LEARN SIEM FOR FREE
Security Information and Event Management, commonly known as SIEM, is one of the main tools used in every Security Operations Center (SOC). SIEMs collect data from various sources in your network, then normalise, index and aggregate that data. This data can then be used for compliance reporting, threat detection and various other things, depending on the features of the SIEM.
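To make the collect, normalise, index and aggregate steps concrete, here is a small Python sketch, added as an illustration and not taken from any SIEM product. The log lines, the common schema field names and the threshold are all constructed assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed sample input (not real logs): sshd syslog lines and a simplified
# JSON rendering of Windows Security events (4624 = logon, 4625 = failed logon).
SSHD_LINES = [
    "2024-05-01T10:00:01Z web01 sshd[811]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "2024-05-01T10:00:03Z web01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2",
    "2024-05-01T10:00:09Z web01 sshd[812]: Accepted password for alice from 198.51.100.4 port 40022 ssh2",
]
WINDOWS_EVENTS = [
    '{"TimeCreated": "2024-05-01T10:00:05Z", "Computer": "dc01", "EventID": 4625, "TargetUserName": "admin", "IpAddress": "203.0.113.7"}',
    '{"TimeCreated": "2024-05-01T10:00:07Z", "Computer": "dc01", "EventID": 4624, "TargetUserName": "bob", "IpAddress": "198.51.100.9"}',
]
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def event(time, host, source, outcome, user, src_ip):
    """Common schema every source is mapped onto (field names are assumptions)."""
    return {"time": time, "host": host, "source": source, "action": "login",
            "outcome": outcome, "user": user, "src_ip": src_ip}

def normalise_sshd(line):
    m = SSHD_RE.match(line)
    if m is None:
        return None  # not an authentication line we understand
    outcome = "failure" if m["result"] == "Failed" else "success"
    return event(m["ts"], m["host"], "sshd", outcome, m["user"], m["ip"])

def normalise_windows(raw):
    ev = json.loads(raw)
    outcome = {4624: "success", 4625: "failure"}.get(ev["EventID"])
    if outcome is None:
        return None  # event ID outside this example's scope
    return event(ev["TimeCreated"], ev["Computer"], "windows", outcome, ev["TargetUserName"], ev["IpAddress"])

def collect():
    """Normalise both feeds and merge them into one time-ordered stream."""
    events = [normalise_sshd(l) for l in SSHD_LINES] + [normalise_windows(r) for r in WINDOWS_EVENTS]
    # ISO 8601 UTC strings in one format sort correctly as plain text.
    return sorted((e for e in events if e is not None), key=lambda e: e["time"])

def failed_login_sources(events, threshold=3):
    """Index failures by source IP, then report IPs at or over the threshold."""
    index = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            index[e["src_ip"]].append(e)
    return {ip: sorted({e["host"] for e in hits}) for ip, hits in index.items() if len(hits) >= threshold}
```

Neither host sees three failures from the same address on its own; the correlation only appears once both sources share a schema, which is the value normalisation adds.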
Due to the popularity of SIEM within SOCs, it is essential that cyber security professionals understand what SIEMs are, how they work, and how to use them. In this post I will discuss some free, open source SIEMs you can set up and learn. Along with this, I will also show you some great resources to learn the most popular enterprise grade SIEMs out there. Enjoy the post!
AlienVault OSSIM (Open Source SIEM) is one of the most popular free, open source SIEMs out there. It is a great platform to learn on as it can be set up for free and contains many of the features of expensive, enterprise grade SIEMs.
There are a variety of free resources you can use to learn this. Cybrary has a 78-minute beginner level course, which shows you how to install, set up and configure OSSIM. You can then use this platform to practice SIEM. Sign up to the course here for free – https://www.cybrary.it/course/alienvault-ossim
Once you have this set up, AlienVault (now called AT&T Security) has extensive resources to learn more about OSSIM. This includes behavioural monitoring, threat intelligence integration and other advanced topics. See the guides here – https://cybersecurity.att.com/resource-center#product_ossim_query_OSSIM
Please be aware of the following minimum system requirements when installing OSSIM on a VM, VPS etc.
- 2 CPU cores
- 4-8GB RAM
- 250GB HDD
- E1000 compatible network cards
Another popular open source SIEM is SIEMonster. This has a higher minimum requirement than OSSIM, with 32GB RAM and 8 vCPUs recommended. However, the features available for free make this a great choice to learn. The product is built using the following features:
SIEMonster also allows you to monitor up to 100 endpoints / 5000 EPS for free – all you have to do is host the SIEM, with requirements obviously going up as you ingest more logs. See more information about the community edition here – https://siemonster.com/community-edition/
To download the community edition, please click here – https://siemonster.com/download-community-edition/
SIEMonster provides a large number of guides for free – https://siemonster.com/videos/
Splunk is software mainly used for searching, monitoring, and examining machine-generated Big Data through a web-style interface. In recent years, it has also become a popular SIEM tool for SOCs.
There is a process I believe can be followed to learn Splunk very well for free; this knowledge will also transfer well to other SIEMs.
- Install free Splunk Trial (Lasts 60 days) – https://docs.splunk.com/Documentation/Splunk/latest/Installation/Whatsinthismanual (In most cases 2 vCPUs and 4GB of RAM will be fine, but allocate more if you can)
- Go to https://github.com/splunk/botsv3 and scroll down to the required software. Install all of the recommended apps / addons following this guide https://docs.splunk.com/Documentation/AddOns/released/Overview/Singleserverinstall
- Now download and install the BOTS (Boss of the SOC) v3 dataset at https://github.com/splunk/botsv3
- You now have a Splunk install with various addons and data ingested. There are a few ways you can use this setup.
I would first recommend following through the free Splunk Fundamentals 1 course using the Splunk Trial you have set up. See the free course / certification here – https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html
Once you are comfortable with Splunk, I would start working through the BOTS datasets. You already have the BOTS v3 dataset installed; you can get the BOTS v1 and v2 datasets here:
These datasets contain various logs including security events which are helpful for learning SIEM. If you would like the questions and answers which can be used along with these datasets (I highly recommend this), email firstname.lastname@example.org and request the questions / answers to the 3 above datasets. You can then work through these challenges and learn how Security Analysts use SIEMs to find and identify security risks.
IBM QRadar is one of the most popular, well known enterprise grade SIEMs. Due to this, there is a lot of free information out there on how to set up and learn it.
To start off with, you can install the QRadar Community Edition here – https://developer.ibm.com/qradar/ce/
The requirements are as follows:
- Memory minimum requirements: 8 GB RAM or 10 GB w/applications
- Disk space minimum: 250 GB
- CPU: 2 cores (minimum) or 6 cores (recommended)
- One network adapter with access to the Internet is required
- Static public and private IP addresses are required for QRadar Community Edition
- The assigned hostname must be a fully qualified domain name
For help installing and setting up, follow https://www.youtube.com/watch?v=_fltNyDIkq4&list=PLHh9jhztlMyoySfUKODp-z4RYZTM6aWIx&index=2&t=0s.
Jose Bravo’s YouTube channel is the single best source of QRadar content out there. He is an IBM employee (I believe) and has a very wide range of videos on all QRadar and general SIEM topics you could think of. I highly recommend taking time to go through his channel; you will learn a lot – https://www.youtube.com/channel/UCHrkReoBj-SRWJ15YXtyIxg
Once you have QRadar installed, you can easily get some Windows or Linux logs ingested into the platform for you to use.
On top of the Jose Bravo videos, IBM themselves also have extensive QRadar guides. They have 108 various videos, labs and challenges here – https://www.securitylearningacademy.com/local/navigator/index.php?level=sisi01.
Microsoft Azure Sentinel is the fastest growing SIEM platform in the market. The cloud based SIEM ties in easily with other Microsoft products such as O365 and Azure AD, making it a very attractive proposition. Again, there are a lot of resources to learn the product made either by Microsoft or contributors.
If you need to learn Azure fundamentals first, I recommend following Microsoft’s Azure fundamentals course – https://docs.microsoft.com/en-us/learn/paths/azure-fundamentals/ Understanding Azure and how it works is important before setting up Sentinel. Once you are happy with these fundamentals, move to the next step.
Disclaimer – This is the most difficult SIEM / Lab to set up for a beginner. However, if you have the time and are willing to go through it, it is well worth it.
Next, I would follow this post from Cyb3rWard0g – https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-to-go-part1-a-lab-w-prerecorded-data-amp-a-custom/ba-p/1260191 This guide shows you how to set up an Azure Sentinel Lab and ingest pre-recorded data.
Once you have this set up, I recommend looking at this very extensive post from Microsoft trainer Ofer Shezaf – https://techcommunity.microsoft.com/t5/azure-sentinel/become-an-azure-sentinel-ninja-the-complete-level-400-training/ba-p/1246310 This takes you from a high level overview of Azure Sentinel through to advanced topics. Take the things you learn from this and practice on the lab you have set up.
I hope you enjoyed this post. If you have any questions about this post, or anything else on my site, please contact me at https://twitter.com/blueteamblog