In this article, I will write a write-up for Introduction to SIEM that covers Network Visibility through SIEM, Log Sources and Log Ingestion, Why SIEM, Analysing Logs and Alerts, and Lab Work.
What does SIEM stand for?
Security Information and Event Management systemIs Registry-related activity host-centric or network-centric?
host-centricIs VPN related activity host-centric or network-centric?
network-centricIn which location within a Linux environment are HTTP logs stored?
/var/log/httpdWhich Event ID is generated when event logs are removed?
104What type of alert may require tuning?
False Alarm
In the static lab attached, a sample dashboard and events are displayed. When a suspicious activity happens, an Alert is triggered, which means some events match the condition of some rule already configured. Complete the lab and answer the following questions.
Click on Start Suspicious Activity, which process caused the alert?
cudominer.exe
Find the event that caused the alert, which user was responsible for the process execution?
chris.fort
What is the hostname of the suspect user?
HR_02Examine the rule and the suspicious process; which term matched the rule that caused the alert?
miner
What is the best option that represents the event? Choose from the following:
False-Positive
True-Positive
True-Positive
Selecting the right ACTION will display the FLAG. What is the FLAG?
THM{000_SIEM_INTRO}
Thank you for reading my article. Please leave any questions or comments on improving my learning journey and the THM challenges. We can also connect more on LinkedIn or X.