Open in app

Sign in

Write

Sign in

SIEM Korelasyon Özelliği ve Performans

Ertugrul Akbas
2 min readDec 1, 2021

SIEM çözümlerinde sıkça karşılaşılan problemlerden biri demoda çalışan veya başlarda çalışan kuralların sonradan çalışmamaya, veya geç çalışmaya başlamasıdır. Bu konuda bir ölçü koymak ve ihtiyaç duyanların karşılaştırma yapabilmesini sağlayacak referans verileri oluşturmak için aşağıdaki bilgileri paylaşıyorum.

Ortalama 1000 EPS, Maksimum 3000 EPS log akışı olan bir sistemde, aşağıdaki gibi 100 tane kuralı gerçek zamanlı olarak 12 core, 24 GB RAM ile tek bir makinada çalıştırabilmeniz gerekir. Tatbiki korelasyon çalışırken log toplama, raporlama ve arama gibi diğer SIEM fonksiyonları da başarı ile çalışmaya devam etmelidir.

  • Too Many Different Destination Traffic
  • Too many DNS Queries
  • Too many failed login attempts
  • Too many users, server is full
  • 1 dakikada 10'dan fazla hatalı giriş
  • 10 dakika içerisinde 10 defa başarısız giriş denemesinden sonra başarılı oturum tespiti
  • Brute Force Attack Detected
  • Brute Force FTP Attack Detected
  • Brute Force Hosts Detected by Threat Intelligence Source
  • Brute Force MsSQL Attack Detected
  • Brute Force Oracle DB Attack Detected
  • Brute Force RDP Attack Detected
  • Brute Force VPN Attack Detected
  • Security Enable Global Group was changed
  • Security Enable Universal Group was changed
  • Security Enable Local Group was changed
  • User Created by Non Admin
  • Port Scan WAN
  • Dangerous Traffic Sent
  • Dangerous Traffic Received
  • Firewall Logon with Unknown Accounts
  • L2 MITM Detect Fake DHCP Sources
  • RDP Trace Same Source to Different Destinations
  • Firewall Configuration Added
  • Password Reset Attempted
  • Create user account and after user account has changed
  • Create user account and after logon failure
  • Zerologon Vulnerability (CVE-2020–1472)
  • A user account was unlocked
  • A user account was enabled
  • Login attempt with disabled account
  • A member added and join admin group
  • Remote DHCP Scanner
  • All Brute Force
  • Malicious Web Attack
  • Malicious Web Injection
  • Malicious Web SQL
  • UserDisable
  • PsExec Service Start
  • Detected By Threat Intelligence Feeds -Not Blocked By Firewall
  • User account deleted in short time after creation
  • A user account was locked out
  • VPN Login Inside
Siem
Korelasyon
Performans

--

--

Ertugrul Akbas

Written by Ertugrul Akbas

454 Followers

Entrepreneur,Security Analyst,Research.

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams