SIEM and Enrichment

Open Source SIEMs

Splunk is the industry leader in data mining and security monitoring. It is an incredible tool, with unparalleled ability to parse, correlate, and present your data, as well as an unparalleled price tag!

Data Enrichment

With most SIEMs you can add in plugins or apps that can perform a myriad of supporting functions. Some can help you normalize your data and make it CIM Compliant, some can provide more context to your data, and some can even add more options for detection and analysis.

  • DNS Lookups - A simple lookup can add much-needed visibility to an investigation

    • Forward lookup - Uses DNS A records to map a domain to an IP address

    • Reverse lookup - Uses DNS PTR records to return a domain list for a given IP address.

  • WHOIS/RDAP lookups - Incredibly underused utility. Can add many helpful data points to an indicator.

  • GeoLite2 Geolocation Database - GeoLite2 is a free database that gives geolocation data for the IP addresses searched within it. This is great for looking into where your users are logging in from, or which countries you are being attacked from. This database is updated every month. If you need a more accurate query, you can pay for their premium service, which runs queries against their updated database. This tool also adds ASN support, which is unfortunately absent in many SIEMs.

  • Popular Domain Lists - There are many public services that will pull a list of top domains searched across the internet. While you should NOT use these as a whitelist, they are super handy for identifying oddball suspicious domains.

  • Pre-loaded data - These are files and sets of data that can be used for reference, comparison, or enhancement. These can be white/black lists, the above domain lists, MITRE ATT&CK tables, or anything you might want to use. For easy storage and later recall, we can use a utility like Memcached for storing key-value pair knowledge objects.

  • Threat Intelligence - Please see the Intelligence Section of this guide.

  • Fuzzy Searching - For SIEMs that do not have integrated fuzzy searching ability, tools like fuzzywuzzy use Python to calculate Levenshtein distance for fuzzy searching of strings up to a couple of characters different from the searched string.

  • APIify - First and foremost on the list, APIify is a fantastic tool that you can apply to just about every security tool you have that doesn't have its own API. It essentially takes any standalone binary and wraps it in a cached web server. Super handy for being able to integrate the functions of your favorite tools into your SIEM.

  • Domain_stats - Combine this with the above APIify tool to be able to dynamically pull out useful information on your domains that might raise a security eyebrow. Honestly, every tool Mark Baggett creates is gold.

  • DNSDB - DNSDB is a Passive DNS (pDNS) historical database that provides a unique, fact-based, multifaceted view of the configuration of the global Internet infrastructure. Wonderful tool to really dig into your DNS traffic and create some in-depth detection use cases.

  • PRADS: Passive Real-time Asset Detection System - PRADS is a tool that can passively build an asset list with useful details like operating system and open ports. When you do not have access to an asset list or CMDB from the engineering team, this can be a huge help when adding context to security investigations.

  • hallucinate - One-stop TLS traffic inspection and manipulation using dynamic instrumentation.

  • phishing_catcher - Catch possible phishing domains in near real time by looking for suspicious TLS certificate issuances reported to the Certificate Transparency Log (CTL) via the CertStream API.

  • guac - Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database—normalizing entity identities and mapping standard relationships between them. Querying this graph can drive higher-level organizational outcomes such as audit, policy, risk management, and even developer assistance.

  • Threat Hunting with Elastic Stack: Enriching Data to Make Intelligence - pg. 329
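To show how several of the enrichment steps above fit together, here is a small added example (not code from the original page or from any of the tools listed) that runs a forward/reverse DNS lookup, a GeoLite2-style country/ASN lookup, a popular-domain check, and a Levenshtein-distance lookalike check over constructed log events. The DNS, GeoIP and top-domain tables are constructed stand-ins so it runs offline; in a SIEM those fields would come from the real resolver, GeoLite2 and domain-list sources.

```python
# Added example: an offline enrichment pass over constructed events.
from typing import Optional

# Constructed stand-ins for DNS A / PTR records and a GeoLite2-style table
# (documentation IP range and ASN, not real lookups).
FORWARD = {"example.com": "203.0.113.5"}
REVERSE = {"203.0.113.5": "example.com"}
GEO = {"203.0.113.5": ("US", "AS64496 EXAMPLE-NET")}
# A tiny "popular domains" list: handy for spotting oddballs, NOT a whitelist.
TOP_DOMAINS = {"example.com", "google.com", "microsoft.com"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, the metric fuzzy-search tools like fuzzywuzzy compute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain: str, max_dist: int = 2) -> Optional[str]:
    """Return a popular domain within max_dist edits, ignoring exact matches."""
    for top in TOP_DOMAINS:
        if domain != top and levenshtein(domain, top) <= max_dist:
            return top
    return None

def enrich(event: dict) -> dict:
    """Add DNS, GeoIP, popularity and lookalike context to one event."""
    out = dict(event)
    dom, ip = event.get("domain"), event.get("dst_ip")
    if dom and not ip:
        ip = out["dst_ip"] = FORWARD.get(dom)      # forward (A record) lookup
    if ip and not dom:
        dom = out["domain"] = REVERSE.get(ip)      # reverse (PTR record) lookup
    if ip and ip in GEO:
        out["country"], out["asn"] = GEO[ip]       # GeoLite2-style country/ASN
    if dom:
        out["popular"] = dom in TOP_DOMAINS        # popular-domain check
        out["lookalike_of"] = lookalike(dom)       # fuzzy match against the list
    return out

EVENTS = [  # constructed sample events
    {"src_user": "alice", "domain": "example.com"},
    {"src_user": "bob", "dst_ip": "203.0.113.5"},
    {"src_user": "eve", "domain": "g00gle.com"},
]

def enrich_all() -> list:
    return [enrich(e) for e in EVENTS]
```

The third event is the interesting one: "g00gle.com" is not on the popular list but sits two edits from "google.com", which is exactly the kind of oddball the domain-list and fuzzy-search bullets are meant to surface.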
