With attacks rising in both volume and variety, most organizations today deploy a Security Incident and Event Management (SIEM) solution as a proactive measure for threat management, to get a centralized view of their organization's security posture and for advanced reporting of security incidents. This article discusses the use cases that every organization should practice at a minimum to reap the true benefits of a SIEM solution.
For this article, I will be using Splunk's Search Processing Language (SPL) wherever possible in the use cases mentioned below, to illustrate how they correlate various security events. I will feed Splunk with logs from my local machine.
About Splunk and SPL:
Splunk correlates real-time data in a searchable index from which it can generate graphs, reports, alerts, etc. SPL is the search language Splunk provides for searching, filtering, and inserting data.
Use Case 1
Detection of Possible Brute Force Attack
With the evolution of faster and more efficient password cracking tools, brute force attacks against an organization's services are on the rise. As a best practice, every organization should configure logging for security events such as an excessive number of invalid login attempts, any modification to system files, etc., so that any attack underway gets noticed and dealt with before it succeeds. Organizations generally apply these security policies via a Group Policy Object (GPO) to all the hosts in their network.
To check for a brute force pattern, I have enabled auditing of logon events in the Local Security Policy, and I will be feeding my system's Win:Security logs to Splunk to check for a brute force pattern against local login attempts.
Below is the correlation search (SPL) created in Splunk against the Win:Security logs to monitor login attempts in real time. In this search, (Read more...)
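The correlation idea behind this use case (count failed logons per source inside a time window, alert when a threshold is crossed) can be reproduced outside Splunk so the logic can be tested on its own. The Python below is an added example, not the article's Splunk search: it parses a constructed set of Win:Security logon records (EventCode 4625 for a failed logon, 4624 for a successful one) and applies a sliding-window threshold. The threshold of 5 failures in 5 minutes, the `key=value` record layout, and the field names `Account_Name` and `Source_Network_Address` are assumptions for this example; the SPL shown in the docstring is an illustrative equivalent, not the author's search.

```python
"""Brute-force pattern detection over Windows Security logon events.

Added example, not the article's own Splunk search. Same correlation idea
applied to constructed Win:Security records: count failed logons (4625)
per source within a sliding window, alert when a threshold is crossed, and
flag a successful logon (4624) that follows a burst of failures.

Illustrative SPL with the same intent (assumed field names, reference only):
    sourcetype="WinEventLog:Security" EventCode=4625
    | bin _time span=5m
    | stats count dc(Account_Name) AS accounts BY _time, Source_Network_Address
    | where count >= 5
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5          # assumed policy: 5 failed logons ...
WINDOW = timedelta(minutes=5)  # ... within any 5-minute sliding window


@dataclass(frozen=True)
class LogonEvent:
    time: datetime
    event_code: int     # 4625 = failed logon, 4624 = successful logon
    account: str
    source_ip: str


def parse_event(line):
    """Parse one constructed 'key=value|key=value' record into a LogonEvent."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return LogonEvent(
        time=datetime.fromisoformat(fields["time"]),
        event_code=int(fields["EventCode"]),
        account=fields["Account_Name"],
        source_ip=fields["Source_Network_Address"],
    )


def detect_brute_force(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return alerts as (kind, source_ip, account, time) tuples.

    kind is 'brute_force' (threshold reached, raised once per source) or
    'success_after_failures' (a 4624 while the window still holds a burst).
    """
    failures = defaultdict(deque)   # source_ip -> times of recent failures
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        recent = failures[ev.source_ip]
        # Drop failures that have aged out of the sliding window.
        while recent and ev.time - recent[0] > window:
            recent.popleft()
        if ev.event_code == 4625:
            recent.append(ev.time)
            if len(recent) >= threshold and ev.source_ip not in alerted:
                alerted.add(ev.source_ip)
                alerts.append(("brute_force", ev.source_ip, ev.account, ev.time))
        elif ev.event_code == 4624 and len(recent) >= threshold:
            # A success right after a burst of failures is the pattern a
            # responder most wants to see: the guessing may have worked.
            alerts.append(("success_after_failures", ev.source_ip, ev.account, ev.time))
    return alerts


def analyze(log_text):
    """Parse raw records and run the detector over them."""
    return detect_brute_force(parse_event(l) for l in log_text.splitlines() if l.strip())


# Constructed sample records: one guessing burst against 'admin' that ends in
# a success, one ordinary typo by 'jdoe', and five slow failures from a
# service account that never exceed 5 in any 5-minute window.
SAMPLE_LOG = """\
time=2024-01-15T09:00:00|EventCode=4625|Account_Name=admin|Source_Network_Address=10.0.0.5
time=2024-01-15T09:00:07|EventCode=4625|Account_Name=admin|Source_Network_Address=10.0.0.5
time=2024-01-15T09:00:13|EventCode=4625|Account_Name=admin|Source_Network_Address=10.0.0.5
time=2024-01-15T09:00:20|EventCode=4625|Account_Name=admin|Source_Network_Address=10.0.0.5
time=2024-01-15T09:00:26|EventCode=4625|Account_Name=admin|Source_Network_Address=10.0.0.5
time=2024-01-15T09:00:33|EventCode=4625|Account_Name=admin|Source_Network_Address=10.0.0.5
time=2024-01-15T09:00:40|EventCode=4624|Account_Name=admin|Source_Network_Address=10.0.0.5
time=2024-01-15T09:01:00|EventCode=4625|Account_Name=jdoe|Source_Network_Address=10.0.0.9
time=2024-01-15T09:01:30|EventCode=4624|Account_Name=jdoe|Source_Network_Address=10.0.0.9
time=2024-01-15T09:10:00|EventCode=4625|Account_Name=svc_backup|Source_Network_Address=10.0.0.22
time=2024-01-15T09:15:00|EventCode=4625|Account_Name=svc_backup|Source_Network_Address=10.0.0.22
time=2024-01-15T09:20:00|EventCode=4625|Account_Name=svc_backup|Source_Network_Address=10.0.0.22
time=2024-01-15T09:25:00|EventCode=4625|Account_Name=svc_backup|Source_Network_Address=10.0.0.22
time=2024-01-15T09:30:00|EventCode=4625|Account_Name=svc_backup|Source_Network_Address=10.0.0.22
"""

if __name__ == "__main__":
    for kind, src, acct, when in analyze(SAMPLE_LOG):
        print(f"{when.isoformat()} {kind}: source={src} account={acct}")
```

Running the block prints two alerts, both for 10.0.0.5: the brute-force alert at the fifth failure (09:00:26) and the success-after-failures alert at 09:00:40. The single typo from 10.0.0.9 and the slow failures from 10.0.0.22 stay silent, which is the point of the sliding window: a fixed-bucket `bin _time` search can miss a burst that straddles a bucket boundary, so it is worth checking that whichever form you deploy in Splunk behaves the same way on a burst like the one above.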
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Security Ninja. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/cqtSJxptLPA/