Greetings fellow adventurers!

In today’s CySA bootcamp class, we delved into the realm of SIEMs, or Security Information and Event Management systems. These powerful tools are essential for detecting and analyzing security events in a network environment. Here’s a summary of what we learned:

First, we explored the concept of data normalization. In the land of SIEMs, data comes from various sources such as agents, listeners/collectors, and endpoint logs. It’s important to normalize this data into a consistent format so it can be properly analyzed.

Next, we learned about the different types of analysis that can be performed using a SIEM. From conditional and heuristic analysis to anomaly detection and machine learning, there are many ways to sift through the vast amounts of data that a SIEM can collect.

But what good is all this analysis without proper visualization and key performance indicators? We learned that having a good understanding of the data and how to present it is crucial to making informed security decisions.

Last but not least, we delved into the mystical art of rule and query writing. In the magical land of OSSIM, the possibilities for writing SIEM rules and queries are endless. Here are a few examples of the spells we learned:

Example Rule 1: If a user fails to log in 5 times in 1 minute, create an alert.
Example Rule 2: If a user accesses a sensitive file outside of business hours, create an alert.
Example Query: Show all failed login attempts from IP address 192.168.1.100 in the past 24 hours.
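As an added illustration (not code from the class or from OSSIM), the following Python normalizes two constructed raw log formats into one schema, then applies Example Rule 1 and the Example Query over them; the log formats, the sample events and the clock time `now` are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events in two raw formats (made up for this example, not real logs).
RAW_EVENTS = [
    "2024-05-01T09:00:01Z sshd: Failed password for alice from 192.168.1.100",
    "2024-05-01T09:00:10Z sshd: Failed password for alice from 192.168.1.100",
    "2024-05-01T09:00:20Z sshd: Failed password for alice from 192.168.1.100",
    "2024-05-01T09:00:30Z sshd: Failed password for alice from 192.168.1.100",
    "2024-05-01T09:00:45Z sshd: Failed password for alice from 192.168.1.100",
    "2024-05-01T09:02:00Z sshd: Accepted password for bob from 10.0.0.5",
    "2024-05-01T10:00:00Z EventID=4625 user=carol src=192.168.1.100",
]
SSH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
WIN_RE = re.compile(r"^(\S+) EventID=(\d+) user=(\S+) src=(\S+)$")

def normalize(line):
    """Map either raw format onto one schema: ts, user, src_ip, outcome."""
    if m := SSH_RE.match(line):
        ts, verdict, user, ip = m.groups()
        outcome = "failure" if verdict == "Failed" else "success"
    elif m := WIN_RE.match(line):
        ts, event_id, user, ip = m.groups()
        outcome = "failure" if event_id == "4625" else "success"  # 4625 = logon failure
    else:
        return None  # unknown format; a real SIEM would count these as parse errors
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "src_ip": ip, "outcome": outcome}

def rule_failed_logins(events, threshold=5, window=timedelta(minutes=1)):
    """Rule 1: alert when one user fails to log in `threshold` times within `window`."""
    alerts, recent = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] != "failure":
            continue
        bucket = recent[e["user"]]
        bucket.append(e["ts"])
        while e["ts"] - bucket[0] > window:  # slide the window forward
            bucket.pop(0)
        if len(bucket) >= threshold:
            alerts.append((e["user"], e["ts"]))
            bucket.clear()  # one alert per burst, not one per extra failure
    return alerts

def query_failed_from_ip(events, ip, now, lookback=timedelta(hours=24)):
    """Query: failed logins from `ip` in the past `lookback`, measured from `now`."""
    return [e for e in events
            if e["outcome"] == "failure" and e["src_ip"] == ip and now - e["ts"] <= lookback]

def demo(now=datetime(2024, 5, 2, 9, 30)):
    """Run the rule and the query over the constructed events; `now` is assumed."""
    events = [e for e in map(normalize, RAW_EVENTS) if e]
    return rule_failed_logins(events), query_failed_from_ip(events, "192.168.1.100", now)
```

With the assumed `now`, alice's burst at 09:00 is just outside the 24-hour lookback, so the query returns only carol's failure while the rule still fires once for alice.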

With these powerful tools at our disposal, we can detect and thwart potential security threats before they have a chance to wreak havoc on our network. Stay tuned for more exciting adventures in the world of cybersecurity!