How to Access and View Event Logs Using Exabeam in Linux

Examining event and endpoint logs is the first step towards building comprehensive customized rulesets. 

Many information security leaders have significant deployments on open-source operating systems based on the Linux kernel, and for good reason. Linux distributions like Debian and Ubuntu have a reputation for visibility and security at a price that's impossible to beat – they're 100% free.  


How to Set Up Robust Log Management in Linux with AuditD

Find out how to configure Linux to generate comprehensive log feeds for SIEM, UEBA, and SOAR technologies. 

Linux is an attractive solution for enterprises in search of a flexible, powerful operating system. Many different operating systems use the Linux kernel, such as Ubuntu, Debian, and Red Hat Enterprise Linux (RHEL), which itself is an enterprise-ready extension of CentOS. 

Open-source Linux distributions have a slightly different security profile than proprietary technologies like Windows. Some enterprise IT leaders choose Linux specifically for its security capabilities and low implementation costs. However, making the most of those security capabilities requires utilizing sophisticated information security technologies like SIEM, UEBA, and SOAR. 

Most Linux distributions automatically collect log data on user, application, and kernel activities. Logins, file modifications, and account modifications are stored in a chronological timeline so that security analysts can review them and investigate suspicious activities when necessary. 

Boost Security Performance by Configuring Log Data 

SIEM, UEBA, and SOAR technologies rely on these logs to categorize and prioritize suspicious activities and automate some of the most time-consuming tasks security analysts must perform. The better and more comprehensive those logs are, the more accurate these technologies’ insights can be. 

One of the best ways to access log data in Linux is through the Linux Audit System, better known through its command line name Auditd. It provides comprehensive visibility into system calls, file access, and pre-configured auditable events throughout the Linux environment. 

Configuring Linux’s log collection policies lets you send better, more accurate data to your SIEM, UEBA, or SOAR platform, which in turn significantly improves the quality of the security output that platform produces. 

How to Configure Log Management Policies in Linux with Auditd 

The example we have written is for RHEL but works the same way in Ubuntu. Most Linux-based operating systems will provide for a similar process. 

The goal of this configuration is to push comprehensive system logs onto the syslog directory and move them from there to a remote log management solution. This configuration does not remove any existing rules, so you can use it as a starting point for changing the default configuration. However, if you already have a robust, custom configuration, some of these rules may overwrite yours. 

This is the directory you’ll be placing the configuration in...


Make Sure Your SIEM, UEBA, or SOAR Platform Can Parse These Logs 

In our example, we’re using rsyslog to access the logs our policies generate. You may use syslogd or syslog-ng for the same purpose – our team would be happy to provide you with the appropriate configurations. 

Instead of using a simple *.* in the master rsyslog.conf file, we prefer creating a custom file in /etc/rsyslog.d. Consider creating a file called auditd.conf and populating it like this: 

# /etc/rsyslog.d/auditd.conf
# Forward every record from the audisp syslog plugin to the remote collector over TCP.
# "siem.example.com" is a placeholder; replace it with the address of your log collector.
if $programname contains 'audisp' then @@siem.example.com:514


Notice that we’re using @@ to send data via TCP and specifying 514 as the TCP port. The default port for syslog is usually 601, but most systems still use UDP and TCP 514 for logs. Feel free to edit this configuration to fit the needs of your environment, and restart rsyslog when you’re ready to apply the changes. 

That’s it! Now, almost every SIEM, UEBA, and SOAR system on the market can natively parse the logs generated by your Linux distribution. You may now review and analyze accurate log data describing unwanted access, changes, and installations on your Linux systems. 
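The records that reach the collector are syslog lines whose body is auditd’s key=value format, and the SIEM has to split that body, recover the audit(timestamp:serial) event id, hex-decode fields such as proctitle, and join the several records that make up one event. The following parser is an added example written for this article, not code from the article or from Lumifi; the sample lines are constructed, and the “audispd” syslog tag is an assumption (the rsyslog rule above only requires the program name to contain “audisp”).

```python
import re
from collections import defaultdict

# Constructed sample: two records of one audit event as the audisp syslog
# plugin hands them to rsyslog (syslog header, then the audit key=value body).
SAMPLE_LINES = [
    'Mar  4 10:15:32 web01 audispd: node=web01 type=SYSCALL msg=audit(1709547332.412:918): '
    'arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5581b2c0 a2=0 a3=0 '
    'items=1 ppid=1201 pid=1344 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 '
    'comm="cat" exe="/usr/bin/cat" key="identity"',
    'Mar  4 10:15:32 web01 audispd: node=web01 type=PROCTITLE msg=audit(1709547332.412:918): '
    'proctitle=636174002F6574632F736861646F77',
]

# Syslog tag of the audisp plugin (assumed "audispd"; any "audisp..." tag is accepted).
TAG_RE = re.compile(r'\baudisp[\w-]*(?:\[\d+\])?: (.*)$')
# key=value tokens: the value is either double-quoted or runs to the next space.
TOKEN_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r'^audit\((\d+\.\d+):(\d+)\):$')
# auditd hex-encodes string fields that contain spaces or control characters.
HEX_FIELDS = {"proctitle", "comm", "exe", "cwd", "name", "data"}
HEX_RE = re.compile(r'^[0-9A-F]+$')

def decode_value(key, raw):
    """Strip quotes, or hex-decode an encoded string field (NULs become spaces)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and HEX_RE.match(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
    return raw

def parse_record(line):
    """Turn one forwarded syslog line into a dict; None if it is not an audit record."""
    m = TAG_RE.search(line)
    if not m:
        return None
    record = {}
    for key, raw in TOKEN_RE.findall(m.group(1)):
        msg = MSG_RE.match(raw) if key == "msg" else None
        if msg:  # audit(<epoch seconds>:<serial>) identifies the event
            record["timestamp"] = float(msg.group(1))
            record["serial"] = int(msg.group(2))
        else:
            record[key] = decode_value(key, raw)
    return record

def assemble_events(lines):
    """Merge the SYSCALL, PATH, PROCTITLE... records sharing one
    (timestamp, serial) into a single event dict, keyed by that pair."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec is None or "serial" not in rec:
            continue  # not an audit record, or one without an event id
        event = events[(rec["timestamp"], rec["serial"])]
        event.setdefault("types", []).append(rec.pop("type", "UNKNOWN"))
        event.update(rec)
    return dict(events)

if __name__ == "__main__":
    for event_id, ev in assemble_events(SAMPLE_LINES).items():
        print(event_id, ev["types"], ev.get("key"), ev.get("exe"), ev.get("proctitle"))
```

Feeding real forwarded lines through assemble_events gives one dict per audit event, with the rule key that fired and the decoded command line side by side, which is what a detection rule in the SIEM matches on.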

Craft Custom Rules to Improve Exabeam Performance: Part 2

Enriched data enables analysts to conduct faster, more accurate investigations in Exabeam. 

The first part of this series covered some of the ways analysts can use context to build custom rules in Exabeam. Teaching Exabeam to recognize network zones and asset groups enables security professionals to cluster similar behaviors together, making it easier to investigate suspicious activity. 


Manufacturing Case Study

Description of Pain or Challenge: Manufacturers often have a disproportionately large data environment in contrast to their in-house staff. Risks affecting supply chain and business operations pose a serious threat to manufacturers, as they can be exposed through any number of the IT systems critical to maintaining effective supply and distribution of materials. Implementing a solution that fills the time/resource gap of the security team and provides detection and response capabilities across critical assets is imperative to a successful MDR program.  

Solution Overview: Competing with nearly 8 other MDR providers, Lumifi was able to offer the most comprehensive solution to address the requirements for this organization. Lumifi coupled its client-centric services with an ecosystem of industry-leading technologies to address the primary needs of the customer. 

Services Description:

Technology Description:


Legal Organization Case Study


The success of a legal practice requires a focus on reputation management and nurturing the relationships that exist between the firm and their clients. Compared to other industries, the legal sector has an elevated risk of cyber threats primarily due to the confidential data and sensitive client information available to an attacker. Cybersecurity is not often at the top of the priority list because offices are filled with lawyers, and not IT teams. Considering this, the challenge becomes protecting sensitive data with limited skills and resources.

Solution Overview: 

For this organization with limited resources, partnering with a Managed Detection and Response (MDR) team became critical in protecting corporate IP. The client in this study also wanted to consolidate technologies and re-platform in the cloud. Lumifi worked with the client on moving them from RSA SIEM to Palo Alto Cortex XDR with the Data Lake. Content from the decommissioned system was ported to the new cloud-based environment. Lumifi continued working with the client as its MDR provider, successfully maintaining the firm’s security posture.

Services Description:

MDR Service for 24×7 Alert Monitoring and Threat Validation
Incident Remediation and Forensic Analysis
Migration of existing content package to Cortex platform
Tuning/Filtering of Alerts
Custom development of parsers, rules, alerts, API integrations, reports
Full management of supported technology
Automated Threat Response (SOARaaS) – complementary to Palo Alto XSOAR functionality
Advisory/consulting support for detection and response strategy

Technology: Palo Alto Cortex XDR with Data Lake


Financial Organization Case Study

Description of Pain or Challenge: The financial services industry is one of the more mature markets requiring cybersecurity. Smaller financial services firms typically have a limited team coupled with an advanced environment. In this case, the customer was looking for an MDR provider that could be a true partner and function as an extension of their team. The Lumifi team took the time and effort to diligently evaluate and invest in the best security products for this organization. They needed an MDR provider to not only fill the time and resource gap of threat management, but also create an operationally effective security ecosystem.

Solution Overview: Lumifi was able to offer the most comprehensive solution to address this customer’s requirements through its expertise and client-centric delivery model. Delivering the MDR service through a transparent and shared environment allowed Lumifi to work with this customer’s security team to develop and execute a vision of an integrated security platform. This customer experienced a reduced time to detect, reduced time to respond, avoided false positives, and was able to save critical time and assets for their business endeavors. 

Services Description:
24×7 Alert Monitoring and Threat Validation
Incident Remediation and Forensic Analysis
Tuning/Filtering of Alerts
Custom development of parsers, rules, alerts, API integrations, runbooks/playbooks, reports
Full management of supported technology
Automated Threat Response (SOARaaS) – complementary to Sentinel SOAR functionality
Advisory/consulting support for detection and response strategy

Technology Description:
Microsoft Sentinel for log visibility into Microsoft services and critical applications/systems
Microsoft Defender for Endpoint


Security Posture Priorities

Solution Evaluation

An integral step in creating a resilient cybersecurity platform is to perform an audit of your organization’s existing policies and procedures. Lumifi can help with this endeavor during our Asset Criticality Assessment, during the client onboarding process, and periodically on a structured timeline.

Here are components we consider when looking at the entire security infrastructure:

Tool Implementation

Once the proper solution or suite of solutions is determined, we help source, install, configure, tune and customize each solution to our customer’s needs. If a solution is already in place, we step in and begin management of the existing tool.

The following are just a few of the services we offer in this step of the process:

Managed Detection & Response (MDR)

Lumifi is a leader in MDR services, recognized on Gartner’s Managed Detection and Response Market Guide and by third-party service provider lists. Often, the least considered factor in the security provider selection process is the human element. While technology is an important factor in first-class MDR, Lumifi’s biggest differentiator is its expertise. Lumifi provides the experience needed to stand out from the saturated MDR market, with leadership and management having decades of experience, stretching back to before MDR was even a term.

Vulnerability Management (VM)

Discovering where you are most vulnerable is a security priority and likely already part of your overall program. The ability to continuously identify threats and monitor unexpected changes in your network before they turn into breaches is common practice.

Security programs often face the challenge of finding and retaining talent, along with time constraints that get in the way of proper cybersecurity processes. Lumifi can help fill those gaps. Our security staff will manage the process and help ensure your security program is successful while saving you time and money.

Email Security

Ransomware, impersonation, spear phishing: standard email-defense systems can’t protect against it all. Lumifi deploys leading email security tools to defend against routine spam and targeted threats.
Email security tools combine internally developed and third-party technologies with dozens of internal and external threat-intelligence sources. These tools simplify and automate the process of recovering email and other data within your email environment while ensuring that email systems remain 100% operational and the data within them is secured. In addition to L1 and L2 support, Lumifi provides back-end integration into its MDR services to enhance visibility and reporting.

Endpoint Detection & Response (EDR)

EDR solutions take traditional antivirus tools to the next level by allowing security teams to continuously collect, track and store endpoint data. This level of detail provides analysts with the forensic granularity necessary for active threat hunting and proper incident response. Lumifi partners with leading EDR tools such as SentinelOne, Defender for Endpoint and CarbonBlack to provide comprehensive security solutions that secure customer endpoints end-to-end.

Incident Response & Threat Remediation

Cyber resilience includes recovering quickly from an attack. When Lumifi reports a verified incident, our ASOC provides recommended steps for remediation, including step-by-step instructions with procedures and escalation paths to remediate the incident.

Compliance & Reporting Support

Cybersecurity compliance is a key factor in many industries, and producing the proper reports and logging protocols can be cumbersome and time consuming for many organizations.
Lumifi helps companies in various industries cover compliance mandates such as HIPAA, HITECH, PCI DSS, Sarbanes-Oxley, EU GDPR, CCPA and more. Our Security Operations Center is certified SSAE 18 SOC 2 Type II and prepared to help clients of all industries meet their cybersecurity compliance requirements.

Breaking Down Managed Detection and Response

Cybersecurity is a critical issue for any organization, and security events can lead to a variety of negative outcomes; incidents often result in data theft, financial loss, and even reputational damage. The cost of an attack is very high, which is why it’s important to be prepared for the worst-case scenario. Managed Detection and Response is an outsourced array of services delivered by a Security Operations Center (SOC). These services include the detection of threats and a structured plan for mitigation and/or containment, correlated over multiple cybersecurity products.


What Is Threat Hunting?

Threat hunting is the proactive approach cybersecurity organizations use to identify threats before they happen. The process includes proactively searching for adversarial activity within an organization’s computer network. A threat hunting and incident response team is responsible for finding and analyzing cybersecurity breaches, and is also responsible for mitigating the risk of future breaches. Threat hunting teams work to identify potential threats before they become actual incidents, which can be done through deep packet inspection, network forensics, and other techniques. They can find out what type of malware is being used or where a vulnerability exists on customers’ networks by proactively monitoring those networks with tools like Palo Alto Cortex, Carbon Black, and Azure Sentinel, to name just a few. As soon as they have identified an issue, they can take appropriate measures to resolve it before it becomes a full-fledged cybersecurity incident. Lumifi Cyber utilizes its home-grown automated threat hunting platform, ShieldVision, which allows our SOC to be tool-agnostic and provide proactive threat hunting to stay ahead of today’s cybersecurity threats.


What Is Incident Response?

Incident response (IR) is the process of responding to and containing an incident. It includes preparation, detection, containment, eradication, recovery, and documentation of lessons learned. The purpose of incident response is to minimize the impact on the organization’s business operations while reducing the risk of future incidents. Incident response teams should be prepared for all types of cyber threats, which could include malware infections or ransomware attacks. These incidents disrupt systems and/or steal sensitive data such as credit card numbers or personal information throughout the network. The goal of IR is to ensure that the data has not been compromised or exfiltrated and to mitigate the damage of future incidents.


Why Choose Lumifi?

Companies looking into MDR need to take a holistic view of their providers and their teams. Often, the least considered factor in the security provider selection process is the human element. While technology is an important factor in first-class MDR, Lumifi’s biggest differentiator is expertise. Lumifi provides the experience needed to stand out from the saturated MDR market, with leadership and management having decades of experience, stretching back to before MDR was even a term. Our approach to security is focused on a balance of custom solutions, client-centric partnerships, and proactive approaches. Lumifi has its own team of threat Content Developers, Web Developers, experienced Engineers, and seasoned Analysts to provide unparalleled proficiency. We not only utilize the industry’s leading threat intelligence platforms but also deliver personalized security recommendations through scheduled calls with a dedicated Engagement Manager. Lumifi leverages a proprietary platform to provide leading AI Orchestration capabilities. This tool allows us to discover malicious activity within a client’s environment and then utilize that information to detect and respond across our client base, who may be experiencing the same malicious activity. Our suite of services gives you peace of mind, knowing your organization is being monitored around the clock by an industry-leading SOC that takes pride in its customers’ security.


Simplifying SOAR

Security Orchestration, Automation and Response (SOAR) is an integrated, automated, and orchestrated set of services that provide a response to cyber incidents. It enables the rapid identification of cyber incidents and prevents them from escalating into major disasters.


SOAR was developed as a response to the need for automating incident responses and remediating security incidents. SOAR utilizes a framework that can be used by myriad organizations from small business owners to large enterprises. The process helps organizations automate security operations and enhance their security stance, integrating with tools such as SIEM, to provide a holistic view of the organization’s cybersecurity posture. It also provides a platform for Security Operations Centers (SOCs) to orchestrate the response to cyber-attacks in real time.


The Benefits of Implementing SOAR

Automating Repetitive Tasks

Human error in the workplace is the initial entry point for 95% of security incidents, which inevitably leads to cloud environment compromises, according to Gartner. The high failure rate is due to repetitive manual tasks, which increase the likelihood of an oversight or mistake. With SOAR capabilities, threat investigations and responses are performed faster and at scale across complex or expansive IT infrastructures.


AI Enables New Security Initiatives to Protect Digital Infrastructure

The integration of machine learning in SOAR solutions enables the technology to dive deeper into threats, analyze them, and gain contextual knowledge of their capabilities. The insight SOAR provides sets the foundation for fine-tuning incident response strategies to improve overall IT security.


Orchestrate Security Incidents Sent to the Expert

SOAR technology automates the orchestration process and routes security incidents to an analyst or expert with the best credentials to handle a particular incident. SOAR ensures teams get only the essential information needed to act, increasing the fidelity of threats and reducing the number of alerts. 


SOAR in a Nutshell

In short, the best cybersecurity orchestration and automation solutions provide the following:

At Lumifi, you can be certain that your organization is in capable and experienced hands, implementing the most modern SOAR techniques. Forward-moving and ever-evolving, we exist to help improve your security posture.
