.. _monitoringbluesiem:

5. Try out SIEM and dashboarding (i.e. Elastic Stack)
========================================================

Introduction
^^^^^^^^^^^^

| For the processes and protocols of an organisation, having a SIEM is one of the starting points for ensuring good information security. Not only does this tool usually describe the ``playbook``, it also entails what steps need to be taken in order to safeguard the security of an enterprise.

Execution
^^^^^^^^^

| In my own instance of Security Onion, a SIEM tool called TheHive is included: it is possible to escalate a new alert from the Security Onion dashboard, resulting in the creation of a case in TheHive. Below you will find an example.

.. image:: https://i.imgur.com/ALTOv3i.png

TheHive
^^^^^^^

| I rarely use TheHive in my own private lab because it is tough to maintain and to keep a good overview of the security baseline of a network. Here are my current cases:

.. image:: https://i.imgur.com/fu5VX4v.png

| In our group assignment, which also revolves around blue-teaming activities, we do have cases; some of these contain partials to certain flags and the like.

.. image:: https://i.imgur.com/9mUUBRR.png

Kibana
^^^^^^

| For our group assignment, prior to my discovery of the Wazuh event tab, I was convinced we needed to create our own dashboard in Kibana, and that is what I did. The dashboard is based on KQL (Kibana Query Language); I took Suricata as an example.

.. image:: https://i.imgur.com/nx1sWl0.png

| And here is the default Security Onion Kibana dashboard; as you can see, it has certain use-cases.

.. image:: https://i.imgur.com/7tKZUtQ.png
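As an added example (not code from the original post or from Security Onion), the Python script below aggregates constructed Suricata EVE JSON alert records by signature, severity and source IP, the same groupings a Kibana dashboard panel over Suricata alerts would show, and builds the KQL drill-down filter for one signature. The field names in the KQL string are an assumption taken from raw eve.json; Security Onion's ECS-mapped fields may differ.

```python
import json
from collections import Counter

# Constructed Suricata EVE JSON records (not real traffic): three alerts,
# one non-alert flow record and one malformed line to exercise error handling.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2021-03-01T10:00:01+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"dest_ip":"10.0.0.10","dest_port":22,"proto":"TCP",'
    '"alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}',
    '{"timestamp":"2021-03-01T10:00:02+0000","event_type":"alert","src_ip":"10.0.0.5",'
    '"dest_ip":"10.0.0.11","dest_port":22,"proto":"TCP",'
    '"alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}',
    '{"timestamp":"2021-03-01T10:00:03+0000","event_type":"alert","src_ip":"10.0.0.6",'
    '"dest_ip":"203.0.113.9","dest_port":443,"proto":"TCP",'
    '"alert":{"signature":"ET MALWARE Suspicious TLS Beacon","severity":1}}',
    '{"timestamp":"2021-03-01T10:00:04+0000","event_type":"flow","src_ip":"10.0.0.7",'
    '"dest_ip":"10.0.0.10","proto":"TCP"}',
    '{"timestamp":"2021-03-01T10:00:05+0000","event_type":"alert",',  # truncated line
]


def parse_alerts(lines):
    """Yield only well-formed alert events; skip malformed lines and other event types."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") == "alert":
            yield event


def summarise_alerts(lines):
    """Aggregate alerts the way dashboard panels do: counts by signature, severity and source IP."""
    by_signature, by_severity, by_src = Counter(), Counter(), Counter()
    for event in parse_alerts(lines):
        alert = event.get("alert", {})
        by_signature[alert.get("signature", "unknown")] += 1
        by_severity[alert.get("severity", 0)] += 1
        by_src[event.get("src_ip", "unknown")] += 1
    return {"by_signature": dict(by_signature), "by_severity": dict(by_severity), "by_src_ip": dict(by_src)}


def kql_for_signature(signature):
    """KQL drill-down filter for one signature. Field names are assumed to match raw
    eve.json; Security Onion's ECS-mapped fields (e.g. rule.name) may differ."""
    return 'event_type:alert and alert.signature:"%s"' % signature.replace('"', '\\"')
```

Running ``summarise_alerts(SAMPLE_EVE_LINES)`` counts the two SSH-scan alerts and the one malware alert while silently dropping the flow record and the truncated line.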