What SIEM do you use?

Hi There!

As someone moving towards the Security field, I would like to start learning to use and configure an SIEM.

I’ve got to the point of picking one.

As this is a home lab environment purely to learn, I’d like to keep the cost as low as possible (free if possible).
Any recommendations would be great!

Beyond this, what SIEM do you use? Why?

Is this your most preferred?
What do you prefer?

I look forward to reading all your responses and discussing the pros and cons to each!

1 Like

Not a SIEM as such but have you taken a look into Security Onion?

1 Like

Echo @CMD_David’s thoughts completely.

Security Onion is great for learning how SOC tooling works and allows both beginner and advanced uses without feeling ‘too hard’ to dip your toe into.

I use Sec Onion at home, professionaly, i’ve used a wide range, i’d say my favorite two are Splunk and Azure Sentinel.

I prefer Splunk do it’s ability to take bulk data sets and create high quality, granular use cases that actually have high accuracy. All SIEMs ingest tons of data but few and built to actually take full advantage of that.

Splunk is expensive and does require in-depth knowledge to be useful. As does Sentinel when using KQL. But i think Azure Sentinel as being part of the Microsoft family integrates way cleaner to a O365 enviroment for exmaple than Splunk. It’s not impossible with Splunk just requires great effort.

1 Like

Graylog free is also one to consider. As you become familiar with the concepts of log selection concerning use cases and define those use cases by creating searches and rules, you are on your way to understanding how to use SIEM well.

5 Likes

What is your advice for a free SIEM or SIEM like product? Lets say for home/homelab use?

I usually use Graylog (I work for them), but I played with ELK, SumoLogic and Splunk.

In terms of home lab, it is good to use an open-source version. More advanced job seekers can try Security Onion. It is a full blown SIEM with a wide range of tools. It needs a lot of hardware requirements but from a learning perspective it is nice.

Why can you use a SIEM at home?
If you look at open job descriptions at least 40% of jobs require SIEM knowledge. Splunk pays the the most, but it is the most expensive knowledge. A cert is around $3000, only the core is around $100.
Many SIEMs are based on Elastic. It does not matter much if you learn Graylog, Elastic(ELK), OpenSearch(Amazon) or a similar SIEM because knowledge is transferable.
More advanced API calls in ES Query work an all of those programs. Often the query language is Lucene or something very similar.

If you look into the job market, there are many jobs beside SOC Analyst roles. SIEM Content Engineer/Developer is a cool role but less known.
Support Engineer for a SIEM vendor is a great option, too as well as SIEM Engineers.

3 Likes

I have used Elastic, Graylog, AlienVault, LogRhythm, and Splunk. I have developed content for both Elastic and Splunk. Those two are my preferred. I find SOC Content Development is a lot easier for Splunk. It is very easy to turn an idea into reality. The Splunk Query Language is moe than just filtering but actually allows for some advanced commands that I need to use the Elasticsearch API for when working on data in an ELK stack.

We take an odd approach at one of my organizations.
Large Volume + Low Usage = ELK Stack
Frequent Usage OR Automated Logic / Analytics = Splunk
We take the high usage data and put it in Splunk. Sometimes these are large volumes but often we can summarize and perform heavy pruning without losing data quality. Then our large volume, low usage (data archiving type stuff) we place in an OpenSource Elastic Stack. When needed to support an investigation, a few on the team can export data to json when needed and quickly import into Splunk to support the whole SOC team.

This isn’t without sacrifices. Learning two systems, tool fatigue, and additional management overhead. But it saves a lot in licensing and allows us to use Splunk which our team considered one of our most value-adding tools.

4 Likes

+1 for elastic security in the homelab. Elastic is becoming an incredibly common TSDB for “modern” applications, and the felxibility of the platform is extensive. Its an excellent dip into real world blue team work.

Elastic has a great community backing, and there are so many ways you can transition the experience gained to a work setting. Several SIEMs use it in the background. Despite the praise there is definitely a learning curve, so I wouldn’t yet recommend ES for a young security team. Flexibility typically translates to time sink, and usually a younger organization benefits more from processes than “OP tech”.

Whatever you choose, the important thing is that you have fun learning :slightly_smiling_face:. Sometimes it helps us professionally, and sometimes we just need a nerdy hole for escapism. Consider what you want to learn, and choose a platform that helps you hit your goals.

My company is using IBM QRadar, and I really like it. It offers free training on its learning academy website.

I started with HP Arcsight and then moved on to AlienVault, Logrhythm, Splunk and others. I’d say start with any of them (Splunk, AlienVault, OSSIM, Greylog). It is less about the solution and more about understanding the internal working of it, how it integrates with other log sources and what it offers in terms of alarms, correlations etc.

Depends of the organization size: smaller ones probably are fine with a EDR/XDR. Larger one probably need more completed SIEM. Personally I worked with ELK and I loved it.

Anyway: anyone has experience with Google Chronicle?