Threat hunting with Graylog

Introduction

Graylog is a leading centralized log management solution which allows security teams to log, store and analyze huge amounts of data. One area where Graylog especially shines is in its speeds. In this article, we’ll discuss how Graylog can be used to analyze data in a hypothetical threat-hunting scenario.

Overview

We set up Graylog, and mongo-db on an Ubuntu 18.04 virtual machine. We won’t be discussing the initial set-up; however, if that is of interest, the procedure can be found here.

In our scenario, an internal rogue employee attacks one of our production servers to gain unauthorized access through brute-forcing our SSH and FTP services. Using this premise, we’ll discuss how Graylog stores the logs and displays them and how we can implement various in the open-source version during analysis.

scenario

We recently discovered a attempt on one of our company’s production servers. Unbeknownst to the attackers, we had our Graylog instance installed within the same server, which allowed to monitor their attempts at unauthorized access. The attackers were discovered to have performed numerous brute-force attacks against the FTP and SSH services on our server and had managed to gain

Read More: https://resources.infosecinstitute.com/topic/threat-hunting-with-graylog/