SIEM Configuration and Attack Analysis
Security Operations Course: Hands-On Lab 1
Introduction to Security Information and Event Management (SIEM)
What is a SIEM?
A Security Information and Event Management (SIEM) system gives security teams a single, organization-wide view of security-relevant activity. It combines security information management (SIM), the long-term storage, search and reporting of log data, with security event management (SEM), the real-time collection, correlation and alerting on events generated by hosts, applications and network hardware.
How Does a SIEM Work?
A SIEM collects and aggregates log data from across the organization's technology infrastructure: host operating systems and applications, network devices, and security devices such as firewalls and antivirus or endpoint agents. Once gathered, the data is normalized, that is, parsed from each source's native format into a common schema (timestamp, source host, source address, user, action), so that correlation rules, searches and automated responses can be applied uniformly across every source rather than per log format.
How Are Alerts Forwarded to a SIEM?
Log data reaches a SIEM through a combination of push and pull mechanisms. Devices and applications can be configured to send (push) their logs to the SIEM as they are written, typically through an installed agent or a syslog forwarder, or the SIEM can periodically retrieve (pull) logs from sources that expose them, such as an API or a shared log store. The SIEM then normalizes, correlates and analyzes these logs; alerts are the output of that analysis, raised when an event or a pattern of events matches one of its rules. In this lab the Victim's Wazuh agent is the push side, and the Wazuh server does the analysis and raises the alerts.
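The two steps just described, normalization of heterogeneous logs into one schema and correlation over the normalized events, are easier to see in code than in prose. The following is an added example written for this page, not code from the lab handout or from the Wazuh project: a miniature SIEM pipeline that runs offline over constructed log lines (a few sshd lines of the kind the Victim's agent would push from its auth log, and two firewall lines of the kind a SIEM might pull from an export). The log formats, the rule ids and thresholds, the alert levels, and the year assumed for the syslog timestamps are illustrative assumptions, not Wazuh's actual ruleset; the firewall threshold is deliberately low so the sample data trips it. The triage step at the end previews what Task 4 asks for: prioritizing by severity and by corroboration across sources.

```python
"""Added example (not from the lab or the Wazuh project): a miniature SIEM
pipeline: normalize two log formats into one schema, correlate with
frequency/timeframe rules, then triage the resulting alerts.  All formats,
rule ids, thresholds and levels are assumptions for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime

ASSUMED_YEAR = 2024  # syslog lines carry no year; assumed so both sources share a timeline

# Constructed sample input (not captured from a real host).  10.0.0.5 plays the
# Attacker, 192.168.1.20 a legitimate administrator.
VICTIM_AUTH_LOG = """\
Mar 10 12:00:01 victim sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 51021 ssh2
Mar 10 12:00:03 victim sshd[2103]: Failed password for root from 10.0.0.5 port 51022 ssh2
Mar 10 12:00:04 victim sshd[2105]: Failed password for root from 10.0.0.5 port 51023 ssh2
Mar 10 12:00:06 victim sshd[2107]: Failed password for root from 10.0.0.5 port 51024 ssh2
Mar 10 12:00:07 victim sshd[2109]: Failed password for root from 10.0.0.5 port 51025 ssh2
Mar 10 12:00:40 victim sshd[2111]: Accepted password for train from 192.168.1.20 port 40000 ssh2
Mar 10 12:09:59 victim sshd[2113]: Failed password for root from 10.0.0.5 port 51030 ssh2
"""
FIREWALL_LOG = """\
2024-03-10T12:00:02Z,DENY,10.0.0.5,10.0.0.10,445
2024-03-10T12:00:05Z,DENY,10.0.0.5,10.0.0.10,3389
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")

def normalize_sshd(line):
    """Map one sshd syslog line onto the common schema; None if it is not an auth event."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {"ts": ts, "source": "sshd", "host": m["host"], "src_ip": m["src"],
            "user": m["user"],
            "action": "auth_failure" if m["outcome"] == "Failed" else "auth_success"}

def normalize_firewall(line):
    """Map one firewall CSV line (constructed format) onto the same schema."""
    ts, verdict, src, dst, port = line.split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "source": "firewall",
            "host": dst, "src_ip": src, "user": None, "dst_port": int(port),
            "action": "fw_deny" if verdict == "DENY" else "fw_allow"}

def normalize_all(sshd_text, fw_text):
    """Normalize both sources and return one time-ordered event stream."""
    events = [normalize_sshd(l) for l in sshd_text.splitlines()]
    events += [normalize_firewall(l) for l in fw_text.splitlines()]
    return sorted((e for e in events if e), key=lambda e: e["ts"])

# Frequency/timeframe rules: fire when `frequency` events of one action type
# arrive from one source address within `timeframe` seconds (assumed values).
RULES = [
    {"id": "DEMO-1001", "action": "auth_failure", "frequency": 5, "timeframe": 120,
     "level": 10, "description": "sshd: multiple authentication failures from one source"},
    {"id": "DEMO-2001", "action": "fw_deny", "frequency": 2, "timeframe": 60,
     "level": 6, "description": "firewall: repeated denied connections from one source"},
]

def correlate(events, rules=RULES):
    """Sliding-window correlation keyed on (rule, src_ip); one alert per burst."""
    windows = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            if ev["action"] != rule["action"]:
                continue
            q = windows[(rule["id"], ev["src_ip"])]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > rule["timeframe"]:
                q.popleft()  # drop events that have aged out of the timeframe
            if len(q) >= rule["frequency"]:
                alerts.append({"rule": rule["id"], "level": rule["level"],
                               "description": rule["description"], "src_ip": ev["src_ip"],
                               "count": len(q), "first": q[0], "last": ev["ts"]})
                q.clear()  # reset so one burst does not re-fire on every further event
    return alerts

def triage(alerts):
    """Group alerts by source address; escalate when independent sources corroborate."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src_ip"]].append(a)
    out = {}
    for src, items in by_src.items():
        rules = sorted({a["rule"] for a in items})
        top = max(a["level"] for a in items)
        out[src] = {"priority": "high" if len(rules) > 1 or top >= 10 else "medium",
                    "max_level": top, "rules": rules}
    return out

if __name__ == "__main__":
    found = correlate(normalize_all(VICTIM_AUTH_LOG, FIREWALL_LOG))
    for a in found:
        print(f"[{a['rule']}] level {a['level']} {a['src_ip']} x{a['count']} {a['description']}")
    print(triage(found))
```

Run stand-alone it raises two alerts for 10.0.0.5, the firewall rule first (its second DENY lands before the fifth sshd failure), and the triage step marks that address high priority because two independent sources implicate it. Note that the seventh sshd failure, ten minutes later, does not fire on its own: the window has been reset after the first burst and it is alone within the 120-second timeframe, which is the behaviour a threshold rule should have.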
The topology for this lab involves three key components:
- Attacker: The system from which simulated attacks will be launched.
- Wazuh Server: The central SIEM system that will collect, analyze, and manage alerts.
- Victim: The target system that will be configured to report security events to the Wazuh Server.
| SYSTEM NAME | USERNAME | PASSWORD |
|---|---|---|
| ATTACKER | root | toor |
| Wazuh Server | Admin | Passw0rd |
| Victim | Train | P@ssword |

| Web App | Username | Password |
|---|---|---|
| Wazuh | admin | P*ssw0rd |
Conclusion
In this lab, analysts will gain hands-on experience with the Wazuh SIEM system, learning how to configure alerting sources, review and analyze alerts, and document their findings. This exercise will enhance their understanding of the integral role that SIEM systems play in modern cybersecurity defense strategies.
Overview
Task Outline
Task 1: Configure Wazuh SIEM System
- Install and set up the Wazuh server.
- Validate that the Wazuh server is operational and accessible.
Task 2: Understand and Configure Logging Sources
- Identify the logs to be monitored on both the Attacker and Victim systems.
- Configure the Victim system to forward the appropriate logs to the Wazuh server.
- Set up rules for log collection and analysis on the Wazuh server.
Task 3: Simulate Attack Scenarios
- Initiate various attack scenarios from the Attacker system.
- Ensure that the Victim system is logging the attack data.
Task 4: Review and Analyze Alerts
- Monitor the Wazuh dashboard for incoming alerts.
- Analyze the alerts to determine the nature of the incidents.
- Triage the alerts to prioritize response efforts.
Task 5: Reporting and Documentation
- Document the alert generation and response process.
- Outline the steps taken to identify and analyze each simulated attack.
- Create a report detailing the findings and recommendations for each incident.