Cyb3rSn0rlax
Social MediaGitHub
  • About Cyb3rSn0rlax
  • 🛡️ SOC Engineering
  • 🧞Building an Open SIEM From Scratch
    • 1. Introduction to Elastic Stack
      • a. Installing and configuring Elasticsearch
      • b. Installing and configuring Kibana
      • c. Installing and configuring Logstash
    • 2. Installing OpenDistro for Elasticsearch Plugins
    • 3. Installing ElastAlert
    • 4. ELK Stack: "L" is for Lord of the Stack
      • a- Event Parsing: Pipelines
      • b - Event Parsing : From Beats to Logstash
      • c- Event Normalization with ECS
    • 5. Alerting in ELK
    • 6. Building Detection Rules
    • 7. Metrics Reports & Dashboards
  • 🛡️A Primer to Detection Engineering Dimensions in a SOC Universe
    • Operationalization
    • Execution
    • Analytics
  • 😺GitHub Projects
    • ELK4QRadar
    • Automating ELK Health Check
  • 💾DFIR
    • DFIR-01 : $MFT
    • DFIR-02 : Journal Forensics
    • DFIR-03: RDP Authentication Artifacts
  • ☢️ DEATH : Detection Engineering And Threat Hunting
    • 🔑TA0006 : Credential Access
      • Detecting Remote Credentials Dumping via comsvcs.dll
    • 🦘TA0008 : Lateral Movement
      • Detecting Lateral Movement via Service Configuration Manager
      • Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1
      • Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 2
  • 🔎Misc
    • Infosec Game-Sense
Powered by GitBook
On this page

Building an Open SIEM From Scratch

I have used Elastic Stack few times whether in a Threat Hunting Lab or Detection & Behavior analysis contexts. This series of blogs is about sharing what I learned in the process.

Introduction

Building a SIEM based on open-sourced solutions can be particularly challenging but also much more fun. In this article series I will try to share how can we overcome some of the basic challenges that we may face during building such toolsets like:

  • Data normalization.

  • Event collection and processing.

  • Alerting : Time-based vs Event-Centric correlation

  • Visualizations and Dashboarding

  • SIEM metrics and reporting

I will be using the following tools:

  • Elastic Stack: Elasticsearch, Kibana, Logstash, and Beats for collecting, processing, storing, and searching data.

  • OpenDistro for Elasticsearch plugins for Alerting and Security.

  • ElastAlert for additional alerting features

PreviousAbout Cyb3rSn0rlaxNext1. Introduction to Elastic Stack

Last updated 4 years ago

🧞