SIEM and Enrichment

Open Source SIEMs

• Elastic Stack: Kibana - One of the most popular and flexible tools our there, Elastic stack is a data mining platform where you can parse logs of all kinds for all different purposes. Kibana, is the SIEM application within Elastic Stack. It comes with an event manager, alerting tools, and event a set of default alerting use cases.

  • Download Elastic Agent Free - Beyond logs sent to Elastic Stack, there is also an installable agent that be used as a sensor for endpoint collecting logs .

  • SIEMonster | Affordable Security Monitoring Software Solution - An all in one VM that has Elastic stack as well as all of the other logging and alerting tools you might want

  • Cyber Wardog Lab: Building a Sysmon Dashboard with an ELK Stack

  • Elasticsearch: The Definitive Guide (fork it on GH)

  • https://training.elastic.co/learn-from-home*

• Greylog - Greylog is a fantastically flexible logging solution that also has its own security correlation engine with Greylog Illuminate.

  • Enhance Windows Security with Sysmon, Winlogbeat and Graylog | Graylog

• MozDef: The Mozilla SIEM - An interesting product from the makers of everyone's favorite opensource web browser, MozDef has been built to be a SIEM focused around automation and expediency of addressing of security alerts.

  • https://mozdef.readthedocs.io/en/latest/overview.html

• OSSIM: The Open Source SIEM | AlienVault - OSSIM is a super handy security platform that focuses less on the data mining and more of the security alerting. It has an incredibly easy to use security rule generation tool and also can perform cross correlation between data sources.

Splunk

Splunk is the industry leader in data mining and security monitoring,. It is an incredible tool, with unparalleled ability to parse, correlate, and present your data, as well as an unparalleled price tag!

• SplunkTools - A collection of scripts useful in management of Splunk deployment

• Fuzzy Searching for Splunk

Data Enrichment

With most SIEMs you can add in plugins or apps that can perform a myriad of supporting functions. Some can help you normalize your data and make it CIM Compliant, some can provide more context to your data, and some can even add more options for detection and analysis.

• DNS Lookups - A simple lookup can ad much needed visibility to an investigation

  • Forward lookup - Uses DNS A records to map a domain to an IP address

  • Reverse lookup - Uses DNS PTR records to return a domain list for a given IP address.

• WHOIS/RDAP lookups - Incredibly under used utility. Can add many helpful data points to an indicator.

• Geolite2 Geolocation Database - Geolite2 is a free database that gives geolocation data for the IP addresses searching within it. This is a great for looking into where your users are logging in from, or from which countries are you being attacked. This database is updated every month. If you need a more accurate query, you can pay for their premium service with runs queries against their updated database. This tool also adds ASN support which is unfortunately absence in many SIEMs.

• Popular Domain Lists - There are many public services that will pull a list of top domains searched across the internet. While you should NOT use these as a whitelist, they are super handy for identifying oddball suspicious domains.

  • Alexa Top 1 Million Domains

  • Majestic Millions

  • Cisco Umbrella Top 1 Million

• Pre-loaded data - These are files and sets of data that can be used for reference, comparison, or enhancement. These can be white/black lists, the above domain lists, Mitre attack tables, or anything you might want to use. For easy storage and later recal, we can use a utility like Memcached for storing key-value pair knowledge objects.

• Threat Intelligence - Please see the Intelligence Section of this guide.

• Fuzzy Searching - For SIEMs that do not have integrated fuzzy searching ability, tools like fuzzywuzzy uses python to calculate Levenshtien distance for fuzzy searching of strings up to a couple characters different from the searched string.

• APIify - First and foremost on the list, APIify is a fantastic tool that you can apply to just about every security tool you have that doesn't have its own API. It essentially takes any standalone Binary and wraps it into a cached web server. Super handy for being able to integrate the functions of your favorite tools into your SIEM.

• Domain_stats - Combine this with the above APIify tool to be able to dynamically pull out useful information on your domains that might raise a security eyebrow. Honestly, every tool Mark Bagget creates is gold.

• DNSDB - DNSDB is a Passive DNS (pDNS) historical database that provides a unique, fact-based, multifaceted view of the configuration of the global Internet infrastructure. Wonderful tool to really dig into your DNS traffic and create some in depth detection use cases.

  • DNSDB Cheatsheet

• PRADS: Passive Real-time Asset Detection System - PRADS is a tool that can passively build an asset list with useful details like operating system and open ports. When you do not have access to an asset list or CMDB from the engineering team, this can be a huge help when adding context to security investigations.

• hallucinate - One-stop TLS traffic inspection and manipulation using dynamic instrumentation.

• phishing_catcher - Catch possible phishing domains in near real time by looking for suspicious TLS certificate issuances reported to the Certificate Transparency Log (CTL) via the CertStream API.

• guac - Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database—normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.

• Threat Hunting with Elastic Stack: Enriching Data to Make Intelligence - pg. 329