
Department of Computer Science

Cyber security
Semester project
Class BSIT-7A

Submitted by: Muhammad Usama
Submitted to: Sir Zunnurain Hussain
Contents
Introduction
Organization needs and Functionalities of SIEM Solution
SIEM Solution
Introduction to event log analyzer SIEM
Features of Event Log Analyzer SIEM
Log data aggregation
Data correlation and alerting
Log analysis and dashboard
Compliance report
User monitoring
Collects and processes events and flows
Collection of vulnerability Data
Logical Components and data flow in event log analyzer
Architecture and data flow diagram of event log analyzer
Offenses in Event log analyzer
Types of offenses
SIEM Dashboard
Customize the dashboard
Default and customize Dashboards
Event Log Analyzer Tabs
Conclusion
References

Introduction:
The organization is facing serious malware attacks. To deal with this malware we need a SIEM
solution that helps us detect malware activity. SIEM software works by collecting the log and event
data generated by an organization's applications, security devices and host systems and bringing it
together into a single centralized platform. ... In this way it detects threats and creates security alerts.

Organization needs and Functionalities of SIEM Solution

- Data collection
- Data processing
- Data correlation
- Dashboard
- Offenses and severity levels
- Search and filters
- Rules
- Reporting

SIEM Solution
We need a SIEM solution that fulfills the above-mentioned needs. Every SIEM solution has its pros and
cons, but given the present condition of the company, Event Log Analyzer is the best fit.

Introduction to event log analyzer SIEM

An event log analyzer, also known as a security information and event management (SIEM)
system, is a tool used to monitor and analyze log data generated by devices on a network.
These logs can provide valuable insights into the security and health of the network, as well as
help identify potential threats and vulnerabilities.
A SIEM system typically includes three main components:
Data collection: The SIEM system collects log data from various devices on the network, such as
servers, workstations, and routers.
Data processing: The collected log data is processed and analyzed by the SIEM system to
identify patterns, trends, and anomalies.
Reporting and alerting: The SIEM system generates reports and alerts based on the processed
log data, providing a comprehensive overview of the security and health of the network.

Features of Event Log Analyzer SIEM

- Log data aggregation
- Log forensics
- Event correlation and alerting
- File integrity monitoring
- Log analysis and dashboard
- User monitoring
- Object access auditing
- Compliance report
Log data aggregation
Event Log Analyzer consolidates log data from a wide range of sources (Windows frameworks,
Unix/Linux frameworks, applications, databases, switches, routers, and other syslog gadgets) into one
central location. The Universal Log Parsing and Indexing (ULPI) technology allows Event Log Analyzer
to translate any log data, regardless of the source or log format.
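The aggregation step described above only pays off if logs from different sources end up in one common schema. The following Python snippet is an added example written for this report; it is not Event Log Analyzer's ULPI code. It parses three constructed log lines (a BSD syslog line from sshd, a key=value line in the style of a Windows logon-failure event export, and a JSON line from a custom application) into the same set of fields. The field names (ts, host, user, src_ip, action, result), the sample lines and the assumed year for the syslog timestamp are all constructed for illustration; a line that no parser recognizes is kept with its raw text rather than discarded, so nothing is lost before search and correlation.

```python
"""Normalize heterogeneous log lines into one common event schema.

Added example, not Event Log Analyzer or ULPI code: three constructed
input formats are parsed into the same set of fields so that later
correlation and search work on one schema regardless of the log source.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample lines (not real captures): BSD syslog from a Linux host,
# a key=value line in the style of a Windows logon-failure event export, and
# a JSON line from a custom application. All describe the same failed login.
SAMPLE_LINES = [
    "Mar 14 10:15:02 web01 sshd[2231]: Failed password for admin from 203.0.113.45 port 51022 ssh2",
    "EventID=4625 TimeCreated=2024-03-14T10:15:07Z Computer=DC01 TargetUserName=admin IpAddress=203.0.113.45 Status=0xC000006D",
    '{"ts": "2024-03-14T10:15:09Z", "host": "app01", "user": "admin", "src_ip": "203.0.113.45", "action": "login", "result": "failure"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[\]:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
KV_RE = re.compile(r"(\w+)=(\S+)")
SYSLOG_YEAR = 2024  # BSD syslog carries no year; assumed for the constructed samples


def _iso(value):
    """Render an ISO-8601 timestamp (with or without a trailing Z) uniformly."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00")).isoformat()


def _base(source_type, raw):
    # The common schema every parser fills; fields it cannot derive stay None.
    return {"source_type": source_type, "raw": raw, "ts": None, "host": None,
            "user": None, "src_ip": None, "action": None, "result": None}


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = _base("syslog", line)
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    ev["ts"] = ts.replace(tzinfo=timezone.utc).isoformat()
    ev["host"] = m["host"]
    auth = SSH_FAIL_RE.search(m["msg"])
    if auth:  # only the sshd failure message is understood in this example
        ev.update(user=auth["user"], src_ip=auth["ip"], action="login", result="failure")
    return ev


def parse_windows_kv(line):
    fields = dict(KV_RE.findall(line))
    if "EventID" not in fields:
        return None
    ev = _base("windows", line)
    ev.update(ts=_iso(fields.get("TimeCreated")), host=fields.get("Computer"),
              user=fields.get("TargetUserName"), src_ip=fields.get("IpAddress"))
    if fields["EventID"] in ("4624", "4625"):  # Windows logon success / failure
        ev["action"] = "login"
        ev["result"] = "success" if fields["EventID"] == "4624" else "failure"
    return ev


def parse_json(line):
    try:
        obj = json.loads(line)
    except ValueError:
        return None
    if not isinstance(obj, dict):
        return None
    ev = _base("json", line)
    ev.update(ts=_iso(obj.get("ts")), host=obj.get("host"), user=obj.get("user"),
              src_ip=obj.get("src_ip"), action=obj.get("action"), result=obj.get("result"))
    return ev


PARSERS = (parse_syslog, parse_windows_kv, parse_json)


def normalize(line):
    """Try each parser in turn; keep unrecognized lines instead of dropping them."""
    for parser in PARSERS:
        ev = parser(line)
        if ev is not None:
            return ev
    return _base("unknown", line)


if __name__ == "__main__":
    for ev in map(normalize, SAMPLE_LINES):
        print(ev["ts"], ev["source_type"], ev["host"], ev["user"], ev["src_ip"], ev["result"])
```

Once the three lines are normalized, a single query such as "all login failures for admin from 203.0.113.45" matches events from the Linux host, the domain controller and the application alike, which is exactly what the later correlation and search features depend on.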

Data correlation and alerting

Event Log Analyzer is designed to help network administrators proactively monitor their networks for
potential threats. It uses rules and scripts configured to assess any changes in events or network activity and
can send out real-time notifications when a threshold is exceeded or an anomaly is detected. It comes with a set
of pre-defined correlation rules related to user access, user logins, file integrity, user creation, group policies,
and software installations.

Log analysis and dashboard

Event Log Analyzer performs log analysis in real time and displays the analyzed log data in easy-to-
understand charts, graphs and reports. Users can easily drill down through log data shown on the dashboard to
get more insights and do a root cause analysis within minutes. The solution also provides real-time alerts based
on the latest threat intelligence from STIX/TAXII threat feeds.

Compliance report
Compliance is the core of SIEM and with Event Log Analyzer organizations can meet regulatory compliance
requirements by monitoring and analyzing log data from all the network devices and applications. Event Log
Analyzer allows you to generate pre-defined/canned compliance reports such as PCI
DSS, FISMA, GLBA, SOX, HIPAA, etc.

User monitoring
Event Log Analyzer provides exhaustive user monitoring reports. These enable tracking of suspicious
behavior by users, including privileged administrative users.

You get precise information about user access: which user performed the action, what the result of the
action was, on which server it happened, and the user workstation from which the action was triggered.

Collects and processes events and flows

Event Log Analyzer collects, analyzes, searches, correlates, reports on, and stores logs from a
centralized platform. It then converts that data into easy-to-understand reports and graphs. If any
abnormal behavior is detected, the software sends security alerts in real time via email or SMS.

When you start Event Log Analyzer, you will see the display shown in the figure.
Collection of vulnerability Data
On the Dashboard page click on Settings; on the next page, click on "Applications". The page below
appears.
There are many options available at the top, as shown in the image below.
Click on "vulnerability scanner".
Logical Components and data flow in event log analyzer
Event Log Analyzer is a log management and IT compliance solution for your enterprise. It's web-based, and it
employs both agentless and agent-based mechanisms to collect logs from log sources across your network
while also providing you with in-depth reports, alerts, and security analyses.

The main modules Event Log Analyzer has to offer:

- Parsing engine: Filters logs which aren't needed—as configured by the administrator—and normalizes raw logs into a standard format.
- Central database: Stores raw and normalized logs from all devices and applications across your network as well as report data and global threat data. The default database that comes installed with the product is PostgreSQL. Alternatively, users have the option of migrating to Microsoft SQL Server or MySQL databases.
- Report builder: Processes the raw and normalized logs to build over a thousand predefined reports—including compliance reports—and custom reports as well. EventLog Analyzer generates and sends out scheduled reports, and it exports reports when needed.
- Alerts and incident management: Sends out email and SMS notifications based on configured alert profiles; assigns incidents to designated technicians, and stores the statuses and related information for every incident.
- Automated workflows: Automates incident response through predefined workflows that set off when alerts are triggered.
- Log search engine: Searches through millions of logs in seconds. The search engine is based on Elasticsearch.
- File integrity monitoring: Uses file server logs to monitor all activity occurring in critical files and folders and generates detailed file integrity reports.
- Correlation engine: Correlates logs from heterogeneous sources to identify potential attacks, and generates in-depth aggregated incident reports and security alerts.
- Threat intelligence: Regularly retrieves and stores threat data from popular STIX/TAXII-based threat feeds as well as other open source feeds. The module compares this data with network events and then generates threat alerts when malicious entities are discovered interacting with your network.
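The threat intelligence module above, and the STIX/TAXII-based alerts mentioned under Log analysis and dashboard, both come down to one operation: comparing fields of normalized events with indicators from a feed. The Python below is an added example for this report, not Event Log Analyzer's threat intelligence code. The indicators are written in the STIX 2.1 indicator-pattern style that TAXII feeds deliver, but the feed itself, the indicator ids, the confidence values, the 64-character placeholder hash, the events and the mapping from STIX object properties to event fields are all constructed here. Only single-comparison patterns are understood; a compound pattern is reported as unparsed rather than silently dropped, and values are canonicalized (case, trailing DNS dot) so a feed entry and an event value that differ only in formatting still match.

```python
"""Match normalized events against threat-intelligence indicators.

Added example, not Event Log Analyzer code: indicators are written in the
STIX 2.1 pattern style TAXII feeds deliver; the feed, the events and the
field mapping are constructed for this example.
"""
import re
from collections import defaultdict

# Only simple one-comparison STIX patterns are handled; anything else
# (OR/AND, ranges) is reported as unparsed instead of being ignored.
SIMPLE_PATTERN_RE = re.compile(
    r"^\[(?P<obj>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<val>[^']+)'\]$")

# (STIX object type, property) -> fields of the assumed event schema it applies to
FIELD_MAP = {
    ("ipv4-addr", "value"): ("src_ip", "dst_ip"),
    ("domain-name", "value"): ("dst_domain",),
    ("file", "hashes.'SHA-256'"): ("file_sha256",),
}

FAKE_HASH = "ab12" * 16  # constructed 64-hex placeholder, not a real sample hash

# Constructed feed; ids and confidence values are made up for the example.
FEED = [
    {"id": "indicator--0001", "pattern": "[ipv4-addr:value = '203.0.113.45']", "confidence": 85},
    {"id": "indicator--0002", "pattern": "[domain-name:value = 'Update-Cdn.Example']", "confidence": 60},
    {"id": "indicator--0003", "pattern": f"[file:hashes.'SHA-256' = '{FAKE_HASH.upper()}']", "confidence": 95},
    {"id": "indicator--0004", "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '198.51.100.8']", "confidence": 50},
]

# Constructed, already-normalized events; the last one matches nothing.
EVENTS = [
    {"ts": "2024-03-14T10:15:02+00:00", "host": "web01", "user": "admin", "src_ip": "203.0.113.45", "action": "login"},
    {"ts": "2024-03-14T10:16:40+00:00", "host": "ws07", "user": "alice", "dst_domain": "update-cdn.example.", "action": "dns_query"},
    {"ts": "2024-03-14T10:16:55+00:00", "host": "ws07", "user": "alice", "file_sha256": FAKE_HASH, "action": "file_create"},
    {"ts": "2024-03-14T10:17:10+00:00", "host": "app01", "user": "svc", "src_ip": "10.0.0.5", "action": "login"},
]


def canon(value):
    """Case-fold and strip a trailing DNS dot so feed and event values compare equal."""
    return value.strip().lower().rstrip(".")


def compile_feed(feed):
    """Index indicators by event field; return (index, ids of unparsed patterns)."""
    index = defaultdict(dict)  # event field -> canonical value -> indicator
    unparsed = []
    for ind in feed:
        m = SIMPLE_PATTERN_RE.match(ind["pattern"])
        fields = FIELD_MAP.get((m["obj"], m["prop"])) if m else None
        if not fields:
            unparsed.append(ind["id"])
            continue
        for field in fields:
            index[field][canon(m["val"])] = ind
    return index, unparsed


def severity(confidence):
    # Assumed mapping from feed confidence to alert severity.
    return "high" if confidence >= 80 else "medium" if confidence >= 50 else "low"


def scan(events, feed):
    """Return one alert per (event, matching indicator) pair."""
    index, _ = compile_feed(feed)
    alerts = []
    for ev in events:
        for field, table in index.items():
            value = ev.get(field)
            if value is None:
                continue
            ind = table.get(canon(value))
            if ind:
                alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev.get("user"),
                               "field": field, "value": value, "indicator": ind["id"],
                               "severity": severity(ind["confidence"])})
    return alerts


if __name__ == "__main__":
    _, skipped = compile_feed(FEED)
    print("unparsed indicators:", skipped)
    for a in scan(EVENTS, FEED):
        print(a["severity"], a["host"], a["field"], a["value"], "->", a["indicator"])
```

Indexing the feed once and looking events up by canonical value keeps the per-event cost flat as the feed grows, and reporting unparsed indicators makes coverage gaps visible to the administrator instead of hiding them.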
Architecture and data flow diagram of event log analyzer
Offenses in Event log analyzer
When the events and flows meet the test criteria defined in the rules, an offense is created to show
that a security attack or policy breach is suspected. But knowing that an offense occurred is only the
first step; identifying how it happened, where it happened, and who did it requires some investigation.
The Alerts tab lists details of all alerts triggered (if you have not set up any alert profiles, the tab directs you to
do so). You can view the timestamp of the alert, the device that triggered it, the severity, the status of the
alert, and the message.
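The correlation described under Data correlation and alerting, and the creation of an offense once a rule's test criteria are met, can be shown with a single threshold rule. The Python below is an added example for this report, not Event Log Analyzer's correlation engine. It applies a sliding-window rule to constructed, already-normalized login events from three hosts: five or more failures for one (user, source IP) pair within 60 seconds raise a medium offense, and a success for that pair while the window is still full raises a high one. The event records, the thresholds, the severity labels and the offense fields are all assumptions made for the example; the first event is deliberately an hour old so that the window logic visibly discards it.

```python
"""Sliding-window correlation of login events into offense records.

Added example, not Event Log Analyzer code: a threshold rule of the kind a
correlation engine applies. Repeated authentication failures for one
(user, source IP) pair inside a time window raise a medium offense; a
success for that pair while the window is still full raises a high one.
"""
from collections import defaultdict, deque
from datetime import datetime

ATTACKER_IP = "203.0.113.45"  # constructed address from the TEST-NET-3 range


def _ev(ts, host, user, src_ip, result):
    # Minimal normalized event record (assumed schema)
    return {"ts": ts, "host": host, "user": user, "src_ip": src_ip, "action": "login", "result": result}


# Constructed events from three hosts. The first one is deliberately an hour
# old so that it falls out of the window and is not counted.
EVENTS = [
    _ev("2024-03-14T09:00:00+00:00", "web01", "admin", ATTACKER_IP, "failure"),
    _ev("2024-03-14T10:15:02+00:00", "web01", "admin", ATTACKER_IP, "failure"),
    _ev("2024-03-14T10:15:07+00:00", "DC01", "admin", ATTACKER_IP, "failure"),
    _ev("2024-03-14T10:15:09+00:00", "app01", "admin", ATTACKER_IP, "failure"),
    _ev("2024-03-14T10:15:12+00:00", "web01", "admin", ATTACKER_IP, "failure"),
    _ev("2024-03-14T10:15:20+00:00", "DC01", "admin", ATTACKER_IP, "failure"),
    _ev("2024-03-14T10:15:25+00:00", "web01", "bob", "198.51.100.20", "failure"),
    _ev("2024-03-14T10:15:30+00:00", "web01", "bob", "198.51.100.20", "failure"),
    _ev("2024-03-14T10:15:41+00:00", "app01", "admin", ATTACKER_IP, "success"),
]


def _offense(rule, severity, key, window, hosts):
    user, src_ip = key
    return {"rule": rule, "severity": severity, "user": user, "src_ip": src_ip,
            "count": len(window), "first_seen": window[0].isoformat(),
            "last_seen": window[-1].isoformat(), "hosts": sorted(hosts)}


def correlate(events, threshold=5, window_s=60):
    """Return offense records for the threshold rule, processing events in time order."""
    failures = defaultdict(deque)  # (user, src_ip) -> timestamps of recent failures
    hosts = defaultdict(set)       # (user, src_ip) -> hosts that reported a failure
    alerted = set()                # keys that already raised a brute_force offense
    offenses = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        if ev.get("action") != "login":
            continue
        key = (ev["user"], ev["src_ip"])
        now = datetime.fromisoformat(ev["ts"])
        recent = failures[key]
        # Expire failures that have fallen out of the window
        while recent and (now - recent[0]).total_seconds() > window_s:
            recent.popleft()
        if ev["result"] == "failure":
            recent.append(now)
            hosts[key].add(ev["host"])
            if len(recent) >= threshold and key not in alerted:
                alerted.add(key)
                offenses.append(_offense("brute_force", "medium", key, recent, hosts[key]))
        elif ev["result"] == "success" and len(recent) >= threshold:
            # A success right after a burst of failures is the higher-severity case
            offenses.append(_offense("brute_force_success", "high", key, recent, hosts[key]))
            recent.clear()
            hosts[key].clear()
            alerted.discard(key)
    return offenses


if __name__ == "__main__":
    for off in correlate(EVENTS):
        print(off["severity"], off["rule"], off["user"], off["src_ip"],
              off["count"], off["hosts"], off["first_seen"], "->", off["last_seen"])
```

Because the rule keys on (user, source IP) rather than on host, the five failures spread across web01, DC01 and app01 are counted together, which is the point of correlating heterogeneous sources; bob's two failures stay below the threshold and produce nothing.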

Click on the Alerts tab, then click on "Add Alert Profile".

Types of offenses
Offenses are generally graded into four categories:

- Felonies
- Misdemeanors
- Felony-misdemeanors
- Infractions

SIEM Dashboard
A Security Information and Event Management (SIEM) dashboard is a user interface that is used to
monitor the security of an organization's networks and systems. It displays real-time data about security
events, such as system logs, network traffic, and security alerts, in a visual format. This dashboard
typically includes charts, graphs, and other visualizations to provide an overview of the organization's
security posture, as well as detailed information about specific security events. It may also include tools
for analyzing and responding to security incidents. The objective of the SIEM dashboard is to help
organizations detect and respond to security threats quickly and effectively.
Customize the dashboard
To customize the dashboard in Event Log Analyzer, you can follow these steps:

- Log in to the Event Log Analyzer web interface as an administrator.
- Click on the "Dashboard" tab in the top menu.
- Click on the "Customize Dashboard" button in the top right corner of the dashboard.
- In the "Customize Dashboard" window, you can select which widgets to display on the dashboard and how they should be organized. You can also customize the appearance and behavior of each widget by clicking on the "Configure" button next to it.
- When you are finished customizing the dashboard, click on the "Save" button to apply your changes.

Note that the specific options available for customizing the dashboard may vary depending on the
version of Event Log Analyzer that you are using. Consult the Event Log Analyzer documentation for
more information.

Default and customize Dashboards

A default dashboard is one that is provided by default by the security information and event
management (SIEM) system. It typically includes a set of pre-configured widgets that display data about
security events, such as system logs, network traffic, and security alerts.

A custom dashboard is one that has been customized by an administrator to meet the specific needs of
the organization. It may include different widgets than the default dashboard, or the same widgets may
be configured to display different data or to behave differently. Custom dashboards can be created from
scratch or based on an existing default dashboard.

The main difference between default and custom dashboards is that default dashboards are intended to
provide a general overview of the organization's security posture, while custom dashboards can be
tailored to focus on specific aspects of the organization's security or to meet the needs of specific users
or groups. Custom dashboards can provide a more targeted and relevant view of security data, making it
easier for administrators to identify and respond to security threats.

Event Log Analyzer Tabs

Event Log Analyzer is a security information and event management (SIEM) tool that allows
organizations to monitor and analyze security events from various sources, such as system logs, network
traffic, and security alerts. It provides a graphical user interface (GUI) with several tabs that allow
administrators to access different features and functions of the software. Here is a list of some of the
tabs that may be available in Event Log Analyzer:

- Dashboard: This tab displays a customizable dashboard with real-time data about security events, such as charts, graphs, and other visualizations. The dashboard provides a high-level view of the organization's security posture and allows administrators to quickly identify potential threats.
- Events: This tab displays a list of security events that have been collected by the SIEM system. Administrators can use the search and filter functions to locate specific events, and can view detailed information about each event by clicking on it.
- Reports: This tab allows administrators to generate reports about security events based on specific criteria, such as type of event, time period, and data source. Reports can be saved and scheduled to run at regular intervals.
- Alerts: This tab displays a list of security alerts that have been generated by the SIEM system based on predefined conditions. Administrators can view detailed information about each alert and take appropriate action to mitigate the threat.
- Configuration: This tab allows administrators to configure various aspects of the SIEM system, such as data sources, alert rules, and user roles.

Note that the specific tabs available in Event Log Analyzer may vary depending on the version of the
software and the specific features and modules that have been purchased. Consult the Event Log
Analyzer documentation for more information.

Conclusion
Event Log Analyzer is a security information and event management (SIEM) tool that allows
organizations to monitor and analyze security events from various sources, such as system logs, network
traffic, and security alerts. It provides a graphical user interface (GUI) with several tabs that allow
administrators to access different features and functions of the software, such as a customizable
dashboard, event search and filtering, report generation, and alert management. Event Log Analyzer can
help organizations detect and respond to security threats in a timely and effective manner, and can
provide valuable insights into the security posture of the organization. Overall, Event Log Analyzer is a
powerful and feature-rich SIEM tool that can be an important part of an organization's security strategy.

References
https://www.manageengine.com/products/eventlog/help/StandaloneManagedServer-UserGuide/EventLogAnalyzerReports/create-custom-reports.html#create

https://manualzz.com/doc/30848748/manageengine-eventlog-analyzer----help-documentation

https://www.manageengine.com/products/eventlog/download.html
