Integrated Intrusion Detection System with Security Information and Event Management

Noor R. Obeid

Abstract

The rapid evolution of cyber threats and the growing sophistication of attackers have made conventional security controls inadequate for protecting contemporary network infrastructures. This paper presents the design and deployment of a comprehensive Security Information and Event Management (SIEM) solution in a simulated Security Operations Center (SOC). The architecture is a multi-layered security stack built from Elastic Stack (ELK), Wazuh, Suricata, and Snort, deployed on a virtualized network topology with heterogeneous endpoints (Windows Server 2019, Windows 10, and the deliberately vulnerable legacy systems Metasploitable 2 and 3) behind a pfSense firewall with segmented VLANs. It provides centralized log aggregation, real-time event correlation, anomaly detection, and automated alerting by ingesting telemetry from both host-based and network-based intrusion detection and prevention systems (HIDS/HIPS and NIDS/NIPS). A controlled adversarial simulation tested detection and response capabilities using industry-standard offensive tools, including Nmap, the Metasploit Framework, SQLMap, hping3, and Atomic Red Team, covering attack techniques mapped to the MITRE ATT&CK framework (T1003, T1055, T1555) as well as network- and application-layer attacks such as SYN flooding, SQL injection, and Cross. The experimental findings show that the integrated SIEM aggregated more than 61,000 security events, generated 511 classified alerts across several severity levels, and identified malware, unauthorized access attempts, credential dumping, and process injection with high fidelity. The Wazuh EDR module provided effective active-response capabilities, including automated threat removal and file integrity monitoring. In addition, the Elastic Security detection engine performed more than 104,000 rule executions across 1,007 enabled detection rules, with a 49% success rate. The results confirm that open-source SIEM systems, correctly installed and configured, are a realistic and affordable alternative to costlier commercial tools, delivering enterprise-level visibility and threat detection to organizations of all sizes. Future work includes machine learning-based anomaly detection, behavioral analytics, and integration with Security Orchestration, Automation, and Response (SOAR) to streamline incident response.
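To make the correlation layer described above concrete, the following Python script is an added illustration written for this page; it is not code from the paper, from Elastic, Wazuh, or Suricata. It ingests constructed Suricata EVE JSON (network side) and Wazuh alert JSON (host side) lines, normalizes both into one event shape, and applies three rules: a burst of NIDS alerts from one source, a scan of a host followed within an hour by a credential-access technique (T1003/T1555) on that same host, and a plain Wazuh rule-level threshold. Field names follow the two real formats; every value, threshold, rule name, and severity label is an assumption made for the example.

```python
"""Toy SIEM correlation pass over constructed NIDS (Suricata) and HIDS (Wazuh) records.

Added example for this page, not code from the paper or from either tool.
Field names follow Suricata EVE JSON and Wazuh alerts.json; every value,
threshold and rule name below is an assumption made for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed telemetry: five scan alerts from one source, then a Wazuh
# credential-dumping alert on the scanned host, then unrelated low-level noise.
SAMPLE_LINES = [
    json.dumps({"timestamp": f"2024-05-01T10:00:0{i}.000000+0000",
                "event_type": "alert", "src_ip": "10.10.20.5",
                "dest_ip": "10.10.30.10", "dest_port": 20 + i,
                "alert": {"signature": "ET SCAN Possible Nmap SYN scan",
                          "category": "Attempted Information Leak",
                          "severity": 2}})
    for i in range(5)
] + [
    json.dumps({"timestamp": "2024-05-01T10:12:41.000+0000",
                "agent": {"name": "WIN10-01", "ip": "10.10.30.10"},
                "rule": {"id": "92055", "level": 12,
                         "description": "Credential dumping via LSASS memory access",
                         "mitre": {"id": ["T1003"]}}}),
    json.dumps({"timestamp": "2024-05-01T10:13:00.000+0000",
                "agent": {"name": "WS2019", "ip": "10.10.30.20"},
                "rule": {"id": "5501", "level": 3,
                         "description": "PAM: Login session opened.",
                         "mitre": {"id": []}}}),
]

CREDENTIAL_TECHNIQUES = {"T1003", "T1555"}   # ATT&CK credential-access IDs named in the paper
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"          # %f accepts 3- or 6-digit fractions, %z accepts +0000


def normalize(line):
    """Map one raw JSON line into a single event shape shared by both sources."""
    ev = json.loads(line)
    ts = datetime.strptime(ev["timestamp"], TS_FORMAT)
    if "event_type" in ev:                     # Suricata EVE record (network side)
        return {"ts": ts, "source": "suricata", "src_ip": ev.get("src_ip"),
                "host_ip": ev.get("dest_ip"), "host": None,
                "signature": ev.get("alert", {}).get("signature", ev["event_type"]),
                "techniques": set(), "level": 0}
    rule = ev["rule"]                          # Wazuh alert (host side)
    return {"ts": ts, "source": "wazuh", "src_ip": None,
            "host_ip": ev["agent"].get("ip"), "host": ev["agent"]["name"],
            "signature": rule["description"],
            "techniques": set(rule.get("mitre", {}).get("id", [])),
            "level": rule["level"]}


def correlate(lines, burst_threshold=5, burst_window=timedelta(seconds=30),
              followup_window=timedelta(hours=1)):
    """Return classified alerts produced by three rules over the merged, time-ordered stream."""
    events = sorted((normalize(line) for line in lines), key=lambda e: e["ts"])
    alerts = []
    recent_by_src = defaultdict(deque)   # src_ip -> timestamps of recent NIDS alerts
    scanned = {}                         # host_ip -> (ts, scanner_ip) of the latest scan hit
    for e in events:
        if e["source"] == "suricata":
            q = recent_by_src[e["src_ip"]]
            q.append(e["ts"])
            while e["ts"] - q[0] > burst_window:    # slide the window forward
                q.popleft()
            if len(q) == burst_threshold:           # fire once, as the threshold is crossed
                alerts.append({"severity": "high", "rule": "nids_burst",
                               "src_ip": e["src_ip"], "count": len(q)})
            if "scan" in e["signature"].lower():
                scanned[e["host_ip"]] = (e["ts"], e["src_ip"])
            continue
        # Host-side rules: a scan followed by credential access outranks a bare level check.
        if e["techniques"] & CREDENTIAL_TECHNIQUES and e["host_ip"] in scanned:
            scan_ts, scanner = scanned[e["host_ip"]]
            if e["ts"] - scan_ts <= followup_window:
                alerts.append({"severity": "critical", "rule": "scan_then_credential_access",
                               "host": e["host"], "src_ip": scanner,
                               "techniques": sorted(e["techniques"])})
                continue
        if e["level"] >= 12:
            alerts.append({"severity": "high", "rule": "hids_level",
                           "host": e["host"], "level": e["level"]})
        elif e["level"] >= 7:
            alerts.append({"severity": "medium", "rule": "hids_level",
                           "host": e["host"], "level": e["level"]})
    return alerts


def summarize(alerts):
    """Count alerts per severity, the way a SIEM dashboard classifies them."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = correlate(SAMPLE_LINES)
    for a in found:
        print(json.dumps(a))
    print(summarize(found))
```

On the constructed input the pass raises two alerts: a high-severity burst for 10.10.20.5 and a critical scan-then-credential-access alert for WIN10-01, while the level-3 login noise is suppressed. In the stack the paper describes, equivalent logic lives in Elastic Security detection rules and Wazuh rule files rather than in a standalone script; the point here is that the cross-source correlation (network scan joined to host-side ATT&CK technique by the victim's IP) is what turns two medium-value signals into one high-confidence alert.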

Background:

Cyber threats are growing in both complexity and frequency, and conventional security controls are inadequate for identifying advanced attacks and evasive malware. Organizations are increasingly adopting integrated security architectures to maintain visibility across distributed network environments.

Materials and Methods:

A virtualized home laboratory was built in VMware Workstation Pro, consisting of several virtual machines placed on separate VLANs. The open-source tools Elastic Stack (ELK), Wazuh, Suricata, and Snort were deployed and connected to form a complete SIEM/IDS/EDR environment. The Metasploit Framework, hping3, and Atomic Red Team were used to carry out simulated attacks.

Results:

The combined system collected logs from all monitored virtual machines. Wazuh detected and visualized multiple MITRE ATT&CK techniques (T1003, T1055, T1555), and Elastic SIEM aggregated more than 61,000 events and raised 511 actionable alerts. Wazuh's vulnerability scanner reported thousands of CVEs across the monitored endpoints.

Conclusion:

Integrated open-source SIEM, IDS/IPS, and EDR tools can provide a low-cost yet technically sound cybersecurity solution. The proposed system is practically viable for deployment in educational and small-to-medium enterprise settings, offering multi-layered detection coverage that substantially reduces security blind spots.

How to Cite

[1] “Integrated Intrusion Detection System with Security Information and Event Management”, JUBPAS, vol. 34, no. 2, pp. 432–444, Jun. 2026, doi: 10.29196/jubpas.v34i2.6636.