A SIEM solution implementation
10/26/2020
Prepared By:
Kais Slimeni
Maher Hannachi
TEK-UP University 2020
Contents
General Introduction...............................................................................................................5
Chapter 1: SIEM.....................................................................................................................6
Introduction ........................................................................................................................6
1.1 SIEM.........................................................................................................................6
1.1.1 SIEM Definition .................................................................................................6
1.1.2 SIEM Examples .................................................................................................6
1.1.3 SIEM location in the infrastructure .....................................................................6
1.1.4 SIEM Process .....................................................................................................7
1.2 Splunk Enterprise Security ........................................................................................7
1.2.1 Key Features ......................................................................................................8
1.2.2 Splunk roles .......................................................................................................8
1.2.3 Splunk Indexes ...................................................................................................8
1.2.4 Search and reporting ...........................................................................................9
Conclusion ....................................................................................................................... 10
Chapter 2 : Splunk Implementation ................................................................................. 11
Introduction ...................................................................................................................... 11
2.1 Project Design ......................................................................................................... 11
2.2 Splunk Universal Forwarder Installation .................................................................. 12
2.2.1 Client 1: Ubuntu machine ................................................................................. 12
2.2.2 Client 2: Kali machine ...................................................................................... 13
2.2.3 Client 3: Windows machine .............................................................................. 14
2.3 Splunk Server Installation ........................................................................................ 18
2.4 Indexing .................................................................................................................. 22
2.5 Deployment server (forwarders management) .......................................................... 23
2.6 Apps installation ...................................................................................................... 25
2.6.1 Deploymentclient.conf file ............................................................................... 26
2.6.2 Inputs.conf ....................................................................................................... 26
2.7 Dashboard & Log Analysis ...................................................................................... 29
2.8 Alerts ...................................................................................................................... 31
Conclusion ....................................................................................................................... 36
General Conclusion .............................................................................................................. 37
Bibliography......................................................................................................................... 38
Figures table
Figure 1 : SIEM in infrastructure ...........................................................................................6
Figure 2 : Indexing .................................................................................................................8
Figure 3 : Searching with indexes ...........................................................................................9
Figure 4 : Splunk Searching Language.................................................................................. 10
Figure 5 : Splunk Universal Forwarder ................................................................................. 12
Figure 6 : Universal forwarder installation ............................................................................ 12
Figure 7 : Config of the receiving server ............................................................................... 12
Figure 8 : Client 1 Monitored Files ....................................................................................... 13
Figure 9 : Client 3 monitored files ........................................................................................ 14
Figure 10 : Download windows Splunk universal forwarder ................................................. 14
Figure 11 : Windows Splunk universal forwarder installation ............................................... 15
Figure 12 : Windows logs to be forwarded............................................................................ 15
Figure 13 : Set the deployment server IP address .................................................................. 16
Figure 14 : Username creation .............................................................................................. 16
Figure 15 : Configure the receiving server IP address and the listen port ................................ 17
Figure 16 : Installation finished ............................................................................................ 17
Figure 17 : Splunk Downloading .......................................................................................... 18
Figure 18 : Username and password creation ........................................................................ 19
Figure 19 : Splunk web interface address .............................................................................. 19
Figure 20 : Splunk web page................................................................................................. 19
Figure 21 : Splunk server configuration ................................................................................ 20
Figure 22 : Splunk server listen port configuration................................................................ 20
Figure 23 : Received log from the three clients ..................................................................... 21
Figure 24 : Source of the received logs ................................................................................. 21
Figure 25 : Creation new index ............................................................................................. 22
Figure 26 : Linux & Windows indexes ................................................................................. 23
Figure 27 : Add new server class .......................................................................................... 24
Figure 28 : Add new clients .................................................................................................. 24
Figure 29 : Add new App to server class ............................................................................... 25
Figure 30 : Installed Apps..................................................................................................... 25
Figure 31 : Deploymentclient.conf file.................................................................................. 26
Figure 32 : Linux inputs.conf file .......................................................................................... 27
Figure 33 : Windows Event viewer ....................................................................................... 27
Figure 34 : Windows input.conf file...................................................................................... 28
Figure 35 : Windows Event Log Analysis App ..................................................................... 29
Figure 36 : App installation .................................................................................................. 29
Figure 37 : Windows log events dashboard ........................................................................... 30
Figure 38 : Alerts configuration ............................................................................................ 32
Figure 39 : Receive Email configuration ............................................................................... 33
Figure 40 : Alert rules created............................................................................................... 34
Figure 41 : Brute force attack on kali machine client ............................................................ 34
Figure 42 : Valid credentials found successfully ................................................................... 35
General Introduction
In today's global digital economy, monitoring and protecting your business data
from increasingly sophisticated cyber threats is essential, and it is a safe bet that
your business has more data to process than it has ever had before. SIEM was
created to address that need.
The protection of corporate IT infrastructures against cyber-attacks is becoming
a more and more demanding task. Trends like Industry 4.0 and the Internet of Things
transform today's IT landscapes into complex and mazy structures with a growing
number of attack points. In most mid to large size companies, a Security
Operations Center (SOC) is established to gain a holistic and centralized view of
IT security and to enable fast reactions in case of an incident.
Chapter 1: SIEM
Introduction
In order to achieve a high level of cyber security awareness most mid to large sized
companies use Security Information and Event Management (SIEM) embedded into a Security
Operations Center. These systems enable the centralized collection and analysis of security
relevant information generated by a variety of different systems, to detect advanced threats and
to improve reaction time in case of an incident.
1.1 SIEM
1.1.1 SIEM Definition
SIEM stands for Security Information and Event Management, i.e. the management of
security information and events. SIEM can be defined as the real-time collection, monitoring,
correlation and analysis of events across disparate sources.
1.1.2 SIEM Examples
▪ SolarWinds Security Event Manager
▪ Under Defense Co-managed SIEM
▪ Datadog Security Monitoring
▪ ManageEngine Event Log Analyzer
▪ Splunk Enterprise Security
1.1.3 SIEM location in the infrastructure
Figure 1 : SIEM in infrastructure
1.1.4 SIEM Process
Figure 2 : SIEM Process
SIEM collects security data from network devices, servers, domain controllers, and more.
Then it stores, normalizes, aggregates, and applies analytics to that data to discover trends, detect
threats, and enable organizations to investigate any alerts.
1.2 Splunk Enterprise Security
Splunk is one of the most popular SIEM management solutions in the world. What sets it
apart from the competition is that it has incorporated analytics into the heart of its SIEM.
Network and machine data can be monitored in real time as the system scours for
potential vulnerabilities, and it can even point to abnormal behavior. Enterprise Security's Notables
function displays alerts that can be refined by the user.
Splunk captures, indexes and correlates real-time data in a searchable repository from which it
can generate graphs, reports, alerts, dashboards and visualizations.
1.2.1 Key Features
▪ Event log Dashboards
▪ Deployed on Windows, Linux & cloud
▪ Real-time network monitoring
▪ Asset Investigator
▪ Historical analysis
1.2.2 Splunk roles
▪ Admin
▪ Power
▪ User
1.2.3 Splunk Indexes
Splunk indexes are where Splunk stores event data for searching. Splunk administrators will
often use multiple indexes to segregate data.
As an example, there might be an index for our web data and one for our security data.
Having users search only the index that contains the events they need can make searches more
efficient.
Figure 3 : Indexing
▪ An administrator can also use indexes to limit access to specific roles for security reasons
or for web reasons
▪ Indexes are searched by using the field name of “index” and the name of index to search
as the field value. It’s possible to search multiple indexes at the same time.
By default, all external events go to the index called main. However, you might want to send
some events to other indexes. For example, you might want to route all data from a particular
input to its own index. Or you might want to segment data or send event data from a noisy source
to an index that is dedicated to receiving it.
To send events to a specific index, the index must already exist on the indexer. If you route
any events to an index that doesn't exist, the indexer will drop those events.
Figure 4 : Searching with indexes
1.2.4 Search and reporting
We can specify keywords to start our search, for example "fail* AND password 22".
Figure 5 : Splunk Searching Language
Click Search History to view your past searches. Unlike jobs, which save the results of
your search for a short time, here you only see your search criteria, which are saved for a long
time. You will often have many searches; you can filter by time or content to find one.
Conclusion
SIEM products and services fulfill two functions: centralizing security logs and reporting within
an organization, and assisting in the detection, analysis and control of security incidents. To
fulfill those functions, we chose to implement and configure Splunk Enterprise in a virtual
environment.
Chapter 2 : Splunk Implementation
Introduction
In this chapter, we present the design of our project as a diagram, to make it easier to
understand and to present.
2.1 Project Design
Our project consists of 3 clients (Linux, Windows 10 & Kali) connected to a Splunk server
machine, to which they forward their event logs so that those events can be monitored and parsed
in real time in order to prevent any type of attack. On the Splunk server we installed Forwarder
management, so that the clients can easily be managed remotely from the server, and we
implemented a dashboard to ease the monitoring and parsing of the event logs received from the
Windows machines. For the Linux machines, we configured alerts to detect failed logins,
unauthorized access and brute force attacks.
2.2 Splunk Universal Forwarder Installation
2.2.1 Client 1: Ubuntu machine
Download Splunk Universal forwarder from the official site.
Figure 6 : Splunk Universal Forwarder
Extract it to the destination folder /opt on the Ubuntu client machine named "Linux" with the
command:
# sudo tar xvzf splunk-8.0.4.1-ab7a85abaa98-Linux-x86_64.tgz -C /opt
Figure 7 : Universal forwarder installation
Once the installation is complete, the receiving server with IP 192.168.205.150 is configured
from the command line, as shown in the figure below.
Figure 8 : Config of the receiving server
To ensure event log monitoring, we configure the log types to be forwarded to the Splunk
server. The files we want to monitor are:
o Syslog file
o Auth.log file
o Boot.log file
Figure 9 : Client 1 Monitored Files
2.2.2 Client 2: Kali machine
Configure the Kali machine to forward its logs to the Splunk server 192.168.205.150 on the
receiving port 8001.
To ensure event log monitoring, we configure the log types to be forwarded to the Splunk
server. The files we want to monitor are:
o Auth.log
o Syslog
o Messages
o Faillog
o Boot.log
Figure 10 : Client 3 monitored files
2.2.3 Client 3: Windows machine
Download the .msi file from the official site.
Figure 11 : Download windows Splunk universal forwarder
We select the "Check this box" check box to accept the License Agreement.
Figure 12 : Windows Splunk universal forwarder installation
We enter the username and password into the Username and Password fields.
We select the Windows event logs that we will monitor with the Splunk server.
We can also monitor AD, or choose a specific file to monitor by its file path.
Figure 13 : Windows logs to be forwarded
Username and password creation
Username: kais
Password: ********
Set the deployment server IP address and port.
Figure 14 : Set the deployment server IP address
Figure 15 : Username creation
We define the receiving Splunk server IP address and the listen port.
Figure 16 : Configure the receiving server IP address and the listen port
Installation finished
Figure 17 : Installation finished
2.3 Splunk Server Installation
The first step is to download Splunk enterprise from the official website and extract it to the
destination folder in the server machine kali-hacking20 with the command:
# sudo tar xvzf splunk-8.0.5-a1a6394cc5ae-Linux-x86_64.tgz -C /opt
Figure 18 : Splunk Downloading
Splunk web interface configuration
To run Splunk, we use the start command with the argument --accept-license to accept the
license, from the folder /opt/splunk/bin:
# ./splunk start --accept-license
After accepting the license agreement, a username & password need to be created and keys
are generated.
Username: kais
Password: *********
Figure 19 : Username and password creation
Once completed, the web interface address will be displayed: http://kali-hack:8000
Figure 20 : Splunk web interface address
The Splunk web page is displayed at the configured web address.
Figure 21 : Splunk web page
Configuration of the splunk server
Figure 22 : Splunk server configuration
Configure the listen port
Figure 23 : Splunk server listen port configuration
Now we go to the server machine to verify whether it receives the logs.
Figure 24 : Received log from the three clients
The universal forwarders are connected to the Splunk server and forward the logs.
Figure 25 : Source of the received logs
2.4 Indexing
From the main menu, we create new indexes (windows & linux) to store event data for easy
searching and to segregate data.
Figure 26 : Creation new index
The indexes were created with a max size of 500 MB.
Figure 27 : Linux & Windows indexes
2.5 Deployment server (forwarders management)
The deployment server is the tool for distributing configurations, apps and content updates to
groups of Splunk Enterprise instances. Installing a deployment server makes it easier to manage
the forwarders from the remote Splunk server.
Figure 28 : Deployment server Architecture
We set up the deployment server with 2 server classes, each of which can contain one or more
machines:
1. Linux_clients
2. Windows_clients
Figure 29 : Add new server class
Figure 30 : Server classes
After creating a server class, we can edit it to add the IP addresses of the clients to be
monitored to its whitelist, as shown below:
Figure 31 : Add new clients
We can also edit the apps to select the app to be added to the machines in this server class.
Figure 32 : Add new App to server class
2.6 Apps installation
Apps provide an optimized work environment. With apps, users of any type can troubleshoot
problems or discover opportunities with ease. Apps typically provide:
• Pre-built dashboards, reports, alerts and workflows
• In-depth data analysis for power users
Path: $SPLUNK_HOME/etc/deployment-apps
Figure 33 : Installed Apps
2.6.1 Deploymentclient.conf file
Path: /opt/splunkforwarder/etc/system/local/deploymentclient.conf
This file is responsible for checking whether the client is still alive or not.
Figure 34 : Deploymentclient.conf file
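A deploymentclient.conf for one of the forwarders, as an added example that is not copied from the project's files. It assumes the deployment server is the Splunk server 192.168.205.150 on Splunk's default management port 8089 (the report does not state this port) and a 60-second phone-home interval.

```ini
# /opt/splunkforwarder/etc/system/local/deploymentclient.conf (added example)
# Splunk .conf comments must be on their own line: anything after a value on
# the same line is treated as part of the value.

[deployment-client]
# How often the forwarder phones home to the deployment server. This is the
# check that tells the server whether the client is still alive (60 s assumed).
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
# host:port of the deployment server. 8089 is Splunk's default management port
# and is an assumption; the report only gives the server address.
targetUri = 192.168.205.150:8089
```

The same stanza is written by the CLI command `splunk set deploy-poll 192.168.205.150:8089` run from /opt/splunkforwarder/bin, followed by a forwarder restart.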
2.6.2 Inputs.conf
You can use inputs.conf to monitor files and directories with Splunk Enterprise. inputs.conf
provides the most configuration options for setting up a file monitor input.
We can also specify:
o Index: where you want to index the logs (linux, windows, ...)
o Source type of the log (linux_secure, windows security, ...)
o Source of the log (auth.log, boot.log, syslog)
o Enable / disable an attribute
Paths:
$SPLUNK_HOME/etc/deployment-apps/linux_logs/local/inputs.conf
$SPLUNK_HOME/etc/deployment-apps/windows_logs/local/inputs.conf
Figure 35 : Linux inputs.conf File
For Windows we can use the default source type of the log as specified in the Event Viewer application.
Figure 36 : Windows Event viewer
In our project, we specified just 3 Windows event logs in the inputs.conf file:
WinEventLog://Application
WinEventLog://Security
WinEventLog://System
Figure 37 : Windows input.conf file
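The two deployment-app inputs.conf files and the server-side listener, as an added example rather than the project's own files. Index names (linux, windows), the monitored files, the source type linux_secure and the receiving port 8001 are taken from the report; the boot.log source type name and the server-side file path are assumptions.

```ini
# --- $SPLUNK_HOME/etc/deployment-apps/linux_logs/local/inputs.conf ---
# Pushed by the deployment server to the Linux_clients server class
# (Ubuntu and Kali forwarders). Comments must sit on their own line.
# The "linux" index must already exist on the indexer, otherwise the
# events routed to it are dropped (see 1.2.3).

[monitor:///var/log/auth.log]
disabled = false
index = linux
# sshd "Failed password" lines land here; the alerts in 2.8 read this source type
sourcetype = linux_secure

[monitor:///var/log/syslog]
disabled = false
index = linux
sourcetype = syslog

[monitor:///var/log/boot.log]
disabled = false
index = linux
# source type name assumed (the one used by the Splunk Add-on for Unix and Linux)
sourcetype = linux_bootlog

# The Kali client in the report also monitors /var/log/messages and
# /var/log/faillog; each is added with the same kind of monitor:// stanza.
[monitor:///var/log/messages]
disabled = false
index = linux
sourcetype = syslog

# --- $SPLUNK_HOME/etc/deployment-apps/windows_logs/local/inputs.conf ---
# Pushed to the Windows_clients server class: the three channels used in the report.
[WinEventLog://Application]
disabled = 0
index = windows

[WinEventLog://Security]
disabled = 0
index = windows
# Event ID 4625 (failed logon) from this channel feeds the dashboard panel
# "Accounts with 3 or more failed logons" described in 2.7

[WinEventLog://System]
disabled = 0
index = windows

# --- /opt/splunk/etc/system/local/inputs.conf on the Splunk server (assumed path) ---
# Receiving listener for all forwarders; 8001 is the receiving port used in the report.
[splunktcp://8001]
disabled = 0
```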
2.7 Dashboard & Log Analysis
The Windows Event Log Analysis app provides an intuitive interface to the Windows event
logs collected by the Splunk Universal Forwarder for Windows.
Download it from the official site.
Figure 38 : Windows Event Log Analysis App
From the Splunk search & reporting field we select "install app from file", select the
downloaded file and then continue the installation procedure.
Figure 39 : App installation
After installing the Windows Event Log Analysis app, a dashboard is created to ease the
management of the received log events.
Figure 40 : Windows log events dashboard
- The dashboard shows real-time log analysis.
- We can filter logs by time, for example when we only need to analyze the logs from the last
week or the last month.
- We can export PDF reports or schedule a PDF delivery, for example a report sent to the
person responsible every midnight.
- We can also edit the positions of the displayed panels, add a panel, move, maximize,
minimize, change colors, and switch between a dark and a white background.
- As you can see, the Windows Event Log Analysis app parses the received logs and filters
them into error logs, warning logs, informational logs, audit and failed logons.
- You can also see a very important, critical panel, "Accounts with 3 or more failed logons".
This panel shows the number of failed logons for each account: Atef has 32 attempts in total,
and our attention goes to the Islam account, which made a huge number of attempts, 119, in
the last short period.
We can pull out more details for this account by simply clicking on the Islam account. As you
can see, the source of the result is a search in the Splunk language: the index where the events
of the Windows 10 client are stored, the source of the events, the failure reason and the user;
we can also find the time of each attempt and more details.
The parsing shows that this account may be under attack, and a best practice such as password
hardening should be implemented, for example locking the account after 3 failed logons to
prevent brute force attacks.
- Top computers generating events: here we can see all the monitored Windows machines and
the percentage of events generated by each of them.
- Windows events over time: we can see the times or days on which the clients generated a huge
number of event logs; here Monday 31 August 2020 is the top day for generated events.
2.8 Alerts
We create an alert with the Splunk search language to monitor any failed password for all
accounts, or any attempt count greater than or equal to 4, to detect unauthorized access attempts
on the Linux machines.
Figure 41 : Alerts configuration
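The alert search as we would write it, added here as an example; it is not the saved search shown in the figure, which the report does not reproduce. It assumes the index linux and source type linux_secure from inputs.conf, the standard Ubuntu/Kali sshd log line "Failed password for [invalid user] USER from IP port PORT ssh2", and a per-source-IP threshold of 4, the value used in section 2.8; it also serves as a fuller version of the keyword search of section 1.2.4.

```spl
index=linux sourcetype=linux_secure "Failed password"
| rex field=_raw "Failed password for (invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)"
| stats count AS attempts, dc(user) AS users_tried, values(host) AS target, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src_ip
| where attempts >= 4
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - attempts
```

Saved as a scheduled alert running every 5 minutes over the last 5 minutes and triggering when the number of results is greater than 0, each triggered row carries the source IP address, the number of attempts and the number of distinct user names tried, which is what the email in the next step reports; a single mistyped password never reaches the threshold, while the Nmap run of 2.8 does within one interval.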
We also configure the email address that will receive the alerts as a high-priority report, and
the expiration date.
We included in that alert email:
a link to the alert
a CSV file
a PDF file
a table
Figure 42 : Receive Email configuration
After configuring the alert, we need to enable it; the alert and its permissions can then be
edited, and it can be moved or deleted.
Figure 43 : Alert rules created
In the next step, we perform a brute force attack on the SSH remote administration protocol of
the Linux machine with the tool Nmap:
nmap --script ssh-brute -p22 192.168.205.131 --script-args userdb=users.txt,passdb=passwords.txt
This command tries every combination of the logins and passwords contained in the two
files users.txt and passwords.txt.
Figure 44 : Brute force attack on kali machine client
The brute force completed and valid credentials were found.
Figure 45 : Valid credentials found successfully
After this attack, an alert was generated and an email was sent to the configured address with
the generated CSV and PDF reports and the source IP address.
Figure 46 : Receive Alert Email
Conclusion
In this chapter we have presented our project design and the procedure for installing the Splunk
universal forwarders on Ubuntu, Kali and Windows. We have also shown the Splunk server
installation and configuration that allow us to monitor critical incidents in real time with
dashboards & alerts.
General Conclusion
SIEM (Security Information and Event Management) is defined as the real-time collection,
monitoring, correlation and analysis of events from disparate sources. Today's SIEM solutions
enable your business to respond quickly and accurately to any threat or data breach.
A SIEM solution provides management, integration, correlation and analysis in one place,
making it easy to monitor and troubleshoot your IT infrastructure in real time.