and attractive GUI, and it is strong on analytics. Correlation rules can be built with ease, and the network can be monitored from the same GUI.
What is Security Information Management?
Security Information Management (SIM) is the collection, storage and analysis of logs: basically, the management of the logs, used for reporting and later investigation. It is comparatively easy to deploy.
What is Security Event Management?
Security Event Management (SEM) is the real-time analysis of events in a network: monitoring, correlation and alerting as the events arrive. It is more complex to deploy because it has to work in real time.
After Malware Detection
Step 1, information gathering: host, user, filename, file path, malware name, malware type, and the action taken by the antivirus (cleaned, deleted, or quarantined).
Step 2, if the malware was detected and handled: find the source of the malware. Email (check the email and its attachment), external storage, or the web (downloaded files).
Step 3, if the malware was not detected or not cleaned: study the changes on the host and in the network to find what it did.
Working of SIEM Tools
- Log collection
- Parsing and normalization of logs
- Threat detection
- Notifications and alerts on threats
- Protecting the network from malicious activity