SIEM Integration
SIEM solutions handle log management, correlation, and alerting, and are the foundation of a Security Operation Center (SOC). A SIEM consumes data from logs and other sources. To accomplish this, it needs integrations with each data source.
There are two general methods of SIEM integration:
- Push integration is the method in which the assets that generate logs send them to the SIEM via the Syslog protocol.
- Pull integration involves the SIEM solution pulling data from device databases using JDBC or similar pull protocols.
This article will discuss what infrastructure assets should integrate with SIEM, best practices for SIEM integrations, and an example of integrating a Linux machine with Wazuh, an open-source SIEM.
Summary of key SIEM integration concepts
The table below summarizes the different SIEM integration categories, types, and assets required for a mature SOC.
SIEM Integrations
Category | Type | Assets |
---|---|---|
Security Tools | Endpoint Solutions | Endpoint Protection (EPP); Endpoint Detection and Response (EDR) |
Security Tools | Firewalls | Edge Firewalls (NGF); Web Application Firewalls (WAF); Segmentation Firewalls; VPN Firewalls |
Security Tools | Privileged User | Privilege and Access Management (PAM) |
Network Devices | Routers | Core Router |
Network Devices | Switches | Core Switch |
Network Devices | Exchanges | Email Exchange |
Servers | Operating Systems | Windows; Linux |
Applications | Standard | Active Directory |
Applications | Customized | Business Applications |
SIEM integration with different assets
Security engineers should integrate these four asset types with SIEM:
- Security Tools
- Network Devices
- Servers or virtual machines
- Applications
Let’s go through each, looking at their subcategories and challenges.
Security tools
The most important devices to integrate with a SIEM solution are other security solutions already in your infrastructure. These tools are an ideal source for security-focused information, so SIEM engineers should integrate them as a top priority.
Endpoint security solutions
In mature organizations, two endpoint protection technologies are available: EPP and EDR. Both are important to integrate with SIEM because the endpoint is where attacks execute. Defending endpoints strengthens an organization’s perimeter, thwarting attackers before they can get into your systems.
Endpoint solutions, whether EPP or EDR, are usually integrated through pull integrations, because the logs must be fetched from the EPP or EDR database. The challenging part of endpoint security SIEM integration is handling authorization tokens and certificates. SIEM engineers need to ensure the required ports are open, the certificates match on both sides, and encryption is working properly.
Firewall devices
Firewalls are essential security tools that every organization has, and they are the easiest to integrate because of the available guides and out-of-the-box support for almost all popular firewall brands in popular SIEM products. Firewalls are usually Linux based and are easily integrated using the push mechanism through Syslog.
Since firewalls are the main component of the security architecture that inspects traffic, it is essential to forward only the categories of logs that pertain to security use cases to the SIEM. Otherwise, EPS (events per second) throttling and noisy logs can degrade SIEM performance.
Privileged user
Admin accounts are the treasure that every attacker is looking for. Compromising these privileged accounts allows attackers to control a target completely. So after taking care of the endpoints and network traffic, SIEM engineers should focus on integrating privilege-controlling tools like PAM Solutions. Some popular PAM solutions are integrated through pull techniques, while others are integrated through push mechanisms.
Network devices
The core benefit of a SIEM solution is that SOC analysts can dig down during investigations and track an attacker’s steps. Integration of core network devices is essential and provides in-depth analysis support for this purpose.
Core switches and routers
Routers and switches are sometimes separate appliances; in other cases, a single appliance performs both functions. As these devices handle data in motion, integrating them with SIEM allows analysts to investigate and track botnet and C&C communications.
These devices are integrated with SIEM through tapping solutions or other similar workarounds. However, it’s essential to understand the SIEM licensing model before integrating since some SIEM solutions require separate licenses for flow capturing and parsing.
Email exchanges
Due to the prevalence of phishing to gain footholds into systems, email security is a top priority.
Email exchange or email security solutions are highly diverse in terms of integrations. Some organizations use cloud email services, and some have their own exchange servers. For on-prem solutions, push integrations perform better; for cloud, pull provides an advantage.
One important note for SIEM engineers regarding email security integrations: ensure that the information in the logs is sanitized to avoid violating user privacy regulations.
Servers
Whether to integrate servers with SIEM depends on the nature of the organization’s business. Some organizations cover servers through EDR solutions and do not integrate data center servers directly. However, when EDR is not implemented, or when server integration is a mandatory compliance requirement, SIEM engineers must incorporate them.
Most SIEM brands offer agent-based integration of servers, which makes it quite easy. You push an agent to all the servers through SCCM or Active Directory. Once the agent is on the server, adding the SIEM collector IP to the agent configuration connects the server to the SIEM and starts sending logs.
Where agents are not supported or compatible, Syslog is the alternative.
Applications
Applications are the assets where the business of any organization operates. Some applications are standard across all organizations, like Active Directory, which is essential for any organization with a sizable number of employees.
Active Directory is a Windows-based application, so its integration procedure is the same as any Windows server. However, the AD audit policy configuration must be tweaked for specific user monitoring use cases.
In the case of custom applications like Enterprise Resource Planning (ERP) solutions, banking applications, and Customer Relationship Management (CRM) software, out-of-the-box integrations are not available. Hence, these integrations are the toughest and involve custom parsing and mapping.
The usual process for integrating such applications is to sanitize the logs, gather them into a flat file, forward them to the SIEM through Syslog, and then write custom parsers or normalization policies in the SIEM. If the application allows a direct connection to its database tables, logs can be fetched directly over JDBC and sent to the SIEM.
Figure: A logical overview of a custom application SIEM integration.
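The sanitize-then-forward step described above, as an added example that is not part of the original article: a small POSIX shell script that masks personal data in a custom application's flat-file log on the application host and ships each line to the SIEM collector as RFC 5424 syslog. It assumes util-linux `logger`; `SIEM_HOST`, `SIEM_PORT` and `APP_TAG` are placeholders, and the log line used in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the article): sanitize a custom application's flat-file
# log on the application host and forward each line to the SIEM over syslog.
# Assumptions: util-linux `logger`; SIEM_HOST/SIEM_PORT/APP_TAG are placeholders.
set -eu
: "${SIEM_HOST:=siem-collector.example}"
: "${SIEM_PORT:=514}"
: "${APP_TAG:=erp-app}"

sanitize_line() {
    # Mask personal and secret data before it leaves the host. Over-masking a
    # 16-digit reference number is preferable to leaking a card number.
    #  - 16-digit card numbers (spaces/dashes optional) keep only the last four digits
    #  - e-mail addresses keep only the domain part
    #  - password=... values are removed entirely
    # Constructed sample: 'user=alice@example.com card=4111 1111 1111 1111 password=hunter2'
    # becomes      'user=<redacted>@example.com card=****-****-****-1111 password=<redacted>'
    printf '%s\n' "$1" | sed -E \
        -e 's/[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?([0-9]{4})/****-****-****-\1/g' \
        -e 's/[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)/<redacted>@\1/g' \
        -e 's/(password=)[^ ]+/\1<redacted>/g'
}

forward_line() {
    # RFC 5424 over TCP: the SIEM parser receives a timestamp, hostname and app
    # tag, and the tag is what the custom decoder / normalization policy keys on.
    logger --rfc5424 --tcp --server "$SIEM_HOST" --port "$SIEM_PORT" \
           --tag "$APP_TAG" --priority local3.info -- "$1"
}

forward_log() {
    # Read the flat file the application produces and ship only sanitized lines.
    while IFS= read -r line || [ -n "$line" ]; do
        forward_line "$(sanitize_line "$line")"
    done < "$1"
}

# Usage: ./forward-app-log.sh /path/to/app.log (with no argument only the functions are defined).
[ $# -eq 0 ] || forward_log "$1"
```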
How to integrate a Kali Linux system with a SIEM
The integration process differs a bit in each SIEM. However, the basic concepts are the same for all. For this tutorial, we will use the open-source Wazuh SIEM and the open-source Kali Linux OS.
Note: It is assumed that you already have a SIEM machine (the Wazuh manager) deployed and running; the following procedure is performed on the Linux endpoint.
1. Log in to the Linux machine as the root user.
2. Execute the following command to import the Wazuh repository signing key:
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
3. Execute the following command to add the Wazuh repository to your package sources:
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
4. Execute the following command to update your package sources:
apt-get update
5. Execute the following command to install the agent, replacing the IP address with your Wazuh manager IP:
WAZUH_MANAGER="192.168.1.149" apt-get install wazuh-agent
6. Execute the following commands to load, enable, and start the Wazuh agent service:
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
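The six steps above as one re-runnable script, added here as an example rather than taken from the article or the Wazuh project: it validates the manager IP, adds the repository only once, and checks that the agent service is actually running afterwards. It assumes a Debian-based host run as root; the `<address>` lookup in `/var/ossec/etc/ossec.conf` is an assumption about the agent's configuration layout.

```shell
#!/bin/sh
# Added example (not from the article): the tutorial's steps as one re-runnable
# script that validates its input and verifies the result. Assumes a Debian-based
# host run as root; the ossec.conf <address> check is an assumption about the agent config.
set -eu

valid_ipv4() {
    # Dotted quad with every octet in 0-255; anything else is rejected.
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}
wazuh_repo_line() {
    printf 'deb https://packages.wazuh.com/4.x/apt/ stable main\n'
}

add_wazuh_repo() {
    # Import the signing key and write the list file only once, so re-running the
    # script never appends duplicate repository entries.
    list=/etc/apt/sources.list.d/wazuh.list
    if [ ! -f "$list" ]; then
        curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
        wazuh_repo_line > "$list"
    fi
    apt-get update
}

install_and_start_agent() {
    # WAZUH_MANAGER is picked up during package installation to point the agent at the manager.
    WAZUH_MANAGER="$1" apt-get install -y wazuh-agent
    systemctl daemon-reload
    systemctl enable wazuh-agent
    systemctl start wazuh-agent
}

verify_agent() {
    # Fail loudly if the service is not up, then show which manager address was configured.
    systemctl is-active --quiet wazuh-agent || { echo "wazuh-agent is not running" >&2; return 1; }
    grep -n '<address>' /var/ossec/etc/ossec.conf
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    valid_ipv4 "$1" || { echo "invalid manager IP: $1" >&2; exit 1; }
    add_wazuh_repo
    install_and_start_agent "$1"
    verify_agent
}
# Act only when a manager IP is given (./enroll-agent.sh 192.168.1.149); otherwise just define the functions.
[ $# -eq 0 ] || main "$1"
```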
Conclusion
SIEM integration is one of the most critical processes in developing a mature Security Operations Center. The key to a high-performing SIEM and an effective security operation center is to select the assets that need to be integrated from the infrastructure, followed by the right logging configuration or baselining to reduce noise.