The Importance of SIEM Logs for Threat Intelligence, Detection, and Modeling
In today’s digital landscape, cyber threats are becoming more sophisticated, and organizations must keep up with the evolving security landscape to protect their assets.
One of the most effective ways to detect and respond to security incidents is through a Security Information and Event Management (SIEM) system.
A SIEM system collects and aggregates log data from various sources within an organization’s IT infrastructure, and this data is used to provide actionable insights into potential security incidents.
In this blog post, I will go through what logs are collected by the SIEM, and why they matter for threat intelligence, intrusion/threat detection, and threat modeling.
Type of Logs collected by SIEM
A SIEM system collects logs from various sources, including network devices, servers, applications, and endpoints.
These logs contain valuable information about the activity occurring within an organization’s IT infrastructure, including user activity, system events, and network traffic.
Here are the types of log data mentioned by ManageEngine Log360
- Perimeter device logs
- Windows event logs
- Endpoint logs
- Application logs
- Proxy logs
- IoT logs
Ther is also an order of which logs to give priority over another. Order of priority mentioned by a blog post from Networks Group
:
- IDS/IPS Alert Detections (Blocked & Allowed), Access, & Configuration Changes
- Advanced Endpoint Protection logs
- Firewall Logs/Connections, Access, Health, & Configuration Changes
- Domain Controller Authentication, User Creation and Modification
- Windows Event Application, Security, Powershell, & System
- DNS Requests
- Web Proxy Access/Errors
- Remote Access/VPN Authentication & Connections
- DHCP Lease Details
- Two-Factor Authentication Access Attempts
- Switching Logs & Netflow
- SNMP Audit Where Relevant
Why these Logs matter
Threat Intelligence
The logs collected by a SIEM system provide valuable information that can be used to identify potential threats to an organization’s IT infrastructure.
By analyzing authentication logs, for example, a SIEM system can detect brute force attacks, which can be a precursor to a more significant security incident.
Firewall logs can be used to detect unauthorized access attempts and network traffic that may indicate a compromise.
Most importantly, these logs can effectively lead to Advanced Persistent Threat (APT) behaviors and overlapping of used tactics and techniques. Organizations often use the MITRE ATT&CK framework for further threat intelligence.
Intrusion/Threat Detection
The logs collected by a SIEM system are also used to detect security incidents as they occur. For example, if a SIEM system detects a sudden increase in failed login attempts from a particular IP address, it may indicate that an attacker is attempting to gain unauthorized access to the network.
By analyzing network traffic logs, a SIEM system can also detect suspicious patterns of traffic that may indicate a potential intrusion.
The traffic logs are quite important. Once, I analyzed some packets of ICIDS-2017 intrusion detection dataset. If you are interested in how to analyze packets, you can visit my Github Repo.
Different logs are also used for particular threat or procedure detection. The logs lead to certain use of techniques and tools and can reveal the behavioral match of an APT.
Threat Modeling
The logs collected by a SIEM system can be used to improve an organization’s threat modeling efforts. Threat modeling is the process of identifying potential threats to an organization’s IT infrastructure and developing countermeasures to mitigate those threats.
By analyzing the logs collected by a SIEM system, organizations can identify potential vulnerabilities and weaknesses in their IT infrastructure that may be exploited by attackers.
Threat modeling is more related to threat intelligence and often used for the same purposes. However, modeling requires further actions of behavior analysis, prediction, and pattern matching of these APTs.
Concluding Remarks
SIEMs have become an essential part of the security analysts and engineers. Logs are meant to refer potential events and anomaly within the common pattern.
Through collecting the logs, a SIEM can potentially identify and model existing and new threats. Some of the actions can be taken instantly by a SIEM tool itself, and some requires the security analysts’s attention.
By the way, currently, I am researching the MITRE ATT&CK framework, which is widely used as a recognized knowledge base of TTPs. I will update on my research soon. You can also read my other post on MITRE ATT&CK.
MITRE ATT&CK Resources for Threat Intelligence and Hunting
That’s all for today! Cheers!!! 😎
Leave a comment