Compilation of SIEM labs | Poor Man’s SIEM (Event Viewer), LimaCharlie, ELK, Graylog, and more…
This post outlines my experience experimenting with SIEM deployment and log analysis.
It is structured differently from my other posts. Each SIEM project gets a quick summary and a link to a more thorough post as I write them. This lets me keep the page expanding and future-proof. Check back for updates!
Poor Man’s SIEM (Event Viewer)
Link to post – Coming Soon…
Introduced in John Strand’s Active Defense and Cyber Deception course, this post walks through my experience with a “honey user” lab exercise, using Event Viewer as the “log” to identify changes to Windows user accounts. Deployment is quick and easy, and it takes only a matter of seconds to understand the benefits of a SIEM.
ELK EDR Exercise with Sysmon
Link to post – Coming Soon…
Showcased by John Strand, this lab deploys ELK using a cloud free trial to stand up a solution that is closer to industry standard. An agent is deployed on a Windows machine so that we can take advantage of the integration to ingest Sysmon logs.
LimaCharlie EDR Exercise with Sysmon, Sliver Command and Control, Fun Payloads, Detection Engineering
Link to post – Coming Soon…
Showcased by Eric Capuano and Simply Cyber (Gerald Auger), this lab uses LimaCharlie’s free-tier EDR solution. An agent is deployed on a Windows machine so that we can ingest Sysmon logs. We can then experiment with a Sliver C2 payload executed on the Windows system while analyzing the “threat actor” through the EDR solution. By “threat actor”, I mean that we simulate one using an attacker Ubuntu virtual machine.
Graylog and Kibana with pfSense
Link to post – Coming Soon…
This is part of my home project with pfSense. I successfully ingest my pfSense logs into Graylog, an open-source SIEM solution, and visualize the data with Kibana as a front end. The Graylog instance runs on an Ubuntu virtual machine.
Resources:
Nothing quite yet. This is a post in its early stages.