This article will be about SIEM tools(SECURITY INFORMATION AND EVENT MANAGEMENT) tools, What are SIEM tools, How they are beneficial and how they are used in industries.

SIEM tools are the tools used for real-time analysis of the network through the logs and logs generates the alerts if any malicious thing happens in a network. SIEM tool Basically acts as a raincoat for a network in Rain. It does threat detection to prevent downtime. It tells you where the traffic is coming and you can also block traffic from a specific area to protect your network. SIEM converts logs coming from a different location in a different format in a single structured format.

Also, Read | TOP 5 Highly Paying Programming Languages of 2019

Normalization

Categorizing of logs.

ACTION= FAIL + NORMALIZATION = AUUTHENTICAITON

It will give a record of all failed logins.

Aggregation

It is used for compressing the data in a small format.

Correlation

It is a set of condition that signifies a suspicious activity.

Here are the top SIEM Tools

1. Splunk

SPLUNK is the most powerful SIEM tool in the whole world. The thing which makes it different from the crowd is that we can customize everything in this tool. We can make correlation rules for every alert.

Splunk the SEIM tools

For Example, we can write a correlation rule for failed login attempts like if a person had done 10 failed login then an alert will pop up in an admin PC.

Splunk latest version is 7.3.0

It has three Selected fields:

  • HOST
  • SOURCE
  • SOURCE TYPE

Host = Set-ad [It will show active directory logs]

In Splunk if you do not know any command then you can put * or “at the end of the command it will show all possible commands.

Transformation commands = Table, Dedup, Rename, Top, Rare.

Event type = 4624 for logon; 4625 failed to login;4634 account logged off 

There are different logs which we monitor in SIEM Tools

  • DHCP Logs
  • EPO Logs
  • Proxy Logs
  • AD logs

2) QRadar

QRadar is the tool made by IBM and this is used only in IBM company by their employees. In this, all logs go through QRadar log manager. This offers a suite of analytics, log management, data collection, and intrusion detection which safeguard your network from malicious activity and keeps it up and running.

3) McAfee

Mcafee is the Simplest SIEM tool to learn because it has a very easy and attractive GUI. It is the Best tool in term of analytics. In this tool, we can make a correlation rule with ease and also can monitor the network easily with the best GUI.

What is Security Information Management?

Security Information management is the monitoring or analysis of the logs and also collection of those logs. Basically, it is the management of the logs. It is easy to deploy.

What is Security Event Management?

Security Event management is the real-time threat analysis of an event in a network. It is more complex to deploy in real time.

After Malware Detection

Step-1 Information Gathering: Host, User, Filename, File path, Malware name, Malware type Action: clean, Delete

Step-2 If detected: Source of Malware: Email (check email with attachment) External StorageWEB (Downloaded files)

Step-3 If not detected Study the change on the host or in a network

Working of SIEM Tools

SIEM Potentials

  • Threat Detection
  • Notification and alerts of threats
  • Log collection
  • Parsing of logs Network Security from malicious activity

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.