Tryhackme - Introduction to SIEM


In this walkthrough, we will be going through the Introduction to SIEM room from Tryhackme. In this room, we will cover what a SIEM is and how it works, the requirement for a SIEM, network visibility, log sources, log ingestion and SIEM capabilities. On that note, let’s get started.


Task 1 – Introduction

Question 1 – What does SIEM stand for?

Security Information and Event Management system


Task 2 – Network Visibility through SIEM

Question 1 – Is Registry-related activity host-centric or network-centric?

host-centric

Question 2 – Is VPN related activity host-centric or network-centric?

network-centric


Task 3 – Log Sources and Log Ingestion

Question 1 – In which location within a Linux environment are HTTP logs stored?

/var/log/httpd


Task 4 – Why SIEM

Question 1 – Read the task above.

Done


Task 5 – Analysing Logs and Alerts

Question 1 – Which Event ID is generated when event logs are removed?

104

Question 2 – What type of alert may require tuning?

False Alarm


Task 6 – Lab Work

Question 1 – Click on Start Suspicious Activity, which process caused the alert?


Cryptominer

cudominer.exe

Question 2 – Find the event that caused the alert, which user was responsible for the process execution?


Chris.fort

Question 3 – What is the hostname of the suspect user?

HR_02

Question 4 – Examine the rule and the suspicious process; which term matched the rule that caused the alert?


miner

Question 5 – What is the best option that represents the event? Choose from the following:

  • False-Positive
  • True-Positive


True-Positive

Question 6 – Selecting the right ACTION will display the FLAG. What is the FLAG?


THM{000_SIEM_INTRO}
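To show how the lab's alert and the Task 5 questions fit together in practice, here is a small SIEM-style rule run over a handful of event records. This is an added example, not code from the TryHackMe room or this walkthrough. The event records, user names and hostnames are constructed to mirror the lab; Event ID 104 (log file cleared) comes from the room, Event ID 4688 is the real Windows process-creation event that the room does not name, and the allowlist used for tuning away a false positive is a hypothetical control.

```python
"""Minimal SIEM-style rule matching and alert triage over constructed events.

Added example, not part of the TryHackMe room. Sample events, users, hosts and
the allowlist are constructed/hypothetical; Event IDs 104 and 4688 are real
Windows event IDs.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    event_id: int
    host: str
    user: str
    process: str = ""      # empty for events that are not process creations


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Event], Optional[str]]   # returns matched term, or None


@dataclass(frozen=True)
class Alert:
    rule: str
    matched: str
    host: str
    user: str
    verdict: str           # "true-positive" or "false-positive"


EVENT_LOG_CLEARED = 104    # Windows System log: "The log file was cleared"
PROCESS_CREATED = 4688     # Windows Security log: a new process has been created
SUSPICIOUS_PROCESS_TERMS = ("miner",)   # the term that fired in the lab


def match_process_term(ev: Event) -> Optional[str]:
    """Flag process creations whose image name contains a suspicious term."""
    if ev.event_id != PROCESS_CREATED:
        return None
    name = ev.process.lower()
    for term in SUSPICIOUS_PROCESS_TERMS:
        if term in name:
            return term
    return None


def match_log_cleared(ev: Event) -> Optional[str]:
    """Flag removal of event logs, a classic anti-forensic indicator."""
    return "event_id=104" if ev.event_id == EVENT_LOG_CLEARED else None


RULES = (
    Rule("Cryptominer process", match_process_term),
    Rule("Event log cleared", match_log_cleared),
)

# Tuning control (hypothetical): process names an analyst has confirmed benign,
# so the rule keeps firing on real miners without paging on known noise.
ALLOWLIST = frozenset({"dataminersvc.exe"})


def run_rules(events, allowlist=ALLOWLIST) -> List[Alert]:
    """Apply every rule to every event and classify each hit."""
    alerts = []
    for ev in events:
        for rule in RULES:
            matched = rule.matches(ev)
            if matched is None:
                continue
            verdict = "false-positive" if ev.process.lower() in allowlist else "true-positive"
            alerts.append(Alert(rule.name, matched, ev.host, ev.user, verdict))
    return alerts


def triage(alerts: List[Alert]) -> Tuple[List[Alert], List[Alert]]:
    """Split alerts into those to escalate and those suppressed by tuning."""
    escalate = [a for a in alerts if a.verdict == "true-positive"]
    suppressed = [a for a in alerts if a.verdict == "false-positive"]
    return escalate, suppressed


# Constructed sample events modelled on the lab scenario
SAMPLE_EVENTS = (
    Event(PROCESS_CREATED, "HR_02", "Chris.fort", "cudominer.exe"),
    Event(PROCESS_CREATED, "FIN_01", "alice", "chrome.exe"),
    Event(PROCESS_CREATED, "IT_03", "bob", "DataMinerSvc.exe"),   # benign, allowlisted
    Event(EVENT_LOG_CLEARED, "HR_02", "Chris.fort"),
)

if __name__ == "__main__":
    escalate, suppressed = triage(run_rules(SAMPLE_EVENTS))
    for a in escalate:
        print(f"ESCALATE  {a.rule}: matched '{a.matched}' user={a.user} host={a.host}")
    for a in suppressed:
        print(f"SUPPRESS  {a.rule}: matched '{a.matched}' user={a.user} host={a.host}")
```

Running the script escalates the cudominer.exe hit for Chris.fort on HR_02 and the log-cleared event, while the allowlisted service that also contains "miner" is recorded as a false positive rather than dropped, so the tuning decision stays visible to whoever reviews the rule later.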


Task 7 – Conclusion



So that was “Introduction to SIEM” for you. In this room, we have learned the basics of what a SIEM solution is, and about network visibility through a SIEM in the form of log sources. Next we looked into analysing logs and alerts in a SIEM and differentiating between false and true positives or negatives. At last, we went through a lab exercise with a series of questions that tested the concepts we learned through the room. On that note, allow me to take your leave. I will meet you in the next one; till then, “Keep Defending”.
