Tyler Wall

How to Figure Out the Directionality of SIEM Logs

Updated: Dec 8


Directionality of SIEM Logs

So you've just picked up your first ticket in the SOC. What do you do now? I hope you're beginning by writing out the five steps of the 5-step SOC Methodology:


1. Reason
2. Supporting Evidence
3. Analysis
4. Conclusion
5. Next Steps


Under Reason, you record the signature that fired, or whatever particular reason caused this alarm to trigger.


Begin documenting all of the supporting evidence for the alarm, adding source and destination to their appropriate categories as you do so.


You are doing this because it's imperative to know the directionality of SIEM logs. The traffic comes from where, to where, over what port, and by what protocol.


Let me say that again: the traffic is coming from what IP, to what IP, over what port, and over what protocol?


Once you have that written down, you can visualize the primary intent of the traffic. In networking terms, the destination port is the open service that the source IP address is trying to contact. If no service is running on that port, or if the port is not open, then the source IP address cannot connect to the destination IP address.


So, the next thing you want to see is whether the connection was successful. Just because an attacker tried to connect to a service doesn't mean the service was there and accepted the connection. The attempt can be rejected by the firewall, or by the host itself if the port is closed, and there is usually evidence of that in the packets or flow data.


Splunk log showing a successful connection

In our Cyber Range, you can see that the dionaea_action field shows the connection was accepted, resulting in a successful connection to the honeypot. This is a field the honeypot writes into the log to let us know that the traffic was allowed into the host, so there is no host-based firewall preventing the traffic from entering and making a connection. There may be a similar log entry if a firewall in front of this honeypot recorded that the connection was allowed. If the connection was rejected, you can likely close the alert as benign or as a false positive. Benign means the activity happened but couldn't hurt anything.


It's essential to know the directionality of traffic and where a connection started. If you see that the source port is 80 and the destination port is 3932, then it is likely to be return traffic, and you're not looking at the first packet in the sequence. You know this because port 80 is a low, well-known port (typically below 1024), and these are reserved for host services, whereas a client picks a high ephemeral port for its side of the connection.


Port 80 is typically a web server, so it only makes sense that this is a web server returning traffic, and you then need to verify that. However, it is not unusual to land on an event where this particular packet is the one that caused the alarm to trigger, even though it wasn't the origin of the traffic, and the SIEM has its directionality backward. Now you know that this traffic should be reversed, and that the true source IP address is the one with the high source port. Once you understand the traffic flow and have checked whether it matches the intent of the reason the alarm fired, you can typically close these out as false positives quickly.
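The two checks above (is the record really the first packet, and was the connection accepted?) can be turned into a small triage helper. This is an added example, not code from the original post or from the Cyber NOW range; the field names, the sample records and the accepted/reject values are constructed for illustration, and only `dionaea_action` is taken from the post.

```python
# Added example: flip SIEM records whose directionality is backward and
# triage the connection outcome, as described in the post.
from dataclasses import dataclass

WELL_KNOWN_LIMIT = 1024  # ports below this are reserved for host services


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    action: str  # e.g. dionaea_action or a firewall verdict (values assumed)


def looks_reversed(flow: Flow) -> bool:
    """True when the record is probably return traffic: the 'source' sits on a
    well-known service port and the 'destination' on an ephemeral client port
    (the 80 -> 3932 case). Records where both ports are low, or both high,
    are left alone because the ports alone cannot settle the direction."""
    return flow.src_port < WELL_KNOWN_LIMIT <= flow.dst_port


def normalise(flow: Flow) -> Flow:
    """Return a copy with the real initiator on the source side."""
    if looks_reversed(flow):
        return Flow(flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port,
                    flow.protocol, flow.action)
    return flow


def triage(flow: Flow) -> dict:
    """Fill the Supporting Evidence step: who initiated, to which service,
    was it accepted, and a first-pass conclusion for the analyst."""
    f = normalise(flow)
    accepted = f.action.lower() in {"accept", "accepted", "allow", "allowed"}
    return {
        "initiator": f.src_ip,
        "service": f"{f.dst_ip}:{f.dst_port}/{f.protocol}",
        "reversed_by_siem": looks_reversed(flow),
        "connection_accepted": accepted,
        "verdict": "investigate" if accepted else "likely benign / false positive",
        "evidence": f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} "
                    f"over {f.protocol}, action={f.action}",
    }


# Constructed sample records (RFC 5737 documentation addresses).
SAMPLES = [
    Flow("203.0.113.7", 51234, "10.0.0.5", 445, "tcp", "accepted"),  # honeypot accepted
    Flow("10.0.0.5", 80, "198.51.100.9", 3932, "tcp", "accepted"),   # return traffic, reversed
    Flow("203.0.113.7", 40001, "10.0.0.5", 3389, "tcp", "reject"),   # closed port
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```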




Cyber NOW Education: How do you start a career in cybersecurity

Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University and the CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect, and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts.


You can connect with him on LinkedIn.


You can sign up for a Lifetime Membership of Cyber NOW® with a special deal for 15% off with coupon code "KB15OFF" which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits.


Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on fun labs in Microsoft Azure, leaving you with the know-how to create a gig in Fiverr or Upwork to start your cybersecurity freelancing.


Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist. Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer.


Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, and winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in beautiful paperback, kindle, or PDF versions. The downloadable PDF version can be grabbed here.

