Information Security
SIEM and Security Monitoring
Colonial Pipeline, May 2021: DarkSide ransomware shut down 5,600 miles of pipeline supplying 45% of the US East Coast's fuel. The initial access vector: a single VPN account without MFA, compromised via a credential leak. The account had been used from an unusual IP. A SIEM rule correlating 'VPN login from new IP + new country + first use in 30 days' would have flagged the login immediately. The $4.4M ransom payment was avoidable.
- **Colonial Pipeline 2021**: $4.4M ransom paid after DarkSide ransomware. Initial access via a single VPN account without MFA - no SIEM rule detected the unusual login from a new geographic location.
- **SolarWinds 2020**: CISA issued Emergency Directive 21-01 requiring all federal agencies to implement CloudTrail log monitoring and SIEM alerting for specific API patterns. 18,000 organizations had no detection for the SUNBURST backdoor's C2 beaconing over HTTPS.
- **Twitter hack 2020**: 130 accounts including Obama, Biden, and Musk hijacked via social engineering of Twitter employees. Post-incident: Twitter implemented SIEM rules specifically for internal tool access by support staff with velocity and volume thresholds.
SIEM: Security Information and Event Management
A SIEM (Security Information and Event Management) system aggregates logs from across the infrastructure into a centralized platform, normalizes them into a common schema, and enables correlation rules and alerting. Modern SIEMs process billions of events daily. Core platforms: Splunk, Elastic SIEM (formerly ELK), Microsoft Sentinel, and Google Chronicle.
Colonial Pipeline 2021: the ransomware group DarkSide gained initial access via a compromised VPN account without MFA. The $4.4M ransom and 5,600-mile pipeline shutdown resulted from an attacker who bypassed the perimeter entirely. Post-incident analysis found the compromised account had been active for weeks - events that a correctly tuned SIEM rule would have flagged.
Why is log normalization a critical function of a SIEM platform?
Log Analysis: Windows Event IDs and Linux Auditd
Effective log analysis requires knowing which events are security-relevant. Windows Security Event Log contains hundreds of Event IDs; a focused subset covers 90% of threat detection use cases. Linux auditd provides syscall-level auditing for file access, process execution, and network connections.
Mimikatz, the most commonly used credential dumping tool, is detected via EventID 10 (process access) in Sysmon logs: it reads the LSASS process memory to extract hashed credentials. Without Sysmon or an EDR agent, this activity is invisible to the default Windows event log. Enabling Sysmon with the SwiftOnSecurity configuration covers 95% of known Mimikatz detection opportunities.
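Detection logic for the Sysmon Event ID 10 pattern described above, written as an added example (not code from the page or from any SIEM vendor): it parses constructed Event ID 10 records, keeps only handles opened on lsass.exe by processes outside a hypothetical allowlist, and flags those whose GrantedAccess mask includes PROCESS_VM_READ (0x0010), the right a memory-reading credential dumper needs.

```python
import re
from typing import Optional

# Access-right bits from the Windows process access mask (documented constants).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Hypothetical allowlist of processes that legitimately open LSASS; tune per environment.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

# Constructed sample Sysmon records, flattened to key=value pairs for this example.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Users\\alice\\Downloads\\mimi.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Program Files\\Tool\\tool.exe TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1010",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe",
]

# Lazy value match that stops at the next " Key=" token, so paths with spaces survive.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one flattened record into a dict of field name -> value."""
    return dict(KV_RE.findall(line))


def lsass_access_alert(event: dict) -> Optional[str]:
    """Return an alert string if this Event ID 10 record shows a memory-read handle to LSASS."""
    if event.get("EventID") != "10":
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    source = event.get("SourceImage", "")
    if source.lower() in ALLOWED_SOURCES:
        return None
    granted = int(event.get("GrantedAccess", "0"), 16)
    # A query-only handle (e.g. 0x1000) is common and benign; memory read is the signal.
    if granted & PROCESS_VM_READ:
        return f"LSASS memory read by {source} (GrantedAccess=0x{granted:X})"
    return None


def scan(lines) -> list:
    """Run the detection over raw records and return the alerts it produces."""
    return [a for a in (lsass_access_alert(parse_event(line)) for line in lines) if a]
```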
Why is Windows EventID 4648 ('logon with explicit credentials') particularly significant for detecting lateral movement?
Correlation Rules: From Events to Incidents
A single event rarely indicates an attack. Correlation rules combine multiple events within a time window to detect patterns that individually look benign. The classic example: 5 failed logins (4625) followed by a successful login (4624) from the same IP within 5 minutes = brute force with success.
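The brute-force correlation rule above (5 failures, then a success, same source IP, 5-minute window) as an added example over constructed 4625/4624 events; this is illustrative code, not any SIEM's rule language. It keeps a sliding window of failures per source IP so that old failures outside the window do not count.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
FAILURE_THRESHOLD = 5

# Constructed sample events: (ISO timestamp, EventID, source IP, account).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:01", 4625, "10.0.0.5", "admin"),
    ("2024-03-01T09:00:09", 4625, "10.0.0.5", "admin"),
    ("2024-03-01T09:00:17", 4625, "10.0.0.5", "admin"),
    ("2024-03-01T09:00:25", 4625, "10.0.0.5", "admin"),
    ("2024-03-01T09:00:33", 4625, "10.0.0.5", "admin"),
    ("2024-03-01T09:01:02", 4624, "10.0.0.5", "admin"),  # success after 5 failures: alert
    ("2024-03-01T09:00:05", 4625, "10.0.0.9", "bob"),
    ("2024-03-01T09:00:40", 4624, "10.0.0.9", "bob"),    # one typo then success: benign
    ("2024-03-01T08:40:00", 4625, "10.0.0.7", "svc"),
    ("2024-03-01T08:40:10", 4625, "10.0.0.7", "svc"),
    ("2024-03-01T08:40:20", 4625, "10.0.0.7", "svc"),
    ("2024-03-01T08:40:30", 4625, "10.0.0.7", "svc"),
    ("2024-03-01T08:40:40", 4625, "10.0.0.7", "svc"),
    ("2024-03-01T09:30:00", 4624, "10.0.0.7", "svc"),    # failures fell out of the window: no alert
]


def detect_brute_force(events, window=WINDOW, threshold=FAILURE_THRESHOLD):
    """Alert on source IPs with >= threshold 4625 events followed by a 4624 within the window."""
    failures = defaultdict(deque)  # source IP -> timestamps of recent failed logons
    alerts = []
    for ts_str, event_id, src_ip, account in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        recent = failures[src_ip]
        while recent and ts - recent[0] > window:  # evict failures older than the window
            recent.popleft()
        if event_id == 4625:
            recent.append(ts)
        elif event_id == 4624 and len(recent) >= threshold:
            alerts.append({"src_ip": src_ip, "account": account,
                           "failures": len(recent), "success_at": ts_str})
            recent.clear()  # one alert per burst, not one per later success
    return alerts
```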
Beacon detection is particularly valuable for identifying C2 traffic. Attackers configure beaconing intervals with jitter (randomness) to evade fixed-interval detection. Statistical analysis of inter-request timing reveals low-jitter beaconing even when individual intervals vary. Tools like RITA (Real Intelligence Threat Analytics) automate beacon detection against network flow data.
Why does C2 beaconing detection look for periodic patterns rather than individual HTTP requests?
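The timing analysis described for beacon detection, as an added example that is not code from the page or from RITA: it groups constructed flow records by (source, destination), computes inter-request intervals, and scores each pair by its jitter ratio (standard deviation divided by mean interval). A jittered 60-second beacon still scores near zero while ordinary browsing scores well above one. The thresholds and hostnames are assumptions.

```python
import statistics
from collections import defaultdict

MIN_CONNECTIONS = 8      # too few samples make the statistics meaningless
MAX_JITTER_RATIO = 0.25  # stdev / mean of intervals; human traffic is far burstier


def build_flows(start, gaps, src, dst):
    """Expand a list of inter-request gaps (seconds) into (timestamp, src, dst) records."""
    flows, t = [], start
    for gap in gaps:
        t += gap
        flows.append((t, src, dst))
    return flows


# Constructed sample: one host beaconing every ~60 s with ~10% jitter, one host browsing.
SAMPLE_FLOWS = (
    build_flows(1_700_000_000, [60, 66, 54, 63, 57, 61, 59, 65, 55, 60], "10.0.0.21", "update.example")
    + build_flows(1_700_000_000, [3, 1, 240, 2, 900, 5, 1, 1800, 4, 2], "10.0.0.22", "news.example")
)


def interval_stats(flows):
    """Per (src, dst) pair: mean interval, jitter ratio and connection count."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    results = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        results[pair] = {"mean_interval": mean,
                         "jitter_ratio": statistics.pstdev(gaps) / mean,
                         "count": len(stamps)}
    return results


def find_beacons(flows):
    """Return the (pair, stats) entries whose timing is regular enough to look like a beacon."""
    return [(pair, s) for pair, s in interval_stats(flows).items()
            if s["jitter_ratio"] <= MAX_JITTER_RATIO]
```

Individual intervals of 54 to 66 seconds would slip past a fixed-interval rule, which is why the rule scores the distribution rather than any single gap.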
Alert Engineering: Signal vs Noise
A SIEM without alert tuning is an expensive log store. Alert fatigue - when analysts receive too many alerts to investigate meaningfully - leads to critical alerts being missed. The goal is a high signal-to-noise ratio: every alert should be actionable, include sufficient context for triage, and route to the correct analyst.
Verizon DBIR 2023: 74% of breaches involved a human element. Alert fatigue contributes to human failure - analysts who receive 1,000 alerts per shift cannot meaningfully investigate all of them. Google's SRE principle applies to security: toil (repetitive manual work) destroys team effectiveness. Alert tuning is not optional - it is a core operational requirement.
What is alert fatigue and why is it a security risk?
Summary
- **SIEM** aggregates and normalizes logs from endpoints, network, cloud, and applications. Normalization enables cross-source correlation. Large enterprises ingest 100GB-10TB of logs per day.
- **Critical EventIDs**: 4624/4625 (logon success/fail), 4648 (explicit credentials, lateral movement indicator), 4688 (process creation). Sysmon EventID 10 detects LSASS access (Mimikatz).
- **Correlation rules** combine multiple events over time windows to identify attack patterns. Brute force: 5+ failures then success from same IP. Beacon: periodic outbound requests with low jitter.
- **Alert quality**: every alert must be actionable, include user/IP/asset context, have a severity level, and link to a runbook. False positive rate > 5% requires immediate tuning.
Related Topics
SIEM is the detection backbone that connects offensive simulation to defensive response:
- Red Team vs Blue Team — Purple team exercises test and improve SIEM detection rules against real attack techniques. Red team reports directly identify SIEM detection gaps.
- Incident Response — SIEM alerts trigger the incident response process. MTTD depends entirely on SIEM detection rule quality.
- AWS/GCP/Azure Security — CloudTrail, GCP Cloud Audit Logs, and Azure Activity Log feed cloud events into the SIEM. Cloud-native SIEMs (Microsoft Sentinel, Chronicle) process these natively.
Questions for Reflection
- A correlation rule fires 200 times per day, but only 2 are real incidents. What steps would you take to reduce the false positive rate without missing real attacks?
- Why is DNS query logging particularly valuable for detecting C2 traffic compared to HTTP request logging?
- Colonial Pipeline's VPN compromise went undetected. What three SIEM rules would you write to detect similar credential abuse in a VPN environment?