Getting Started with Logz.io Cloud SIEM

The shortcoming of traditional SIEM implementations can be traced back to big data analytics challenges.

Fast analysis requires centralizing huge amounts of security event data in one place. As a result, many strained SIEM deployments can feel heavy, require hours of configuration, and return slow queries.

Logz.io Cloud SIEM was designed as a scalable, low-maintenance, and reliable alternative. As a result, getting started isn’t particularly hard.

Here are a few ways Cloud SIEM simplifies and accelerates security event management and investigation:

Highly available, fast queries, zero maintenance: Logz.io’s cloud-native architecture is purpose-built to handle huge and fluctuating data volumes – without requiring any maintenance to manage or upkeep the data infrastructure.

Prebuilt security rules and dashboards based on popular security technologies: 600+ out-of-the-box security rules to automatically highlight critical security events, and 100+ out-of-the-box dashboards to visualize and investigate that data.

Automated threat detection: Logz.io cross-references incoming security data against public and private threat feeds to surface IOCs.

On-demand security analysts: Need help adding new integrations, building custom security rules/detections, or building new dashboards? Leverage Logz.io’s Security Analysts to bolster your SIEM practice – available for every customer, 24/7.

The fastest and easiest way to realize these benefits is by starting a Cloud SIEM free trial. Below are the steps to get started.

Set up your account and start sending data

To begin, click on ‘Free Trial’ on the Logz.io homepage and fill out a quick form.

From there, you’ll see the option to send your data, or to explore a Logz.io demo environment. Choose the former, unless you want to see what Logz.io looks like before you begin. This will kick off the flow needed to configure an integration that sends logs from your security data sources to Logz.io for storage and investigation.

Now you’ll have the option to configure an observability integration, but we want a security integration, so we’ll hit ‘Browse integrations’ towards the bottom of the screen.

Switch over to the ‘Cloud SIEM’ tab to view Logz.io’s integrations with popular security event data sources, like Palo Alto Networks, Crowdstrike, AWS WAF, Microsoft Active Directory, and many others.

Choose a security event data source to begin configuring the integration.

By hitting ‘CloudTrail,’ for example, we can see instructions to configure the integration. The steps are to collect CloudTrail events in an S3 bucket, where Logz.io can pull them into our service for storage and analysis.

The integrations for Crowdstrike uses the Crowdstrike collector and Fluentd to collect and ship security events to Logz.io.

Security Event Rules and Visualization Dashboards

As the CloudTrail and Crowdstrike data is ingested to Logz.io’s data processing pipeline, it is automatically parsed with prebuilt parsing rules – making the data easy to search, visualize, and understand. Logz.io implements prebuilt parsing for every integration, and our security analysts can build additional parsing for data sources not currently supported.

Once the data is in Logz.io, navigate to the Cloud SIEM tab to begin analyzing your data. You’ll see a prebuilt home dashboard that provides a summary of your threat landscape across geographies, devices, event types, and other dimensions. From this unified view, it’s easy to begin drilling into specific threats to investigate suspicious activity.

The events surfaced in this dashboard were automatically highlighted by prebuilt rules. Logz.io provides 600+ prebuilt rules that surface the most critical events in your security data. You can build new rules yourself, or ask our security analysts for assistance.

Below, we see the prebuilt rules for CloudTrail, it looks like there are 71 of them. When these rules query data that matches the rule conditions, the rule will trigger a security event. If needed, users can configure the event to trigger an alert notification to popular endpoints like Microsoft Teams, Slack, Gmail, and others.

Logz.io also offers out-of-the-box dashboards to monitor the events triggered by the rules. Below, we can monitor user actions within our environment in the prebuilt CloudTrail dashboard, and slice and dice the data to explore the data in different dimensions.

Like with the rules, if you don’t find what you’re looking for, contact us to get in touch with a security analyst who can assist.

Enrich Incoming Data with Threat Intelligence to Surface IOCs

In addition to enriching security data with security rules and visualizations, Logz.io also enriches your data with threat intelligence. As security data comes streaming into the platform, Logz.io automatically cross references the data with public and/or private threat intelligence feeds to surface IOCs for investigation.

The Threat Intelligence Dashboard below consolidates those IOCs for investigation.

And as we scroll down in the dashboards, we can see specific threat data and click on IOCs like attacker IPs to investigate threats.

Below, see the threat intelligence feeds used in this SIEM demo implementation. The information from these feeds are correlating against incoming data to highlight the high priority threat indicators.

Track Remediation for Security Events

As rules are triggered and generate security events, use Logz.io’s Event Manager to triage and track remediation progress. Here, team leads can monitor and coordinate security remediation efforts to make sure nothing falls through the cracks.

Quickly Overcome Technical Roadblocks

At any time, you can always contact us for best practices on data shipping, creating dashboards, creating rules, and how to overcome any technical roadblock.