We have collected, processed and stored logs up to this point. Now we need to detect abnormal behavior in that data and generate alerts.
How quickly an alert fires depends on how fast we can search the data. For a log generated today we want the alert immediately, not two days later. That is why, as mentioned in the previous article, the storage environment must be designed for fast searching.
The alerts we create in the SIEM will usually point at something suspicious that has to be investigated by a person. That means each alert must be tuned so that it does not fire in large numbers (apart from exceptional cases); an alert that fires hundreds of times a day is noise, not detection.
Here are two ways to create an alert:
By running scheduled searches over the stored data
By evaluating rules on the logs as they are ingested (real time)
Example alerts that can be created:
A new user added to the global administrator role
15 failed logins within 3 minutes from the same IP address
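The two example alerts above, implemented as rules over log lines. This is an added example and not code from the original article; the line format, event names (LOGIN_FAILED, GROUP_MEMBER_ADDED), the group name GlobalAdministrator and the log lines themselves are all constructed for the example. The failed-login rule uses a per-IP sliding window and clears the window after it fires, so one brute-force run produces one alert per burst rather than one per extra failure, which is the low-volume behavior described above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data; documentation IPs, made-up accounts).
# Assumed line format: "<ISO-8601 timestamp> <EVENT_NAME> key=value key=value ..."
_BASE = datetime(2024, 1, 10, 9, 0, 0)
SAMPLE_LOGS = []
# 15 failures from one IP, 10 s apart (140 s span): should fire the 15-in-3-minutes rule once.
for i in range(15):
    SAMPLE_LOGS.append(
        f"{(_BASE + timedelta(seconds=10 * i)).isoformat()} LOGIN_FAILED src=203.0.113.5 user=alice")
# 15 failures from another IP, 4 min apart: never 15 inside one 3-minute window, must not fire.
for i in range(15):
    SAMPLE_LOGS.append(
        f"{(_BASE + timedelta(minutes=4 * i)).isoformat()} LOGIN_FAILED src=198.51.100.7 user=bob")
# One successful logon (ignored by both rules) and one privileged-group change.
SAMPLE_LOGS.append(f"{(_BASE + timedelta(minutes=1)).isoformat()} LOGIN_SUCCESS src=10.0.0.9 user=dave")
SAMPLE_LOGS.append(
    f"{(_BASE + timedelta(minutes=5)).isoformat()} GROUP_MEMBER_ADDED src=10.0.0.2 user=carol group=GlobalAdministrator")


def parse_line(line):
    """Split one log line into a dict: ts (datetime), event, and the key=value fields."""
    ts, event, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def detect_failed_login_bursts(events, threshold=15, window=timedelta(minutes=3)):
    """Alert when `threshold` LOGIN_FAILED events from one source IP fall inside `window`.

    A sliding window (deque of timestamps) is kept per source IP. After an alert fires
    the IP's history is cleared, so a long brute-force run yields one alert per burst
    instead of one alert per additional failure.
    """
    history = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # process oldest first, as a stream would
        if ev["event"] != "LOGIN_FAILED":
            continue
        q = history[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:                 # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"rule": "failed_login_burst", "src": ev["src"], "user": ev.get("user"),
                           "count": len(q), "first": q[0], "last": ev["ts"]})
            q.clear()
    return alerts


def detect_privileged_group_change(events, group="GlobalAdministrator"):
    """Alert on every membership change that adds an account to the privileged group."""
    return [{"rule": "privileged_group_member_added", "user": ev.get("user"), "group": group,
             "ts": ev["ts"]}
            for ev in events
            if ev["event"] == "GROUP_MEMBER_ADDED" and ev.get("group") == group]


def run_rules(lines):
    """Parse raw lines and run both rules; returns the combined alert list."""
    events = [parse_line(line) for line in lines]
    return detect_failed_login_bursts(events) + detect_privileged_group_change(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS):
        print(alert)
```

Running it on the constructed lines produces exactly two alerts: one failed_login_burst for 203.0.113.5 (count 15) and one privileged_group_member_added for carol. The 15 slow failures from 198.51.100.7 never fire, because at most one of them sits inside any 3-minute window.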
To create a quality alert, you must understand the data you have. Three techniques for making better log searches are blacklisting, whitelisting and long tail analysis.
Blacklisting: alert when a known-bad indicator (a process name, hash, IP address) appears in the logs. It is easy to manage and implement, but very easy to bypass. For example, if the attacker renames mimikatz.exe to mimikatz2.exe, no alert will fire.
Whitelisting: define what is allowed and alert on everything else. This method is highly effective, but difficult to manage: the list must be updated every time something legitimate changes, or the legitimate change itself becomes an alert.
Long tail analysis: this method assumes that behavior which occurs constantly is normal. In other words, if an "Event ID 4624: An account was successfully logged on" log occurs constantly on a device, we treat it as normal and direct our suspicion at the logs that occur least often.
Good post about long tail analysis: https://threatpost.com/long-tail-analysis-hope-cybercrime-battle/155992/
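The three techniques side by side on the same set of process-creation events, as an added example that is not part of the original article. The events, the blacklist and the whitelist are constructed for the example; the file names mimikatz.exe and mimikatz2.exe are the ones used in the text above. The output shows the trade-off the text describes: the blacklist misses the renamed tool, while the whitelist and the long tail catch it but also flag a legitimate, newly installed program.

```python
import ntpath
from collections import Counter


# Constructed process-creation events (not real telemetry); only host and image path are kept.
def _events(host, image, n=1):
    return [{"host": host, "image": image} for _ in range(n)]


EVENTS = (
    _events("ws01", r"C:\Windows\System32\svchost.exe", 40)
    + _events("ws01", r"C:\Windows\explorer.exe", 12)
    + _events("ws02", r"C:\Program Files\Google\Chrome\Application\chrome.exe", 9)
    + _events("ws02", r"C:\Windows\Temp\mimikatz.exe")          # known-bad file name
    + _events("ws03", r"C:\Users\Public\mimikatz2.exe")         # same tool, renamed
    + _events("ws03", r"C:\Program Files\NewTool\newtool.exe")  # legitimate, newly installed
)

# Assumed lists. Real ones are far longer and must be maintained over time.
BLACKLIST = {"mimikatz.exe", "procdump.exe"}
WHITELIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\explorer.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
}


def blacklist_alerts(events):
    """Fire when the image's file name is on the known-bad list. Cheap, but a rename evades it."""
    return [e for e in events if ntpath.basename(e["image"]).lower() in BLACKLIST]


def whitelist_alerts(events):
    """Fire on any image not on the approved list. Catches renamed tools, but every new
    legitimate program alerts until the list is updated."""
    return [e for e in events if e["image"].lower() not in WHITELIST]


def long_tail_alerts(events, max_count=2):
    """Treat images seen constantly as normal and flag those seen `max_count` times or fewer.
    Needs no list at all, but rare legitimate activity lands in the tail next to the attacker."""
    counts = Counter(e["image"].lower() for e in events)
    return [e for e in events if counts[e["image"].lower()] <= max_count]


def long_tail_report(events):
    """Image counts in ascending order: the top of this list is where the analyst starts."""
    counts = Counter(e["image"] for e in events)
    return sorted(counts.items(), key=lambda kv: kv[1])


def compare_methods(events):
    """File names each method flags, for a side-by-side view of the trade-offs."""
    return {
        "blacklist": sorted({ntpath.basename(e["image"]) for e in blacklist_alerts(events)}),
        "whitelist": sorted({ntpath.basename(e["image"]) for e in whitelist_alerts(events)}),
        "long_tail": sorted({ntpath.basename(e["image"]) for e in long_tail_alerts(events)}),
    }


if __name__ == "__main__":
    for image, count in long_tail_report(EVENTS):
        print(f"{count:4d}  {image}")
    for method, flagged in compare_methods(EVENTS).items():
        print(f"{method:10s} -> {flagged}")
```

On these events the blacklist flags only mimikatz.exe, while both the whitelist and the long tail flag mimikatz.exe, mimikatz2.exe and newtool.exe. The long tail threshold (max_count) is the tuning knob: raising it pulls more of the rarely seen images into review, so it has to be set from the actual volume of the data, which is why understanding your data comes first.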
With these three methods you can surface suspicious activity in your data and turn it into alerts.