6d ago

SIEM

I am studying for my Network+ and my Sec+ hoping to shadow our Cyber Sec guy at work.

I want to set up a SIEM on my home network so I can be used to it's operations and how it works by the time I start messing with Pentesting stuff. Then I'm going to use it to try and track myself when I pentest myself.

I was looking into Graylog or Security Onion since they seem to have decent documentation (and I can find videos on how to set them up which is nice).

I was recommended building my own ELK stack and doing everything manually for maximum learning potential. Which I understand why this is a good idea, but I think I'd rather be as close to "baby's first SIEM" as possible or at least have a robust how-to guide.

What do you suggest?

12 comments

I would look at CISA’s Logging Made Easy project, which is based on Wazuh and Elastic with Kibana for visualization and dashboards.
https://github.com/cisagov/LME

Grafana Loki is very light on resources and simple to deploy in most cases.
Combine with Sigma detection rules (converted to LogQL queries using the Loki plugin) and you're off to the races.

SEIM? Do you mean SIEM, Secure Information and Event Management?
- Yes! Gods damn it. I had that up an everything on my second monitor.
  
  You can edit your posts, you know :)

Just a suggestion but take a look at this list… all of them should be either open source or at least free (trials, lite versions, etc.).
Find out what you use at work and see if there’s a trial version or if they use open source.
If not most of these tools are known and you may be able to find help online (forums, Lemmy, Reddit, etc.).
https://www.dnsstuff.com/free-siem-tools

Wazuh is popular. It's in use by name brand companies, FOSS and relatively turnkey.
Graylog is also a popular option.

I suggest skipping the devops part and instead starting with a course. If you go with setting it up you will probably spend 95% of the time doing devops and not security (which is usually the client of the devops team that maintains the SIEM)
- Got any recs? I can generally talk my company into paying for most anything education wise, but Udemy style courses work with my ADHD the best.
  
  Nothing that comes to mind, but simple search of the SIEM you are going to use in youtube and pirate bay should provide some good starters

Wazuh if you want a product instead of building it from scratch.
I'd give Greenbone a try too, I think it's most analogous to Nessus.

12 comments