
SIEM Open Source — Blue Team Log Supervision

Deployed an OSSIM/AlienVault SIEM integrating 5+ log sources and 15+ custom correlation rules, validated by purple team attack simulations (Hydra, Nmap, SQLmap).

2025
Completed (November 2025)
1 member

Technologies Used

OSSIM/AlienVault, HIDS, Syslog, Apache, SSH, SIEM, Blue Team, Purple Team, Hydra, Nmap, SQLmap

Deployment and configuration of an open-source SIEM (Security Information and Event Management) solution based on OSSIM/AlienVault for centralized log supervision and threat detection.

🎯 Project Overview

Full SIEM lifecycle: architecture design, log source integration, correlation rule writing, dashboard creation, and detection validation through simulated attacks (purple team approach).

🔌 Log Source Integration (5+ sources)

  • Apache — Web server access and error logs
  • SSH — Authentication events (success/failure, brute-force)
  • Syslog — System events from Linux hosts
  • HIDS Agents — Host Intrusion Detection System (file integrity, process monitoring)
  • Network devices — Firewall and switch logs

📐 Correlation Rules (15+)

| Rule | Attack Pattern Detected |
|------|-------------------------|
| SSH Brute Force | >10 failed SSH authentications in 60 seconds |
| Port Scan | Nmap SYN scan signature across 20+ ports |
| Privilege Escalation | sudo/su events following failed logins |
| Lateral Movement | Unusual SSH connections between internal hosts |
| Web Exploitation | SQL injection patterns in Apache access logs |
| HIDS Alert | Unexpected file modifications in /etc or /bin |
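As an added illustration of the SSH Brute Force rule above (the time-windowed, source-filtered design described under Solutions), here is a stand-alone Python detector run over constructed auth.log lines. This is example code written for this page, not OSSIM's own correlation engine; the host name, PIDs, IPs and timestamps in the sample are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH "Failed password" lines as forwarded from /var/log/auth.log via syslog.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

def parse_failed_logins(lines, year=2025):
    """Yield (timestamp, source_ip) for every failed SSH authentication."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["src"]

def detect_ssh_brute_force(lines, threshold=10, window_s=60):
    """Sliding-window rule: fire once per source IP that exceeds `threshold`
    failures inside any `window_s`-second span (the page's >10 in 60 s rule).
    Assumes lines arrive in time order, as a SIEM stream would."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    alerts = {}
    for ts, src in parse_failed_logins(lines):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # expire failures older than the window
        if len(q) > threshold and src not in alerts:
            alerts[src] = {"count": len(q), "first": q[0], "last": ts}
    return alerts

# Constructed sample: one slow failure from 10.0.0.9, then 12 failures from
# 10.0.0.5 in 33 s (a Hydra-style burst), then more unrelated 10.0.0.9 lines.
SAMPLE_LOG = [
    "Nov 12 14:01:10 siem-host sshd[4210]: Failed password for root from 10.0.0.9 port 50001 ssh2",
] + [
    f"Nov 12 14:02:{s:02d} siem-host sshd[{4231 + s}]: Failed password for invalid user "
    f"admin from 10.0.0.5 port {51000 + s} ssh2"
    for s in range(0, 36, 3)
] + [
    "Nov 12 14:05:30 siem-host sshd[4299]: Failed password for root from 10.0.0.9 port 50002 ssh2",
    "Nov 12 14:10:05 siem-host sshd[4312]: Accepted password for alice from 10.0.0.9 port 50003 ssh2",
]

if __name__ == "__main__":
    for src, a in detect_ssh_brute_force(SAMPLE_LOG).items():
        print(f"ALERT SSH Brute Force: {src} {a['count']} failures "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The slow failures from 10.0.0.9 never accumulate past the window, which is the false-positive behaviour the threshold tuning under Challenges is meant to control.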

🟣 Purple Team Validation

Simulated attacks to validate detection coverage:

  • Hydra SSH brute-force → validated SSH Brute Force rule
  • Nmap full-port scan → validated Port Scan rule
  • Manual privilege escalation (sudo -l, SUID exploitation) → validated Priv Esc rule
  • SQLmap against test web app → validated Web Exploitation rule

Post-exploitation analysis: log review, rule refinement, signature improvement.

📊 Dashboards & Alerting

  • Real-time dashboards for event volume, top sources, and alert severity
  • Automated email/SMS alerts on CRITICAL rules
  • Incident timeline visualization for forensic analysis

Challenges

  • Normalizing logs from 5+ heterogeneous sources into a unified SIEM format
  • Writing correlation rules with low false positive rates for common attack patterns
  • Validating detection coverage without a dedicated red team
  • Tuning alert thresholds to balance sensitivity and alert fatigue

Solutions

  • Used OSSIM built-in log parsers and custom syslog forwarding rules for normalization
  • Wrote time-windowed correlation rules (e.g., >10 events in 60s) with source/destination filters
  • Applied purple team methodology: simulated attacks to verify rule triggers
  • Iteratively adjusted thresholds based on baseline traffic and attack simulation results

Outcomes

  • SIEM with 5+ integrated log sources covering SSH, web, system, network, and HIDS
  • 15+ custom correlation rules validated against real attack simulations
  • Real-time dashboards and automated alerting on critical events
  • Purple team validation confirming detection of brute-force, port scans, privesc, and SQLi
  • Documented incident response process from alert trigger to forensic analysis