SIEM Design

Calculating EPD or Storage Requirements

  • Average per day
  • Peak/burst Max

Devices to Monitor

Networking Devices

Security Devices

Server Operating Systems

Security Applications


Cloud Platforms


Use Cases

  1. Detecting new VPN connectivity from everywhere except China (mostly done from the events received by the firewalls)
  2. NMAP scan (this is from flows; by default QRadar identifies around 400 applications, but NMAP is not one of them)
  3. Ping sweep
  4. XSS attacks
  5. SQL injection
  6. If a new port has been opened on the firewall for in/out traffic
  7. If an FTP site has been accessed from an unknown address
  8. If tunneled data is detected on the network
  9. If RAR files are being continuously uploaded in some fixed partition-size format
  10. If online messengers are used to chat and transfer files
  11. If malicious traffic is seen hitting critical servers of the infrastructure
  12. Detecting BitTorrent or P2P traffic
  13. If the firewall has a critical policy change (this differs from one brand to another, as you might not find the same naming of the event in all brands)
  14. If x number of changes have been made on a firewall over x period of time by x user
  15. If a new user/admin has been created on a critical server, network device or firewall
  16. If a machine’s time has changed
  17. If a remote session was taken to a critical server for more than an hour
  18. Network resources have been accessed in non-working hours
  19. If on-leave/ex-employee user credentials have been used in any way
  20. If credentials are sent in clear text
  21. Any config change
  22. Agent has been tampered with
  23. If an infected machine receives an SSH login attempt
  24. Which servers were recently attacked with an exploit, correlated against a recent scan of the same server
  25. OS fingerprint event has occurred by an attacker
  26. Auditing has been removed, changed or altered
  27. Access to any device from other than the admin or authorized users
  28. Same account login from different geographical places
  29. Multiple login failures from the same username/IP address to the same destination, followed by a success
  30. Taking SSH, telnet etc. sessions on a non-standard port
  31. Successful login to disabled accounts
  32. Restart/shutdown of critical servers
  33. Hostile email attachments
  34. Attacks on internet gateways
  35. Track each new virus detected in the environment


Generic OS

  • Privileged user login
  • Failed login by privileged user
  • Excessive failed logins for a single host
  • Excessive failed logins for a user across multiple hosts
  • Deactivated/terminated user login
  • Same user logged into multiple machines
  • High rate of configuration changes
  • High rate of errors by a single host
  • Logging service stopped
  • Critical service stopped
  • Important account lockout
  • Abnormal OS restart
  • Modification of networking configuration


Linux Specific

  • User added to ‘root’ or ‘wheel’ group
  • ‘su’ or ‘sudo’ to root account
  • Syslog stop/start/restart
  • Auditd stop/start/restart
  • Excessive failures to “SU”


Windows Specific

  • High rate of logins by service account
  • Privilege escalation by unauthorized user
  • Virus detected on Windows Server
  • Important account lockout
  • Audit log cleared
  • Malware not removed from a critical asset
  • Detecting audit policy was altered


  • Authentication: ‘logined’, ‘login failed’, ‘locked’, ‘unlocked’
    • The ‘logined’ events provide the ‘from’ IP address, which could be used to check for user credential compromise.
      • Examples: a user logged in from unexpected site(s) or geographic location, or a user logged in from multiple locations within a specified period of time.
    • The ‘login failed’ events provide the number of failed attempts, which can be useful for correlation(s)/escalation(s) to alert when a user is approaching (or has surpassed) a tolerated threshold.
    • The ‘locked’ and ‘unlocked’ events could potentially be tracked to see how long it takes a user to be unlocked (useful for improving business operations/efficiency as well as validating that the unlock was done by the appropriate, authorized person).
  • Modification: updated user, update configuration (tends to be group attribute updates)
    • These logs could potentially be checked against a list of permissions, to ensure that a user hasn’t received unexpected higher-level privileges. They can also be reviewed based on time to ensure maintenance windows for change are adhered to.
  • Operation:
    • The ‘Added User’ and ‘Delete User’ events are the most interesting from this section and should be matched to active (or suspended/removed) accounts.
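Two of the use cases above (28: same account from different geographical places, and 29: repeated login failures followed by a success) and the ‘login failed’ threshold idea in this section can be expressed as correlation rules over normalised authentication events. The block below is an added example, not QRadar rule syntax or any vendor's code; the pipe-delimited event format, the field names and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), normalised to timestamp|user|src_ip|dst_host|outcome|geo.
SAMPLE_EVENTS = """\
2024-01-10T08:00:01|alice|10.0.0.5|srv-db01|failed|NL
2024-01-10T08:00:03|alice|10.0.0.5|srv-db01|failed|NL
2024-01-10T08:00:05|alice|10.0.0.5|srv-db01|failed|NL
2024-01-10T08:00:07|alice|10.0.0.5|srv-db01|failed|NL
2024-01-10T08:00:09|alice|10.0.0.5|srv-db01|failed|NL
2024-01-10T08:00:12|alice|10.0.0.5|srv-db01|success|NL
2024-01-10T08:05:00|bob|10.0.0.9|srv-web01|success|NL
2024-01-10T08:20:00|bob|203.0.113.7|srv-web01|success|BR
2024-01-10T09:00:00|carol|10.0.0.12|srv-file01|failed|NL
2024-01-10T09:00:30|carol|10.0.0.12|srv-file01|success|NL
"""
FIELDS = ("ts", "user", "src", "dst", "outcome", "geo")

def parse(text):
    """Parse the pipe-delimited lines into dicts sorted by timestamp."""
    events = [dict(zip(FIELDS, line.split("|"))) for line in text.strip().splitlines()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda e: e["ts"])

def brute_force_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Use case 29: at least `threshold` failures for the same user, source
    and destination inside `window`, followed by a success from that triple."""
    alerts, failures = [], defaultdict(list)  # (user, src, dst) -> failure times
    for ev in events:
        key = (ev["user"], ev["src"], ev["dst"])
        if ev["outcome"] == "failed":
            failures[key].append(ev["ts"])
        elif ev["outcome"] == "success":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append((*key, len(recent)))
            failures[key].clear()  # a success closes the failure run
    return alerts

def multi_geo_login(events, window=timedelta(hours=1)):
    """Use case 28: one account logs in successfully from two different
    geographic locations within `window`."""
    alerts, seen = [], defaultdict(list)  # user -> [(ts, geo)]
    for ev in events:
        if ev["outcome"] != "success":
            continue
        if any(g != ev["geo"] and ev["ts"] - t <= window for t, g in seen[ev["user"]]):
            alerts.append((ev["user"], ev["geo"]))
        seen[ev["user"]].append((ev["ts"], ev["geo"]))
    return alerts
```

The threshold and window values are tunable placeholders; in a real deployment they are set per log source after baselining normal failure rates.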

Log Source Protocols

  1. Syslog
  2. JDBC
  3. JDBC – SiteProtector
  4. Sophos Enterprise Console – JDBC
  5. Juniper Networks NSM
  7. SDEE
  8. SNMPv1
  9. SNMPv2
  10. SNMPv3
  11. Sourcefire Defense Center Estreamer
  12. Log File
  13. Microsoft Security Event Log
  14. Microsoft Security Event Log Custom
  15. Microsoft Exchange
  16. Microsoft DHCP
  17. Microsoft IIS
  18. EMC VMWare
  19. SMB Tail
  20. Oracle Database Listener
  21. Cisco Network Security Event Logging
  22. PCAP Syslog Combination Protocol
  23. Forwarded Protocol
  24. TLS Syslog Protocol
  25. Juniper Security Binary Log Collector Protocol
  26. UDP Multiline Syslog Protocol
  27. IBM Tivoli Endpoint Manager SOAP Protocol, REST API





Vuforia Beginner Tutorial


This is a very basic tutorial to get the Vuforia AR samples running on your iPhone.


  • Latest edition iPhone
  • Apple MacBook or Mac with latest High Sierra
  • Xcode installed


  1. Update your Apple Mac and iPhone
  2. Download and install Xcode from the App Store on your MacBook Pro
  3. Create account on
  4. Download the iOS SDK –
  5. Download the Samples –
  6. Extract the SDK files
  7. Extract the Samples files
  8. Select and copy VuforiaSample into the Vuforia-SDK-ios…\samples folder
  9. Connect your iPhone to your MacBook Pro via USB
  10. Open the VuforiaSamples.xcodeproj file in Xcode
  11. Follow instructions here –
  12. Set up the project to run on the iPhone device
  13. Change the General | Identity | Bundle Identifier –
  14. Change Signing to your Apple Developer account
  15. Log in to your Vuforia account and create a license key. Search and find the following string: Vuforia::setInitParameters(mVuforiaInitFlags as per
  16. Build and run the app
  17. On the iPhone, go to General | Device Management and then approve the app

Microsoft Security Technologies


ISM Info


Security Maturity Model Questionnaire


Underprepared

  • Implement security processes with formal guidelines across all departments
  • Automate cybersecurity processes wherever possible
  • Conduct periodic reviews to fine-tune security operations

In Transition

  • Assess suppliers and contractors to ensure they fulfil information security assurances
  • Align business needs with security requirements to avoid competing objectives and ensure the entire organisation pursues the same goal
  • Implement incident response and management procedures that enable users to take immediate action

Security Leaders

  • Automate as many cybersecurity processes as possible
  • Integrate threat intelligence into automated processes to help tools find threats that slipped through network defences
  • Align business and security needs to achieve cloud adoption and other digital transformation business objectives


Organisation Culture

  1. No dedicated security role with responsibilities either in the IT or other risk/compliance departments
  2. Information security is addressed within the organisation with at least one employee responsible for it
  3. A CISO exists and sets security strategy for the organisation
  4. Information security is implemented throughout customer facing, operations, and support functions
  5. Suppliers and subcontractors are assessed to ensure they fulfil security assurances

Technology and Controls

  1. Standard network security tools are used (main objective = preventing network breaches)
  2. Standard network security tools are used to gain visibility of which data assets are being secured (main objective = detecting threats)
  3. Security processes are semi-automated to defend against threats; Static “normal” network behaviour and context are created to understand the status of risk profiles at a single point in time
  4. Advanced tools are used to anticipate and prepare for unknown threats
  5. The majority of security processes are automated; Leveraging threat intelligence is a business objective; Adaptive network behaviour and context are created to understand the real-time status of risk profiles

Security Operations

  1. Security practices are implemented without formal guidelines
  2. Security practices are embedded in formal guidelines to be used by IT and information security teams
  3. Guidelines and security processes are established in all IT, customer facing, operations, and support functions; incident response procedures are defined
  4. Periodic reviews are conducted to fine-tune security operations, and incident response procedures are implemented
  5. Continuous tests of security operations are conducted, including automated incident response and management with technical, customer facing functions, operations, and support staff


  1. No dedicated security role with responsibilities either in the IT or other risk/compliance departments
  2. Information security is addressed within the organisation with at least one employee responsible for it
  3. IT and information security teams are aware of AND carry out security practices as defined by formal guidelines; training is received to ensure both teams are kept up to date
  4. Technical, customer facing functions, operations, and support staff receive training and education to keep up to date on information security risks
  5. Technical, customer facing functions, operations, and support staff regularly participate in incident response activities


Cloud Adoption

  1. No organisation-wide cloud strategy
  2. Cloud infrastructure is fully automated
  3. Cloud strategy set by IT and business units (but without security inputs) to re-set business processes to achieve desired outcomes
  4. Cloud strategy set by IT, business units and security
  5. Internal processes have been optimised as a result of cloud, and automated controls are enabled to allow for distributed clouds






ReactNative vs. Apache Cordova

Many of you may already be familiar with Apache Cordova as an open-source project that enables web developers to build mobile apps with full access to native APIs and offline support. In a Cordova app, the entire UI executes inside a full-screen WebView where you can leverage the same HTML, CSS and JS frameworks found on the web. But, since the UI is rendered in the WebView, it can be difficult if not impossible to achieve a truly native look and feel.

ReactNative apps are also written with JavaScript – or, more specifically, they are written with the React/JSX framework. But, rather than running in a WebView like Cordova, the code runs in a JavaScript engine that’s bundled with the app. ReactNative then invokes native UI components (e.g. UITabBar on iOS and Drawer on Android) via JavaScript. This means that you can create native experiences that aren’t possible with Cordova.

That said, Apache Cordova is presently a more mature and stable technology that lets you write a common UI layer using web technologies, whereas ReactNative is much newer and still requires you to write distinct UI layers. If your app requires native UI and you enjoy the excitement of a rapidly evolving JavaScript platform, then ReactNative might be an option to consider.