Introduction
Security Information and Event Management (SIEM) is considered the cornerstone of blue teaming in cybersecurity. Below is a summary of SIEMs (with a larger focus on QRadar by IBM, as a large number of the references spoke about it) divided into various organised sub-topics. The references to the main resources are given at the end. NOTE: This blog is not sponsored, and in no way should it be considered a promotion for any product.
Why did SIEMs come into existence?
Security Information and Event Management (SIEM) systems are the central point for overseeing an organisation's security landscape. Historically, network and internet security received little attention: applications logged activity mainly for debugging and basic monitoring, and network devices such as routers recorded flow details (source and destination IP addresses, ports, protocol and the amount of data transferred) for their own purposes rather than for security. The need for SIEMs grew largely out of regulatory compliance requirements, which demanded that logs be collected, retained and reviewed. Their core function is to gather logs and flows from many sources and analyse them to raise alerts (QRadar calls them offences) that analysts can investigate as cases.
Originally, logs were free-text lines written for humans, so parsers had to be developed to convert them into machine-readable fields, typically using regular expressions (REGEX). Nowadays, logs are commonly available in structured formats such as XML, JSON and LEEF (Log Event Extended Format, IBM's own key-value format for QRadar), among others, although free-text formats such as syslog are still everywhere and still need regex-based parsing. SIEMs like IBM QRadar ship with parsers (Device Support Modules, DSMs) for hundreds of log source types, some of them AI-assisted, to streamline making logs ingestible by the platform.
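As an added illustration of the parsing step described above (this is example code written for this post, not QRadar's or any vendor's parser), the following Python handles the three shapes a collector typically receives: a free-text syslog line that needs regular expressions, a LEEF line whose header names its own key=value delimiter, and a JSON event. The sample lines are constructed; the field names in the output dictionaries (src_ip, user, event_id and so on) are an assumed common schema, not a standard.

```python
import json
import re

# Constructed sample lines in the three shapes discussed above (not from any real system):
# a free-text syslog line, a LEEF 2.0 line and a JSON-formatted Windows event.
SYSLOG_LINE = ("Mar  5 14:02:11 web01 sshd[2211]: Failed password for invalid user admin "
               "from 203.0.113.5 port 51422 ssh2")
LEEF_LINE = ("LEEF:2.0|ExampleVendor|Firewall|1.0|Deny|^|"
             "src=198.51.100.7^dst=10.0.0.8^dstPort=445^proto=TCP^usrName=jdoe")
JSON_LINE = ('{"EventID": 4625, "Computer": "dc01.corp.example", "IpAddress": "203.0.113.5", '
             '"TargetUserName": "admin", "TimeCreated": "2024-03-05T14:02:12Z"}')

# Free-text formats still need regular expressions: one for the syslog envelope,
# one for the sshd message we care about.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    rec = {"format": "syslog", "host": m["host"], "app": m["app"], "message": m["msg"]}
    f = SSH_FAIL_RE.search(m["msg"])
    if f:
        rec.update({"user": f["user"], "src_ip": f["src"], "src_port": int(f["port"])})
    return rec


def parse_leef(line):
    # LEEF:Version|Vendor|Product|ProductVersion|EventID|[Delimiter|]Extension
    # LEEF 2.0 names its key=value delimiter in the header (a literal character or xHH hex);
    # LEEF 1.0 always uses a tab.
    parts = line.split("|", 5)
    version = parts[0].split(":", 1)[1]
    vendor, product, product_version, event_id = parts[1:5]
    if version.startswith("2"):
        delim, ext = parts[5].split("|", 1)
        if len(delim) > 1 and delim.startswith("x"):
            delim = chr(int(delim[1:], 16))
        delim = delim or "\t"
    else:
        delim, ext = "\t", parts[5]
    attrs = dict(kv.split("=", 1) for kv in ext.split(delim) if "=" in kv)
    return {"format": "leef", "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id,
            "src_ip": attrs.get("src"), "dst_ip": attrs.get("dst"),
            "dst_port": int(attrs["dstPort"]) if "dstPort" in attrs else None,
            "user": attrs.get("usrName"), "attrs": attrs}


def parse_json(line):
    obj = json.loads(line)
    return {"format": "json", "host": obj.get("Computer"), "event_id": obj.get("EventID"),
            "src_ip": obj.get("IpAddress"), "user": obj.get("TargetUserName"), "attrs": obj}


def parse_line(line):
    """Dispatch on the format's own signature, the way a SIEM auto-detects a log source type."""
    s = line.strip()
    if s.startswith("LEEF:"):
        return parse_leef(s)
    if s.startswith("{"):
        return parse_json(s)
    return parse_syslog(s)


if __name__ == "__main__":
    for line in (SYSLOG_LINE, LEEF_LINE, JSON_LINE):
        print(parse_line(line))
```

The point to notice is that only the syslog path needs a regex per message type; the structured formats are parsed generically once, which is why vendors moved to them and why a real parser library grows mostly on the free-text side.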
Log Collection in Windows
Most endpoints and many servers in a typical enterprise run some version of Windows. To view the basic logs and events on a Windows system, search for Windows Administrative Tools and open Event Viewer (or run eventvwr.msc). On a Server Core installation there is no local Event Viewer; use the Events tool in Windows Admin Center, or connect to the server from another machine's Event Viewer.
Windows logs are categorised into five main types:
Application: Events written by applications running on the system.
Security: Audit events such as logons, logoffs, account changes and privilege use; what gets recorded depends on the audit policy.
Setup: Events related to Windows installation, updates and the installation of roles and features.
System: Events from Windows components such as drivers and services.
Forwarded Events: Events collected from other computers through Windows Event Forwarding subscriptions, so this log is typically populated only on a collector server.
The Event Viewer application allows you to view individual events in detail, export logs and see summaries of event logs. Beyond the Windows logs, many server roles and tools keep their own logs, some pre-installed and some downloadable. Examples include:
DNS Manager: Manages the DNS Server role; with debug logging enabled it records the queries the server receives, which is valuable for spotting lookups of malicious domains.
Failover Cluster Manager: Manages failover clusters for high availability and logs cluster node and resource events.
IIS Access Logs: Record every HTTP request handled by the IIS web server (client IP, URL, status code, user agent), which is the main source for detecting web attacks.
Task Scheduler: Shows tasks scheduled to run at specific times or on triggers, together with their run history; scheduled tasks are a common persistence mechanism, so new or modified tasks deserve attention.
All these logs can also be queried from Windows PowerShell with the Get-WinEvent cmdlet. Some examples of its syntax are:
Get-WinEvent [[-LogName] <String[]>] [-MaxEvents <Int64>]
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-1) }
The second example retrieves failed-logon events (ID 4625) from the Security log for the past hour; substitute the log name and event ID you need. StartTime is a .NET DateTime, so any of its Add methods (AddTicks, AddMilliseconds, AddSeconds, AddMinutes, AddDays, AddMonths, AddYears) can be used to shape the time window. Filtering with -FilterHashtable is done by the event log service itself and is far faster than piping everything through Where-Object.
Functioning of a SIEM
SIEMs primarily function via rules, but also leverage machine learning and behavioural analytics, to analyse security events and identify potential threats. A rule is a logical condition applied to the categories and properties of events, logs or flows, for example "five or more login failures from the same source IP within two minutes". Each rule carries a weight, and the SIEM combines the weights of the rules that matched to classify the resulting threat by severity. In QRadar the rule responses adjust an offence's severity, credibility and relevance, which combine into its magnitude; the resulting risk score is what lets analysts separate the important offences from the noise.
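To make the rule-and-weight idea concrete, here is a small rule engine written for this post (example code, not QRadar's rule implementation). It supports both stateless rules and the stateful "N events within M minutes" kind, adds the weight of every rule that fires to a per-source risk score and maps the score onto severity bands. The rules, weights, bands and the events are all constructed assumptions; in a real deployment they come from the SIEM's rule library and your own tuning.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable


@dataclass
class Rule:
    name: str
    test: Callable[[dict], bool]          # condition on one event's category/properties
    weight: int                           # how much a match adds to the source's risk score
    count: int = 1                        # stateful rules: fire after `count` matches ...
    window: timedelta = timedelta(minutes=5)  # ... from the same source within `window`
    seen: dict = field(default_factory=lambda: defaultdict(deque))

    def fire(self, ev):
        if not self.test(ev):
            return False
        q = self.seen[ev["src_ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > self.window:   # drop matches that fell out of the window
            q.popleft()
        if len(q) < self.count:
            return False
        q.clear()                                     # re-arm so a burst raises one hit, not many
        return True


def default_rules():
    # Fresh rule objects each time, so counters never leak between runs. Assumed rule set.
    return [
        Rule("Login failure burst from one source",
             lambda e: e["category"] == "auth.failure",
             weight=3, count=5, window=timedelta(minutes=2)),
        Rule("Administrator logon from outside the internal range",
             lambda e: e["category"] == "auth.success" and e["user"] == "Administrator"
             and not e["src_ip"].startswith("10."),
             weight=6),
        Rule("Denied connection to a port associated with reverse shells",
             lambda e: e["category"] == "network.deny" and e.get("dst_port") == 4444,
             weight=2),
    ]


SEVERITY_BANDS = [(10, "critical"), (7, "high"), (4, "medium"), (1, "low")]   # assumed bands


def severity(score):
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return label
    return "info"


def run_rules(events, rules=None):
    """Return {src_ip: (risk score, severity)} plus the list of (rule name, event) hits."""
    rules = rules if rules is not None else default_rules()
    scores = defaultdict(int)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # rules with windows need time order
        for rule in rules:
            if rule.fire(ev):
                scores[ev["src_ip"]] += rule.weight
                hits.append((rule.name, ev))
    return {ip: (s, severity(s)) for ip, s in scores.items()}, hits


def sample_events():
    """Constructed, already-normalised events: a failed-login burst followed by a successful
    Administrator logon from the same external address, one blocked outbound connection,
    and one ordinary internal logon."""
    t0 = datetime(2024, 3, 5, 14, 0, 0)
    evs = [{"ts": t0 + timedelta(seconds=10 * i), "category": "auth.failure",
            "user": "Administrator", "src_ip": "203.0.113.5"} for i in range(6)]
    evs.append({"ts": t0 + timedelta(seconds=90), "category": "auth.success",
                "user": "Administrator", "src_ip": "203.0.113.5"})
    evs.append({"ts": t0 + timedelta(minutes=3), "category": "network.deny",
                "user": None, "src_ip": "198.51.100.7", "dst_port": 4444})
    evs.append({"ts": t0 + timedelta(minutes=4), "category": "auth.success",
                "user": "jdoe", "src_ip": "10.0.0.15"})
    return evs


if __name__ == "__main__":
    scores, hits = run_rules(sample_events())
    for name, ev in hits:
        print(ev["ts"].time(), ev["src_ip"], "->", name)
    print(scores)
```

Note how the combination is what matters: the failure burst alone is "low", but a successful Administrator logon from the same address right after it pushes that source to "high", which is exactly the kind of correlation a SIEM exists to make.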
Threat Intelligence and IoCs
Threat intelligence helps organisations identify potential threats through Indicators of Compromise (IoCs) such as URLs, domain names, IP addresses and malware hashes. SIEMs like QRadar store IoCs in reference sets, which rules and searches can test event properties against efficiently. IoCs are usually shared as STIX objects (the data format) delivered over TAXII (the transport protocol). QRadar provides pre-made IoC collections on its online threat-intelligence portal that can be exported and imported into reference sets, and it can match them against both stored and live data. For richer threat classification, SIEMs integrate with frameworks like MITRE ATT&CK, mapping each detection rule to the tactics and techniques it covers; this also gives a coverage view of the rule set against the stages of an attack. Additionally, QRadar integrates with IBM's Security Orchestration, Automation and Response (SOAR) platform, which pulls offence data from the SIEM and automates the response actions that follow.
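The following example, written for this post and not part of QRadar or any TAXII client, shows the path from intelligence feed to detection: it reads a STIX 2.1 bundle, pulls the comparisons out of each indicator's pattern, files the values into typed reference sets, and then checks event properties against those sets. The bundle, the ids, the addresses and the hash (it is the SHA-256 of an empty file) are constructed; the reference-set names and the field-to-set mapping are assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed STIX 2.1 bundle of the kind a TAXII collection would return. The ids, the
# addresses and the hash (SHA-256 of an empty file) are illustrative, not real intelligence.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--5e4c5b9c-1b5f-4c0e-9d9a-0f0e0d0c0b0a",
    "objects": [
        {"type": "indicator", "id": "indicator--a1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5']"},
        {"type": "indicator", "id": "indicator--a2", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855']"},
        {"type": "indicator", "id": "indicator--a3", "pattern_type": "stix",
         "pattern": "[url:value = 'http://bad.example/payload.bin'] OR "
                    "[domain-name:value = 'bad.example']"},
        {"type": "malware", "id": "malware--b1", "name": "ExampleLoader"},
    ]})

# One comparison inside a STIX pattern: [object-type:property = 'value']
COMPARISON_RE = re.compile(r"\[(?P<type>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']*)'\]")

# Which reference set each (object type, property) feeds; anything else is ignored.
SET_FOR = {("ipv4-addr", "value"): "malicious_ips", ("ipv6-addr", "value"): "malicious_ips",
           ("file", "hashes.'SHA-256'"): "malicious_hashes", ("file", "hashes.MD5"): "malicious_hashes",
           ("url", "value"): "malicious_urls", ("domain-name", "value"): "malicious_domains"}

# Which event property is tested against which set (assumed event schema).
FIELD_TO_SET = {"src_ip": "malicious_ips", "dst_ip": "malicious_ips",
                "sha256": "malicious_hashes", "url": "malicious_urls", "domain": "malicious_domains"}


def canonical(value, set_name):
    # Hashes, domains and IPs compare case-insensitively; URL paths do not.
    return value if set_name == "malicious_urls" else value.lower()


def build_reference_sets(bundle_json):
    sets = defaultdict(set)
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for m in COMPARISON_RE.finditer(obj["pattern"]):
            set_name = SET_FOR.get((m["type"], m["prop"]))
            if set_name:
                sets[set_name].add(canonical(m["value"], set_name))
    return dict(sets)


def match_events(events, sets):
    """Return (event id, field, value, reference set) for every event property found in a set."""
    hits = []
    for ev in events:
        for field, set_name in FIELD_TO_SET.items():
            value = ev.get(field)
            if value is not None and canonical(value, set_name) in sets.get(set_name, ()):
                hits.append((ev["id"], field, value, set_name))
    return hits


SAMPLE_EVENTS = [  # constructed, already-parsed events
    {"id": 1, "src_ip": "203.0.113.5", "dst_ip": "10.0.0.8"},
    {"id": 2, "src_ip": "10.0.0.15",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"id": 3, "src_ip": "10.0.0.15", "domain": "BAD.example"},
    {"id": 4, "src_ip": "10.0.0.20", "url": "http://bad.example/Payload.bin"},  # path case differs
]

if __name__ == "__main__":
    sets = build_reference_sets(STIX_BUNDLE)
    for hit in match_events(SAMPLE_EVENTS, sets):
        print(hit)
```

Two practical caveats the code encodes: hashes and domains must be compared case-insensitively or a feed that publishes upper-case hashes silently matches nothing, and a pattern with OR contains several comparisons, each of which needs to land in its own set.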
Smart Data Analysis
Typically, an analyst must go through the tedious process of taking an event, such as a downloaded malware sample, and submitting its hash to VirusTotal to find crucial context such as the threat actor and the IP addresses associated with it. While QRadar can integrate with VirusTotal, it also leverages Watson AI (QRadar Advisor with Watson) to automate the construction of relationship graphs. This facilitates the auto-detection of Indicators of Compromise (IoCs), highlights related IoCs with blue lines in the graph, and identifies the threat actors and IP addresses behind malicious activity. Additionally, QRadar can import vulnerability scan reports so that an event against a host is seen in the context of that host's known weaknesses.
Analyzing data without a SIEM
A popular PowerShell script called PowerSIEM (https://github.com/IppSec/PowerSiem) gives basic, fast analysis of system events, and its formatting makes Indicators of Compromise (IoCs) easier to spot than in the plain Event Viewer. The script relies on Sysmon (https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon), the Sysinternals system-monitoring service that records process creation, network connections, file and registry changes and similar activity to a dedicated Windows event log. It is important to note that PowerSIEM is maintained by a single author, which makes it unsuitable as the sole SIEM solution in a professional environment.
To use PowerSIEM, you must first install Sysmon. Install it into the System32 folder (a location only administrators can write to) rather than a user-writable directory, so that an attacker cannot plant a look-alike DLL next to the service binary (DLL search-order hijacking). Sysmon must be configured using a configuration file, such as the one provided by Neo23x0 (https://github.com/Neo23x0/sysmon-config), kept alongside the executable. To install, use the command:
Sysmon64.exe -i <config file> -acceptEula
Interesting Note: Accepting the EULA writes a registry value (under HKCU\Software\Sysinternals, one key per tool) recording that the current user accepted it, which is a handy forensic artefact for determining whether a user has run a Sysinternals tool before.
To run the PowerSIEM script, open PowerShell and navigate to the script location. The Write-Alert function writes the formatted event to the console. The script polls continuously: it checks whether the index of the newest event has changed and, if it has, fetches the last five events, processes them and displays them. Sysmon assigns a different event ID to each type of activity (for example 1 for process creation and 3 for network connections), which is how the script tells them apart. You can run $evt | select * to see every property available on an event. Note that not every activity produces an event: Sysmon logs only what the configuration file's include and exclude rules select.
Interesting Note: Sysmon also logs the creation of NTFS Alternate Data Streams (ADS, event ID 15). Browsers and other download clients attach a Zone.Identifier stream (the "mark of the web") to files downloaded from the internet, and copies of such files keep it, so downloads and transfers of those files show up as ADS events.
When running PsExec against the monitored machine, Windows Defender blocked the Linux implementation of PsExec but allowed the Sysinternals PsExec run from a remote Windows system. Additionally, the Linux implementation's remote shell runs as SYSTEM by default, whereas Sysinternals PsExec runs as the connecting user unless the -s switch is given. This highlights some fundamental differences between how the tool operates on different operating systems.
IoC Development using PowerSIEM
If you run a Cobalt Strike Beacon on the machine running PowerSIEM (for example, delivered through a drive-by download from another machine), you will see the beacon's repeated connection requests to the command-and-control (C2) server in the network-connection events.
An interesting log is generated when we run the whoami command from the C2 server. The Process Create event for whoami shows a ParentCommandLine containing a /C switch: Beacon's shell command runs the command through cmd.exe /C, which executes a single command and exits. When whoami is typed into an interactive CMD window the parent command line is just cmd.exe with no /C, so a /C on the parent of a reconnaissance command is a cheap tell for a non-interactive shell.
The sacrificial-process pattern is a second tell. For its post-exploitation jobs, Cobalt Strike spawns a temporary "sacrificial" process from a legitimate Windows binary (here gpupdate.exe, a non-malicious program), injects the job's code into it so that the malicious activity runs under an innocuous name, and reads the job's output back over a named pipe. The pipe name is postex_ followed by random characters. Mimikatz, the post-exploitation tool that extracts credentials from lsass.exe (the process that manages and stores logon credentials and security policy), is run exactly this way: the sacrificial process opens a handle to lsass.exe and the dumped credentials travel back to Beacon through the pipe. The process-creation, pipe and process-access events around gpupdate.exe therefore all deserve detection rules.
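The three tells above can be turned into rules over Sysmon's own event log. The example below was written for this post (it is not PowerSIEM, which is a PowerShell script, nor any vendor's content): it flattens Sysmon events from Event Viewer's XML view into dictionaries and flags a reconnaissance tool spawned via cmd.exe /C, a pipe whose name starts with \postex_, and a non-allowlisted process opening lsass.exe. The events are constructed in the Windows event XML schema; the recon-tool list and the lsass allowlist are assumed starting points that must be tuned for a real estate, and the pipe regex assumes the default hex suffix.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon_xml(xml_text):
    """Flatten a Sysmon event (Event Viewer's XML view) into {EventID, <Data Name>: text}."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for d in root.findall("e:EventData/e:Data", NS):
        rec[d.get("Name")] = d.text or ""
    return rec


def _event(event_id, **data):
    # Builds a constructed Sysmon event in the Windows event XML schema; only the fields
    # the rules below look at are included.
    fields = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in data.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>%d</EventID></System><EventData>%s</EventData></Event>'
            % (event_id, fields))


SAMPLE_EVENTS = [
    # 1: whoami spawned by Beacon's shell command: parent is cmd.exe with /C
    _event(1, Image=r"C:\Windows\System32\whoami.exe", CommandLine="whoami",
           ParentImage=r"C:\Windows\System32\cmd.exe",
           ParentCommandLine=r"C:\Windows\system32\cmd.exe /C whoami"),
    # 1: the same command typed into an interactive CMD window (no /C on the parent)
    _event(1, Image=r"C:\Windows\System32\whoami.exe", CommandLine="whoami",
           ParentImage=r"C:\Windows\System32\cmd.exe",
           ParentCommandLine=r'"C:\Windows\system32\cmd.exe"'),
    # 17: the sacrificial gpupdate.exe creates the post-exploitation pipe
    _event(17, Image=r"C:\Windows\System32\gpupdate.exe", PipeName=r"\postex_1a2b"),
    # 10: the sacrificial process opens lsass.exe (a Mimikatz job reading credentials)
    _event(10, SourceImage=r"C:\Windows\System32\gpupdate.exe",
           TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1010"),
    # 10: a normal system process touching lsass.exe
    _event(10, SourceImage=r"C:\Windows\System32\svchost.exe",
           TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1000"),
]

RECON_TOOLS = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe", "ipconfig.exe",
               "systeminfo.exe", "tasklist.exe", "hostname.exe"}          # assumed list
# Processes that legitimately open lsass.exe: an assumed starting list, tune per estate.
LSASS_ALLOWLIST = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\wininit.exe",
                   r"c:\windows\system32\csrss.exe"}
NON_INTERACTIVE_CMD = re.compile(r"(^|\s)/c(\s|$)", re.IGNORECASE)
# Default post-exploitation pipe: \postex_ plus hex digits; widen if the profile is customised.
POSTEX_PIPE = re.compile(r"^\\postex_[0-9a-f]+$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return a reason string if the event matches one of the three patterns, else None."""
    eid = ev["EventID"]
    if eid == 1:   # process creation
        if (basename(ev.get("ParentImage", "")) == "cmd.exe"
                and NON_INTERACTIVE_CMD.search(ev.get("ParentCommandLine", ""))
                and basename(ev.get("Image", "")) in RECON_TOOLS):
            return "recon tool launched through cmd.exe /C (non-interactive shell)"
    elif eid in (17, 18):   # named pipe created / connected
        if POSTEX_PIPE.match(ev.get("PipeName", "")):
            return "default Cobalt Strike post-exploitation pipe name"
    elif eid == 10:   # process access
        if (basename(ev.get("TargetImage", "")) == "lsass.exe"
                and ev.get("SourceImage", "").lower() not in LSASS_ALLOWLIST):
            return "non-allowlisted process opened a handle to lsass.exe (access %s)" % ev.get("GrantedAccess")
    return None


def scan(xml_events):
    hits = []
    for xml_text in xml_events:
        ev = parse_sysmon_xml(xml_text)
        reason = classify(ev)
        if reason:
            hits.append((ev["EventID"], reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Pipe events (IDs 17 and 18) only appear if the Sysmon configuration includes them, which is one reason to start from a maintained configuration rather than the defaults; and the lsass rule is the noisiest of the three, so expect to spend time growing the allowlist before it is fit for alerting.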
Exciting features of IBM QRadar
Below are some key features in IBM QRadar mentioned by Jose Bravo. Various other vendors such as Splunk may or may not have these features.
Cloud Adoption and Live Processing
QRadar has broad support for telemetry from many sources. It supports on-premise log sources directly, across a large number of log source types, and as more logs now originate from cloud services, it provides connectors that pull logs directly from those services.
QRadar also lets you view network flows in real time with various filters. It auto-detects new log sources: when events arrive from a previously unseen device, it identifies the log source type from the event format and creates the log source automatically. QRadar also performs automated normalisation and indexing. Normalisation means that events from different sources are mapped to the same fields and categories when they describe the same kind of activity, so a login failure reported by Windows (event ID 4625) and one reported by Linux sshd both land in the same low-level category and can be searched, counted and alerted on together regardless of where they came from. Indexing the normalised properties is what keeps those searches fast.
Distributed Architecture
QRadar operates on a distributed architecture. Event collectors receive, parse and normalise events from log sources and forward them to an event processor, which runs the rules and correlation; processed events can then be stored on dedicated storage appliances (the data store). These components can be deployed on different systems distributed across networks and cloud services, enabling flexible log storage and efficient processing. For network traffic, flow collectors and flow processors capture and store the more detailed flow records.
Additionally, a central console (the QRadar web GUI, with the Pulse app for dashboards) displays the desired graphs and statistics and manages all components distributed across the network. The console also supports separating data by domain and tenant, so that different networks, business units or customer organisations can be kept apart at different levels.
Powerful Queries and Filters
The QRadar GUI, and the Pulse dashboards built on it, support powerful filters on every property in the data store. For those who prefer a query language, QRadar provides AQL (Ariel Query Language), which is modelled on SQL and queries the same event and flow data, together with an automated query builder that constructs the AQL statement from selections made in the GUI.
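The following example, written for this post and not QRadar's own code, ties the normalisation described under "Cloud Adoption and Live Processing" to the SQL-like querying described here. It maps Windows Security events (by event ID) and Linux sshd messages onto one shared schema, loads them into an indexed table, and answers "which sources have failed to log in repeatedly?" with a single query that spans both platforms. SQLite stands in for QRadar's event database, the column names are an assumed schema chosen to read like AQL fields, and the events are constructed.

```python
import json
import re
import sqlite3

# Constructed, already-parsed events as event collectors would hand them to the processor:
# Windows Security events (by event ID) and Linux sshd syslog messages.
RAW_EVENTS = [
    {"source": "windows", "ts": "2024-03-05T14:00:05Z", "EventID": 4625,
     "TargetUserName": "admin", "IpAddress": "203.0.113.5"},
    {"source": "windows", "ts": "2024-03-05T14:00:09Z", "EventID": 4625,
     "TargetUserName": "Administrator", "IpAddress": "203.0.113.5"},
    {"source": "windows", "ts": "2024-03-05T14:00:40Z", "EventID": 4624,
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.15"},
    {"source": "windows", "ts": "2024-03-05T14:01:02Z", "EventID": 4625,
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.15"},
    {"source": "linux", "ts": "2024-03-05T14:00:12Z", "host": "web01", "program": "sshd",
     "message": "Failed password for root from 203.0.113.5 port 51423 ssh2"},
    {"source": "linux", "ts": "2024-03-05T14:00:15Z", "host": "web01", "program": "sshd",
     "message": "Failed password for invalid user oracle from 203.0.113.5 port 51424 ssh2"},
    {"source": "linux", "ts": "2024-03-05T14:02:00Z", "host": "web01", "program": "sshd",
     "message": "Accepted publickey for deploy from 10.0.0.20 port 40000 ssh2"},
]

# Equivalent of a category map: each source-specific identifier goes to one shared category pair.
WINDOWS_CATEGORIES = {4624: ("Authentication", "Login Success"),
                      4625: ("Authentication", "Login Failure"),
                      4634: ("Authentication", "Logout")}
SSHD_CATEGORIES = [
    (re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
     ("Authentication", "Login Failure")),
    (re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)"),
     ("Authentication", "Login Success")),
]

# Assumed shared schema, named to read like AQL fields.
COLUMNS = ("starttime", "sourceip", "username", "highlevelcategory", "lowlevelcategory",
           "logsourcetype", "payload")


def normalise(ev):
    """Map one raw event onto the shared schema; unknown events keep category 'Unknown'."""
    hi, lo, user, ip, kind = "Unknown", "Unknown", None, None, ev["source"]
    if ev["source"] == "windows":
        hi, lo = WINDOWS_CATEGORIES.get(ev["EventID"], (hi, lo))
        user, ip = ev.get("TargetUserName"), ev.get("IpAddress")
        kind = "Microsoft Windows Security Event Log"
    elif ev["source"] == "linux" and ev.get("program") == "sshd":
        kind = "Linux OS"
        for pattern, (h, l) in SSHD_CATEGORIES:
            m = pattern.search(ev["message"])
            if m:
                hi, lo, user, ip = h, l, m["user"], m["ip"]
                break
    return dict(zip(COLUMNS, (ev["ts"], ip, user, hi, lo, kind, json.dumps(ev, sort_keys=True))))


def load(events):
    conn = sqlite3.connect(":memory:")   # stand-in for the SIEM's event database
    conn.execute("CREATE TABLE events (%s)" % ", ".join(c + " TEXT" for c in COLUMNS))
    # Indexing the normalised properties is what makes category searches cheap.
    conn.execute("CREATE INDEX idx_events_category ON events (lowlevelcategory, sourceip)")
    conn.executemany("INSERT INTO events VALUES (%s)" % ", ".join(":" + c for c in COLUMNS),
                     [normalise(e) for e in events])
    return conn


def failed_logins_by_source(conn, minimum=3):
    """Written the way the equivalent AQL reads: one query spans Windows and Linux because
    both have been normalised to the same low-level category."""
    sql = """SELECT sourceip, COUNT(*) AS failures, COUNT(DISTINCT logsourcetype) AS sourcetypes
             FROM events
             WHERE lowlevelcategory = 'Login Failure'
             GROUP BY sourceip
             HAVING failures >= ?
             ORDER BY failures DESC, sourceip"""
    return conn.execute(sql, (minimum,)).fetchall()


if __name__ == "__main__":
    conn = load(RAW_EVENTS)
    print(failed_logins_by_source(conn))
```

The original payload is kept alongside the normalised columns on purpose: normalisation loses detail, and an analyst confirming an offence needs the raw event, which is also why QRadar stores the payload next to the parsed properties.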
API and AI/ML
QRadar exposes every piece of information for viewing and modification through its REST APIs, which is how custom, more user-friendly and dynamic applications are built on top of it.
Other than using Watson AI for relationship graphs, QRadar integrates AI and ML into its functioning more broadly. A simple example is the use of user-behaviour-based thresholds instead of fixed ones: a baseline of what is normal for each user or asset is learned from history, and deviations from that baseline raise alerts. This catches malicious actions that a single static threshold would miss while not alarming on accounts whose normal activity happens to be high.
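Here is the simplest form of that idea in code, written for this post rather than taken from QRadar's user-behaviour analytics: a per-account baseline (mean and standard deviation of daily logon counts over a fortnight) sets each account's own threshold, and the result is compared with a single static threshold. The history and today's counts are constructed; the choice of three standard deviations and the floor of five are assumptions to tune.

```python
from statistics import mean, pstdev

# Constructed 14-day history of daily logon counts per account, and today's counts.
# jdoe is an interactive user; svc_backup is a service account that logs on constantly.
HISTORY = {
    "jdoe":       [3, 4, 3, 5, 4, 3, 4, 5, 3, 4, 4, 3, 5, 4],
    "svc_backup": [120, 118, 125, 119, 121, 122, 118, 124, 120, 119, 123, 121, 120, 122],
}
TODAY = {"jdoe": 40, "svc_backup": 123}


def learn_thresholds(history, k=3.0, floor=5):
    """Per-account threshold = mean + k standard deviations, never tighter than `floor`
    above the mean so that very regular accounts do not alert on trivial jitter."""
    thresholds = {}
    for account, samples in history.items():
        mu, sigma = mean(samples), pstdev(samples)
        thresholds[account] = mu + max(k * sigma, floor)
    return thresholds


def evaluate(today, history, static_threshold=100, k=3.0, floor=5):
    """Compare a single static threshold with the learned per-account ones."""
    thresholds = learn_thresholds(history, k, floor)
    report = {}
    for account, value in today.items():
        report[account] = {
            "value": value,
            "static_alert": value > static_threshold,
            "behavioural_threshold": round(thresholds[account], 1),
            "behavioural_alert": value > thresholds[account],
        }
    return report


if __name__ == "__main__":
    for account, r in evaluate(TODAY, HISTORY).items():
        print(account, r)
```

With these numbers the static threshold gets both accounts wrong: it fires on the service account's routine 123 logons and ignores jdoe's jump from about four to forty, while the learned thresholds flag only jdoe. Real products replace the mean-and-deviation baseline with richer models, but the shape of the decision is the same.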
Conclusion
Security Information and Event Management (SIEM) systems have become essential for effective cybersecurity, providing crucial capabilities for monitoring, detecting, and responding to threats. They emerged from the need for compliance and more sophisticated security measures.
IBM QRadar stands out for features such as real-time log and flow processing, integration with threat intelligence feeds and the MITRE ATT&CK framework, and its use of AI and ML. It supports cloud environments, offers powerful querying through AQL, and provides detailed analytics, making it highly effective in detecting and responding to security incidents.
On the other hand, tools like PowerSIEM offer basic and fast analysis of system events, especially useful for detecting Indicators of Compromise (IoCs) in Windows environments. Windows itself provides extensive logging capabilities through tools like Event Viewer and PowerShell commands, enabling detailed monitoring and analysis of system activities.
Together, these tools highlight the critical role of SIEMs and related technologies in enhancing an organisation's cybersecurity posture, ensuring compliance, and safeguarding IT infrastructure. As SIEM technologies evolve, they continue to be a cornerstone of robust cybersecurity strategies.