Sunday, August 2, 2015

SIEM Deployment - Configuring Filtering on SmartConnectors

One of the big obstacles security analysts face when deploying SIEM solutions is that, once you ask system owners to send their "security related" logs to your log collectors, they misunderstand you and save everything.

There are also times that system owners really cannot eliminate junk logs (security wise of course).

Because of the fact that more logs mean more money spent (resources, licensing, storage, etc.) we have to eliminate those logs at same point. In this article, I will detail filtering out logs on SmartConnectors in this article, which is the best place to filter logs because it is the closest to the log source.

The first step of filtering should be deciding which logs you are going to filter. It is never bad to say it again, when collecting logs, do set your scenarios before and know what logs you need to fire your rules. All the rest is garbage, which you can eliminate at some level (source or SmartConnector).

In this example, I have chosen filtering out Microsoft Windows logs and the criterion, I use for it is the deviceEventClassId. You can filter your logs according to any criterion you want.

In order to start, we should run runagentsetup script under your <Connector_Home>\current\bin directory. For the sake of simplicity, I used a windows based SmartConnector for this demo.


In the next menu we choose "Modify Connector" option.


Then "Add, modify, or remove destinations" option should be chosen.


Step 4 is an important step to be well understood. Filtering operation, just like aggregation and other SmartConnector level modifications is made per destination, which means that filtering settings you made are only valid for the Logger or ESM that you choose at this step. If you want to do the filtering for a second destination, you should start over once more. This however and fortunately does not apply for failover destinations.


At step 5, "Modify destination settings" option is chosen.


The next menu is where we actually choose the operation we want to configure.


In the final configuration screen, we enter the parameters according to which we are going to filter the incoming logs. For this example, we are filtering out logs in which deviceEventClassId field contains "Microsoft-Windows-Security-Auditing:4674" or "Microsoft-Windows-Security-Auditing:5447".


If you want to learn more about Microsoft Windows Audit Events, I'd suggest you to visit this website and read this blog article.

Once this step is done, we click next and reach the final configuration screen.


Do not forget to restart your SmartConnector service in order to apply the filtering settings.


2 comments:

  1. Attractive component to content. I simply stumbled upon your weblog and in accession capital to assert that I acquire in fact
    enjoyed account your weblog posts. Anyway I'll be subscribing in your feeds or even I success
    you get admission to constantly quickly.

    Feel free to surf to my blog - Stormfall Hack Android

    ReplyDelete
  2. What's up to every one, because I am in fact eager of reading this webpage's post to be updated on a regular basis.
    It contains good data.

    ReplyDelete