Originally presented at BSidesDFW. Taking Graylog from Log Management to SIEM.

1. is the New Black
Megan Roddie

2. when
to_string($message.first_name) == “Megan” &&
to_string($message.last_name) == “Roddie”
then
set_field(“company”, “Recon InfoSec”);
set_field(“job_title”, “Security Analyst”);
set_field(“education”, “M.S., B.S., GCIH, GCIA”);
set_field(“twitter”, “@megan_roddie”);
end
rule “about me”

3. Graylog, SIEM, and
Logging 101

4. What is Graylog?
➥ Open source log management tool
➥ “Do more with your log data”
➥ @graylog2
➥ https://www.graylog.org/

5. What is a SIEM? Security
Information (and)
Event
Management
A single
pane of glass for
security

6. SIEM vs. Log Management

7. IT Data Management Maturity

8. Pipelines, stages, and
rules; oh my!

9. Pipeline
Hierarchy

10. Pipelines
“Pipelines are the central concept tying together
the processing steps applied to your messages.”

11. Stages
“Stages are groups of conditions and actions which
need to run in order. [...] Stages provide the
necessary control flow to decide whether or not to
run the remaining stages in a pipeline.”

12. Processing Rules
“Processing rules are simply conditions followed by
a list of actions, and do not have control flow by
themselves. ”

13. Processing Rules
Functions can:
➥ Add Stuff
➥ Remove Stuff
➥ Change Stuff

14. Processing Rule Syntax
rule "foobar"
when
<conditions>
then
<actions>
end

15. Visualizing Pipeline Flows

16. More on pipelines...
deep dive into processing pipelines
by Jan Doberstein
https://bit.ly/2JsqLJX

17. So you’ve got yourself
some logs & pipelines.
Now what?

18. Normalization
➥ src_ip
➥ source_ip
➥ SourceIP
➥ source
➥ src_addr
Source IP Log Fields
src_ip
➥ dest_ip
➥ dst_ip
➥ DestinationIP
➥ dest
➥ dst_addr
Destination IP Log Fields
dst_ip

19. Enrichment
➥ Threat Intel Plugin
○ RFC-1918 Check
○ Whois Lookup
➥ Geolocation
○ MaxMind GeoIP Lookup

20. Lookup Tables
“Imagination is the only limit”
- Jan Doberstein

21. Lookup Tables - Examples
➥ Correlate VM to Hypervisor
➥ Correlate switches and VLANs from CMDB
➥ Translate log “codes” to human readable
meaning
➥ Add Point of Contact from CMDB

22. Lookup Tables - Example

23. Lookup Tables - Example

24. More Enrichment
If you can think it, it can be done...

25. Threat Intel ➥ AlienVault OTX
➥ Tor Exit Nodes
➥ SpamHaus
➥ Abuse.ch
There’s an app for that!

26. Revisiting IT Data Management Maturity

27. Revisiting SIEM vs. Log Management

28. Conclusion...
Is Graylog a SIEM?
(by definition)
(IMHO)

29. Acknowledgements
Eric Capuano
➥ @eric_capuano
➥ Taught me all the things
Jan Doberstein
➥ @jalogisch
➥ Helped me understand
Graylog at a deeper level
Lennart Koopmann
➥ @_lennart
➥ Answered a lot of questions
and helped me solve a lot of
problems
BrakeSec #siem-logging
➥ @brakesec

30. Thank you!