2022-09-01 13:10:23
SIEMonster
Another popular open source SIEM is SIEMonster. This has a higher minimum requirement than OSSIM, with 32GB RAM and 8 VCPU’s of power recommended. However, the features available for free make this a great choice to learn. The product is built using the following features :
SIEMonster also allows you to monitor up to 100 endpoints / 5000 EPS for free – all you have to do is host the SIEM, with requirements obviously going up as you add digest more logs. See more information about the community edition here – https://siemonster.com/community-edition/
To download the community edition, please click here – https://siemonster.com/download-community-edition/
SIEMonster provide a large number of guides for free https://siemonster.com/videos/
SPLUNKSplunk is a software mainly used for searching, monitoring, and examining machine-generated Big Data through a web-style interface. During recent years, it has also became a popular SIEM tool for SOCs.
There is a process I believe that can be followed to learn Splunk very well free, this knowledge will also transfer well to other SIEMs.
1 Install free Splunk Trial (Lasts 60 days) – https://docs.splunk.com/Documentation/Splunk/latest/Installation/Whatsinthismanual (In most cases 2 vCPUs and 4GB of RAM will be fine, but allocate more if you can)
2 Go to https://github.com/splunk/botsv3 and scroll down to the required software. Install all of the recommended apps / addons following this guide https://docs.splunk.com/Documentation/AddOns/released/Overview/Singleserverinstall
3 Now download and install the BOTS (Boss of the SOC) v3 dataset at https://github.com/splunk/botsv3
4 You now have a Splunk install with various addons and data injested. There are a few ways you can use this setup.
I would first recommend following through the free Splunk Fundamentals 1 course using the Splunk Trial you have setup. See the free course / certification here – https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html
Once you are comfortable with Splunk, I would start working through the BOTS datasets. You already have the BOTS v3 dataset installed, you can get the BOTS v1 and v2 datasets here :
https://github.com/splunk/botsv1
https://github.com/splunk/botsv2
These datasets contain various logs including security events which are helpful for learning SIEM. If you would like the questions and answers which can be used along with these datasets (I highly recommend this) email bots@splunk.com and request the questions / answers to the 3 above datasets. You can then work through these challenges and learn how Security Analysts use SIEMs to find and identify security risks.
IBM QRadarQRadar IBM is one of the most popular, well known enterprise grade SIEMs. Due to this, there is a lot of free information out there on how to setup and learn it.
To start off with, you can install the QRadar Community Edition here. https://developer.ibm.com/qradar/ce/
The requirements are as follows : • Memory minimum requirements: 8 GB RAM or 10 GB w/applications
• Disk space minimum: 250 GB
• CPU: 2 cores (minimum) or 6 cores (recommended)
• One network adapter with access to the Internet is required
• A static public and private IP addresses is required for QRadar Community Edition
• The assigned hostname must be a fully qualified domain name
For help installing and setting up, follow
Jose Bravo’s Youtube channel is the single best source of QRadar content out there. He is an IBM employee (I believe) and has a very wide range of videos on all QRadar and general SIEM topics you could think of. I highly recommend taking time to go through his channel, you will learn a lot – https://www.youtube.com/channel/UCHrkReoBj-SRWJ15YXtyIxg
Once you have the QRadar installed, you can easily get some Windows or Linux logs ingested into the platform for you to use.
Windows –
Linux –
126 viewsAlireza Ghahrood, 10:10
C
