|
|
Web application for generalizing SIEM correlation rules
Matušicová, Viktória ; Mikulec, Marek (oponent) ; Safonov, Yehor (vedoucí práce)
The risk of attacks on companies by organized crime increases as technology advances. Attacks that focus on modifying data or gaining access to a company's network are constantly developed. The sophisticated nature of advanced threats distinguishes them from broad-based attacks that rely on automated scripts. However, organizations can mitigate this risk by utilizing a combination of appropriate tools. These include network flow monitoring, probes for detecting and preventing attacks, and Security Information and Event Management (SIEM) tools for correlating incidents and events. By leveraging these tools, suspicious behavior in the network can be identified, and measures can be taken to prevent and mitigate the impact of cyber attacks. The main contribution of this thesis is the development of a web application that serves as a general tool for managing correlation rules across various SIEM solutions. Through the use of this web application, publicly available Sigma rules can be managed and converted into target SIEM solutions. Users are given the ability to save these rules to their personal user section, alongside SIEM conversions and visual representations of technique coverage based on categorization by MITRE ATT@CK and LogSource of stored user rules. The theoretical part of the thesis comprises an analysis of security monitoring issues, an explanation of the benefits of the Sigma platform and an analysis of the web application. A use case model is defined, functional and non-functional requirements are specified to describe the resulting system. Additionally, the analysis of available tools for converting Sigma rules is performed. The practical portion of the thesis begins with a focus on the design of the web application, including the architecture of both the server-side and client-side components, as well as an explanation of the core functionalities. The resulting solution is then implemented, with detailed procedures for creating microservices, client-side development, and launching the web application. The final state of the project summarizes the result. The thesis concludes with a testing phase, the client side of the web application is evaluated through functional user interface screenshots. The thesis also includes a demonstration of the process for testing Sigma rules, which involves converting the rules using the web application and subsequently carrying out functional verification using the RSA NetWitness SIEM test solution.
|
host ::
RSS.