SIEM Service - zakharb/labshock GitHub Wiki

Security Information and Event Management in Labshock

SIEM centralizes log collection, correlation, and alerting for OT networks. It helps detect threats across PLCs, SCADA systems, and other industrial assets by analyzing logs and patterns from various sources.

Labshock’s SIEM integration improves incident detection, threat hunting and forensic analysis in ICS environments.

SIEM Features in Labshock:

  • Centralized Log Collection – Aggregates logs from PLCs, HMIs, firewalls, IDS, etc.
  • Correlation & Alerting – Detects multi-step attacks and policy violations
  • Search & Investigation – Query logs to reconstruct incidents
  • Dashboards & Reports – Visualize OT-specific threat activity



🟨 Collectors setup

You first need to enable log forwarding in the Tidal Collectors:

  • in the OT Collector, under Settings, enter the IP address of the DMZ Collector
  • in the DMZ Collector, under Sources, check and enable the OT Collector
  • in the DMZ Collector, under Settings, enter the IP address of the SIEM



🟨 SIEMs

You can start and connect to SIEMs via the IT page.

🔶 Setup

You need to start the service manually via the portal:

  • log in to the portal and go to the IT page
  • hover over the SIEM service and press the start button
  • wait for it to start (the first run can take longer)

🔶 Connect

You can connect to the SIEM:

  • click connect on the Portal page



🟨 Splunk

Splunk is a powerful SIEM platform designed to collect, index, and analyze log data from across your entire OT environment. Unlike traditional log management tools, Splunk provides advanced search capabilities, real-time alerting, and customizable dashboards tailored to industrial networks. Its flexible architecture allows you to ingest data from PLCs, SCADA systems, IDS tools, and custom Labshock services—enabling deep visibility into events and behaviors across your ICS infrastructure. With Splunk, you can detect security incidents, investigate anomalies, and gain actionable insights to protect and harden your OT network.

🔶 Login

Once Splunk has started you can log in:

  • Username: admin
  • Password: labshock

🔶 Add Data Source

  • go to Settings/Data Sources
  • add a new source
  • select UDP
  • enter port 514
  • select the syslog type

🔶 Search for Events

Use Splunk’s Search app to filter logs:

  • go to the Search app
  • enter in the search bar:
    source="udp:514" sourcetype="syslog"
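To check that the UDP 514 input is receiving data before relying on it for alerts, the following script builds RFC 3164 syslog lines and sends them to the SIEM so they show up under the search above. This is an added example, not code from the Labshock project; SIEM_HOST, the event texts and the host names are constructed placeholders, and the facility/severity tables cover only the values the example needs.

```python
"""Send constructed RFC 3164 syslog test events to the Splunk UDP input.

Added example, not part of Labshock. It assumes the Splunk data input was
created as described on this page (UDP port 514, sourcetype syslog) and that
SIEM_HOST is the address entered as the SIEM IP in the DMZ Collector.
"""
import socket
import time
from typing import Iterable, Optional, Tuple

SIEM_HOST = "127.0.0.1"   # assumption: replace with the SIEM IP address
SIEM_PORT = 514           # the UDP port configured in the Splunk data input

# Subset of the RFC 3164 facility and severity codes (PRI = facility * 8 + severity)
FACILITIES = {"kern": 0, "user": 1, "auth": 4, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_syslog_message(facility: str, severity: str, hostname: str, tag: str,
                         msg: str, when: Optional[time.struct_time] = None) -> bytes:
    """Return one RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    when = when or time.localtime()
    # RFC 3164 wants a space-padded day of month ("Jan  5", not "Jan 05")
    ts = f"{time.strftime('%b', when)} {when.tm_mday:2d} {time.strftime('%H:%M:%S', when)}"
    line = f"<{pri}>{ts} {hostname} {tag}: {msg}"
    return line.encode("ascii", errors="replace")


def parse_pri(line: bytes) -> Tuple[str, str]:
    """Decode the <PRI> prefix back into (facility, severity) names."""
    text = line.decode("ascii", errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing <PRI> prefix")
    pri = int(text[1:text.index(">")])
    facility_names = {v: k for k, v in FACILITIES.items()}
    severity_names = {v: k for k, v in SEVERITIES.items()}
    return facility_names[pri // 8], severity_names[pri % 8]


def constructed_events() -> Iterable[bytes]:
    """Constructed OT-style sample events; none of these come from a real device."""
    yield build_syslog_message("auth", "warning", "hmi-01", "sshd",
                               "Failed password for admin from 10.0.0.50")
    yield build_syslog_message("local0", "notice", "plc-01", "plc",
                               "CPU mode changed RUN -> PROGRAM")
    yield build_syslog_message("user", "info", "dmz-collector", "tidal",
                               "forwarding test event to SIEM")


def send_test_events(host: str, port: int, events: Iterable[bytes]) -> int:
    """Send each event as one UDP datagram and return the number sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for event in events:
            sock.sendto(event, (host, port))
            sent += 1
    return sent


if __name__ == "__main__":
    count = send_test_events(SIEM_HOST, SIEM_PORT, constructed_events())
    print(f"sent {count} test events to {SIEM_HOST}:{SIEM_PORT}")
```

After running it, the search `source="udp:514" sourcetype="syslog"` should list the three events; if it does not, the DMZ Collector's SIEM address or the UDP input port is the first thing to check.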

🔶 Create Alert

To create an alert:

  • search for and find the events in the Search tab
  • click "Save as" and select "Alert"
  • fill in the fields and click "Save"