Introduction
SIEM systems serve as a centralized hub for collecting and analyzing security event data from various sources within an organization's IT infrastructure. They aggregate and normalize this data, providing a unified view of the organization's security posture. Through real-time analysis, SIEM systems help detect and respond to security threats promptly, enhancing overall cybersecurity resilience.
Deployment and Configuration
To enhance the security posture of our systems, we've deployed Wazuh for centralized log collection and analysis. Below are the steps we've taken:
Installation and Configuration:
- Installed Wazuh agents on relevant systems, including both Windows and Linux devices.
- Selected a cloud-based Linux system and a Windows system running on VirtualBox as agent devices.
- Configured the Wazuh server to capture all incoming logs from the agents.
Log Source Configuration:
- Configured the log sources on each agent (on Windows, the event channels to collect) so that the relevant events are forwarded to the Wazuh server for analysis.
- Deployed Sysmon on the Windows systems so that process creations (with command line, hashes and the executable's OriginalFileName), network connections and other endpoint events are logged and forwarded, giving us the telemetry needed to detect malicious activity.
Customization and Tuning
Customizing and tuning rules in the Wazuh dashboard is what makes the deployment useful for a specific organization. Adjusting rule levels, adding exceptions and writing custom rules reduces false positives, so analysts see the alerts that matter for our environment rather than generic noise. Tuned rules also cost less to process, since the server spends fewer cycles on events that will never be acted on. Finally, rules must be revisited as attack techniques change; a rule set that is never updated decays into one that only catches yesterday's tradecraft.
Rule Customization:
- Used the OriginalFileName field that Sysmon records in process-creation events (Event ID 1) to write custom detection rules. The value comes from the executable's embedded PE version resource, not from its name on disk, so it survives the common trick of renaming a tool before running it and is a more robust match than the image path alone.
- For instance, a custom rule matches OriginalFileName against mimikatz.exe to detect Mimikatz, a well-known credential-dumping tool, even when the binary has been renamed. The caveat is that an attacker who rebuilds the tool can strip or alter the version resource, so this rule is one signal among several (command-line patterns, LSASS access events) rather than the only one.
Enhanced Detection:
- Ensured that our detection rules are scoped to the specific event types that carry the signal, such as Sysmon process-creation events for tool execution, so that they fire on genuinely suspicious activity rather than on every event that happens to contain a keyword.
- Regularly reviewed and updated detection rules to adapt to evolving threat landscapes and system-specific security needs.
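The following added example (written for this write-up, not code from the page's deployment or from the Wazuh project) shows the OriginalFileName rule in Wazuh local_rules.xml syntax and evaluates it offline against constructed Sysmon Event ID 1 records. The Python code is a small model of how a `<field>` test in a custom rule behaves, not Wazuh's engine; rule ID 100100 is a placeholder in the custom range, the parent SID 61603 is assumed to be the ruleset's "Sysmon - Event 1: Process creation" rule (confirm it in your installed ruleset), and the hostnames, paths and events are constructed. It compares the OriginalFileName rule with a naive filename check across four cases: Mimikatz run under its own name, renamed on disk, rebuilt with the version resource stripped, and a benign process.

```python
"""OriginalFileName-based Mimikatz detection, modelled on a Wazuh custom rule."""
import re
import xml.etree.ElementTree as ET

# Constructed rule in local_rules.xml syntax. Rule ID 100100 is a placeholder in
# the user range (100000-119999). 61603 is assumed to be the ruleset's parent
# rule for Sysmon Event ID 1 (process creation); confirm it in your ruleset.
LOCAL_RULES = r"""<group name="sysmon,credential_access,">
  <rule id="100100" level="12">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.originalFileName" type="pcre2">(?i)mimikatz\.exe</field>
    <description>Mimikatz binary executed on $(win.system.computer): $(win.eventdata.image)</description>
    <mitre><id>T1003</id></mitre>
  </rule>
</group>"""


def _sysmon_event(computer, image, original_file_name=None):
    """Constructed Sysmon Event ID 1 record, shaped like the JSON the Wazuh agent
    produces for the Sysmon eventchannel (field names are lowerCamelCase after decoding)."""
    data = {"image": image, "commandLine": f'"{image}"'}
    if original_file_name is not None:      # absent when the PE has no version resource
        data["originalFileName"] = original_file_name
    return {"win": {"system": {"providerName": "Microsoft-Windows-Sysmon",
                               "eventID": "1", "computer": computer},
                    "eventdata": data}}


EVENTS = {  # constructed sample events
    # Run under its own name: any filename-based rule catches this.
    "direct": _sysmon_event("WIN-LAB01", r"C:\Users\lab\Downloads\x64\mimikatz.exe", "mimikatz.exe"),
    # Renamed on disk; the PE version resource still says mimikatz.exe.
    "renamed": _sysmon_event("WIN-LAB01", r"C:\Windows\Temp\svchost.exe", "mimikatz.exe"),
    # Rebuilt with the version resource stripped: OriginalFileName is missing entirely.
    "stripped": _sysmon_event("WIN-LAB01", r"C:\Windows\Temp\update.exe", None),
    # Benign process creation.
    "benign": _sysmon_event("WIN-LAB01", r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE"),
}


def load_rules(xml_text):
    """Parse <rule> elements into dicts: id, level, if_sid, [(field, compiled regex)], description."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        fields = []
        for f in rule.findall("field"):
            # Wazuh evaluates type="pcre2" with PCRE2; Python's re treats this simple
            # pattern identically. Wazuh's default OS_Regex syntax is different and not modelled.
            if f.get("type") != "pcre2":
                raise ValueError("only pcre2 fields are modelled here")
            fields.append((f.get("name"), re.compile(f.text)))
        rules.append({"id": rule.get("id"), "level": int(rule.get("level")),
                      "if_sid": rule.findtext("if_sid"), "fields": fields,
                      "description": rule.findtext("description")})
    return rules


def get_field(event, dotted):
    """Resolve a Wazuh-style dotted field name (win.eventdata.image) in a decoded event."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parent_matches(event, if_sid):
    """Stand-in for the ruleset's parent chain: 61603 fires only on Sysmon Event ID 1."""
    return (if_sid == "61603"
            and get_field(event, "win.system.providerName") == "Microsoft-Windows-Sysmon"
            and get_field(event, "win.system.eventID") == "1")


def render(description, event):
    """Expand $(field) placeholders the way Wazuh does in <description>."""
    return re.sub(r"\$\(([\w.]+)\)", lambda m: str(get_field(event, m.group(1))), description)


def evaluate(event, rules):
    """Return [(rule_id, level, rendered description)] for every rule that fires."""
    hits = []
    for rule in rules:
        if not parent_matches(event, rule["if_sid"]):
            continue
        # All <field> tests in a rule must match; a field missing from the event never matches.
        matched = all(get_field(event, name) is not None and rx.search(get_field(event, name))
                      for name, rx in rule["fields"])
        if matched:
            hits.append((rule["id"], rule["level"], render(rule["description"], event)))
    return hits


def image_name_only(event):
    """The naive alternative: match the on-disk filename, which the attacker controls."""
    image = get_field(event, "win.eventdata.image") or ""
    return image.rsplit("\\", 1)[-1].lower() == "mimikatz.exe"


def run_demo():
    """Compare both approaches over the constructed events."""
    rules = load_rules(LOCAL_RULES)
    return {label: {"image_name_only": image_name_only(ev),
                    "original_file_name_rule": [h[0] for h in evaluate(ev, rules)]}
            for label, ev in EVENTS.items()}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label:9s} {result}")
```

The renamed case is the one the OriginalFileName rule is for: the filename check misses it and the rule fires. The stripped case is the rule's blind spot, which is why it should sit alongside rules on command-line arguments and LSASS access rather than stand alone. Note that Sysmon records OriginalFileName in Event ID 1 only from version 10 onward, so older agents will produce events that never match.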