Interview coming up, SIEM log question

mataimatai Member Posts: 232
Hey all,

I'm going in for a face to face interview soon and the HR person said that some days I could spend 75% of the day looking through AlienVault logs. This is not something I have much experience with, anybody have some tips on how I could quickly ramp up my log reviewing knowledge/skills?

Thanks!
Current: CISM, CISA, CISSP, SSCP, GCIH, GCWN, C|EH, VCP5-DCV, VCP5-DT, CCNA Sec, CCNA R&S, CCENT, NPP, CASP, CSA+, Security+, Linux+, Network+, Project+, A+, ITIL v3 F, MCSA Server 2012 (70-410, 70-411, 74-409), 98-349, 98-361, 1D0-610, 1D0-541, 1D0-520
In Progress: Not sure...

Comments

  • Chitownjedi Member Posts: 578
    Understand that logs get turned into events by a priority based system, usually risk based, however this could be overridden by a Global log processing rule based on if you want to change how the log is handled when being indexed.

    Usually some pull mechanic is used for pulling logs into a centralized data collector, which forwards logs to a data processor where metadata and field translations happen. When there isn't an MPE or parsing rule available you may have to build a custom one, which usually requires some significant regex type of experience.

    Sometimes an agent goes on host to package and compress logs from complex log types that aren't natively handled via Alienvault or whatever your SIEM platform can do.

    Using some alarm rule based engine to create correlated events is needed (someone logs into a machine, creates an elevated account, removes audit logs) could be one rule, where all those steps have to take place in that order before it triggers the alarm. Also, timers can be set in between events happening to make sure the time frame is within an hour basis, versus indefinitely.

    Tuning out false positives is a must. Being able to create reports based off events that show compliance or regulatory adherence is a help. You don't want to be looking at logs if you can help it, you want to be looking at alarms or alerts that are triggered from logs, that have been tuned either via threshold or very risky behavior. This will lead you to viewing the events that triggered them and being able to infer if it's a legit problem or an operational misconfiguration or anomaly.
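The ordered, time-bounded correlation rule described in the comment above (logon, then privileged account creation, then audit log cleared), as an added example that is not AlienVault code or anything from the original post. It assumes Windows Security event IDs stand in for the three steps (4624 logon, 4720 user account created, 1102 audit log cleared) and runs over constructed sample lines, not captured data; the one hour timer between consecutive steps is the value the comment mentions.

```python
"""Sequence correlation over log lines: steps must occur in order, per host+user,
with no more than MAX_GAP between consecutive steps. Added example; event ID
meanings and the sample log below are assumptions, not AlienVault output."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, host, Windows event ID, user.
# alice: all three steps in order within minutes        -> should alarm
# bob:   login, then 2.5 h gap before account creation  -> timer expired, no alarm
# carol: account created BEFORE the logon               -> out of order, no alarm
SAMPLE_LOG = """\
2024-03-01T09:00:05 srv01 4624 alice
2024-03-01T09:03:10 srv01 4720 alice
2024-03-01T09:04:00 srv01 1102 alice
2024-03-01T10:00:00 srv02 4624 bob
2024-03-01T12:30:00 srv02 4720 bob
2024-03-01T12:31:00 srv02 1102 bob
2024-03-01T13:00:00 srv03 4720 carol
2024-03-01T13:01:00 srv03 4624 carol
2024-03-01T13:02:00 srv03 1102 carol
"""

# Assumed mapping of the post's steps to event IDs (4624 logon, 4720 account
# created, 1102 audit log cleared). Steps must be matched in this order.
SEQUENCE = (4624, 4720, 1102)
MAX_GAP = timedelta(hours=1)  # timer allowed between consecutive steps


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int
    user: str


def parse(text):
    """Parse the simple constructed format and return events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, user = line.split()
        events.append(Event(datetime.fromisoformat(ts), host, int(eid), user))
    return sorted(events, key=lambda e: e.ts)


def correlate(events, sequence=SEQUENCE, max_gap=MAX_GAP):
    """Return one alarm per (host, user) that completed every step of `sequence`
    in order, with each step no more than `max_gap` after the previous one."""
    # (host, user) -> (index of next expected step, ts of last matched step, matched events)
    state = {}
    alarms = []
    for ev in events:
        key = (ev.host, ev.user)
        idx, last_ts, chain = state.get(key, (0, None, []))
        # Timer expired since the last matched step: discard the partial chain.
        if idx > 0 and ev.ts - last_ts > max_gap:
            idx, last_ts, chain = 0, None, []
        # Advance only on the step we are waiting for; unrelated events in
        # between are ignored rather than resetting the chain.
        if ev.event_id == sequence[idx]:
            idx, last_ts, chain = idx + 1, ev.ts, chain + [ev]
        if idx == len(sequence):
            alarms.append({"host": ev.host, "user": ev.user,
                           "start": chain[0].ts, "end": chain[-1].ts,
                           "events": [e.event_id for e in chain]})
            idx, last_ts, chain = 0, None, []
        state[key] = (idx, last_ts, chain)
    return alarms


def alarms_for_sample(max_gap_hours=1):
    """Run the rule over SAMPLE_LOG with a configurable inter-step timer."""
    return correlate(parse(SAMPLE_LOG), max_gap=timedelta(hours=max_gap_hours))


if __name__ == "__main__":
    for alarm in alarms_for_sample():
        print(f"ALARM {alarm['host']} {alarm['user']} "
              f"{alarm['start']} -> {alarm['end']} steps={alarm['events']}")
```

With the one hour timer only alice's chain fires; widening the timer to three hours also lets bob's chain through, which is the kind of threshold tuning the comment refers to, while carol's out-of-order events never complete the sequence regardless of the window.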
  • dmoore44 Member Posts: 646
    For a more practical answer... Download and install Splunk or GrayLog and start sending logs to it. This will work best if you have multiple machines you can export logs from. You could also see if your modem/router supports syslog.

    From there, you just need to start logging things. Check out this page on configuring logging settings for Server 2008/Vista/7: https://blogs.technet.microsoft.com/askds/2008/08/12/event-logging-policy-settings-in-windows-server-2008-and-vista/
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • bigdogz Member Posts: 881
    It siems you will have better knowledge by going through logs. ;)

    ...sorry. I just could not avoid it.

    Good Luck !!!
  • LaSeeno Member Posts: 64
    Download and install AlienVault OSSIM. And watch the demos.