SIEM Custom Correlation Rules

Viewing 3 reply threads
  • Author
    • #5624


      I’m glad to see that there was a recent discussion on SIEM and incident response. This question is somewhat different than that post. I’m currently using a SIEM and want to get the most out of our product.

      Our SIEM like all the others comes with a few canned correlation rules out of the box and I’m currently trying to get a good insight into our equipment through this solution.

      We’re currently pulling logs from almost all our networks/systems. I have some rules that I’d like to create for more insight into our network, but I’d like to hear from some of you that have worked on SIEM’s if you have any advice on particular methods.

      I’m using an IPS/IDS that also pulls into the SIEM, but I’d like to focus internally first since the perimeter has a harder shell than the internal network.

      I’m considering starting at the database level, authentication servers, etc..

      Any advice?

    • #35453

      I’m running out the door and don’t have time for a full reply, but your last line caught my attention.  Go have a heart-to-heart with your DB admins, preferably over the carbonated beverage of your choice, before you move too far into doing heavy DB monitoring.  Doing much more than the most basic monitoring on DBs can cause their performance to go into the toilet in a hurry.  You need to be very careful and possibly look at one of the dedicated database activity monitoring tools ala appsec inc/guardium/imperva.  Take it from me, if you scare/annoy the DB admins they will go straight up the chain and complain that “OMFG security is breaking the system!  All business will end!”  You’ll usually come out on the wrong end of that argument. Once you do it’s hard to get going again on those systems.

    • #35454

      Thank you my friend!!

      Actually the database admin has approached us and wants this done, so we’re kinda in a different boat.

      I’ve already scheduled a meeting for him to go over what they’re currently doing, what he’d like to see, and whats to be expected.


    • #35455

      You are in lucky. You have an open minded DBA who supports security as a necessity. In my point of view you should start with small things, such as:
      – Login Errors correlated with network attackers;
      – Stablish a network flow of data and start to understand your network, backup routines and other jobs;
      – Try to associate badge systems with network logins without VPN.
      – Associate system navigation with non-standard working hours.

      I believe with this brief rules, you can start doing your point.

      Hope it helps

Viewing 3 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.


Sign in with Caendra

Forgot password?Sign up

Forgot your details?