{"id":7454,"date":"2025-11-17T20:06:38","date_gmt":"2025-11-17T18:06:38","guid":{"rendered":"https:\/\/scalemedia.co.za\/cybermedia\/?p=7454"},"modified":"2025-11-20T12:10:08","modified_gmt":"2025-11-20T10:10:08","slug":"security-monitoring-siem-fundamentals-module","status":"publish","type":"post","link":"https:\/\/scalemedia.co.za\/cybermedia\/security-monitoring-siem-fundamentals-module\/","title":{"rendered":"Security Monitoring &amp; SIEM Fundamentals Module"},"content":{"rendered":"\n<div class=\"wp-block-aioseo-table-of-contents\">\r\n<ul>\r\n<li><a href=\"#siem-definition-and-fundamentals\">SIEM Definition &amp; Fundamentals<\/a>\r\n<ul>\r\n<li><a href=\"#what-is-siem\">What Is SIEM?<\/a><\/li>\r\n<\/ul>\r\n<\/li>\r\n<li><a href=\"#siem-visualization-example-1-failed-logon-attempts-all-users\">SIEM Visualization Example 1: Failed Logon Attempts (All Users)<\/a>\r\n<ul>\r\n<li><a href=\"#developing-our-first-dashboard-and-visualization\">Developing Our First Dashboard &amp; Visualization<\/a><\/li>\r\n<li><a href=\"#refining-the-visualization\">Refining The Visualization<\/a><\/li>\r\n<\/ul>\r\n<\/li>\r\n<li><a href=\"#siem-visualization-example-2-failed-logon-attempts-disabled-users\">SIEM Visualization Example 2: Failed Logon Attempts (Disabled Users)<\/a><\/li>\r\n<li><a href=\"#siem-visualization-example-3-successful-rdp-logon-related-to-service-accounts\">SIEM Visualization Example 3: Successful RDP Logon Related To Service Accounts<\/a><\/li>\r\n<li><a href=\"#siem-visualization-example-4-users-added-or-removed-from-a-local-group-within-a-specific-timeframe\">SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe)<\/a><\/li>\r\n<\/ul>\r\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"siem-definition-and-fundamentals\">SIEM Definition &amp; SIEM Fundamentals<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"what-is-siem\">What Is SIEM?<\/h3>\n\n\n\n<p>Crucial within the realm of computer protection, 
Security Information and Event Management (SIEM) refers to software products and services that combine security information management (collecting, storing and searching log data) with security event management (correlating events and raising alerts in near real time). A SIEM ingests the security alerts and log events produced by network devices, servers and applications and lets analysts search and correlate them from a single place.<\/p>\n\n\n\n<p>Core SIEM capabilities include collecting and managing log events, searching and analysing those events together with data from other sources, and operational features such as incident handling, dashboards and reporting.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"siem-visualization-example-1-failed-logon-attempts-all-users\">SIEM Visualization Example 1: Failed Logon Attempts (All Users)<\/h2>\n\n\n\n<p>Dashboards in SIEM solutions serve as containers for multiple visualizations, allowing us to organize and display data in a meaningful way.<\/p>\n\n\n\n<p>In this and the following sections, we will create a dashboard and some visualizations from scratch in Kibana, the web front end of the Elastic Stack (reachable on port 5601 in the lab).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"developing-our-first-dashboard-and-visualization\">Developing Our First Dashboard &amp; Visualization<\/h3>\n\n\n\n<p>When we visit the Dashboard page again, we are presented with a message indicating that no dashboards currently exist, together with an option to create a new dashboard and its first visualization. 
To initiate the creation of our first dashboard, we simply have to click on the &#8220;Create new dashboard&#8221; button.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FLpBYVsx8IKCv1yGgEkyF%252Fdashboard.webp%3Falt%3Dmedia%26token%3D4e383c1b-26b7-46d0-a2e4-30a515f98bc5&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=44f45b40&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Now, to initiate the creation of our first visualization, we simply have to click on the &#8220;Create visualization&#8221; button.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FZx4QQGhmjMk6Wk5hDLYp%252Fvisualization.webp%3Falt%3Dmedia%26token%3D2bdbafbc-b10b-4b21-9fa9-e3bede5c7cba&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=7512011a&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Upon initiating the creation of our first visualization, the following new window will appear with various options and settings.<\/p>\n\n\n\n<p>Before proceeding with any configuration, it is important for us to first click on the calendar icon to open the time picker. Then, we need to specify the date range as &#8220;last 15 years&#8221;. 
Finally, we can click on the &#8220;Apply&#8221; button to apply the specified date range to the data. A wide range is needed because the lab events were collected in the past; Kibana&#8217;s default window of the last 15 minutes would show nothing.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FwlmyJV51p8yOovbQ7ER4%252Fvisualization1.webp%3Falt%3Dmedia%26token%3D920c5fd2-1a9a-4999-9ff4-87f3312cf54e&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=f0309402&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>There are four things for us to notice on this window:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>A filter option that allows us to filter the data before creating a graph. For example, if our goal is to display failed logon attempts, we can use a filter to only consider event IDs that match <code>4625 \u2013 Failed logon attempt on a Windows system<\/code> (in KQL, <code>event.code: 4625<\/code>). The following image demonstrates how we can specify such a filter.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F82gqpR7Wiep5Rb25AoUF%252Fvisualization2.webp%3Falt%3Dmedia%26token%3D9bee20f5-8112-4dff-b9d0-86ead6417b1b&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=e65f8a8b&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\">\n<li>This field indicates the data set (index) that we are going to use. It is common for data from various infrastructure sources to be separated into different indices, such as network, Windows, Linux, etc. 
In this particular example, we will specify <code>windows*<\/code> in the &#8220;Index pattern&#8221;.<\/li>\n\n\n\n<li>This search bar lets us check whether a specific field exists in the selected data set, which is another way to make sure we are looking at the right data. For example, if we are interested in the <code>user.name.keyword<\/code> field, we can search for it here and confirm that it is present in the index before building on it.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FLO1uBsvV59aRoGzZ90dw%252Fvisualization11.webp%3Falt%3Dmedia%26token%3De62c33cb-2b61-4637-bc00-e8acc29b1fe8&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=1fb2bc9d&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>&#8220;Why <code>user.name.keyword<\/code> and not <code>user.name<\/code>?&#8221;, you may ask. In Elasticsearch a <code>text<\/code> field is analysed (split into tokens) for full-text search and cannot be aggregated on by default, while its <code>.keyword<\/code> sub-field stores the exact, unanalysed value. Aggregations such as the &#8220;Top values&#8221; used by Lens therefore need the <code>.keyword<\/code> field. Please refer to this <a href=\"https:\/\/stackoverflow.com\/questions\/48869795\/difference-between-a-field-and-the-field-keyword\" target=\"_blank\" rel=\"noopener\">stackoverflow question<\/a> for a more elaborate answer.<\/p>\n\n\n\n<ol class=\"wp-block-list\" start=\"4\">\n<li>Lastly, this drop-down menu enables us to select the type of visualization we want to create. The default option displayed in the earlier image is &#8220;Bar vertical stacked&#8221;. If we click on that button, it will reveal additional available options (image redacted as not all options fit on the screen). 
From this expanded list, we can choose the desired visualization type that best suits our requirements and data presentation needs.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FNy7rZwsXIEkBIWT1GcWs%252Fvisualization4.webp%3Falt%3Dmedia%26token%3D6e522fdb-ad6d-4c0a-81af-5f38d268cc0f&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=66d0833f&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>For this visualization, let&#8217;s select the &#8220;Table&#8221; option. After selecting the &#8220;Table&#8221;, we can proceed to click on the &#8220;Rows&#8221; option. This will allow us to choose the specific data elements that we want to include in the table view.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FIM4aTU17AvmBekSa4RYo%252Fvisualization5.webp%3Falt%3Dmedia%26token%3Dba273822-d47b-4947-8d81-4a0a38a5b495&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=e6914e07&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Let&#8217;s configure the &#8220;Rows&#8221; settings as follows.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fy590RblpiNfsqP5QD1yu%252Fvisualization6.webp%3Falt%3Dmedia%26token%3D5f140afe-0df7-4f87-86d5-b783cec79a83&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=9864ef07&amp;sv=2\" 
alt=\"\"\/><\/figure>\n\n\n\n<p><strong>Note<\/strong>: You will notice <code>Rank by Alphabetical<\/code> and not <code>Rank by Count of records<\/code> like in the screenshot above. This is OK. By the time you perform the next configuration below, <code>Count of records<\/code> will become available.<\/p>\n\n\n\n<p>Moving forward, let&#8217;s close the &#8220;Rows&#8221; window and proceed to enter the &#8220;Metrics&#8221; configuration.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FePDPkpT8HDDqzQPDnCO8%252Fvisualization7.webp%3Falt%3Dmedia%26token%3D145f50d9-8dd3-4ed7-b0ae-d8567855189e&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=9b79bef5&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>In the &#8220;Metrics&#8221; window, let&#8217;s select &#8220;count&#8221; as the desired metric.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FiaVIVNmJzIIwhzVMhtDO%252Fvisualization8.webp%3Falt%3Dmedia%26token%3Da8521531-b8d1-4d38-b420-ee5f6d57de8e&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=71e0c692&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>As soon as we select &#8220;Count&#8221; as the metric, we will observe that the table gets populated with data (assuming that there are events present in the selected data set)<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FK5stFmDoyKaR3sEA6aIe%252Fvisualization9.webp%3Falt%3Dmedia%26token%3D1051dbc6-fa08-40bb-a51f-7e2a013fc482&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=76d96a84&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>One final addition to the table is to include another &#8220;Rows&#8221; setting to show the machine where the failed logon attempt occurred. To do this, we will select the <code>host.hostname.keyword<\/code> field, which represents the computer reporting the failed logon attempt. This will allow us to display the hostname or machine name alongside the count of failed logon attempts, as shown in the image.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FOeoMGCP8NcodeGoNTUMs%252Fvisualization12.webp%3Falt%3Dmedia%26token%3D1ddb506e-673c-42df-b721-921e54f7195b&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=c7d8a077&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"refining-the-visualization\">Refining The Visualization<\/h3>\n\n\n\n<p>Suppose the SOC Manager suggested the following refinements:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Clearer column names should be specified in the visualization<\/li>\n\n\n\n<li>The Logon Type should be included in the visualization<\/li>\n\n\n\n<li>The results in the visualization should be sorted<\/li>\n\n\n\n<li>The DESKTOP-DPOESND, WIN-OK9BH1BCKSD, and WIN-RMMGJA7T9TC usernames should not be monitored<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/fundamentals\/service-accounts-computer\" 
target=\"_blank\" rel=\"noopener\">Computer accounts<\/a> (account names ending in <code>$<\/code>) should be excluded; including machine accounts in a user-focused failed-logon view is not good practice<\/li>\n<\/ul>\n\n\n\n<p>Let&#8217;s refine the visualization we created, so that it fulfills the suggestions above.<\/p>\n\n\n\n<p>Navigate to <code>http:\/\/[Target IP]:5601<\/code>, click on the side navigation toggle, and click on &#8220;Dashboard&#8221;.<\/p>\n\n\n\n<p>The dashboard we previously created should be visible. Let&#8217;s click on the &#8220;pencil&#8221;\/edit icon.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FdkJcr0nZr9gp0nq06VtM%252Fvisualization16.webp%3Falt%3Dmedia%26token%3Dde427c2e-a1dc-4474-a73b-df5f47176ac2&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=8c5c84ea&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Let&#8217;s now click on the &#8220;gear&#8221; button at the upper-right corner of our visualization, and then click on &#8220;Edit lens&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fix1V3gMSfHMlx7eWvWjs%252Fvisualization18.webp%3Falt%3Dmedia%26token%3D831213cf-52ec-48a5-8380-7892d2daa1e4&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=bddc804a&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>&#8220;Top values of user.name.keyword&#8221; should be changed as follows.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FvmxrS9I1250fPXYbKkDe%252Fvisualization19.webp%3Falt%3Dmedia%26token%3Db28d5796-0471-483b-87a8-adadd00e993b&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=17be9ce4&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F9R74kvU68NvqUQ7gOgj5%252Fvisualization17.webp%3Falt%3Dmedia%26token%3D67f61c24-6a92-48ce-9acc-048eb1c87f59&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=1f36903b&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>&#8220;Top values of host.hostname.keyword&#8221; should be changed as follows.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FF2HVLWuCkePePSPhNWZ8%252Fvisualization20.webp%3Falt%3Dmedia%26token%3De42ae55b-a0b9-4e4c-8c94-479cca4d9cb9&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=5407f75d&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>The &#8220;Logon Type&#8221; can be added as follows (we will use the <code>winlog.logon.type.keyword<\/code> field).<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FPdH47JPjX3FlxqS3LRzA%252Fvisualization21.webp%3Falt%3Dmedia%26token%3Dd8004562-37b0-49a6-9d0a-e5e8c0461b3e&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=cc80c4e3&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FAPUvNFRdE309fFWKkUbh%252Fvisualization22.webp%3Falt%3Dmedia%26token%3D4b2c8599-2465-4733-a88b-de7c9c6cfb2f&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=76198a62&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>&#8220;Count of records&#8221; should be changed as follows.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FtLfi3jLtIa8xHz4O7Fik%252Fvisualization23.webp%3Falt%3Dmedia%26token%3D9b65eaad-2c12-456d-a89a-74d4fafd0fee&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=12ae0622&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>We can introduce result sorting as follows.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FhgGgCdtlq3BcH8RoIoIG%252Fvisualization25.webp%3Falt%3Dmedia%26token%3D3ccdc892-3c73-40c7-9314-80de546daa57&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=61eed54b&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>All we have to do now is click on &#8220;Save and return&#8221;.<\/p>\n\n\n\n<p>The DESKTOP-DPOESND, WIN-OK9BH1BCKSD, and WIN-RMMGJA7T9TC usernames can be excluded by specifying additional filters as follows.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FBnyjsjZ2du2ZDdaYVNpy%252Fvisualization24.webp%3Falt%3Dmedia%26token%3D49bc7f2d-dfb6-4645-ab87-22072f10ac07&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=c72335a5&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Computer accounts can be excluded by specifying the following KQL query and clicking on the &#8220;Update&#8221; button.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>NOT user.name: *$ AND winlog.channel.keyword: Security<\/code><\/pre>\n\n\n\n<p><code>NOT user.name: *$<\/code> drops every account whose name ends in <code>$<\/code>, which is how Windows names computer accounts. The <code>AND winlog.channel.keyword: Security<\/code> part restricts the result to events from the Windows Security log, so that no unrelated logs are accounted for.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FWf5jDiHof2eqj6peSuy2%252Fvisualization34.webp%3Falt%3Dmedia%26token%3De5d1175e-78b7-4d96-9ca6-8eb0caa4cf1b&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=a9a00a2e&amp;sv=2\" 
alt=\"\"\/><\/figure>\n\n\n\n<p>This is our visualization after all the refinements we performed.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F4z2BqCSZPzMK6yw7DQYY%252Fvisualization35.webp%3Falt%3Dmedia%26token%3D0165f83a-44cb-44aa-8486-1547bf04152c&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=ebef1026&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Finally, let&#8217;s give our visualization a title by clicking on &#8220;No Title&#8221;.<\/p>\n\n\n\n<p>1) Navigate to http:\/\/[Target IP]:5601, click on the side navigation toggle, and click on &#8220;Dashboard&#8221;. Browse the refined visualization we created or the &#8220;Failed logon attempts [All users]&#8221; visualization, if it is available, and enter the number of failed logon attempts for the sql-svc1 account as your answer.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FyPSY0E0neXmBaWQBPhNm%252FScreenshot%2818%29.png%3Falt%3Dmedia%26token%3Dcb707030-8768-4eb7-a8a8-5834df7aea8b&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=b878d770&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Answer: 2<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"siem-visualization-example-2-failed-logon-attempts-disabled-users\">SIEM Visualization Example 2: Failed Logon Attempts (Disabled Users)<\/h2>\n\n\n\n<p>In this SIEM visualization example we want to create a visualization to monitor failed logon attempts against disabled users.<\/p>\n\n\n\n<p>We mention &#8220;failed&#8221; because it is not possible to log in with a disabled user, so it will never be 
successful even if the correct credentials are provided. When the correct credentials are supplied for a disabled account, the 4625 event carries an additional SubStatus value of 0xC0000072, which records the reason for the failure (the account is disabled).<\/p>\n\n\n\n<p>As in the previous example, we first filter the data before building the visualization. Here our goal is to display failed logon attempts against disabled users only, so we again restrict the data to event IDs matching <code>4625 \u2013 Failed logon attempt on a Windows system<\/code>, and additionally require the SubStatus field (<code>winlog.event_data.SubStatus<\/code>) to be 0xC0000072, the value that marks a logon attempt against a disabled account. The following image demonstrates how we can specify such a filter.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FDHb22fOpi94xRXmGnVQo%252Fvisualization30.webp%3Falt%3Dmedia%26token%3D748aa6ce-9e0e-4809-90fa-790ae42c768b&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=c33dd5c5&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>1) Navigate to http:\/\/[Target IP]:5601, click on the side navigation toggle, and click on &#8220;Dashboard&#8221;. Either create a new visualization or edit the &#8220;Failed logon attempts [Disabled user]&#8221; visualization, if it is available, so that it includes failed logon attempt data related to disabled users including the logon type. 
What is the logon type in the returned document?<\/p>\n\n\n\n<p>I filtered the data by event code 4625 and SubStatus 0xC0000072 to identify disabled users with failed logon attempts.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fg5FH3Gi9T1S4l3W9MMFu%252FScreenshot%2819%29.png%3Falt%3Dmedia%26token%3D2239ad31-e68e-466a-b28a-c498e92cd023&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=6a8c0a57&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>The question asks for the logon type, so let\u2019s include it in the table (the <code>winlog.logon.type.keyword<\/code> field, as in the first example).<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FporJHhuxF5dqpijArfQI%252FScreenshot%2820%29.png%3Falt%3Dmedia%26token%3D48dcba20-340c-4f36-8dbb-89564003b8d1&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=149093dd&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Answer: Interactive<\/p>\n\n\n\n<p>2) Navigate to http:\/\/[Target IP]:5601, click on the side navigation toggle, and click on &#8220;Dashboard&#8221;. Either create a new visualization or edit the &#8220;Failed logon attempts [Admin users only]&#8221; visualization, if it is available, so that it includes failed logon attempt data where the username field contains the keyword &#8220;admin&#8221; anywhere within it. 
What should you specify after user.name: in the KQL query?<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FDcTizkDnnF5NEDyzZTGt%252FScreenshot%2823%29.png%3Falt%3Dmedia%26token%3D0ca44370-2bab-463e-8eb9-2264b69d495b&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=daf318a2&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Answer: *admin* (the complete filter reads <code>user.name: *admin*<\/code>)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"siem-visualization-example-3-successful-rdp-logon-related-to-service-accounts\">SIEM Visualization Example 3: Successful RDP Logon Related To Service Accounts<\/h2>\n\n\n\n<p>In this SIEM visualization example, we aim to create a visualization to monitor successful RDP logons specifically related to service accounts. Service accounts should not be used for interactive RDP logons, and in a well-run environment they never are, so any successful RDP logon with such an account deserves investigation: it usually means either an operator misusing the account or an attacker using stolen credentials. We have been informed by the IT Operations department that all service accounts on the environment start with <code>svc-<\/code>.<\/p>\n\n\n\n<p>The motivation for this visualization stems from the fact that service accounts often possess exceptionally high privileges. We need to keep a close eye on how service accounts are used.<\/p>\n\n\n\n<p>Our visualization will be based on the following Windows event log.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.ultimatewindowssecurity.com\/securitylog\/encyclopedia\/event.aspx?eventid=4624\" target=\"_blank\" rel=\"noopener\">4624: An account was successfully logged on<\/a><\/li>\n<\/ul>\n\n\n\n<p>1) Navigate to http:\/\/[Target IP]:5601, click on the side navigation toggle, and click on &#8220;Dashboard&#8221;. 
Browse the visualization we created or the &#8220;RDP logon for service account&#8221; visualization, if it is available, and enter the IP of the machine that initiated the successful RDP logon using service account credentials as your answer.<\/p>\n\n\n\n<p>Let\u2019s begin by filtering on event code 4624. Only successful logons are of interest here, so 4625 (failed logon) is left out. We then restrict the username to <code>svc-*<\/code> and add the necessary values to the table, including the source IP address recorded in the event, which identifies the machine the RDP session came from.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F3QvPfqTQigyyq1coYdFT%252FScreenshot%2824%29.png%3Falt%3Dmedia%26token%3D2db9ad1e-ec0f-48cf-aa04-2bb4c6008146&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=3c88cdfe&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>We should also filter on logon type RemoteInteractive (logon type 10 in the raw event). This type of logon session is recorded when a user connects to a computer over the network through Remote Desktop Services (RDP).<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FBXkBSuj5iYX0nbYDFKeK%252FScreenshot%2825%29.png%3Falt%3Dmedia%26token%3Da9a5d6ac-2aca-480f-8482-56b317ad35a5&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=9140ea9f&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FYWwj94FxeE7J946XQVaq%252FScreenshot%2826%29.png%3Falt%3Dmedia%26token%3D1f8ce5da-3115-4e9c-95c9-20e1653cd5aa&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=39c8420f&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Answer: 192.168.28.130<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"siem-visualization-example-4-users-added-or-removed-from-a-local-group-within-a-specific-timeframe\">SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe)<\/h2>\n\n\n\n<p>In this SIEM visualization example, we aim to create a visualization to monitor user additions or removals from the local &#8220;Administrators&#8221; group from March 5th 2023 to date.<\/p>\n\n\n\n<p>Our visualization will be based on the following Windows event logs.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.ultimatewindowssecurity.com\/securitylog\/encyclopedia\/event.aspx?eventid=4732\" target=\"_blank\" rel=\"noopener\">4732: A member was added to a security-enabled local group<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.ultimatewindowssecurity.com\/securitylog\/encyclopedia\/event.aspx?eventid=4733\" target=\"_blank\" rel=\"noopener\">4733: A member was removed from a security-enabled local group<\/a><\/li>\n<\/ul>\n\n\n\n<p>As before, we first filter the data before building the visualization. Here our goal is to display user additions to and removals from the local &#8220;Administrators&#8221; group, so we only consider event IDs that match <code>4732 \u2013 A member was added to a security-enabled local group<\/code> and <code>4733 \u2013 A member was removed from a security-enabled local group<\/code> (in KQL, <code>event.code: (4732 or 4733)<\/code>). 
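<\/p>\n\n\n\n<p>The following Python script is an added example and is not part of the original module or of the lab environment. It re-implements the filter and grouping logic of the four visualizations on this page (failed logons with computer accounts and the excluded usernames dropped, failed logons against disabled accounts, successful RemoteInteractive logons by <code>svc-<\/code> accounts, and Administrators group changes inside a time window) over a handful of constructed winlogbeat-style events, so the logic can be read and tested without Kibana. Field names follow the ones used on this page; the sample events, the <code>matches<\/code> helper and the <code>event.action<\/code> strings are assumptions made for the example.<\/p>

```python
"""Added example, not part of the original module: the filter and grouping
logic of the page's four Lens visualizations, re-implemented in plain Python
over constructed winlogbeat-style (ECS) events. Field names follow the page;
the sample events, the event.action strings and matches() are assumptions."""
from collections import Counter
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample events with flattened ECS keys (not real log data).
EVENTS = [
    {"@timestamp": "2023-03-01T09:00:00Z", "event.code": "4625", "winlog.channel": "Security",
     "user.name": "sql-svc1", "host.hostname": "WS01", "winlog.logon.type": "Network"},
    {"@timestamp": "2023-03-02T09:05:00Z", "event.code": "4625", "winlog.channel": "Security",
     "user.name": "sql-svc1", "host.hostname": "WS01", "winlog.logon.type": "Network"},
    {"@timestamp": "2023-03-02T10:00:00Z", "event.code": "4625", "winlog.channel": "Security",
     "user.name": "WS01$", "host.hostname": "DC01", "winlog.logon.type": "Network"},
    {"@timestamp": "2023-03-03T11:00:00Z", "event.code": "4625", "winlog.channel": "Security",
     "user.name": "jdoe", "host.hostname": "WS02", "winlog.logon.type": "Interactive",
     "winlog.event_data.SubStatus": "0xC0000072"},
    {"@timestamp": "2023-03-04T08:00:00Z", "event.code": "4624", "winlog.channel": "Security",
     "user.name": "svc-backup", "host.hostname": "SRV01",
     "winlog.logon.type": "RemoteInteractive", "source.ip": "192.168.28.130"},
    {"@timestamp": "2023-03-04T08:30:00Z", "event.code": "4624", "winlog.channel": "Security",
     "user.name": "svc-backup", "host.hostname": "SRV01", "winlog.logon.type": "Service"},
    {"@timestamp": "2023-03-06T12:00:00Z", "event.code": "4732", "winlog.channel": "Security",
     "group.name": "Administrators", "event.action": "added-member-to-group",
     "winlog.event_data.MemberSid": "S-1-5-21-1-2-3-1105", "host.name": "SRV01"},
    {"@timestamp": "2023-03-01T12:00:00Z", "event.code": "4733", "winlog.channel": "Security",
     "group.name": "Administrators", "event.action": "removed-member-from-group",
     "winlog.event_data.MemberSid": "S-1-5-21-1-2-3-1106", "host.name": "SRV01"},
]

# Usernames the SOC manager asked to drop from the failed-logon view.
EXCLUDED_USERS = {"DESKTOP-DPOESND", "WIN-OK9BH1BCKSD", "WIN-RMMGJA7T9TC"}


def matches(event, criteria):
    """AND of field conditions, in the spirit of a KQL query. Each value is a
    glob (so "*$" matches computer accounts) or a list of globs meaning OR.
    A field missing from the event never matches, as in KQL."""
    for field, wanted in criteria.items():
        if field not in event:
            return False
        options = wanted if isinstance(wanted, list) else [wanted]
        if not any(fnmatchcase(str(event[field]), o) for o in options):
            return False
    return True


def failed_logons(events, user_glob="*"):
    """Example 1: event 4625 from the Security channel, computer accounts
    (names ending in $) and the excluded usernames dropped, counted per
    (user, host, logon type) and sorted by count, highest first.
    user_glob="*admin*" gives the "Admin users only" variant."""
    counts = Counter()
    for e in events:
        if not matches(e, {"event.code": "4625", "winlog.channel": "Security"}):
            continue
        user = e.get("user.name", "")
        if user.endswith("$") or user in EXCLUDED_USERS:
            continue
        if not fnmatchcase(user.lower(), user_glob.lower()):
            continue
        counts[(user, e.get("host.hostname"), e.get("winlog.logon.type"))] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


def failed_logons_disabled_users(events):
    """Example 2: 4625 whose SubStatus 0xC0000072 says the account is disabled."""
    crit = {"event.code": "4625", "winlog.event_data.SubStatus": "0xC0000072"}
    return [(e["user.name"], e["winlog.logon.type"]) for e in events if matches(e, crit)]


def rdp_logons_service_accounts(events):
    """Example 3: successful (4624) RemoteInteractive logons, i.e. RDP, by
    accounts named svc-*; returns the connecting machine's IP with each hit."""
    crit = {"event.code": "4624", "winlog.logon.type": "RemoteInteractive",
            "user.name": "svc-*"}
    return [(e["user.name"], e["host.hostname"], e["source.ip"])
            for e in events if matches(e, crit)]


def admin_group_changes(events, since="2023-03-05T00:00:00+00:00"):
    """Example 4: 4732/4733 against the local Administrators group at or after
    `since` (the March 5th 2023 start of the page's time window)."""
    start = datetime.fromisoformat(since)
    crit = {"event.code": ["4732", "4733"], "group.name": "Administrators"}
    hits = []
    for e in events:
        stamp = datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))
        if stamp >= start and matches(e, crit):
            hits.append((e["winlog.event_data.MemberSid"], e["event.action"], e["host.name"]))
    return hits


if __name__ == "__main__":
    print("Failed logons:", failed_logons(EVENTS))
    print("Failed logons, admin accounts:", failed_logons(EVENTS, "*admin*"))
    print("Failed logons, disabled accounts:", failed_logons_disabled_users(EVENTS))
    print("RDP logons by service accounts:", rdp_logons_service_accounts(EVENTS))
    print("Administrators changes since 2023-03-05:", admin_group_changes(EVENTS))
```

<p>Running the script prints the rows each visualization would show for the sample data: two failed logons for sql-svc1, none for the computer account WS01$, one disabled-account failure with logon type Interactive, one RDP logon by svc-backup from 192.168.28.130, and one Administrators change after March 5th. The <code>matches<\/code> helper treats its criteria like a KQL query joined with AND, so the list value used for <code>event.code<\/code> corresponds to <code>event.code: (4732 or 4733)<\/code>, and the <code>$<\/code> suffix check plays the role of <code>NOT user.name: *$<\/code> from the first example.<\/p>\n\n\n\n<p>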
We can also use a filter to only consider 4732 and 4733 events where the local group is the &#8220;Administrators&#8221; one.<\/p>\n\n\n\n<p>For this visualization, let&#8217;s select the &#8220;Table&#8221; option. After selecting the &#8220;Table&#8221;, we can proceed to click on the &#8220;Rows&#8221; option. This will allow us to choose the specific data elements that we want to include in the table view.<\/p>\n\n\n\n<p>One final addition to the table is to include some more &#8220;Rows&#8221; settings to enhance our understanding.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Which user was added to or removed from the group? (<code>winlog.event_data.MemberSid.keyword<\/code> field)<\/li>\n\n\n\n<li>To which group was the addition or the removal performed? (double-checking that it is the &#8220;Administrators&#8221; one) (<code>group.name.keyword<\/code> field)<\/li>\n\n\n\n<li>Was the user added to or removed from the group? (<code>event.action.keyword<\/code> field)<\/li>\n\n\n\n<li>On which machine did the action occur? 
(<code>host.name.keyword<\/code> field)<\/li>\n<\/ul>\n\n\n\n<p>Click on &#8220;Save and return&#8221;, and you will observe that the new visualization is added to the dashboard.<\/p>\n\n\n\n<p>As discussed, we want to monitor user additions or removals from the local &#8220;Administrators&#8221; group <em>within a specific timeframe (March 5th 2023 to date)<\/em>.<\/p>\n\n\n\n<p>We can narrow the scope of our visualization as follows.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F0YGQ83wg5xC0ZCK60ORE%252Fvisualization47.png%3Falt%3Dmedia%26token%3D3067adea-1da5-4a27-b07f-117d2768d01c&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=d3bff923&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FITh9bgL2NURRyw6GhNPM%252Fvisualization48.webp%3Falt%3Dmedia%26token%3Df4095ead-55a8-4ba3-94aa-ba819a38ceaa&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=4e633ab5&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fy3leQ8h7onXuJCGKVtab%252Fvisualization50.webp%3Falt%3Dmedia%26token%3Db31809ac-d20b-468c-a961-33a202c0bcbe&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=8d31dba9&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>1) Navigate to http:\/\/[Target IP]:5601, click on the side navigation toggle, 
and click on &#8220;Dashboard&#8221;. Extend the visualization we created or the &#8220;User added or removed from a local group&#8221; visualization, if it is available, and enter the common date on which all returned events took place as your answer. Answer format: 20XX-0X-0X<\/p>\n\n\n\n<p>First, let\u2019s filter events with event codes <code>4732<\/code> and <code>4733<\/code> and narrow down the results by the group name <code>administrators<\/code>.<\/p>\n\n\n\n<p>To monitor users being added to or removed from a local group in Windows, you should look for specific event codes in the Security event log:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>4732<\/strong>: Indicates that a user was added to a security-enabled local group. The event will include details such as the name of the group and the account of the user who was added.<\/li>\n\n\n\n<li><strong>4733<\/strong>: Indicates that a user was removed from a security-enabled local group. This event will provide information about the group and the user who was removed.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FpMdqkRrQAENsT2W9o0BP%252FScreenshot%2828%29.png%3Falt%3Dmedia%26token%3Ded7eb609-a96d-45b0-b587-5f09f3675809&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=3a567adb&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Then let&#8217;s add the necessary fields to the table:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>(<code>winlog.event_data.MemberSid.keyword<\/code> field)<\/li>\n\n\n\n<li>(<code>group.name.keyword<\/code> field)<\/li>\n\n\n\n<li>(<code>event.action.keyword<\/code> field)<\/li>\n\n\n\n<li>(<code>host.name.keyword<\/code> field)<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FoHlztSEgl94wXLDwy9C1%252FScreenshot%2829%29.png%3Falt%3Dmedia%26token%3Dfba7a7e1-b364-4959-bc90-097d6fffeb49&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=5208ef00&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Then let&#8217;s save and return.<\/p>\n\n\n\n<p>As discussed, we want to monitor user additions or removals from the local &#8220;Administrators&#8221; group <em>within a specific timeframe (March 5th 2023 to date)<\/em>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FlUN22B251a5lS20b88Gk%252FScreenshot%2830%29.png%3Falt%3Dmedia%26token%3D1cb2763d-1011-4244-a85c-32bbf0117b05&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=7d35d498&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/faresbltagy.gitbook.io\/footprintinglabs\/~gitbook\/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FelOHUzN1yAKgUXFY3c1M%252FScreenshot%2831%29.png%3Falt%3Dmedia%26token%3Ddc5cd8af-d56d-443f-ada3-f193f27a185e&amp;width=768&amp;dpr=4&amp;quality=100&amp;sign=b76bbd83&amp;sv=2\" alt=\"\"\/><\/figure>\n\n\n\n<p>Answer: 2023-03-05<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SIEM Definition &amp; SIEM Fundamentals What Is SIEM? 
Crucial within the realm of computer protection, Security Information and Event Management (SIEM) encompasses the utilization of software offerings and solutions that merge the management of security data with the supervision of security events. These instruments facilitate real-time evaluations of alerts related to security, which are produced&#8230;<\/p>\n","protected":false},"author":1,"featured_media":7466,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[29],"tags":[],"class_list":["post-7454","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-htb-notes-and-labs"],"_links":{"self":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/posts\/7454","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/comments?post=7454"}],"version-history":[{"count":3,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/posts\/7454\/revisions"}],"predecessor-version":[{"id":7563,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/posts\/7454\/revisions\/7563"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/media\/7466"}],"wp:attachment":[{"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/media?parent=7454"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/categories?post=745
4"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/scalemedia.co.za\/cybermedia\/wp-json\/wp\/v2\/tags?post=7454"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}