SIEM (Security Information Management (SIM))


What is Regex?

Regex is a string of text that allows you to create patterns that help match, locate, and manage text. Regular expressions can also be used from the command line to find and sort specific files or data on a system.

Log Normalization? Can you explain it?

SIEM log normalization is the process of changing log formats into a format that is as similar as possible across all devices and log sources, giving the SIEM a break and allowing for more consistent searching and information breakdown. Obviously, logs from a Windows endpoint won't look the same as logs from a Linux system, but if we can match up things the best we can, the SIEM can handle the rest.

What is the Windows event ID for the special logon? Administrator logon?

4672

What is the Windows event ID for the creation of the new user account?

4720

What is host discovery?

A common method of accessing host systems is by identifying and exploiting vulnerabilities in the operating system, installed applications, and other programs. Tools such as Nessus are automated methods to evaluate systems for known vulnerabilities.

What is Syslog?

Actions on many devices generate events that are logged locally for analysis, such as shutdowns, start-ups, processes, and connections. When you have a large number of devices, it becomes impractical to review these locally. System Logging Protocol (Syslog) is a standard protocol used to convey event or system log notification messages to a designated server, known as a Syslog server.

What is an API?

An API is an interface that allows interactions between multiple software instances, managing different calls and requests that can be made. If we had access to the API for our SIEM product, we could query the SIEM to retrieve information which can then be used to power dashboards, visual displays that regularly make API requests to fetch data and update the graphs to reflect metrics such as firewall allows or denies, number of login failures, number of alerts generated in the past 24 hours, and more.

What is Windows Event ID 4625?

An account failed to log on.

What is Log Indexing?

By indexing attributes that are shared by a large number of logs, it can make searching for specific attributes across large data faster compared to having to scan every single piece of data. You can index logs according to IDs or usernames. All you need to do is create an index with an attribute of your choice.

What language is used in Azure to investigate logs?

Kusto Query Language (KQL)

What is log aggregation?

Log aggregation is the process of collecting logs from multiple computing systems, parsing them, extracting structured data, and putting them together in a format that is easily searchable and explorable by modern data tools.

One example of Log Enrichment?

Log enrichment involves adding important information that can make the overall data more beneficial for security analysts when investigating alerts or unusual activity. One example could be logs that contain public IP addresses, but not their geographical location. Performing a simple lookup to see what geographical range the IP belongs to can immediately provide analysts with the country the IP is based in, which can aid investigations and help to build metrics.

What are logs?

Logs are detailed lists of application information, system performance statistics, or user activities. Logs can be useful for keeping track of computer use, network activity, security issues, and error reports. Every activity in your environment, from emails to logins to firewall updates, is considered a security event. Events are (or should be) logged to keep tabs on everything that's happening in your technology landscape.

What is Normalization?

Normalization merges events containing different data into a reduced format that contains common event attributes. Most logs capture the same basic information - time, network address, operation performed, etc. Categorization involves adding meaning to events - identifying log data related to system events, authentication, local/remote operations, etc.

In the Event Viewer, what does special logon mean?

Special Logon is when an administrator logs in. We can see these are paired up, because when a user account with administrator privileges logs into Windows it requires the Logon event, then the Special Logon event.

Examples of SIEMs?

Splunk, ArcSight, QRadar, LogRhythm, Graylog

What is Sysmon?

Sysmon is a Windows system service and device driver that monitors and logs system activity to the Windows event log, and can provide more valuable information than the standard Windows Event logs.

Azure Monitor is able to pick up logs from what Azure services?

Virtual Machines, Virtual Networks, Azure Active Directory, Azure Security Center, as well as on-premises services.

What is WEL?

Windows Event Logs or Event Logs are files in binary format (with .evtx extension) stored locally in the Windows directory of a computer. These logs keep a detailed record of anything that happens on a Windows system, from users logging in to program execution.

What is SEM?

Security Event Management - security software specialized in the real-time identification, collection, monitoring, evaluation, notification, and correlation of events and alerts from a computer system (network devices, security systems such as IDS, IPS and firewalls, specialized software such as antivirus, etc.). Its purpose is to identify "suspicious" behavior within the system, so that the security team can provide an effective and timely response to any incident that occurs within the network.

What is a SIM good for?

Security Information Management helps with the collection, monitoring, and analysis of data and event logs generated from all security devices in a network (IDS, IPS, antivirus software, firewalls).

What is a SIEM?

Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from different resources across an organization's entire IT infrastructure. SIEM is a combination of security information management (SIM) and security event management (SEM) that uses rules and statistical correlations to help organizations detect threats and turn log entries, and events from security systems, into actionable information.

What is service enumeration?

Service enumeration is a method used to find out the service version that is available on a particular port on the target system. This version information is important, because with this information the penetration tester can search for security vulnerabilities that exist for that software version.

What is Sigma?

Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write, and applicable to any type of log file.

Benefits of Sysmon?

- Logs process creation with full command line for both current and parent processes.
- Includes a session GUID in each event to allow correlation of events on the same logon session.
- Logs loading of drivers or DLLs with their signatures and hashes.
- Optionally logs network connections, including each connection's source process, IP addresses, port numbers, hostnames, and port names.
- Detects changes in file creation time to understand when a file was really created. Modification of file create timestamps is a technique commonly used by malware to cover its tracks.
- Rule filtering to include or exclude certain events dynamically.

Example of SIEM rules?

1. Use of specific accounts (local administrator, administrator, domain administrator)
2. Execution from unusual locations (such as temporary directories or browser caches - may indicate malware execution or persistence mechanisms)

What is the logon type code for interactive?

2. This is what occurs to you first when you think of logons, that is, a logon at the console of a computer. You'll see type 2 logons when a user attempts to log on at the local keyboard and screen whether with a domain

By default, what port does a Syslog server listen for Syslog traffic on?

514

What is the purpose of the \d character class?

\d in regex will match any digit (numerical) characters.
