SIEM & Log Management with Humio (Now LogScale)

Log management refers to cataloging and monitoring network activity, identifying system events, and storing user requests across a network. A variety of machines, systems, and software can be monitored by a log management platform. Examples include servers, workstations, routers, network traffic, logins, and application operations. This mass of ingested data is aggregated, parsed, and analyzed so that it is more approachable and useful for security professionals.
Log management platforms also create streamlined procedures to monitor events and processes while alerting on whatever you are interested in seeing. Additionally, they provide more visibility into the environment and help ensure compliance with best practices and important software updates. Log management also protects against over-reliance on institutional knowledge, since important information and alerts can be shared with all employees instead of a select knowledgeable few. Alerts and dashboards can be tailored to current CVEs, aggregate specific event data, and filter out information that is not relevant to the task at hand.
Humio is a log management platform that allows for robust insight into an environment, coupled with a large degree of flexibility. It is an extremely beneficial tool to use and one that I’ve used to great effect in my professional positions and personal environments. It allows for more targeted threat hunting, data-driven insights, and real-time analysis of data. In the event of a security incident, Humio offers the capability to quickly pinpoint the point of entry and pivot points, and to mitigate the root cause of the breach. Another key benefit of a log management platform such as Humio is its ability to ingest data from multiple ETL sources. These sources can include firewalls, network taps, email servers, antivirus products, and MFA software.
The lifeblood of utilizing Humio and similar platforms is its query language, as it allows you to interact with your data. The language is similar to queries in a SQL database: you specify items to include in or exclude from the repository you are searching. You can also chain commands together, reminiscent of the pipe mechanism in Unix and Linux shells. One difference from SQL is that you can perform built-in aggregation and calculation functions within the query itself. For example, you can pipe your data through the groupBy() function to group your data by a specific field. You are also able to set the time frame the query will search within, from presets like the last 4 hours to specific time ranges.
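To make the filter-then-pipe model concrete, here is an added example (not code from the original post and not Humio's own engine) that runs the same kind of query over a handful of constructed authentication events: restrict to a time window, keep only failed logins, group by source address, and sort the counts. The field names (`event`, `result`, `src_ip`), the sample records and the helper names are assumptions for illustration; the commented LogScale-style query is the author's approximation of how the same search would read in Humio.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data): what a SIEM might hold after
# ingesting and parsing a few auth log lines from several hosts.
EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "host": "web01", "event": "login", "user": "alice", "result": "failure", "src_ip": "203.0.113.5"},
    {"@timestamp": "2024-05-01T10:05:00Z", "host": "web01", "event": "login", "user": "alice", "result": "failure", "src_ip": "203.0.113.5"},
    {"@timestamp": "2024-05-01T10:07:00Z", "host": "web02", "event": "login", "user": "bob",   "result": "success", "src_ip": "198.51.100.7"},
    {"@timestamp": "2024-05-01T11:30:00Z", "host": "web01", "event": "login", "user": "carol", "result": "failure", "src_ip": "203.0.113.5"},
    {"@timestamp": "2024-05-01T11:45:00Z", "host": "vpn01", "event": "login", "user": "dave",  "result": "failure", "src_ip": "198.51.100.7"},
    {"@timestamp": "2024-05-01T06:00:00Z", "host": "web01", "event": "login", "user": "eve",   "result": "failure", "src_ip": "192.0.2.9"},   # outside a 4h window
    {"@timestamp": "2024-05-01T11:50:00Z", "host": "web02", "event": "sudo",  "user": "alice", "result": "success", "src_ip": "198.51.100.7"},  # not a login
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp the events carry."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def within(events, start, end):
    """Time-frame stage: keep events with start <= @timestamp < end.
    A preset such as 'last 4 hours' is just start = now - 4h, end = now."""
    return [e for e in events if start <= parse_ts(e["@timestamp"]) < end]


def where(events, **conditions):
    """Filter stage: equivalent to writing  field=value field=value  at the
    start of a query; every condition must match."""
    return [e for e in events if all(e.get(k) == v for k, v in conditions.items())]


def group_by(events, field):
    """Aggregation stage: like  | groupBy(<field>)  which by default counts
    the events in each group."""
    return Counter(e.get(field) for e in events)


def sort_desc(counts):
    """Ordering stage: like  | sort(field=_count, order=desc)."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def failed_logins_by_source(events, now, hours=4):
    """The whole pipeline, roughly the LogScale query (author's approximation):
         event=login result=failure
         | groupBy(src_ip)
         | sort(field=_count, order=desc)
    searched over the preset time frame 'last <hours> hours'."""
    window = within(events, now - timedelta(hours=hours), now)
    failures = where(window, event="login", result="failure")
    return sort_desc(group_by(failures, "src_ip"))


if __name__ == "__main__":
    now = parse_ts("2024-05-01T12:00:00Z")
    for src_ip, count in failed_logins_by_source(EVENTS, now):
        print(f"{src_ip:15} {count}")
```

The same stages can be reordered or extended: swapping `"src_ip"` for `"user"` in `group_by` turns the query into a per-account failure count, and an explicit `start`/`end` pair passed to `within` reproduces a custom time range rather than a preset.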
Queries can be saved into widgets, which store the query and its results in an easily viewable format. These widgets can then be added to dashboards, which are collections of widgets. This functionality enables you to review useful queries daily, create custom alerts, and visualize the same data using different metrics.
I use Humio to monitor my environment. Below are some of the widgets that I created for my monitoring dashboard:
I encourage evaluating the use of a log management solution due to the improvement in visibility and security they provide for your environment.