SIEM Design

Calculating EPD (Events Per Day) / Storage Requirements

  • Average per day
  • Peak/burst max
  • 500 bytes per event (raw, uncompressed)
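The sizing arithmetic above as a small Python helper, added here as an example (not from the original post): it converts average and peak EPS into EPD, applies the page's 500 bytes/event raw figure, and projects the retention footprint. The compression ratio, retention period and licensing headroom are assumed inputs.

```python
"""SIEM sizing helper: event rates -> daily volume and retention storage."""
import math
from dataclasses import dataclass

RAW_BYTES_PER_EVENT = 500   # from the page: raw, uncompressed
SECONDS_PER_DAY = 86_400
GIB = 1024 ** 3


@dataclass
class SizingResult:
    avg_epd: int            # events per day at the average rate
    peak_epd: int           # events per day if the burst rate were sustained
    raw_gb_per_day: float   # uncompressed GiB written on an average day
    retained_gb: float      # on-disk GiB over the retention window (compressed)
    license_eps: int        # EPS figure to license for, peak plus headroom


def size_siem(avg_eps: float, peak_eps: float, retention_days: int,
              compression_ratio: float = 1.0, headroom: float = 1.0) -> SizingResult:
    """avg_eps/peak_eps are events per second. compression_ratio is raw:stored
    (assumed input, e.g. 8.0 for 8:1); headroom multiplies peak EPS (assumed)."""
    if avg_eps < 0 or peak_eps < avg_eps or retention_days < 1:
        raise ValueError("need 0 <= avg_eps <= peak_eps and retention_days >= 1")
    if compression_ratio < 1.0 or headroom < 1.0:
        raise ValueError("compression_ratio and headroom must be >= 1.0")
    avg_epd = round(avg_eps * SECONDS_PER_DAY)
    peak_epd = round(peak_eps * SECONDS_PER_DAY)
    raw_gb_per_day = avg_epd * RAW_BYTES_PER_EVENT / GIB
    # Retention is sized on the average day; peak only drives the EPS license.
    retained_gb = raw_gb_per_day * retention_days / compression_ratio
    license_eps = math.ceil(peak_eps * headroom)
    return SizingResult(avg_epd, peak_epd, round(raw_gb_per_day, 2),
                        round(retained_gb, 2), license_eps)


if __name__ == "__main__":
    # 1000 EPS average, 5000 EPS burst, 90 days, assumed 8:1 compression, 50% headroom
    print(size_siem(1000, 5000, 90, compression_ratio=8.0, headroom=1.5))
```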


Use Cases / Log Sources


SIEM Architecture

  • Dashboard
  • Alerting and Tickets
  • Log Database
  • Correlation
  • Threat Feed
  • Machine Learning


SIEM Platform


Threat Intelligence

Devices to Monitor

Networking Devices

Security Devices

Server Operating Systems

Security Applications


Cloud Platforms


Use Cases

  1. Detecting new VPN connectivity from anywhere except China (mostly done from the events received from the firewalls)
  2. NMAP scan (this comes from flows; by default QRadar identifies around 400 applications, but NMAP is not one of them)
  3. Ping sweep
  4. XSS attacks
  5. SQL injection
  6. A new port has been opened on the firewall for inbound/outbound traffic
  7. An FTP site has been accessed from an unknown address
  8. Tunneled data is detected on the network
  9. RAR files are being continuously uploaded in a fixed partition-size format
  10. Online messengers are used to chat and transfer files
  11. Malicious traffic is seen hitting critical servers of the infrastructure
  12. Detecting BitTorrent or P2P traffic
  13. The firewall has had a critical policy change (this differs from one brand to another, as the event may not carry the same name across all brands)
  14. X number of changes have been made on a firewall over X period of time by X user
  15. A new user/admin has been created on a critical server, network device or firewall
  16. A machine's time has changed
  17. A remote session to a critical server lasted more than an hour
  18. Network resources have been accessed outside working hours
  19. On-leave/ex-employee user credentials have been used in any way
  20. Credentials are sent in clear text
  21. Any config change
  22. Agent has been tampered with
  23. An infected machine receives an SSH login attempt
  24. Servers recently attacked with an exploit, correlated against a recent scan of the same server
  25. OS fingerprinting event by an attacker
  26. Auditing has been removed, changed or altered
  27. Access to any device by someone other than the admin or authorized users
  28. The same account logs in from different geographical places
  29. Multiple login failures from the same username/IP address to the same destination, followed by a success
  30. SSH, telnet etc. sessions taken on a non-standard port
  31. Successful login to disabled accounts
  32. Restart/shutdown of critical servers
  33. Hostile email attachments
  34. Attacks on internet gateways
  35. Track each new virus detected in the environment
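Use case 29 above as a correlation rule over constructed OpenSSH syslog lines, added here as an example (not from the original post or from QRadar): it keeps a sliding window of failures per username/source/destination and raises an alert when a success follows at least the threshold number of failures. The threshold, window and sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH syslog format (not taken from the post).
SAMPLE_LOG = """\
Mar 10 09:00:01 srv01 sshd[4242]: Failed password for alice from 203.0.113.7 port 50001 ssh2
Mar 10 09:00:03 srv01 sshd[4242]: Failed password for alice from 203.0.113.7 port 50002 ssh2
Mar 10 09:00:05 srv01 sshd[4242]: Failed password for alice from 203.0.113.7 port 50003 ssh2
Mar 10 09:00:06 srv01 sshd[4242]: Failed password for alice from 203.0.113.7 port 50004 ssh2
Mar 10 09:00:09 srv01 sshd[4242]: Accepted password for alice from 203.0.113.7 port 50005 ssh2
Mar 10 09:30:00 srv02 sshd[5151]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Mar 10 09:30:02 srv02 sshd[5151]: Accepted password for bob from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+")


def parse(line, year=2024):
    """Return (timestamp, dest host, user, source IP, success?) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
    return ts, m["host"], m["user"], m["src"], m["outcome"] == "Accepted"


def detect_bruteforce_then_success(lines, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failures for the same (user, src, dest) within
    `window` are followed by a success. Threshold and window are assumed values."""
    failures = defaultdict(deque)   # (user, src, dest) -> failure timestamps
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, host, user, src, ok = ev
        q = failures[(user, src, host)]
        while q and ts - q[0] > window:   # age out failures older than the window
            q.popleft()
        if not ok:
            q.append(ts)
        elif len(q) >= threshold:
            alerts.append({"user": user, "src": src, "dest": host,
                           "failures": len(q), "success_at": ts.isoformat()})
            q.clear()   # one alert per burst
    return alerts
```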


Generic OS

  • Privileged user login
  • Failed login by privileged user
  • Excessive failed logins for a single host
  • Excessive failed logins for a user across multiple hosts
  • Deactivated/terminated user login
  • Same user logged into multiple machines
  • High rate of configuration changes
  • High rate of errors by a single host
  • Logging service stopped
  • Critical service stopped
  • Important account lockout
  • Abnormal OS restart
  • Modification of networking configuration


Linux Specific

  • User added to ‘root’ or ‘wheel’ group
  • ‘su’ or ‘sudo’ to root account
  • Syslog stop/start/restart
  • Auditd stop/start/restart
  • Excessive failures to “SU”


Windows Specific

  • High rate of logins by service account
  • Privilege escalation by unauthorized user
  • Virus detected on Windows Server
  • Important account lockout
  • Audit log cleared
  • Malware not removed from a critical asset
  • Detecting audit policy was altered


  • Authentication: ‘logined’, ‘login failed’, ‘locked’, ‘unlocked’
    • The ‘logined’ events provide the ‘from’ IP address, which can be used to check for user credential compromise.
      • Examples: a user logged in from an unexpected site or geographic location, or a user logged in from multiple locations within a specified period of time.
    • The ‘login failed’ events provide the number of failed attempts, which is useful for correlations/escalations that alert when a user is approaching (or has surpassed) a tolerated threshold.
    • The ‘locked’ and ‘unlocked’ events can be tracked to see how long it takes for a user to be unlocked (useful for improving business operations/efficiency, and for validating that the unlock was done by the appropriate, authorized person).

  • Modification: updated user, updated configuration (tends to be group attribute updates)
    • These logs can be checked against a list of permissions to ensure that a user hasn’t received unexpected higher-level privileges. They can also be reviewed by time to ensure that maintenance windows for change are adhered to.

  • Operation:
    • The ‘Added User’ and ‘Delete User’ events are the most interesting in this section and should be matched to active (or suspended/removed) accounts.
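The permission-list and maintenance-window review described under Modification, as an added example (not from the original post): constructed group-change events are checked against an assumed allowlist of approved privileged memberships and an assumed 02:00 to 04:00 change window.

```python
from datetime import datetime, time

# Constructed "updated user" group-change events (not taken from the post).
EVENTS = [
    {"ts": "2024-03-10T02:15:00", "actor": "svc_iam", "target": "jdoe",
     "group": "Domain Admins", "action": "added"},
    {"ts": "2024-03-10T14:05:00", "actor": "hlee", "target": "asmith",
     "group": "Backup Operators", "action": "added"},
    {"ts": "2024-03-10T02:40:00", "actor": "svc_iam", "target": "mchan",
     "group": "Sales", "action": "added"},
]

# Assumed inputs: which groups count as privileged, who is approved for them,
# and the local-time maintenance window in which changes are expected.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}
APPROVED_PRIVILEGED = {"jdoe": {"Domain Admins"}}
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))


def in_maintenance_window(ts: datetime) -> bool:
    start, end = MAINTENANCE_WINDOW
    return start <= ts.time() < end


def review_group_changes(events):
    """Return (target, group, reason) findings for privileged memberships that
    are not on the approved list and for any change outside the window."""
    findings = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        target, group = ev["target"], ev["group"]
        if (ev["action"] == "added" and group in PRIVILEGED_GROUPS
                and group not in APPROVED_PRIVILEGED.get(target, set())):
            findings.append((target, group, "unexpected privileged membership"))
        if not in_maintenance_window(ts):
            findings.append((target, group, "change outside maintenance window"))
    return findings


if __name__ == "__main__":
    for finding in review_group_changes(EVENTS):
        print(finding)
```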

Log Source Protocols

  1. Syslog
  2. JDBC
  3. JDBC – SiteProtector
  4. Sophos Enterprise Console – JDBC
  5. Juniper Networks NSM
  7. SDEE
  8. SNMPv1
  9. SNMPv2
  10. SNMPv3
  11. Sourcefire Defense Center Estreamer
  12. Log File
  13. Microsoft Security Event Log
  14. Microsoft Security Event Log Custom
  15. Microsoft Exchange
  16. Microsoft DHCP
  17. Microsoft IIS
  18. EMC VMWare
  19. SMB Tail
  20. Oracle Database Listener
  21. Cisco Network Security Event Logging
  22. PCAP Syslog Combination Protocol
  23. Forwarded Protocol
  24. TLS Syslog Protocol
  25. Juniper Security Binary Log Collector Protocol
  26. UDP Multiline Syslog Protocol
  27. IBM Tivoli Endpoint Manager SOAP Protocol, REST API
