Incident response

How to Use AlientVault SIEM for Threat Detection & Incident Response

March 21, 2018 by

Malware comes via attachments, malvertising, man-in-the-middle, man-in-the-browser, social engineering and countless other vectors. Even the most stringent of binary whitelisting can be quickly rendered ineffective by a compromised application, server update or exploits in otherwise legitimate software. Endpoint protection factors in as well, but there will always be occasions where malware has evolved to a new hash and your product's heuristics just happen to miss it.

Such situations demonstrate the deficiencies of reactive quarantining from an incident response perspective. No person nor piece of software can reliably predict what will be relevant to an investigation and what should be retained. However, it is possible to avoid reliance on such predictions by proactively retaining everything that could be relevant.

Learn Incident Response

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

What Does AlientVault SIEM Do?

AlientVault SIEM is an all-in all-in-one platform designed to provide and guarantee complete defense to the enterprise against current security threats. Different security aspects provided by the SIEM include:

  • Asset discovery:
    Finds all assets on your network. This is done via active network scanning, passive network monitoring, asset inventory and software inventory.
  • Vulnerability assessment: Helps identify system vulnerabilities on your network via network vulnerability testing and continuous vulnerability monitoring.
  • Intrusion detection: Detects malicious traffic on your network via network IDS, host IDS, file integrity checks and file monitoring.
  • Behavioral monitoring:
    Discovers suspicious behavior and potentially compromised systems via netflow analysis, service availability monitoring and full packet capture.
  • Multiple security functions in a single console:
    Correlates and analyzes security event data from across your network via log management, event correlation, incident response and reporting.

What Benefits Does AlientVault Provide?

With the functionalities available through AlienVault, you can easily analyze potential threat vectors and the impacts they may have on on your business. This is illustrated in the screenshot below:

Each alarm provides detailed and customized instructions on how to investigate and respond to malicious activity.

Customizable executive dashboards provide overviews and click-through details about your security and compliance posture.

Dashboards provide everything you need to know about an asset for incident investigation and response.

Automated asset discovery provides granular details on all devices in your network

Targeted guidance eliminates the guesswork associated with integrating data sources and provides precise suggestions for improving visibility.

Built-in network flow analysis provides all the data you need for in-depth investigations, including packet capture.

Secure storage of raw event data satisfies regulatory compliance requirements while an easy-to-use interface allows for quick searches.

Identifies malicious actors attempting to interact with your network using dynamic IP reputation data.

Built-in network IDS and host IDS results in more accurate threat detection and event correlation, faster deployment and simpler management.

Built-in vulnerability assessment simplifies security monitoring and speeds remediation.

How Can I Use AlienVault to Detect SQL Injection?

SQL injection has been around for about 10 years. This is when nefarious SQL commands are covertly inserted into the database in an attempt to harm data-driven applications. You can use AlientVault to detect SQL injection following the methods below.

  • Network IDS spotting SQLi

    One of the first methods in detecting SQL injection is network intrusion detection system (NIDS). This gives system administrator the ability to analyze all inbound and outbound network traffic to make sure there are no malformed data packets which can cause harm or damage to your network infrastructure. This also gives the system administrator the ability to see when and where the system is being attacked.

  • Host IDS detecting SQLi by watching file activity

    The next approach is leveraging a host-based intrusion detection system (HIDS), allowing system administrators to monitor activity locally on a server. For example, HIDS agent parses the logs on IIS or Apache web server locally once it is installed. Just by monitoring log and file activity, the system threats are effectively monitored.

    With the AlienVault HIDS, you can monitor changes to files, and have visibility to information such as which files and tables in your database were affected by the attack. In addition, the HIDS will look for patterns indicating SQLi and send alerts accordingly.

    HIDS Dashboard

    HIDS performs file integrity checking and operating system audit logging. This alone provides the capability to detect multiple forms of attacks, most notably monitoring for malicious attacks via web server logs. Here's an example of how USM displays an SQL injection and its associated threat details via the HIDS.

    Threat Details

  • OTX assisting with SQL injection

    Known IP addresses attempting SQL attacks are checked against the OTX database. It combines input from the NIDS, HIDS, and OTX, and alerts system administrators the problem needs attention.

    Learn Incident Response

    Learn Incident Response

    Get hands-on experience with incident response tools and techniques as you progress through nine courses.


The AlienVault Security Management platform is an all-in-one tool that will not only help you to protect your network infrastructure, but also your other IT assets. It provides information and data to you in real time to gauge the cyber threat landscape in order to further fortify your primary lines of defense. An added advantage is you can gain real-time threat intelligence from both the AlienVault Labs and Open Threat Exchange.



SecRat works at a start-up. He's interested in Windows Driver Programming.