Tuesday, 18 October 2022

Building Own SIEM Environment using Opensource Tools (Part 3)

 


In the last two parts of Building Own SIEM Environment using Opensource Tools, we covered the following topics:

  • What is SIEM
  • What is SOC
  • Why we need SIEM
  • SIEM Types
  • SIEM platforms
  • Advantages and Disadvantages of SIEM platforms
  • Difference between Open Source SIEM
Now we are going to build our first SIEM environment. We use the following open source tools to create our own SIEM:
  • Wazuh
  • Elastic Stack
  • Logstash
  • Kibana
  • Filebeat
  • Suricata
First, we discuss the above open source tools one by one to understand them.
 

Wazuh

Wazuh is an open source, enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response and compliance with standards. Wazuh is used by hundreds of companies worldwide, ranging from small to large organizations. At its core, Wazuh is a tool for security data collection, aggregation, indexing, and analysis that helps organizations detect intrusions, threats, and suspicious activity and behavior. Wazuh also shows you the vulnerabilities of your systems and endpoints. Wazuh has multiple built-in reports and dashboards, which help organizations continually monitor their entire assets and network.

We discuss the features of Wazuh in detail when we install Wazuh.


 

Elastic Stack

Elasticsearch, the engine at the core of the Elastic Stack, is an open search and analytics engine for all types of data, including textual, numerical, geospatial, structured, and unstructured. It is built on Apache Lucene. Elasticsearch can be used for "classical" full-text search, and as an analytics store, auto-completer, spell checker, alerting engine, and general-purpose document store. Because it is built on top of Lucene, Elasticsearch excels as a near real-time search platform, meaning the latency from the time a document is indexed until it becomes searchable is very short.

Logstash

Logstash is a lightweight, open-source, server-side data processing pipeline that allows you to collect data from a variety of sources, transform it on the fly, and send it to your desired destination. We use Logstash as the data pipeline between Wazuh and Elasticsearch.

Filebeat

Filebeat is a lightweight shipper for forwarding and centralizing log data. We installed it as an agent on the Wazuh servers. Filebeat monitors the log files or locations that you specify, collects log events, and forwards them to Logstash and Elasticsearch for indexing.

 

Kibana

Kibana is a data visualization and exploration tool used for log and time-series analytics, application monitoring, and operational intelligence use cases. We installed Kibana on the Elasticsearch server, and it gives us histograms, line graphs, pie charts, heat maps, and built-in geospatial support.

Suricata

Suricata is an open-source detection engine that can act as an intrusion detection system (IDS) and an intrusion prevention system (IPS). We installed it and integrated it with the Wazuh server. Suricata was developed by the Open Information Security Foundation (OISF) and is a free tool used by small and large organizations.

I have focused only on the definitions of the tools that we use to build our own SIEM environment. When we implement these tools, we will discuss the features and functions of each tool in depth.

The following picture shows the whole interface of our SIEM:



In Part 4, we discuss the system and OS requirements for the Wazuh server, install the Wazuh server, and also install the Wazuh agent on 3 different machines: Windows, Linux and Mac.

I need your comments on the installation methods. We can go through the installation via documentation, or I can also include videos of the installation for your understanding.

If you missed Part 1, click on the following link:

https://cybersecurity-why-for-me.blogspot.com/2022/10/building-own-siem-using-opensource-tools.html

If you missed Part 2, click on the following link:

https://cybersecurity-why-for-me.blogspot.com/2022/10/building-own-siem-environment-using.html





1 comment:

  1. Great FAQ! I'm waiting for the videos. Thanks.

