WEBVTT

0:00:04.340000 --> 0:00:06.520000
 Introduction to SIEM.

0:00:06.520000 --> 0:00:09.740000
 In this video, we're going to get, as
 the title suggests, an introduction

0:00:09.740000 --> 0:00:11.920000
 to SIEM systems.

0:00:11.920000 --> 0:00:17.220000
 The idea here is really to understand
 what a SIEM is and what it's used

0:00:17.220000 --> 0:00:22.720000
 for, but very specifically geared towards
 incident response because, of

0:00:22.720000 --> 0:00:27.480000
 course, that's the focus of this course,
 as well as this learning path.

0:00:27.480000 --> 0:00:30.280000
 But I think it's very important
 to revisit it.

0:00:30.280000 --> 0:00:33.900000
 Now, I know within this learning path
 I've introduced you multiple times

0:00:33.900000 --> 0:00:37.740000
 to SIEMs, but you're going to see that
 this time there's going to be a

0:00:37.740000 --> 0:00:42.100000
 little bit of a change here in that
 we're now going to get a proper view

0:00:42.100000 --> 0:00:46.840000
 of what's out there in terms of various
 SIEM solutions, but more importantly,

0:00:46.840000 --> 0:00:54.060000
 understand how this relates or ties in
 very closely to what we were doing

0:00:54.060000 --> 0:00:54.960000
 in the previous video.

0:00:54.960000 --> 0:00:58.820000
 So, without further ado, what is a SIEM?

0:00:58.820000 --> 0:01:04.260000
 A SIEM is an abbreviation for security
 information and event management.

0:01:04.260000 --> 0:01:09.640000
 It is a centralized platform or solution
 or system, as it were, that provides

0:01:09.640000 --> 0:01:15.480000
 real-time visibility, correlation,
 detection and alerting based on log

0:01:15.480000 --> 0:01:20.320000
 and event data collected across an organization's
 digital infrastructure.

0:01:20.320000 --> 0:01:25.500000
 Now, as the name suggests, a SIEM
 combines two core capabilities.

0:01:25.500000 --> 0:01:29.560000
 If this is your first time ever, you
 know, thinking to yourself, well,

0:01:29.560000 --> 0:01:33.860000
 where exactly does this abbreviation
 come from, apart from the fact that,

0:01:33.860000 --> 0:01:39.140000
 you know, it has its fully fleshed out
 form as security information and

0:01:39.140000 --> 0:01:50.480000
 event management, you can see from,
 you know, if you're looking at the

0:01:50.480000 --> 0:01:53.720000
 same capability, and event management
 is another capability, so a SIEM

0:01:53.720000 --> 0:01:58.200000
 is really a system or platform that combines
 these two core capabilities.

0:01:58.200000 --> 0:02:02.540000
 So, that then begs the question, what
 is security information management

0:02:02.540000 --> 0:02:05.500000
 or SIM, as it's abbreviated?

0:02:05.500000 --> 0:02:11.280000
 Well, that really simply is historical
 data analysis and log management,

0:02:11.280000 --> 0:02:13.820000
 right, in terms of capability.

0:02:13.820000 --> 0:02:19.260000
 The other aspect or the other part
 of SIEM, which is, you know, event

0:02:19.260000 --> 0:02:23.820000
 management, in this particular case,
 more specifically is security event

0:02:23.820000 --> 0:02:27.860000
 management, which is abbreviated
 as SEM as it were.

0:02:27.860000 --> 0:02:34.380000
 So, what happens when you combine S with
 IM or EM, so you get SIEM, hopefully

0:02:34.380000 --> 0:02:36.180000
 it's starting to make sense now.

0:02:36.180000 --> 0:02:42.900000
 In any case, SEM or security event management
 is, you know, fundamentally

0:02:42.900000 --> 0:02:46.140000
 real-time monitoring and
 alerting capabilities.

0:02:46.140000 --> 0:02:49.960000
 So, we get SIEM from SIM plus SEM.

0:02:49.960000 --> 0:02:52.240000
 That's really what's going on here.

0:02:52.240000 --> 0:02:55.340000
 And not a lot of people actually understand
 this because these two core

0:02:55.340000 --> 0:03:01.740000
 capabilities are sort of, you know, were
 independent prior to this combination,

0:03:01.740000 --> 0:03:07.660000
 but the combination of SIM and SEM
 as capabilities is what gives us a

0:03:07.660000 --> 0:03:11.600000
 SIEM, so security information
 and event management.

0:03:11.600000 --> 0:03:18.180000
 So, based on that, you know, based
 on those two core capabilities, it,

0:03:18.180000 --> 0:03:22.740000
 you know, it's fairly obvious that SIEM
 solutions are, or should be able

0:03:22.740000 --> 0:03:29.280000
 to analyze current or historical events
 and log data, perform event correlation

0:03:29.280000 --> 0:03:31.480000
 and threat monitoring.

0:03:31.480000 --> 0:03:37.360000
 So, that specifically deals with SEM,
 so security event management.

0:03:37.360000 --> 0:03:44.820000
 Now, sort of addressing SEM, a SIEM
 should be able to retrieve and index

0:03:44.820000 --> 0:03:49.800000
 log data from disparate sources
 for analysis and reports.

0:03:49.800000 --> 0:03:57.560000
 So, from a security perspective, this
 is what a SIEM does in relation

0:03:57.560000 --> 0:04:04.480000
 specifically to the SEM, and the reason
 why I've sort of outlined it or

0:04:04.480000 --> 0:04:09.600000
 stated this, you know, in this current
 format is to sort of give you a

0:04:09.600000 --> 0:04:14.660000
 better idea of what you would classify
 as a SIEM as opposed to a log analysis

0:04:14.660000 --> 0:04:18.400000
 or log, you know, aggregation platform.

0:04:18.400000 --> 0:04:22.260000
 So, firstly, you should be able to analyze
 current or historical events

0:04:22.260000 --> 0:04:26.320000
 and log data, perform event correlation
 and threat monitoring.

0:04:26.320000 --> 0:04:29.900000
 Secondly, you should be able to retrieve
 and index log data from disparate

0:04:29.900000 --> 0:04:32.900000
 sources for analysis and reports.

0:04:32.900000 --> 0:04:36.120000
 So, there's a sort of the core features
 based on the core capabilities

0:04:36.120000 --> 0:04:39.520000
 that SIEM, you know, is essentially
 comprised of.

0:04:39.520000 --> 0:04:43.440000
 So, this then brings us to, you know,
 the question of the most popular

0:04:43.440000 --> 0:04:45.060000
 SIEM platforms, right?

0:04:45.060000 --> 0:04:50.520000
 So, on one column, you have the SIEM solution,
 so the name of the solution.

0:04:50.520000 --> 0:04:53.060000
 The second column is whether
 it's open source.

0:04:53.060000 --> 0:04:56.180000
 The reason I added that there is because,
 you know, those are relatively

0:04:56.180000 --> 0:05:01.720000
 lower, you know, fairly easy to get
 started with and then a description

0:05:01.720000 --> 0:05:06.900000
 of them. So, we touched on Splunk Enterprise
 Security in the previous

0:05:06.900000 --> 0:05:11.280000
 video, although I didn't give you a formal
 introduction to Splunk, regardless

0:05:11.280000 --> 0:05:14.580000
 of that, what is Splunk
 Enterprise Security?

0:05:14.580000 --> 0:05:16.480000
 Well, firstly, is it open source?

0:05:16.480000 --> 0:05:22.780000
 No, it isn't. Splunk Enterprise Security
 is really one of the big boys.

0:05:22.780000 --> 0:05:27.820000
 So, it's a leading commercial SIEM platform
 that offers scalable log management,

0:05:27.820000 --> 0:05:31.860000
 real-time monitoring and powerful analytics
 capabilities and is widely

0:05:31.860000 --> 0:05:33.900000
 used in enterprise environments.

0:05:33.900000 --> 0:05:39.960000
 Now, that is specifically when we're
 talking about enterprise security,

0:05:39.960000 --> 0:05:43.660000
 right? And the reason I'm pointing
 that out is we're not just talking

0:05:43.660000 --> 0:05:48.340000
 about Splunk and I may have referred
 to it in the previous video as just

0:05:48.340000 --> 0:05:55.980000
 Splunk, but Splunk sort of, there's
 different versions of Splunk and the

0:05:55.980000 --> 0:06:01.200000
 Enterprise Security edition
 is what you would call a SIEM,

0:06:01.200000 --> 0:06:04.080000
 all right? And it's designed
 specifically to be a SIEM.

0:06:04.080000 --> 0:06:05.520000
 It is a SIEM, right?

0:06:05.520000 --> 0:06:09.540000
 The other one that's also quite popular,
 widely deployed based on my experience

0:06:09.540000 --> 0:06:13.000000
 is IBM Security QRadar.

0:06:13.000000 --> 0:06:14.420000
 Is it open source?

0:06:14.420000 --> 0:06:18.800000
 No, it isn't. So, this is IBM's flagship
 SIEM providing comprehensive

0:06:18.800000 --> 0:06:23.940000
 threat detection, log correlation and
 automated response capabilities.

0:06:23.940000 --> 0:06:29.440000
 And one of the things that is great
 about QRadar is that it integrates

0:06:29.440000 --> 0:06:34.060000
 very well with other IBM products, especially
 when you consider AlienVault

0:06:34.060000 --> 0:06:39.060000
 and the threat intelligence there,
 the IOCs, the possibility for IOC

0:06:39.060000 --> 0:06:42.320000
 enrichment, so on and so forth.

0:06:42.320000 --> 0:06:45.960000
 In any case, we then have
 LogRhythm NextGen SIEM.

0:06:45.960000 --> 0:06:48.600000
 This is also not open source.

0:06:48.600000 --> 0:06:54.000000
 So this combines log management, UEBA
 and SOAR capabilities and it's known

0:06:54.000000 --> 0:07:00.200000
 for fast detection and response capabilities,
 as well as some of its very,

0:07:00.200000 --> 0:07:03.860000
 very, you know, as well as its strong
 compliance features, which it's actually

0:07:03.860000 --> 0:07:07.000000
 quite well known for.

0:07:07.000000 --> 0:07:08.860000
 We then have Microsoft Sentinel.

0:07:08.860000 --> 0:07:13.940000
 So, that's obviously not going to be
 open source or although not for long,

0:07:13.940000 --> 0:07:19.020000
 hopefully. So what is Microsoft Sentinel?


0:07:19.020000 --> 0:07:22.360000
 Some of you may know of it, but if
 you haven't, this is a cloud native

0:07:22.360000 --> 0:07:28.040000
 SIEM that's built on Azure and it offers
 AI driven analytics, scalable

0:07:28.040000 --> 0:07:31.980000
 data ingestion and seamless Microsoft
 ecosystem integration.

0:07:31.980000 --> 0:07:34.000000
 Fantastic option there.

0:07:34.000000 --> 0:07:40.120000
 You then have the Elastic Stack or Elastic
 Security, the ELK Stack, which

0:07:40.120000 --> 0:07:43.080000
 we'll actually get to in the next
 video.

0:07:43.080000 --> 0:07:44.740000
 This is open source.

0:07:44.740000 --> 0:07:50.160000
 It's usually the SIEM that a lot of
 people get started with, not only

0:07:50.160000 --> 0:07:54.500000
 because it's free or it's open source,
 but you know, it's really the basis

0:07:54.500000 --> 0:08:03.500000
 on which other security tools, other
 SIEMs and EDRs, XDRs like Wazuh or

0:08:03.500000 --> 0:08:07.140000
 Wazoo, depending on how you want to
 call it, you know, is built on.

0:08:07.140000 --> 0:08:16.120000
 So, the ELK Stack is built on, you know,
 as the abbreviated form suggests,

0:08:16.120000 --> 0:08:17.460000
 three core technologies.

0:08:17.460000 --> 0:08:22.000000
 You have Elasticsearch, Logstash and
 Kibana, which, you know, you can

0:08:22.000000 --> 0:08:27.220000
 see ELK. That's what gives you
 the ELK acronym as it were.

0:08:27.220000 --> 0:08:33.220000
 So, this SEAM offers open source core
 components and some advanced features

0:08:33.220000 --> 0:08:39.540000
 require commercial license under
 Elastic's dual licensing model.

0:08:39.540000 --> 0:08:43.020000
 You then have Wazuh or Wazoo,
 which is also open source.

0:08:43.020000 --> 0:08:48.420000
 They now call themselves, or Wazuh
 now calls itself, an XDR, I believe,

0:08:48.420000 --> 0:09:03.820000
 which is, so, you know, XDR is sort
 of an augmentation of EDR, X meaning

0:09:03.820000 --> 0:09:06.180000
 extended detection and response.

0:09:06.180000 --> 0:09:09.760000
 In any case, we'll probably touch on that
 when we get to endpoint analysis

0:09:09.760000 --> 0:09:15.220000
 in this course. So, Wazuh or Wazoo is
 a fully open source security platform

0:09:15.220000 --> 0:09:20.820000
 with log analysis, FIM, file integrity
 monitoring, intrusion detection,

0:09:20.820000 --> 0:09:22.480000
 as well as active response.

0:09:22.480000 --> 0:09:24.660000
 It's actually a pretty cool feature.

0:09:24.660000 --> 0:09:26.040000
 And compliance reporting.

0:09:26.040000 --> 0:09:31.300000
 And one of the reasons why I love Wazuh
 or Wazoo, depending on how you

0:09:31.300000 --> 0:09:35.900000
 want to pronounce it, you know, one
 of the reasons why I love it is, you

0:09:35.900000 --> 0:09:40.180000
 know, firstly, it's built on the ELK
 stack, but more importantly, it's

0:09:40.180000 --> 0:09:42.500000
 highly extensible and community driven.

0:09:42.500000 --> 0:09:46.800000
 It also has some really, really nifty
 integrations or features, one of

0:09:46.800000 --> 0:09:50.820000
 which was active response,
 which I mentioned.

0:09:50.820000 --> 0:09:55.660000
 But another one that I really like is
 the not native, but, you know, it

0:09:55.660000 --> 0:10:00.500000
 pretty much has the MITRE ATT&CK framework
 integrated fully, which, again,

0:10:00.500000 --> 0:10:04.680000
 you may not be thinking is that important
 at this point, but it does get

0:10:04.680000 --> 0:10:08.080000
 important, you know, as you
 progress as a responder.

0:10:08.080000 --> 0:10:13.780000
 You also have OSSIM, which is, you know,
 an abbreviation for Open Source

0:10:13.780000 --> 0:10:15.380000
 SIEM. This is also open source.

0:10:15.380000 --> 0:10:19.500000
 This is maintained by AT&T Cybersecurity.


0:10:19.500000 --> 0:10:24.420000
 OSSIM integrates several open source tools
 for event correlation and threat

0:10:24.420000 --> 0:10:32.180000
 detection. And overall, you know, it's
 a cost-effective entry-level SIEM.

0:10:32.180000 --> 0:10:34.900000
 You then have Security Onion,
 which is also quite popular.

0:10:34.900000 --> 0:10:36.120000
 It's also open source.

0:10:36.120000 --> 0:10:40.700000
 This is a free and open source Linux
 distro combining Zeek, Suricata,

0:10:40.700000 --> 0:10:46.280000
 Snort, Wazuh, and log management.

0:10:46.280000 --> 0:10:52.200000
 Now, Security Onion is arguably, you
 know, what, you know, it is a fully

0:10:52.200000 --> 0:10:57.640000
 fledged solution, but generally speaking,
 a lot of students or individuals

0:10:57.640000 --> 0:11:01.860000
 looking to get their hands dirty with
 the aforementioned tools usually

0:11:01.860000 --> 0:11:05.080000
 find Security Onion a good starting
 point, because it has everything,

0:11:05.080000 --> 0:11:07.260000
 you know, in one distro.

0:11:07.260000 --> 0:11:11.580000
 And so if you want to try out, you know,
 the network intrusion detection

0:11:11.580000 --> 0:11:16.660000
 systems like Suricata, Snort, et cetera.

0:11:16.660000 --> 0:11:22.360000
 And then the host based detection and
 analysis capabilities or tools or

0:11:22.360000 --> 0:11:30.000000
 platforms, you know, among or in addition
 to log analysis, et cetera,

0:11:30.000000 --> 0:11:33.740000
 then Security Onion is a great,
 really great solution.

0:11:33.740000 --> 0:11:36.340000
 It's completely free and open source.

0:11:36.340000 --> 0:11:40.480000
 They do have some licensing, but you know,
 you should be able to get started

0:11:40.480000 --> 0:11:42.800000
 with it relatively quickly.

0:11:42.800000 --> 0:11:45.660000
 You then have Graylog,
 which is open source.

0:11:45.660000 --> 0:11:47.580000
 This is quite well known.

0:11:47.580000 --> 0:11:52.640000
 This is an open source log management
 solution with real time search and

0:11:52.640000 --> 0:11:54.700000
 alerting and it can be extended.

0:11:54.700000 --> 0:11:59.180000
 So by default, it's really a log management
 solution, but based on my

0:11:59.180000 --> 0:12:09.640000
 experience, you through the use
 of additional plugins, right?

0:12:09.640000 --> 0:12:14.120000
 So you need to perform some customization
 there, but also very, very powerful,

0:12:14.120000 --> 0:12:16.960000
 very useful. It's been
 there for a long time.

0:12:16.960000 --> 0:12:18.860000
 You finally have OpenSearch.

0:12:18.860000 --> 0:12:20.620000
 This is also open source.

0:12:20.620000 --> 0:12:25.480000
 This is a community driven fork of
 Elasticsearch and Kibana and offers

0:12:25.480000 --> 0:12:28.640000
 open source search analytics
 and visualization tools.

0:12:28.640000 --> 0:12:32.840000
 And it's typically used as a foundation
 for custom-built SIEM solutions.

0:12:32.840000 --> 0:12:36.500000
 So another great starting point, if
 you want to build your own SIEM or

0:12:36.500000 --> 0:12:41.280000
 you feel like you need to build your
 own thing, your own solution, OpenSearch

0:12:41.280000 --> 0:12:42.940000
 is a great starting point.

0:12:42.940000 --> 0:12:46.360000
 It's actually a great place to start if
 you want to understand the internal

0:12:46.360000 --> 0:12:50.200000
 workings of a SIEM which hopefully in
 this section of the course, I will

0:12:50.200000 --> 0:12:52.200000
 do my best to explain.

0:12:52.200000 --> 0:12:56.620000
 But I can only use so many examples
 to make the picture clearer.

0:12:56.620000 --> 0:12:58.460000
 In any case, let's proceed.

0:12:58.460000 --> 0:13:02.560000
 So that brings us to arguably one
 of the most important questions

0:13:02.560000 --> 0:13:06.400000
 of this video. And that is, you
 know, how does a seem work?

0:13:06.400000 --> 0:13:12.980000
 So the basic or the easiest way to understand
 how a SIEM works is to understand

0:13:12.980000 --> 0:13:18.600000
 it in this way. So a SIEM follows a
 log pipeline process with these core

0:13:18.600000 --> 0:13:22.600000
 stages. So number one, obviously
 you start with log collection.

0:13:22.600000 --> 0:13:26.220000
 So the SIEM gathers logs and events
 from across the environment.

0:13:26.220000 --> 0:13:29.740000
 Now, it doesn't matter how they're getting
 into the SIEM or how they're being

0:13:29.740000 --> 0:13:33.340000
 ingested, you know, either it could
 be a push or pull model, you know,

0:13:33.340000 --> 0:13:34.840000
 with agents or without agents.

0:13:34.840000 --> 0:13:35.980000
 It doesn't really matter.

0:13:35.980000 --> 0:13:38.880000
 The bottom line is that it's getting
 logs and events from Windows and

0:13:38.880000 --> 0:13:43.120000
 Linux servers, firewalls, intrusion detection
 systems, intrusion prevention

0:13:43.120000 --> 0:13:47.900000
 systems, applications, endpoints, authentication
 systems, cloud and on

0:13:47.900000 --> 0:13:51.940000
-prem infrastructure from whatever infrastructure
 the organization has,

0:13:51.940000 --> 0:13:55.380000
 devices, you know, applications,
 et cetera.

0:13:55.380000 --> 0:13:58.160000
 You know, it pretty much gets
 all the logs then what?

0:13:58.160000 --> 0:14:01.080000
 So the SIEM gets the logs,
 then what does it do?

0:14:01.080000 --> 0:14:04.660000
 Well, the next step is normalization
 and parsing, right?

0:14:04.660000 --> 0:14:10.560000
 So this is where the SIEM converts the
 raw logs because logs are generally

0:14:10.560000 --> 0:14:13.540000
 speaking raw, unless they're
 pre-formatted.

0:14:13.540000 --> 0:14:19.060000
 If you use a tool like Sysmon or something
 like this, but it converts

0:14:19.060000 --> 0:14:22.260000
 the raw logs into a standardized format.

0:14:22.260000 --> 0:14:27.040000
 And one of the key outcomes of this or
 the processes here is that it extracts

0:14:27.040000 --> 0:14:33.540000
 fields like IP addresses, usernames,
 timestamps, et cetera.

0:14:33.540000 --> 0:14:39.220000
 And then so what comes after normalization
 or parsing and normalization?

0:14:39.220000 --> 0:14:42.820000
 Well, so things have, you know, you've
 got the logs, you're formatted

0:14:42.820000 --> 0:14:46.520000
 them accordingly, you've got the fields
 that you feel or the SIEM feels

0:14:46.520000 --> 0:14:50.940000
 are important for, you know, monitoring
 detection, et cetera.

0:14:50.940000 --> 0:14:52.180000
 What does it do next?

0:14:52.180000 --> 0:14:54.180000
 What should it be able to do next?

0:14:54.180000 --> 0:14:58.080000
 Well, it goes without saying that there
 needs to be aggregation and storage.

0:14:58.080000 --> 0:15:05.540000
 So it stores the logs in indexed databases,
 index databases being a very

0:15:05.540000 --> 0:15:09.440000
 important technology or the process
 of indexing being a very important

0:15:09.440000 --> 0:15:14.680000
 sub process because, you know, if you
 can't index your logs, then, you

0:15:14.680000 --> 0:15:18.620000
 know, you can't actually search for specific
 logs or you can index or search

0:15:18.620000 --> 0:15:23.940000
 for, you know, data within logs,
 you know, so on and so forth.

0:15:23.940000 --> 0:15:27.960000
 So, you know, generally speaking, you
 know, the logs are stored in indexed

0:15:27.960000 --> 0:15:33.220000
 databases. And this consequently allows
 for fast searching, reporting

0:15:33.220000 --> 0:15:38.020000
 and auditing. And so what comes after
 aggregation and storage, correlation

0:15:38.020000 --> 0:15:41.240000
 and detection. So this is
 sort of the core here.

0:15:41.240000 --> 0:15:44.680000
 This is really what we're interested
 in for the most part.

0:15:44.680000 --> 0:15:50.240000
 So this is where the SIEM analyzes patterns
 across multiple systems and

0:15:50.240000 --> 0:15:52.640000
 matches activity against detection rules.


0:15:52.640000 --> 0:15:57.520000
 An example of that would be, let's say,
 activity like a brute force plus

0:15:57.520000 --> 0:16:03.940000
 a suspicious login would essentially
 correlate to an alert.

0:16:03.940000 --> 0:16:08.400000
 So you're essentially correlating different
 types of activity that independently

0:16:08.400000 --> 0:16:12.820000
 would not constitute an alert or
 an incident for that matter.

0:16:12.820000 --> 0:16:16.780000
 So if you see a brute force attack and
 they're all, you know, the brute

0:16:16.780000 --> 0:16:20.540000
 force attack pretty much failed, then,
 you know, does that really constitute

0:16:20.540000 --> 0:16:27.120000
 an alert? Not really, but if there's a brute
 force attack and then a suspicious

0:16:27.120000 --> 0:16:33.280000
 login, which can be defined within a particular
 timeframe, then that generally

0:16:33.280000 --> 0:16:37.220000
 speaking should constitute an alert or
 something that would require additional

0:16:37.220000 --> 0:16:41.520000
 investigation, which is where the tier
 one analyst would come into play.

0:16:41.520000 --> 0:16:44.760000
 And then if required, if, you know, if
 they discover that, hey, you know,

0:16:44.760000 --> 0:16:49.280000
 there's something really fishy going
 on here, it then gets sent to us,

0:16:49.280000 --> 0:16:51.180000
 the incident responder.

0:16:51.180000 --> 0:16:55.460000
 And our job is not
 only analysis, right?

0:16:55.460000 --> 0:16:59.080000
 Because we, you know, to a certain extent,
 which is why I'm covering SIEMs

0:16:59.080000 --> 0:17:03.840000
 and logging, you need to perform log
 analysis to discover or identify

0:17:03.840000 --> 0:17:10.380000
 additional malicious activity, learn
 more about, you know, the root cause,

0:17:10.380000 --> 0:17:11.480000
 so on and so forth.

0:17:11.480000 --> 0:17:16.340000
 So correlation and detection, you then
 have some other, you know, features

0:17:16.340000 --> 0:17:25.180000
 here or components, really processes,
 but features or functionality in,

0:17:25.180000 --> 0:17:27.920000
 you know, in the context
 of how a SIEM works.

0:17:27.920000 --> 0:17:30.560000
 And, you know, you then have
 alerting and dashboard.

0:17:30.560000 --> 0:17:36.780000
 So the SIEM raises alerts when suspicious
 activity is detected and presents,

0:17:36.780000 --> 0:17:40.640000
 it should present or can be configured
 to present visual dashboards for

0:17:40.640000 --> 0:17:43.380000
 SOC analysts to monitor.

0:17:43.380000 --> 0:17:47.840000
 And then of course, search and investigation
 arguably, I wouldn't say

0:17:47.840000 --> 0:17:53.820000
 the most important, but just as important
 as correlation and detection,

0:17:53.820000 --> 0:18:00.460000
 the ability to search or I should say,
 speaking as the slides do or in

0:18:00.460000 --> 0:18:04.560000
 the tone that the slides do, the SIEM
 enables deep dive investigation

0:18:04.560000 --> 0:18:09.960000
 and analysis. And the SIEM supports threat
 hunting and timeline reconstruction,

0:18:09.960000 --> 0:18:15.920000
 all very important for or important
 to the incident response process as

0:18:15.920000 --> 0:18:21.180000
 a whole. So that then leads to the
 other follow up question, which you

0:18:21.180000 --> 0:18:22.520000
 may have asked yourself.

0:18:22.520000 --> 0:18:25.280000
 And that is, you know, what
 exactly is a SIEM used for?

0:18:25.280000 --> 0:18:29.060000
 Because you've said it's used by SOC
 analysts, by incident responders.

0:18:29.060000 --> 0:18:34.620000
 Can I get a, you know, complete idea
 or pictures to what exactly or just

0:18:34.620000 --> 0:18:40.660000
 how much the SIEM, you know, actually caters
 to in terms of security monitoring,

0:18:40.660000 --> 0:18:45.060000
 et cetera. So the first use case, and
 of course, I've tailored this to

0:18:45.060000 --> 0:18:49.620000
 be more incident response specific,
 but you have incident detection.

0:18:49.620000 --> 0:18:52.680000
 So it's used to identify
 threats in real time.

0:18:52.680000 --> 0:18:56.620000
 So examples would be a malware infection,
 privilege abuse, C2 activity,

0:18:56.620000 --> 0:19:00.580000
 et cetera. The other use
 case is for log analysis.

0:19:00.580000 --> 0:19:04.200000
 So centralized analysis of logs
 from disparate systems.

0:19:04.200000 --> 0:19:10.180000
 So, you know, different systems that,
 you know, are varied in terms of

0:19:10.180000 --> 0:19:14.420000
 where they are, the operating system
 they use, so on and so forth.

0:19:14.420000 --> 0:19:16.460000
 That's what disparate
 means in this context.

0:19:16.460000 --> 0:19:17.760000
 And then alerting.

0:19:17.760000 --> 0:19:23.800000
 So, you know, the SIEM notifies analysts
 of high risk events or rule matches

0:19:23.800000 --> 0:19:26.800000
 alerts, as it were. Threat hunting.

0:19:26.800000 --> 0:19:32.420000
 So the SIEM enables proactive searches
 for indicators of compromise, IOCs.

0:19:32.420000 --> 0:19:36.900000
 That's what a SIEM can be used for, or
 should be, you know, a SIEM should

0:19:36.900000 --> 0:19:39.600000
 be able to provide you with
 these capabilities.

0:19:39.600000 --> 0:19:41.380000
 You also have compliance and auditing.

0:19:41.380000 --> 0:19:46.320000
 So it stores logs and proves security
 control effectiveness.

0:19:46.320000 --> 0:19:49.840000
 So think of PCI DSS, HIPAA, et cetera.

0:19:49.840000 --> 0:19:54.840000
 And forensic investigations: reconstructs
 events post-incident.

0:19:54.840000 --> 0:19:56.900000
 So I've sort of summarized it here.

0:19:56.900000 --> 0:20:01.880000
 I've not gone too deep into the detail
 because if this is your first time

0:20:01.880000 --> 0:20:07.760000
 using a SIEM, then, you know, I'll pretty
 much be addressing that in the

0:20:07.760000 --> 0:20:08.820000
 form of lab demonstrations.

0:20:08.820000 --> 0:20:12.960000
 And you'll get your fair share of experience
 with a SIEM to understand

0:20:12.960000 --> 0:20:18.180000
 all of these aspects with regards
 to, you know, how a SIEM works.

0:20:18.180000 --> 0:20:21.800000
 So, you know, in the previous video, we
 took a look at some of these search

0:20:21.800000 --> 0:20:26.760000
 and investigation capabilities by, you
 know, constructing our own searches.

0:20:26.760000 --> 0:20:31.060000
 We took a look at, you know, the process
 of log collection, normalization

0:20:31.060000 --> 0:20:34.780000
 and parsing. So you actually, you know,
 starting to get familiarized with

0:20:34.780000 --> 0:20:38.820000
 this in a practical sense.

0:20:38.820000 --> 0:20:44.860000
 So that brings us to the final question,
 which is why are SIEMs critical

0:20:44.860000 --> 0:20:48.620000
 for incident responders or why, you may
 have asked yourself

0:20:48.620000 --> 0:20:52.020000
 this question as you went into this course
 or into this particular section

0:20:52.020000 --> 0:20:56.440000
 is why are you introducing
 us or me to SIEMs?

0:20:56.440000 --> 0:21:00.200000
 Well, a SIEM is often the primary tool
 used by incident responders and

0:21:00.200000 --> 0:21:03.560000
 SOC analysts. And it provides
 centralized visibility.

0:21:03.560000 --> 0:21:07.340000
 So what that means is that all
 logs in one place, typically.

0:21:07.340000 --> 0:21:12.940000
 Secondly, quite important, very important
 is cross-system correlation.

0:21:12.940000 --> 0:21:18.200000
 So, example is login plus file access,
 plus external connection, you know,

0:21:18.200000 --> 0:21:19.940000
 things like that.

0:21:19.940000 --> 0:21:21.800000
 Secondly, fast detection.

0:21:21.800000 --> 0:21:25.340000
 So real-time alerts reduce
 the time to detect.

0:21:25.340000 --> 0:21:31.000000
 So that's, you know, typically
 called or referred to as MTTD.

0:21:31.000000 --> 0:21:36.740000
 Triage queues help prioritize incidents, you
 know, so very, very important there.

0:21:36.740000 --> 0:21:41.260000
 Contextual awareness, so SIEMs provide
 enriched alerts that, you know,

0:21:41.260000 --> 0:21:45.400000
 that include context, context being
 the user, system, location, threat

0:21:45.400000 --> 0:21:49.920000
 type, et cetera.

0:21:49.920000 --> 0:21:51.140000
 So, you know, you can
 also have an attack.

0:21:51.140000 --> 0:21:53.920000
 You also have investigation and response.


0:21:53.920000 --> 0:21:59.280000
 So SIEMs provide timeline views, the
 ability to view and analyze raw logs

0:21:59.280000 --> 0:22:02.460000
 and, of course, pivoting across data.

0:22:02.460000 --> 0:22:05.420000
 And generally speaking, I should have
 put this in the beginning of this

0:22:05.420000 --> 0:22:12.640000
 video. How or why is this important to
 us or why is this SIEM so important

0:22:12.640000 --> 0:22:16.620000
 for you to understand, not only in terms
 of how it works, but how to use

0:22:16.620000 --> 0:22:22.180000
 one. As an incident responder, it
 helps answer the following questions.

0:22:22.180000 --> 0:22:25.200000
 What happened? So root cause.
 Who was affected?

0:22:25.200000 --> 0:22:28.780000
 So the scope of the incident, if any.

0:22:28.780000 --> 0:22:33.420000
 And I mentioned root cause, what happened,
 generally speaking, which can

0:22:33.420000 --> 0:22:36.640000
 lead into the timeline,
 so on and so forth.

0:22:36.640000 --> 0:22:38.640000
 So that's going to be it for this video.

0:22:38.640000 --> 0:22:40.800000
 And I will be seeing you
 in the next video.

