In this walkthrough, we will be going through the Introduction to SIEM room from TryHackMe. The room covers what a SIEM is and how it works, why a SIEM is needed, network visibility, log sources, log ingestion and SIEM capabilities. On that note, let's get started.
Task 1 – Introduction
Question 1 – What does SIEM stand for?
Security Information and Event Management system
Task 2 – Network Visibility through SIEM
Question 1 – Is Registry-related activity host-centric or network-centric?
host-centric
Question 2 – Is VPN related activity host-centric or network-centric?
network-centric
Task 3 – Log Sources and Log Ingestion
Question 1 – In which location within a Linux environment are HTTP logs stored?
/var/log/httpd (the Apache log directory on RHEL-family systems; Debian-based distributions use /var/log/apache2 instead)
Task 4 – Why SIEM
Question 1 – Read the task above.
Done
Task 5 – Analysing Logs and Alerts
Question 1 – Which Event ID is generated when event logs are removed?
104 (the Microsoft-Windows-Eventlog event written when a log such as System or Application is cleared; clearing the Security log is recorded as Event ID 1102 instead)
Question 2 – What type of alert may require tuning?
False Alarm (a false positive: the rule fires on benign activity, so the rule needs tuning)
Task 6 – Lab Work
Question 1 – Click on Start Suspicious Activity, which process caused the alert?
cudominer.exe
Question 2 – Find the event that caused the alert, which user was responsible for the process execution?
Chris.fort
Question 3 – What is the hostname of the suspect user?
HR_02
Question 4 – Examine the rule and the suspicious process; which term matched the rule that caused the alert?
miner
Question 5 – What is the best option that represents the event? Choose from the following:
- False-Positive
- True-Positive
True-Positive
Question 6 – Selecting the right ACTION will display the FLAG. What is the FLAG?
THM{000_SIEM_INTRO}
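As an added example (not code from the TryHackMe room or from this post), the script below reproduces in miniature what the SIEM did in Task 5 and Task 6: it ingests a handful of constructed, Sysmon-like events, runs two rules over them (an Event ID 104 "log cleared" rule and a process-name rule whose term is `miner`), and reports the host, user and process behind each alert. It also shows the tuning step from Task 5: a constructed benign tool named `ReportExaminer.exe` also contains the substring `miner`, so the untuned rule raises a false alarm until an exclusion is added. The field names (`EventID`, `Host`, `User`, `Image`), the events and the exclusion path are assumptions made for this example, not the lab SIEM's schema or data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample events in a flattened, Sysmon-like shape. The field names are an
# assumption for this example (not the lab SIEM's schema); Host, User and Image values
# echo the lab answers above. EventID 1 = process creation, 104 = event log cleared.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "HR_02", "User": "Chris.fort",
     "Image": r"C:\Users\Chris.fort\Downloads\cudominer.exe"},
    {"EventID": 1, "Host": "HR_02", "User": "Chris.fort",
     "Image": r"C:\Windows\System32\notepad.exe"},
    # Constructed benign tool: "Examiner" contains the substring "miner".
    {"EventID": 1, "Host": "FIN_01", "User": "svc_reports",
     "Image": r"C:\Program Files\ReportTools\ReportExaminer.exe"},
    {"EventID": 104, "Host": "HR_02", "User": "Chris.fort", "Image": ""},
]


@dataclass(frozen=True)
class Rule:
    name: str
    event_id: int                      # only events with this ID are considered
    field_name: str | None = None      # field to search; None means the ID alone fires the rule
    pattern: str | None = None         # case-insensitive regex applied to field_name
    exclusions: tuple[str, ...] = ()   # tuning: known-good substrings that suppress the alert


UNTUNED_RULES = [
    Rule("Windows event log cleared", event_id=104),
    Rule("Possible crypto-miner process", event_id=1, field_name="Image", pattern=r"miner"),
]

# Same rules after tuning the false alarm: the benign examiner tool is allowlisted
# (the exclusion path is a hypothetical value for this example).
TUNED_RULES = [
    UNTUNED_RULES[0],
    Rule("Possible crypto-miner process", event_id=1, field_name="Image", pattern=r"miner",
         exclusions=(r"\ReportTools\ReportExaminer.exe",)),
]


def process_name(image: str) -> str:
    """Basename of a Windows image path ('C:\\a\\b.exe' -> 'b.exe')."""
    return image.rsplit("\\", 1)[-1]


def match_rule(rule: Rule, event: dict) -> str | None:
    """Return the term that matched (or the event ID for ID-only rules), else None."""
    if event.get("EventID") != rule.event_id:
        return None
    if rule.pattern is None:
        return str(rule.event_id)
    value = str(event.get(rule.field_name, ""))
    # Tuning: suppress alerts on allowlisted images before pattern matching.
    if any(excl.lower() in value.lower() for excl in rule.exclusions):
        return None
    m = re.search(rule.pattern, value, re.IGNORECASE)
    return m.group(0).lower() if m else None


def run_rules(events: list[dict], rules: list[Rule]) -> list[dict]:
    """Evaluate every rule against every event; one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for rule in rules:
            term = match_rule(rule, ev)
            if term is not None:
                alerts.append({
                    "rule": rule.name,
                    "matched": term,
                    "host": ev.get("Host"),
                    "user": ev.get("User"),
                    "process": process_name(ev.get("Image", "")),
                })
    return alerts


if __name__ == "__main__":
    for label, rules in (("untuned", UNTUNED_RULES), ("tuned", TUNED_RULES)):
        print(f"--- {label} rules ---")
        for a in run_rules(SAMPLE_EVENTS, rules):
            print(f"{a['rule']}: host={a['host']} user={a['user']} "
                  f"process={a['process']} matched={a['matched']}")
```

Run untuned, the miner rule fires on both `cudominer.exe` (true positive, on HR_02 under Chris.fort) and `ReportExaminer.exe` (false alarm); after the exclusion is added, only the true positive and the Event ID 104 alert remain. A substring term like `miner` is deliberately broad, which is why the room frames false alarms as a tuning problem rather than a reason to delete the rule.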
Task 7 – Conclusion
So that was "Introduction to SIEM" for you. In this room we learned what a SIEM solution is, how it provides network visibility through its log sources, how to analyse logs and alerts in a SIEM, and how to distinguish true positives from false positives (and negatives). Finally, we worked through a lab exercise with a series of questions that tested the concepts learned in the room. On that note, allow me to take your leave. I will meet you in the next one; till then, "Keep Defending".