Online Courses
Cyber Threat Hunting

Security information and event management (SIEM)

What is a SIEM?

Security Information and Event Management

  • Combination of Security Information Management (SIM) and Security Event Management (SEM)

  • Collect and centralize logs from systems and security solutions

Review

  • Data centralization

  • Integration with data sources

  • Automating data analysis

  • Event alerting

  • For some SIEM solutions, threat prevention!

Collecting and centralizing data

How does a SIEM collect and centralize data?

Integrating your SIEM with data sources allows it to pull system, database, web server, firewall and other types of logs into one place.

Benefits of collecting data with a SIEM

  • Centralization (as you know)

  • Aggregation

  • Correlation

  • Removal of duplicate events

Performing data analysis

Manual analysis

  • Simpler due to centralized data

  • Singular format for data/logs

  • Reduced number of events to review

    • Due to aggregation, correlation and removal of duplicate events

Automated

  • Rules governing analysis

  • Easily scan through vast amounts of data

  • Event-based alerting and threat prevention

Commercial SIEM solutions

Advantages of using a commercial SIEM

  • Pay-to-use

  • Additional features (over the free version)

  • Dedicated help personnel

  • More-frequent updates/patches

Popular commercial SIEM solutions

  • Splunk Enterprise Security (ES)

  • AlienVault Unified Security Management (USM)

  • McAfee Enterprise Security Manager (ESM)

  • IBM Security QRadar

Open-Source SIEM solutions

Advantages of using an open-source SIEM

  • Free

  • Generally, greater visibility into threat intelligence data

  • Less support

    • But you can often contribute to the tool

Popular open-source SIEM solutions

  • AlienVault Open-Source SIEM (OSSIM)

  • ELK/Elastic Stack - Elasticsearch, Logstash and Kibana

  • SIEMonster

Securing your SIEM

Why should you secure/monitor your SIEM?

The SIEM holds all of the log data collected from your systems and security solutions

If it is compromised, an attacker gains:

  • Sensitive data

  • Extensive visibility into the network and security infrastructure

How can you secure/monitor your SIEM?

  • System hardening

  • Updates and patches

  • Monitoring the monitor - similar to other sensitive servers


Last updated 9 months ago