SIEM Implementation and Log Analysis Lab
Overview
This lab focuses on setting up and configuring a Security Information and Event Management (SIEM) system to monitor, detect, and analyze security events. The project demonstrates my ability to implement log ingestion, correlate events, and derive actionable insights from raw data.
Objectives
- Deploy and configure a SIEM platform for log management.
- Simulate security events and analyze logs for potential threats.
- Create custom dashboards and detection rules to optimize threat monitoring.
Lab Environment
- Virtualization: Lab built using VMware or VirtualBox.
- Operating Systems: Ubuntu Server for ELK Stack and Windows 10 for event simulation.
- Network: Simulated local network with multiple endpoints.
Tools Used
- Splunk: For log ingestion, analysis, and dashboard creation.
- ELK Stack: Elasticsearch, Logstash, and Kibana for log management and visualization.
- Sysmon: To generate and capture detailed Windows logs.
- Wireshark: For packet capture and traffic analysis.
Key Steps
1. Setting Up the SIEM Environment
- Deployed ELK Stack on an Ubuntu Server.
- Configured Logstash to ingest logs from multiple endpoints.
- Integrated Sysmon on Windows machines to capture detailed system activity logs.
2. Ingesting and Analyzing Logs
- Collected logs from endpoints and network devices using Filebeat and Winlogbeat.
- Parsed log data with Logstash to normalize and structure for analysis.
- Visualized data in Kibana with custom-built dashboards.
3. Simulating Threat Scenarios
- Conducted simulated attacks such as brute force attempts and lateral movement using penetration testing tools.
- Captured event logs for analysis and detection rule creation.
4. Creating Detection Rules
- Wrote custom rules in Splunk to identify anomalous behaviors such as failed login attempts, privilege escalation, and unusual network traffic.
- Monitored dashboards to detect and respond to events in real time.
Results and Insights
- Successfully implemented a functional SIEM platform capable of ingesting logs from multiple sources.
- Identified and visualized security events with customized dashboards and alerts.
- Improved threat detection by creating targeted rules for specific attack scenarios.
Skills Demonstrated
- SIEM Implementation and Configuration
- Log Parsing and Analysis
- Threat Detection and Rule Writing
- Dashboard and Alert Creation