Open Source Threat Detection And Incident Response SIEM Tool

AlienVault OSSIM is an open source security information and event management (SIEM) tool for real-time threat detection. It is used in many organizations to monitor websites, databases, data centers, servers, desktops, applications, and other information devices for suspicious activity in real time. Many other basic threat-monitoring tools are also available, as suggested by researchers of the International Institute of Cyber Security.

  • SIEM is a combination of two different types of technologies:
    • SIM (Security Information Management) – log collection and report generation.
    • SEM (Security Event Manager) – real-time analysis and correlation of events.
  • The tool's core features are Event Collection, Event Normalization, and Event Correlation:
    • Event Collection: collects the logs of information devices such as servers, firewalls, and routers in our environment.
    • Event Normalization: extracts the collected log data and stores it in a common structure containing fields such as IP address, hostname, username, port, etc.
    • Event Correlation: correlates the events collected from across the environment so that related activity on different devices can be identified.
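To make the collect/normalize/correlate pipeline concrete, here is an added Python example (not part of the original article and not OSSIM's own code) that normalizes constructed sshd and firewall syslog lines into a common field schema and then correlates them by source IP; the log formats, field names, and the failure threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines from two device types (assumed formats, not OSSIM's own)
SAMPLE_LOGS = [
    "Mar 10 10:01:02 srv01 sshd[2210]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Mar 10 10:01:04 srv01 sshd[2211]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "Mar 10 10:01:05 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Mar 10 10:01:07 srv01 sshd[2212]: Failed password for admin from 203.0.113.7 port 51124 ssh2",
    "Mar 10 10:01:09 srv02 sshd[3310]: Accepted password for alice from 10.0.0.20 port 40022 ssh2",
]

# Parsers for the two assumed device formats (sshd on servers, netfilter on a firewall)
SSH_RE = re.compile(r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")

FW_RE = re.compile(r"^\S+ \d+ \S+ (?P<host>\S+) kernel: (?P<action>DROP|ACCEPT) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<port>\d+)")

def normalize(line):
    """Event normalization: map one raw device line onto a common field schema."""
    m = SSH_RE.match(line)
    if m:
        return {"host": m["host"], "src_ip": m["src"], "user": m["user"], "port": int(m["port"]),
                "event": "auth_fail" if m["result"] == "Failed" else "auth_ok"}
    m = FW_RE.match(line)
    if m:
        return {"host": m["host"], "src_ip": m["src"], "dst_ip": m["dst"], "port": int(m["port"]),
                "event": "fw_drop" if m["action"] == "DROP" else "fw_accept"}
    return None  # unknown format: needs a new parser rather than being silently dropped

def correlate(events, threshold=3):
    """Event correlation: group normalized events from all devices by source IP and
    flag any source with >= threshold auth failures that the firewall also dropped."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = sum(1 for e in evs if e["event"] == "auth_fail")
        drops = sum(1 for e in evs if e["event"] == "fw_drop")
        if fails >= threshold and drops >= 1:
            alerts.append({"src_ip": src, "auth_fail": fails, "fw_drop": drops,
                           "hosts": sorted({e["host"] for e in evs})})
    return alerts

def run_pipeline(lines=SAMPLE_LOGS):
    """Event collection (lines from many devices) -> normalization -> correlation."""
    events = [e for e in map(normalize, lines) if e is not None]
    return events, correlate(events)
```

The correlation step is where the SIEM adds value: the server sees only failed logins and the firewall sees only drops, but joined on the source IP they form a single alert spanning both devices.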

Installation

  • Download the OSSIM ISO from here.
  • Here, choose OSSIM (Open Source Security Information Management) and press ENTER.
OSSIM Installation Screen 1
  • Choose the preferred language and click Continue.
OSSIM Installation Screen 2
  • Choose the country and click Continue.
OSSIM Installation Screen 3
  • Choose the keymap to use and click Continue.
OSSIM Installation Screen 4
  • Assign an IP address to this machine.
OSSIM Installation Screen 5
  • Set a password for root. After that, the installation starts.
OSSIM Installation Screen 6
  • If the installation succeeded, this screen appears on the machine.
OSSIM Installation Screen 7
  • Here, log in as root with the password set earlier. Then open https://<IP address>/ in a browser to reach the web interface.
OSSIM login screen
  • Now, enter the requested details to create an account for accessing the AlienVault products.
OSSIM login screen
  • Next, enter the username and password to log in; the welcome page then appears.
OSSIM welcome page
  • Follow the wizard steps to Monitor Network, Discover Assets, and Collect Logs & Monitor Assets. Click Start to start AlienVault OSSIM.
OSSIM wizard
  • Follow the steps shown on screen and click Sign Up Now to create an account for OTX (Open Threat Exchange), then log in to view all the activity on our LAN (Local Area Network).
  • Here, all of that activity can be viewed.

Conclusion

This tool can be used in your organization to monitor websites, databases, data centers, servers, desktops, applications, and other information devices for real-time threat detection and incident response.