
A SIEM Solution Implementation: Splunk Enterprise

A SIEM solution implementation using Splunk Enterprise is presented. Splunk is used to centrally collect security logs and events from various systems like Linux, Windows, and Kali machines. Universal forwarders are installed on clients to forward logs to the Splunk server. Dashboards and alerts are configured for log analysis and monitoring failures, unauthorized access attempts, and brute force attacks in real-time. The presentation concludes that SIEM provides real-time event collection, correlation, and analysis to improve security incident response.

Uploaded by KaisSlimeni
Copyright: © All Rights Reserved

A SIEM solution implementation: Splunk Enterprise

Kais Slimeni
Maher Hannachi
PLAN

• Introduction
• SIEM Presentation
• Splunk Enterprise Security definition
• Splunk Conception & Implementation
• Splunk Universal Forwarders Installation
• Splunk Server Installation
• Dashboard & Log Analysis
• Alerts & Real time simulation
• Conclusion
Introduction

• Most mid to large sized companies use Security Information and Event Management (SIEM)
• Centralized data collection
• Analysis of security-relevant information
• Detect advanced threats
• Improve reaction time in case of an incident
SIEM (Security Information and Event Management)

• Real-time event collection
• Event log monitoring
• Event log correlation
• Event log analysis
Splunk Process
[Slide: Splunk process diagram]

Splunk Conception & Implementation
[Architecture diagram: a Splunk Server collects logs from three clients. Client 1 (Linux) and Client 2 (Kali) forward /var/syslog, /var/auth.log and /var/boot.log; Client 3 (Windows 10) forwards the Application, Security and System logs. A separate attacker machine, Kali-hacking-20 (192.168.205.150, labelled "Hacker"), is shown performing a brute force attack.]
Splunk Universal Forwarders Installation 1/3
• Client 1: Ubuntu machine

Splunk Universal Forwarders Installation 2/3
• Client 2: Kali machine

Splunk Universal Forwarders Installation 3/3
• Client 3: Windows machine
Splunk Server Installation 1/5
[Slide: installation screenshots]

Splunk Server Installation 2/5
Configuration of the Splunk server

Splunk Server Installation 3/5
Deployment server and forwarder management
[Screenshot: forwarder management, with the groups Windows, Linux, Tunisia and Germany]

Splunk Server Installation 4/5
Apps installation
• Pre-built dashboards
• Reports
• Alerts and workflows
Splunk Server Installation 5/5

Inputs.conf
• Index: where you want to index the logs (Linux, Windows, ...)
• Source type of the log (Linux_secure, Windows security, Applications, ...)
• Source of the log (auth.log, boot.log, syslog)
• Enable / Disable an input (the disabled attribute turns an input stanza on or off)
Dashboard & Log Analysis

Dashboards are views that are made up of panels. The panels can contain modules such as search boxes, fields, charts, tables, and lists. Dashboard panels are usually connected to reports.

Alerts

• An alert is a type of saved search. Alerts run in real time or on a scheduled interval and are triggered when they return results that meet user-defined conditions. When an alert is triggered, it can initialize one or more alert actions.
• We create an alert with Splunk search language for monitoring any failed password for all accounts or any attempts greater than or equal to 4 attempts to gain unauthorized access on Linux machines.
• Email alert action options:
  • Sender email: kais.maher.splunk@gmail.com
  • Link to the alert
  • CSV file
  • PDF file
  • Table
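The alert condition above, reproduced outside Splunk as a small Python detector run over constructed auth.log lines; this is an added illustration, not code from the presentation or from Splunk, and the equivalent search in the comment assumes the field names `src` and `user` are extracted by the linux_secure sourcetype.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (not real logs): five failures
# from one source against three accounts, one failure from a second source,
# and one successful login that must not be counted.
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:01 client1 sshd[2210]: Failed password for root from 192.0.2.10 port 51012 ssh2
Mar  3 10:14:03 client1 sshd[2210]: Failed password for root from 192.0.2.10 port 51014 ssh2
Mar  3 10:14:05 client1 sshd[2212]: Failed password for invalid user admin from 192.0.2.10 port 51020 ssh2
Mar  3 10:14:06 client1 sshd[2212]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Mar  3 10:14:08 client1 sshd[2214]: Failed password for kais from 192.0.2.10 port 51030 ssh2
Mar  3 10:20:41 client1 sshd[2300]: Failed password for kais from 198.51.100.7 port 40022 ssh2
Mar  3 10:21:02 client1 sshd[2302]: Accepted password for kais from 198.51.100.7 port 40024 ssh2
"""

# sshd writes "invalid user" before unknown account names; both forms count.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins(lines):
    """(src, user) pairs, one per failed-password line: the 'any failed
    password for all accounts' half of the alert."""
    events = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("user")))
    return events


def brute_force_sources(lines, threshold=4):
    """Sources with at least `threshold` failures, whatever accounts they
    tried: the '>= 4 attempts' half of the alert. Assumed Splunk equivalent:
    index=linux sourcetype=linux_secure "Failed password"
      | stats count by src | where count>=4"""
    counts = Counter(src for src, _ in failed_logins(lines))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    print(f"{len(failed_logins(lines))} failed logins in sample")
    for src, n in brute_force_sources(lines).items():
        print(f"ALERT: {n} failed logins from {src}")
```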
Brute Force Attack
[Slide: screenshot of the brute force attack simulation, showing the attacker's command line with a user list and a password list]
Conclusion

• SIEM (Security Information and Event Management) is defined as the real-time collection, monitoring, correlation and analysis of events from disparate sources. Today's SIEM solutions enable your business to respond quickly and accurately to any threat or data breach.
• A SIEM solution provides management, integration, correlation and analysis in one place, making it easy to monitor and troubleshoot your IT infrastructure in real time.

Thank You For Your Attention
