CCNA CyberOps SECOPS – Objective 4.2


Interpret common data values into a universal format

Implementing Cisco Cybersecurity Operations (210-255)

For this objective, I would suggest using Security Onion to collect some data from a firewall and an IPS. Within the Security Onion stack is a tool called ELSA, an open-source SIEM. It takes the logs and puts them into a normalized format, which allows disparate log types to be analyzed together.

As you can see in the screenshot below, the normalized form parses the data into fields. The fields use the same names across all log types, which allows correlation of events from different sources that contain the same fields.

A screenshot of ELSA. The screenshot shows how plain-text log lines are parsed and put into a normalized form with defined fields.
Image from https://www.syslog-ng.com/community/b/blog/posts/elsa-web-interface-for-syslog-ng-and-patterndb
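As an added illustration (not code from the original post or from ELSA itself), the Python script below normalizes two constructed log lines, a firewall event in key=value form and a Snort-style IPS alert, into one common set of field names and then correlates them on the shared 5-tuple. The log formats, host names and field names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not captured from a real device): a key=value style firewall syslog line and a Snort-style IPS "fast" alert.
RAW_EVENTS = [
    "Jul 10 14:03:11 fw01 firewall: action=allow proto=tcp "
    "src=10.0.0.5 spt=51234 dst=203.0.113.9 dpt=443 rule=outbound-web",
    "07/10-14:03:12.456789  [**] [1:1000001:1] Constructed test alert [**] "
    "[Priority: 2] {TCP} 10.0.0.5:51234 -> 203.0.113.9:443",
]

FW_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ firewall: (?P<kv>.*)$")
IPS_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\] .*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)$")

def parse_firewall(line):
    """Map the vendor's key=value names onto the universal field names."""
    if not (m := FW_RE.match(line)):
        return None
    kv = dict(pair.split("=", 1) for pair in m.group("kv").split())
    return {"source": "firewall", "timestamp": m.group("ts"), "proto": kv["proto"].upper(),
            "src_ip": kv["src"], "src_port": int(kv["spt"]), "dst_ip": kv["dst"],
            "dst_port": int(kv["dpt"]), "action": kv.get("action"), "signature": kv.get("rule")}

def parse_ips(line):
    """Same universal field names, filled from the positional alert format."""
    if not (m := IPS_RE.match(line)):
        return None
    g = m.groupdict()
    return {"source": "ips", "timestamp": g["ts"], "proto": g["proto"].upper(),
            "src_ip": g["src"], "src_port": int(g["spt"]), "dst_ip": g["dst"],
            "dst_port": int(g["dpt"]), "action": "alert", "signature": f'{g["sid"]} {g["msg"]}'}

def normalize(lines):
    """Run each line through every parser; unmatched lines are kept as 'unparsed' so nothing is silently dropped."""
    events = []
    for line in lines:
        event = next(filter(None, (p(line) for p in (parse_firewall, parse_ips))), None)
        events.append(event or {"source": "unparsed", "raw": line})
    return events

def correlate(events):
    """Group normalized events from every source by the shared 5-tuple."""
    groups = defaultdict(list)
    for e in events:
        if "src_ip" in e:
            key = (e["src_ip"], e["src_port"], e["dst_ip"], e["dst_port"], e["proto"])
            groups[key].append(e["source"])
    return dict(groups)
```

Because both parsers emit the same field names, the firewall permit and the IPS alert for the same connection land in one correlation group, which is the kind of cross-source query ELSA's normalization makes possible.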

Other tools, such as QRadar and Splunk, perform similar normalization so that analysts can make sense of the mountain of data that devices produce.