SIEM & Event / Alert Collection

This topic contains 3 replies, has 3 voices, and was last updated by salil 8 years, 9 months ago.

#6151 Lubinski (Participant)

    In almost every network monitoring or SIEM model there is an initial phase of “planning”. This would be where you want to scope out what you want to collect from where. The Securosis guys stated in their NSO Quant report “Collect alerts and log records”.

    I have a basic list of things that fall into this category, logins, reboots, av process crashes… and some more simple things to gather. I feel like I am missing a chunk of things to grab. What do you guys correlate or collect?

#38465 yatz (Participant)

I’m planning a SIEM project for later this year so I’m interested in y’all’s opinions too (is y’all’s a word?) 🙂

    There has to be best practices out there.

#38466 Lubinski (Participant)

    Maybe I am looking at it from too big of a perspective and should try to break it down into domains (workstations, network infra, servers).

    The issue I have is that I am aware that I should be monitoring SQL logs for “something”. I just don’t know what that something is quite yet because I am no SQL guru. The same can be said for other technologies and pieces of equipment.

#38467 salil (Participant)

    Hi,

    Check the blog from Anton. http://chuvakin.blogspot.com/

He has many posts on log management and SIEM.

I have found that if you start logging things that you know and understand, you are able to build on it. If you start by logging everything and then try to get rid of the noise, you end up with a mess.

    Cheers,
    Salil
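The thread's two practical suggestions, scoping collection by domain (workstations, network infra, servers) and starting with a small set of event types you understand (logins, reboots, AV process crashes) before extending, can be turned into a repeatable collection-health check. The script below is an added example written for this page; it is not code from any poster or from the Securosis NSO Quant report. The collection plan, the host names, the category regexes and the syslog-style log lines are all constructed for illustration. It parses the sample lines, classifies each into one of the planned categories, and then reports two planning gaps a SIEM owner wants to know about before go-live: planned sources that sent nothing, and expected event categories that never showed up for a domain.

```python
"""
SIEM collection-scope check (added example, not from the forum thread).

Assumptions:
- Log lines are constructed, simplified syslog-style samples.
- Categories are the ones the thread mentions (login, reboot, AV crash)
  plus failed logins and "unclassified" for anything not yet understood.
"""
import re
from collections import Counter, defaultdict

# Planned collection scope, broken down by domain as suggested in the thread.
# Host names and expectations are constructed for this example.
COLLECTION_PLAN = {
    "workstations": {"sources": ["ws-01", "ws-02"], "expect": {"login", "reboot", "av_crash"}},
    "servers": {"sources": ["sql-01", "web-01"], "expect": {"login", "reboot"}},
    "network_infra": {"sources": ["fw-01"], "expect": {"login"}},
}

# Classification rules, applied to "process: message". Keep this list small
# and understood first; extend it per source as you learn what it emits.
CATEGORY_RULES = [
    ("login", re.compile(r"(session opened|Accepted password|Logon Type|login succeeded)", re.I)),
    ("login_failed", re.compile(r"(Failed password|authentication failure|Logon failed)", re.I)),
    ("reboot", re.compile(r"(system boot|reboot|Linux version)", re.I)),
    ("av_crash", re.compile(r"av(?:service|agent)\S*:.*(crash|terminated unexpectedly|faulting)", re.I)),
]

# "<timestamp> <host> <process>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")

# Constructed sample log lines, one per case worth checking.
SAMPLE_LOGS = [
    "2019-05-01T08:00:01Z ws-01 sshd[412]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "2019-05-01T08:01:10Z ws-01 kernel: Linux version 4.15.0 (build@host)",
    "2019-05-01T08:02:00Z ws-02 avagent[220]: worker process terminated unexpectedly (signal 11)",
    "2019-05-01T08:03:00Z sql-01 MSSQLSERVER: Login succeeded for user 'sa'. Connection made using SQL Server authentication.",
    "2019-05-01T08:04:00Z web-01 sshd[899]: Failed password for root from 203.0.113.9 port 40022 ssh2",
    "2019-05-01T08:05:00Z web-01 backup[77]: nightly backup completed",
    "garbage line that does not parse",
]


def parse_line(line):
    """Split a syslog-style line into ts/host/proc/msg, or None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the first matching category for a parsed record, else 'unclassified'."""
    text = f"{rec['proc']}: {rec['msg']}"
    for name, rx in CATEGORY_RULES:
        if rx.search(text):
            return name
    return "unclassified"


def summarize(lines):
    """Count events per host and category. Returns (counts, parse_failures)."""
    counts = defaultdict(Counter)
    failures = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            failures += 1          # unparseable input is itself a collection problem
            continue
        counts[rec["host"]][classify(rec)] += 1
    return counts, failures


def coverage_gaps(plan, counts):
    """Return (silent_hosts, missing_categories_by_domain) against the plan."""
    silent, missing = [], {}
    for domain, spec in plan.items():
        seen = set()
        for host in spec["sources"]:
            if host not in counts:
                silent.append(host)   # planned source never sent anything
            else:
                seen |= set(counts[host])
        gap = spec["expect"] - seen
        if gap:
            missing[domain] = gap
    return silent, missing


if __name__ == "__main__":
    counts, failures = summarize(SAMPLE_LOGS)
    for host, c in sorted(counts.items()):
        print(host, dict(c))
    print("unparseable lines:", failures)
    silent, missing = coverage_gaps(COLLECTION_PLAN, counts)
    print("silent sources:", silent)
    print("expected but never seen:", missing)
```

On the sample input, web-01 produces only a failed login and an unclassified backup message, so the "servers" domain shows a reboot gap, and fw-01 never reports at all. Both findings are the kind of thing to resolve in the planning phase rather than discover during an incident. The "unclassified" bucket is also deliberate: it is where the "SQL logs for something" problem from the thread becomes visible, since lines land there until a rule for that source is understood and added.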


Copyright ©2019 Caendra, Inc.
