
SIEM - LogRhythm


  1. Log
    1. Log messages
      1. Records of activity generated by the log sources in your environment
      2. A record of activity on a network
    2. Log source = any system that can communicate with the network and provides log messages
    3. Log messages may record a user logon, a system shutdown, an application installation, an authentication failure, and more
    4. Raw log = time consuming for an analyst to locate and read; this is the problem the SIEM's parsing and normalization solve
  2. Data Collection
    1. Where do logs come from?
      1. Security
        1. Account logon
        2. Account management
        3. Directory service access
      2. System
        1. Driver Failure
        2. IP Address Conflicts
        3. System Shutdown and Start-up
      3. Application
        1. Application crashes and hangs
        2. SSL Certificate loaded
        3. Installation failure
    2. Detection = using the SIEM to detect a problem in the environment from the collected logs
  3. SIEM
    1. Meaning: when log sources speak different languages, the SIEM is the translator. Parsing and data normalization create a consistent language so events from different sources can be compared.
    2. Metadata: data about the data. Log messages contain data, and the SIEM extracts data about the log messages.
    3. Metadata types
      1. Contextual metadata: parsed directly from the log message; text based and descriptive
        1. Login, account, vendor message ID, sender, recipient, subject, object
      2. Quantitative metadata: parsed directly from the log message; numeric, so it can be used for numeric comparison
        1. Bytes in/out, items in/out, duration, size, quantity, amount, rate
      3. Derived metadata: produced by relating the parsed metadata to the SIEM configuration (known hosts, networks, zones); adds context that the raw message itself does not carry
        1. Origin network, impact network, host, zone, direction
    4. Classification types (hierarchy: Classification Type > Classification > Common Event)
      1. Audit: an example of an audit-oriented classification is Authentication Success
      2. Operations: an example of an operations-oriented classification is Network Traffic
      3. Security: an example of a security-oriented classification is Reconnaissance
        1. Audit > Authentication Success > User Logoff/Logon, Computer Logoff/Logon
        2. Operations > Network Traffic > Connection Attempt, Connection Closed, Connection Lost, Connection Request
        3. Security > Reconnaissance > Ping Sweep, Port Scan, Traceroute Activity, Vulnerability Scan
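The pipeline the notes describe (parse raw messages, extract contextual and quantitative metadata, derive zone and direction from SIEM configuration, classify, then detect) as an added worked example. This is not code from the original notes or from LogRhythm; it also covers the Detection item under Data Collection. The log formats, the network/host zone tables, the regexes, the event-ID-to-classification mapping and the port-scan threshold are all constructed assumptions for illustration.

```python
"""Added example, not from the original notes or from LogRhythm's code:
parse two constructed log formats into common (normalized) metadata,
derive zone/direction from a hypothetical SIEM network configuration,
classify each event, then run a simple reconnaissance detection."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log messages: a Windows-style logon record, firewall
# connection records, and one unstructured line the parsers do not handle.
SAMPLE_LOGS = [
    "2024-03-01T08:00:01Z host=DC01 EventID=4624 Account=alice LogonType=10 Source=10.0.5.23",
    "2024-03-01T08:00:05Z host=FW01 action=ALLOW src=10.0.5.23 dst=203.0.113.10 dport=443 bytes_in=1200 bytes_out=3400",
    "2024-03-01T08:00:06Z host=FW01 action=DENY src=198.51.100.7 dst=10.0.5.23 dport=22 bytes_in=0 bytes_out=0",
    "2024-03-01T08:00:06Z host=FW01 action=DENY src=198.51.100.7 dst=10.0.5.23 dport=23 bytes_in=0 bytes_out=0",
    "2024-03-01T08:00:07Z host=FW01 action=DENY src=198.51.100.7 dst=10.0.5.23 dport=445 bytes_in=0 bytes_out=0",
    "2024-03-01T08:00:07Z host=FW01 action=DENY src=198.51.100.7 dst=10.0.5.23 dport=3389 bytes_in=0 bytes_out=0",
    "2024-03-01T08:00:09Z host=APP01 application crashed with exit code 139",
]

# Hypothetical SIEM configuration: which networks and hosts belong to which zone.
# Anything not listed is treated as External.
NETWORK_ZONES = {"Internal": ipaddress.ip_network("10.0.0.0/8")}
HOST_ZONES = {"DC01": "Internal", "FW01": "Internal"}

# Parsing rules for the two formats. Named groups become contextual metadata
# (login, vendor message id, host) or quantitative metadata (port, bytes).
WIN_LOGON = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<vmid>\d+) Account=(?P<login>\S+) "
    r"LogonType=(?P<logon_type>\d+) Source=(?P<origin_ip>\S+)$")
FW_CONN = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) action=(?P<action>ALLOW|DENY) src=(?P<origin_ip>\S+) "
    r"dst=(?P<impact_ip>\S+) dport=(?P<port>\d+) bytes_in=(?P<bytes_in>\d+) bytes_out=(?P<bytes_out>\d+)$")

# Classification as (Classification Type, Classification, Common Event); the
# event-ID mapping and the fallback entry are illustrative assumptions.
WIN_CLASS = {"4624": ("Audit", "Authentication Success", "User Logon"),
             "4634": ("Audit", "Authentication Success", "User Logoff")}
WIN_FALLBACK = ("Audit", "Other Audit", "Unknown Windows Event")
FW_CLASS = ("Operations", "Network Traffic", "Connection Attempt")


def zone_of(ip):
    """Derived metadata: map an address to a configured zone, default External."""
    addr = ipaddress.ip_address(ip)
    for zone, net in NETWORK_ZONES.items():
        if addr in net:
            return zone
    return "External"


def direction(origin_zone, impact_zone):
    """Derived metadata: traffic direction relative to the monitored environment."""
    if origin_zone == "External":
        return "External" if impact_zone == "External" else "Inbound"
    return "Outbound" if impact_zone == "External" else "Internal"


def normalize(line):
    """Translate one raw log message into the common field set, or None if unparsed."""
    m = WIN_LOGON.match(line)
    if m:
        ev = {"timestamp": m["ts"], "host": m["host"], "vendor_message_id": m["vmid"],
              "login": m["login"], "origin_ip": m["origin_ip"], "impact_ip": None,
              "classification": WIN_CLASS.get(m["vmid"], WIN_FALLBACK)}
        # The logon target is the log source itself, so its zone comes from the host table.
        impact_zone = HOST_ZONES.get(m["host"], "External")
    else:
        m = FW_CONN.match(line)
        if not m:
            return None
        ev = {"timestamp": m["ts"], "host": m["host"], "vendor_message_id": m["action"],
              "origin_ip": m["origin_ip"], "impact_ip": m["impact_ip"], "port": int(m["port"]),
              "bytes_in": int(m["bytes_in"]), "bytes_out": int(m["bytes_out"]),
              "classification": FW_CLASS}
        impact_zone = zone_of(m["impact_ip"])
    ev["origin_zone"] = zone_of(ev["origin_ip"])
    ev["impact_zone"] = impact_zone
    ev["direction"] = direction(ev["origin_zone"], impact_zone)
    return ev


def detect_port_scans(events, threshold=3):
    """Detection on normalized data: one inbound origin touching >= threshold
    distinct destination ports is reported as Security > Reconnaissance > Port Scan."""
    ports_by_origin = defaultdict(set)
    for ev in events:
        if ev["classification"][1] == "Network Traffic" and ev["direction"] == "Inbound":
            ports_by_origin[ev["origin_ip"]].add(ev["port"])
    return [{"origin_ip": ip, "ports": sorted(ports),
             "classification": ("Security", "Reconnaissance", "Port Scan")}
            for ip, ports in ports_by_origin.items() if len(ports) >= threshold]


def run(lines):
    """Normalize every line the parsers understand and run detection over the result."""
    events = [ev for ev in (normalize(line) for line in lines) if ev is not None]
    return events, detect_port_scans(events)


if __name__ == "__main__":
    events, alerts = run(SAMPLE_LOGS)
    for ev in events:
        print(ev["timestamp"], ev["classification"], ev["origin_zone"], "->", ev["impact_zone"], ev["direction"])
    for alert in alerts:
        print("ALERT", alert)
```

Note that the detection only becomes possible after normalization: the firewall never says "port scan", it only logs individual connection attempts, and the Inbound direction it keys on is derived metadata that exists because the SIEM configuration knows which networks are internal. The unstructured APP01 line is dropped by `normalize`, which is the realistic failure mode for any log source without a parsing rule.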