Contents

1. What is SIEM
2. SIEM system architecture
3. Types of SIEM rules
4. Correlation rules
5. Threat detection rules
6. Compliance and audit rules
7. Splunk queries
8. ELK Stack queries
9. Microsoft Sentinel queries
10. IBM QRadar queries
11. Rules for Zero Trust
12. Cloud environment monitoring
13. Automation and orchestration
14. Frequently asked questions
15. Conclusion

What is SIEM


SIEM (Security Information and Event Management) is a comprehensive platform for collecting, analysing and correlating security events from a variety of sources. SIEM systems provide real-time monitoring, threat detection and compliance reporting.

Core SIEM components


- Data Collection - collecting logs and events
- Normalization - standardising data formats
- Correlation - analysing relationships between events
- Alerting - generating alerts
- Reporting - reports and dashboards
- Forensics - incident analysis

Popular SIEM systems


#### Enterprise SIEM
- Splunk Enterprise Security
- IBM QRadar
- Microsoft Sentinel
- RSA NetWitness
- LogRhythm

#### Open Source SIEM
- ELK Stack (Elasticsearch, Logstash, Kibana)
- OSSIM (Open Source Security Information Management)
- Prelude SIEM
- Wazuh

SIEM evolution in 2026


#### XDR Integration
- Extended Detection and Response
- Cross-platform correlation
- Behavioral analytics

#### AI/ML Integration
- Machine learning for anomaly detection
- Predictive analytics
- Automated threat hunting

#### Cloud-Native SIEM
- Serverless architecture
- Auto-scaling
- Multi-cloud support



SIEM system architecture


Components of a modern SIEM


#### Data Ingestion Layer
- Agents and collectors - collecting data from sources
- API integrations - connecting cloud services
- Log shippers - Filebeat, Logstash, Fluentd
- Streaming ingestion - Kafka, RabbitMQ

#### Processing Layer
- Data parsing - extracting fields from logs
- Normalization - converting to a common format
- Enrichment - adding context (geolocation, threat intelligence)
- Filtering - dropping noise events

#### Storage Layer
- Time-series databases - InfluxDB, Prometheus
- Search engines - Elasticsearch, Splunk index
- Data lakes - Hadoop, S3
- Caching - Redis, Memcached

#### Analytics Layer
- Correlation engine - relationship analysis
- Machine learning - anomaly detection
- Rule engine - signature processing
- Statistical analysis - baseline monitoring

Deployment Models


#### On-Premises
- Full control over data
- Custom integrations
- Legacy system support

#### Cloud SIEM
- SaaS model
- Auto-scaling
- Global coverage

#### Hybrid
- On-prem for sensitive data
- Cloud for scalability
- Best of both worlds



Types of SIEM rules


By purpose


#### Detection Rules
- Signature-based - matching known patterns
- Anomaly-based - deviations from baseline
- Behavioral - suspicious behaviour
- Indicator-based - IOC matching

#### Correlation Rules
- Multi-event correlation - linking related events
- Temporal correlation - analysing time sequences
- Spatial correlation - geographic analysis
- Contextual correlation - taking business context into account

#### Compliance Rules
- PCI DSS monitoring
- GDPR compliance
- HIPAA requirements
- SOX controls

By complexity


#### Simple Rules
- Single event triggers
- Threshold-based alerts
- Basic pattern matching

#### Complex Rules
- Multi-stage correlation
- Statistical analysis
- ML-based detection

#### Composite Rules
- Rule chains
- Conditional logic
- Risk scoring



Correlation rules


Multi-Event Correlation


#### Brute Force Attack Detection
```text
Rule: Failed Login + Successful Login from same IP
Time Window: 10 minutes
Threshold: 5+ failed attempts followed by success
```
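The brute-force rule above, implemented as a windowed correlation over constructed authentication log lines. This is an added example, not part of the original cheat sheet; the `action=failed` / `action=success` log format is an assumption.

```python
"""Windowed brute-force correlation: N+ failed logins from one source IP
followed by a success from the same IP within the time window.
Added example, not from the original cheat sheet; log format is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = """\
2026-03-01T09:00:05Z auth action=failed user=alice src_ip=203.0.113.7
2026-03-01T09:00:09Z auth action=failed user=alice src_ip=203.0.113.7
2026-03-01T09:00:14Z auth action=failed user=bob src_ip=203.0.113.7
2026-03-01T09:00:20Z auth action=failed user=alice src_ip=203.0.113.7
2026-03-01T09:00:27Z auth action=failed user=alice src_ip=203.0.113.7
2026-03-01T09:03:41Z auth action=success user=alice src_ip=203.0.113.7
2026-03-01T10:00:00Z auth action=failed user=dave src_ip=192.0.2.9
2026-03-01T10:00:10Z auth action=failed user=dave src_ip=192.0.2.9
2026-03-01T10:00:20Z auth action=failed user=dave src_ip=192.0.2.9
2026-03-01T10:00:30Z auth action=failed user=dave src_ip=192.0.2.9
2026-03-01T10:00:40Z auth action=failed user=dave src_ip=192.0.2.9
2026-03-01T10:20:00Z auth action=success user=dave src_ip=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth action=(?P<action>\w+) user=(?P<user>\S+) src_ip=(?P<ip>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, action, user, src_ip) tuples in log order."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped rather than crashing the detector
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["action"], m["user"], m["ip"]

def correlate_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Alert on each success preceded by >= threshold failures from the same
    src_ip inside the window; failures older than the window are evicted first."""
    failures = defaultdict(deque)  # src_ip -> deque of (ts, user)
    alerts = []
    for ts, action, user, ip in parse(log_text):
        q = failures[ip]
        while q and ts - q[0][0] > window:
            q.popleft()
        if action == "failed":
            q.append((ts, user))
        elif action == "success" and len(q) >= threshold:
            alerts.append({"src_ip": ip, "user": user, "failed_attempts": len(q),
                           "targeted_users": sorted({u for _, u in q}),
                           "success_at": ts.isoformat()})
            q.clear()  # one alert per burst
    return alerts

if __name__ == "__main__":
    for a in correlate_bruteforce(SAMPLE_LOG):
        print(a)
```

The second burst (user dave) has five failures but the success arrives 20 minutes later, outside the window, so it does not alert.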


#### Privilege Escalation
```text
Rule: User login + privilege change + suspicious activity
Sequence: Login → sudo/su → file access
Time Window: 5 minutes
```


#### Lateral Movement
```text
Rule: RDP login + network scan + file access
Pattern: External IP → Internal system → Sensitive files
Risk Score: High
```


Temporal Correlation


#### Time-Based Patterns
```text
Rule: Login outside business hours + large data transfer
Condition: Time > 18:00 OR Time < 06:00
AND Data size > 100MB
```


#### Frequency Analysis
```text
Rule: Multiple VPN connections from single user
Threshold: 3+ concurrent sessions
Time Window: 1 hour
```


#### Sequence Detection
```text
Rule: Malware download → AV disabled → data exfiltration
Chain: HTTP download → Service stop → FTP upload
Time Window: 30 minutes
```


Contextual Correlation


#### User Behavior Analysis
```text
Rule: Executive login + access to HR database
Context: User role ≠ HR/Admin
Risk Level: Critical
```


#### Geographic Anomalies
```text
Rule: Login from unusual country + large transaction
Baseline: User's typical locations
Threshold: 2+ standard deviations
```


#### Device Correlation
```text
Rule: New device + failed authentication attempts
Pattern: Unknown MAC + 3+ failed logins
Action: Device quarantine
```




Threat detection rules


Malware Detection


#### Ransomware Indicators
1. File encryption patterns
- Mass file renames with extensions (.encrypted, .locked)
- Cryptographic API calls
- Ransom note creation

2. Ransomware behavior
- Network beaconing to C2 servers
- Self-propagation attempts
- Anti-forensic actions

3. Ransomware prevention
- Unusual encryption operations
- Shadow copy deletion
- MBR/VBR modifications

#### Virus/Trojan Detection
4. Suspicious process creation
- Parent-child relationship anomalies
- Unsigned executable execution
- Injection into legitimate processes

5. Command and control
- DNS tunneling
- HTTP/S beaconing patterns
- Unusual protocol usage

6. Persistence mechanisms
- Registry modifications
- Scheduled task creation
- Service installation

Network Threats


#### DDoS Attack Detection
7. Volume-based attacks
- SYN flood detection
- UDP flood monitoring
- ICMP flood alerts

8. Application layer attacks
- HTTP flood patterns
- Slowloris detection
- RUDY attack monitoring

9. Amplification attacks
- DNS amplification
- NTP amplification
- SSDP amplification

#### Man-in-the-Middle Attacks
10. ARP poisoning detection
- Gratuitous ARP monitoring
- ARP table inconsistencies
- Duplicate MAC addresses

11. DNS spoofing
- DNS response anomalies
- TTL manipulation
- Authoritative server spoofing

12. SSL/TLS interception
- Certificate mismatch alerts
- Unusual certificate authorities
- SSL handshake anomalies

Authentication Threats


#### Brute Force Attacks
13. Password spraying
- Multiple users, single password
- Time-based distribution
- Account lockout monitoring

14. Credential stuffing
- Breached password usage
- Cross-site password attempts
- Account takeover patterns

15. Password brute force
- Sequential attempt patterns
- Dictionary attack detection
- Rainbow table usage indicators

#### Account Compromise
16. Impossible travel
- Geographic login anomalies
- Time-distance calculations
- VPN/proxy usage patterns

17. Suspicious session activity
- Multiple concurrent sessions
- Unusual login times
- Privilege escalation attempts

18. Token theft indicators
- API key misuse
- Session hijacking patterns
- Cookie manipulation



Compliance and audit rules


PCI DSS Monitoring


#### Card Data Protection
19. PAN detection
- Credit card number patterns in logs
- Unencrypted card data transmission
- Card data storage violations

20. Access controls
- Privileged user activity monitoring
- Database access logging
- File system permission changes

21. Network segmentation
- CDE boundary violations
- Unauthorized network access
- Firewall rule changes
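PAN detection in logs (item 19 above), as an added example that is not part of the original cheat sheet: a candidate regex plus Luhn validation over constructed log lines, with masking so that the alert itself does not become a card-data exposure.

```python
"""PAN (card number) detection in log lines for PCI DSS monitoring: candidate
digit runs are validated with the Luhn checksum to cut false positives from
order ids, timestamps and phone numbers, then masked so the alert itself does
not leak the PAN. Added example, not from the original cheat sheet; the log
lines are constructed and the card numbers are well-known test numbers."""
import re

# 13-19 digits, optionally separated by single spaces or dashes
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits):
    """Standard Luhn mod-10 check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """Keep first 6 and last 4 (the PCI DSS display maximum); mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(line):
    """Return masked PANs found in one log line; non-Luhn digit runs are ignored."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found

def scan_log(log_text):
    """Return (line_number, masked_pan) for every hit in a multi-line log."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for masked in find_pans(line):
            hits.append((n, masked))
    return hits

# Constructed log excerpt: 4111111111111111 and 5500 0000 0000 0004 are test
# numbers that pass Luhn; the order id and 1234567890123456 fail it; the epoch
# timestamp and phone number are too short to be candidates.
SAMPLE_LOG = """\
2026-03-01T10:00:00Z app order_id=7788990011223344 status=ok
2026-03-01T10:00:01Z payment card=4111111111111111 amount=19.99
2026-03-01T10:00:02Z payment card=5500 0000 0000 0004 amount=5.00
2026-03-01T10:00:03Z debug value=1234567890123456 epoch=1772359203
2026-03-01T10:00:04Z sms to=+1-415-555-0100 sent
"""

if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: PAN detected {masked}")
```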

GDPR Compliance


#### Data Subject Rights
22. Access requests
- SAR (Subject Access Request) logging
- Data export activities
- Consent management

23. Data breaches
- PII exposure incidents
- Encryption failures
- Data loss events

24. Processing activities
- Consent verification
- Data minimization violations
- Retention policy breaches

HIPAA Compliance


#### Protected Health Information
25. PHI access monitoring
- Medical record access logging
- PHI transmission controls
- Audit log integrity

26. Security incident tracking
- Healthcare data breaches
- Incident response logging
- Breach notification compliance

27. Access controls
- Role-based access verification
- Emergency access logging
- Authentication failures



Splunk queries


Basic Search Queries


#### Authentication Monitoring
28. `index=security sourcetype=authentication action=failed | stats count by user, src_ip`
- Failed login attempts by user and IP

29. `index=security sourcetype=authentication action=success | timechart count by user`
- Successful authentications over time

30. `index=security sourcetype=authentication | where action="success" AND isnull(src_ip) | table user, timestamp`
- Local authentications (potential bypass)

#### Network Monitoring
31. `index=network sourcetype=firewall action=blocked | stats count by src_ip, dest_ip`
- Blocked connections by source and destination

32. `index=network sourcetype=ids signature=* | stats count by signature, src_ip`
- IDS signature hits

33. `index=network sourcetype=proxy | where http_status_code>=400 | stats count by url, user`
- HTTP error responses

Advanced Correlation


#### Threat Hunting
34. `index=* sourcetype=authentication action=failed | bin _time span=10m | stats count by _time, user | where count > 5`
- Brute force attempts (5+ failures in 10 minutes)

35. `index=endpoint sourcetype=antivirus threat=* | join type=outer user [search index=authentication sourcetype=authentication action=success] | table user, threat, timestamp`
- Malware infections correlated with logins

36. `index=network sourcetype=firewall | where dest_port=3389 OR dest_port=22 | stats count by src_ip | where count > 100`
- Potential RDP/SSH brute force

#### Compliance Queries
37. `index=security sourcetype=authentication | where action="success" AND date_hour > 18 OR date_hour <`



ELK Stack queries


Elasticsearch Queries


#### Kibana Discover Queries
40. Failed Authentications
```json
{
  "query": {
    "bool": {
      "must": [
        {"match": {"event.action": "failed_login"}},
        {"range": {"@timestamp": {"gte": "now-1h"}}}
      ]
    }
  }
}
```


41. Suspicious Network Traffic
```json
{
  "query": {
    "bool": {
      "should": [
        {"match": {"destination.port": 3389}},
        {"match": {"destination.port": 22}}
      ],
      "minimum_should_match": 1,
      "filter": {
        "range": {"@timestamp": {"gte": "now-24h"}}
      }
    }
  }
}
```


42. Malware Detection
```json
{
  "query": {
    "bool": {
      "must": [
        {"match": {"event.category": "malware"}},
        {"match": {"event.outcome": "success"}}
      ]
    }
  }
}
```


Logstash Filters


#### Data Enrichment
43. GeoIP Enrichment
```text
filter {
  geoip {
    source => "client_ip"
    target => "geoip"
  }
}
```


44. Threat Intelligence Lookup
```text
filter {
  http {
    url => "https://api.threatintelligence.com/lookup"
    verb => "POST"
    body_format => "json"
    body => { "ip" => "%{client_ip}" }
    target_body => "threat_data"
  }
}
```


Kibana Visualizations


#### Dashboard Queries
45. Security Events Timeline
```json
{
  "aggs": {
    "events_over_time": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "1h"
      }
    }
  }
}
```


46. Top Attacking IPs
```json
{
  "aggs": {
    "top_ips": {
      "terms": {
        "field": "source.ip",
        "size": 10
      }
    }
  }
}
```




Microsoft Sentinel queries


KQL Queries


#### Azure AD Monitoring
47. Failed Login Attempts
```kusto
SigninLogs
| where ResultType == "50126" or ResultType == "50053"
| where TimeGenerated > ago(1h)
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| where FailedAttempts > 5
```


48. Impossible Travel
```kusto
SigninLogs
| where ResultType == "0"
| project TimeGenerated, UserPrincipalName, Location, IPAddress
| sort by UserPrincipalName asc, TimeGenerated asc
| extend NextUser = next(UserPrincipalName, 1), NextLocation = next(Location, 1)
| extend TimeDiff = datetime_diff('minute', next(TimeGenerated, 1), TimeGenerated)
| where NextUser == UserPrincipalName and TimeDiff < 60 and Location != NextLocation
```


49. Privileged Role Changes
```kusto
AuditLogs
| where OperationName == "Add member to role" or OperationName == "Remove member from role"
| where TargetResources contains "Global Administrator" or TargetResources contains "Security Administrator"
| project TimeGenerated, OperationName, InitiatedBy, TargetResources
```
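The impossible-travel query above only compares location names. As an added example (not from the original cheat sheet), the same logic in Python generalised to a distance-over-time check: sign-ins are grouped per user so the comparison never crosses user boundaries, and the implied speed is tested against an assumed 900 km/h ceiling. The sign-in records and coordinates are constructed.

```python
"""Impossible-travel detection over sign-in records: two successful sign-ins
by the same user whose implied ground speed exceeds what travel allows.
Added example (not from the original cheat sheet); records and coordinates
are constructed, and the 900 km/h ceiling is an assumption."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0  # about airliner speed; faster than this is impossible travel

# Constructed sign-ins: (timestamp, user, city, lat, lon); successes only.
SAMPLE_SIGNINS = [
    ("2026-03-01T08:00:00Z", "alice@example.com", "Berlin", 52.52, 13.405),
    ("2026-03-01T08:45:00Z", "alice@example.com", "Berlin", 52.53, 13.41),
    ("2026-03-01T09:10:00Z", "alice@example.com", "Singapore", 1.352, 103.82),
    ("2026-03-01T07:00:00Z", "bob@example.com", "Paris", 48.857, 2.352),
    ("2026-03-01T19:00:00Z", "bob@example.com", "New York", 40.713, -74.006),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(signins, max_speed_kmh=MAX_SPEED_KMH):
    """Return alerts for consecutive sign-ins of one user that imply a speed
    above max_speed_kmh. Records are grouped per user and sorted by time, so
    the comparison never crosses user boundaries (the pitfall of a global next())."""
    by_user = {}
    for ts, user, city, lat, lon in signins:
        by_user.setdefault(user, []).append(
            (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), city, lat, lon))
    alerts = []
    for user, recs in by_user.items():
        recs.sort()
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(recs, recs[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist < 1.0:  # same-place re-authentication: nothing to compare
                continue
            speed = dist / hours if hours > 0 else float("inf")  # simultaneous = impossible
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": c1, "to": c2, "km": round(dist),
                               "hours": round(hours, 2), "kmh": round(speed)})
    return alerts

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_SIGNINS):
        print(a)
```

Bob's Paris to New York hop in twelve hours stays under the ceiling and produces no alert; only Alice's Berlin to Singapore sign-in 25 minutes later fires.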


Azure Resource Monitoring

50. VM Security Events
```kusto
AzureActivity
| where OperationNameValue contains "Microsoft.Compute/virtualMachines"
| where ActivityStatusValue == "Failed"
| summarize count() by Resource, Caller
```


51. Storage Account Access
```kusto
StorageBlobLogs
| where OperationName == "GetBlob" or OperationName == "PutBlob"
| where StatusText != "Success"
| summarize count() by AccountName, CallerIPAddress
```




IBM QRadar queries


AQL Queries


#### Network Threat Detection
52. Port Scan Detection
```sql
SELECT sourceip, destinationip, COUNT(*) AS attempts
FROM events
WHERE QIDNAME(qid) ILIKE '%port scan%'
GROUP BY sourceip, destinationip
HAVING COUNT(*) > 100
```


53. Brute Force Detection
```sql
SELECT username, sourceip, COUNT(*) AS failed_attempts
FROM events
WHERE QIDNAME(qid) = 'Authentication Failure'
GROUP BY username, sourceip
HAVING COUNT(*) > 10
LAST 1 HOURS
```


54. Data Exfiltration
```sql
SELECT sourceip, destinationip, SUM(sourcebytes) AS total_bytes
FROM flows
GROUP BY sourceip, destinationip
HAVING SUM(sourcebytes) > 100000000
LAST 1 HOURS
```


Rules Creation


#### Custom Rules
55. Suspicious File Access
```text
Rule: File Access Anomaly
Condition: SELECT * FROM events
WHERE filename IN ('/etc/passwd', '/etc/shadow', 'system32/config/SAM')
AND username NOT IN ('admin', 'system')
```


56. Lateral Movement Detection
```text
Rule: Lateral Movement
Condition: SELECT * FROM events e1
JOIN events e2 ON e1.sourceip = e2.destinationip
WHERE e1.eventname = 'Successful Login'
AND e2.eventname = 'Network Scan'
AND TIMESTAMPDIFF(MINUTE, e1.starttime, e2.starttime) < 30
```




Rules for Zero Trust


Identity Verification


#### Continuous Authentication
57. Device Health Checks
- OS version validation
- Antivirus status verification
- Patch level assessment
- Encryption status monitoring

58. Behavioral Biometrics
- Keystroke pattern analysis
- Mouse movement tracking
- Session duration monitoring
- Location consistency checks

59. Risk-Based Authentication
- Login time analysis
- Device fingerprinting
- Network location assessment
- Transaction amount monitoring

Network Access Control


#### Micro-Segmentation
60. East-West Traffic Monitoring
- Internal traffic pattern analysis
- Lateral movement detection
- Service dependency mapping
- Anomaly detection

61. Application Access Control
- API call monitoring
- Database access logging
- File system access control
- Privilege escalation detection

Data Protection


#### Data Loss Prevention
62. Sensitive Data Monitoring
- PII detection in transit
- Financial data monitoring
- Intellectual property tracking
- Encryption enforcement

63. Data Classification
- Automatic data labeling
- Access policy enforcement
- Usage monitoring
- Audit trail generation



Cloud environment monitoring


AWS Monitoring


#### CloudTrail Analysis
64. IAM Policy Changes
```sql
SELECT eventname, useridentity, eventtime
FROM cloudtrail_logs
WHERE eventname LIKE '%Policy%'
  AND useridentity NOT IN ('admin_users')
```


65. S3 Bucket Access
```sql
SELECT bucket, remoteip, key, operation
FROM s3_access_logs
WHERE operation = 'REST.GET.OBJECT'
  AND remoteip NOT IN ('trusted_ips')
```


66. EC2 Security Groups
```sql
-- Parentheses are required: without them "AND port = 22 OR port = 3389"
-- matches every row where port = 3389 regardless of the change type.
SELECT instanceid, securitygroup, change
FROM ec2_security_group_changes
WHERE change = 'AuthorizeSecurityGroupIngress'
  AND (port = 22 OR port = 3389)
```


Azure Monitoring


#### Azure AD Logs
67. Conditional Access Policy Violations
```kusto
SigninLogs
| where OperationName == "Sign-in activity"
| where ResultType != "0"
| where ConditionalAccessStatus == "failure"
```


68. Resource Access Monitoring
```kusto
AzureActivity
| where OperationNameValue contains "Microsoft.Storage"
| where ActivityStatusValue == "Failed"
| summarize count() by Caller, Resource
```


GCP Monitoring


#### Stackdriver Queries
69. VPC Flow Logs
```sql
SELECT
  jsonPayload.connection.src_ip,
  jsonPayload.connection.dest_ip,
  jsonPayload.bytes_sent
FROM `gcp_logs.vpc_flow`
WHERE jsonPayload.connection.dest_port = 22
  AND jsonPayload.bytes_sent > 1000000
```


70. IAM Policy Changes
```sql
SELECT
  timestamp,
  resource.labels.project_id,
  protoPayload.methodName
FROM `gcp_logs.audit`
WHERE protoPayload.methodName LIKE '%SetIamPolicy%'
```




Automation and orchestration


SOAR Integration


#### Automated Response
71. Malware Containment
- Isolate infected host
- Block malicious IP
- Disable compromised account
- Generate incident ticket

72. DDoS Mitigation
- Enable rate limiting
- Block attacking IPs
- Scale infrastructure
- Notify DDoS protection service

73. Data Breach Response
- Encrypt affected data
- Notify affected users
- Generate compliance reports
- Initiate forensic investigation

Workflow Automation


#### Incident Response Playbooks
74. Phishing Incident
1. Quarantine email
2. Reset user password
3. Scan for malware
4. Train user on security
5. Report to management

75. Ransomware Response
1. Isolate affected systems
2. Assess backup integrity
3. Contact law enforcement
4. Restore from clean backups
5. Implement prevention measures

76. Privilege Escalation
1. Revoke elevated privileges
2. Audit recent activity
3. Change affected credentials
4. Review access controls
5. Implement least privilege



Frequently asked questions


SIEM basics

What is SIEM?
Security Information and Event Management is a platform for centralised monitoring and analysis of security events.

Why is a SIEM needed?
For real-time threat detection, compliance monitoring and incident response.

What data does a SIEM collect?
Logs from servers, network devices, applications, authentication systems, antivirus products and so on.

How does SIEM differ from SIEM?
SIEM focuses on events; SIEM adds management and automation.

Choosing a SIEM

How do you choose a SIEM system?
Consider the size of the organisation, budget, existing systems, compliance requirements and the team's skills.

Which SIEM is best for beginners?
Splunk, for its intuitive interface, or ELK Stack as an open source solution.

How much does a SIEM cost?
From $10,000/year for small businesses to millions for enterprise solutions.

Does a small business need a SIEM?
Yes, if it holds sensitive data or has compliance requirements.

Rules and correlation

How do you write effective rules?
Start with known threats, use a baseline, test for false positives, and update regularly.

What are false positives and false negatives?
A false positive is a spurious alert; a false negative is a missed threat.

How do you avoid alert fatigue?
Tune rules, use risk scoring, and implement alert prioritisation.

Can AI be used in a SIEM?
Yes, for anomaly detection, predictive analytics and automated response.

Compliance and reporting

Which standards does a SIEM support?
PCI DSS, HIPAA, GDPR, SOX, NIST, ISO 27001.

How does a SIEM help with compliance?
Automatic evidence collection, audit trails, reporting, and alerting on violations.

Is a SIEM required for GDPR?
Not mandatory, but it greatly simplifies compliance monitoring.

How do you generate compliance reports?
Use the built-in dashboards or create custom reports.



Conclusion


SIEM rules in 2026 have evolved from simple signatures to complex AI-powered threat detection systems. This cheat sheet contains more than 76 ready-made rules and queries for the major SIEM platforms.

Key SIEM trends for 2026:


1. AI-First Approach - machine learning for threat detection
2. Cloud-Native Architecture - scalability and flexibility
3. XDR Integration - extended detection and response
4. Zero Trust Implementation - continuous verification
5. Automated Response - SOAR integration

Implementation recommendations:


- Start small - a pilot project on a single system
- Define use cases - focus on the most critical threats
- Test rules - validate against false positives
- Train the team - regular threat hunting training
- Integrate with SOAR - automate response processes

Best practices:


- Update rules regularly for new threats
- Use threat intelligence feeds
- Monitor performance and scalability
- Run regular security assessments
- Document all changes and incidents

SIEM is not just a tool but a comprehensive platform for modern cybersecurity. Properly tuned rules can significantly raise an organisation's level of protection.

---

**⚠️ Disclaimer:** This article is informational and educational in nature and contains no instructions for committing unlawful acts.