I'm glad to see that there was a recent discussion on SIEM and incident response. This question is somewhat different from that post. I'm currently using a SIEM and want to get the most out of our product.
Our SIEM like all the others comes with a few canned correlation rules out of the box and I'm currently trying to get a good insight into our equipment through this solution.
We're currently pulling logs from almost all our networks/systems. I have some rules that I'd like to create for more insight into our network, but I'd like to hear from some of you that have worked on SIEMs if you have any advice on particular methods.
I'm using an IPS/IDS that also pulls into the SIEM, but I'd like to focus internally first since the perimeter has a harder shell than the internal network.
I'm considering starting at the database level, authentication servers, etc.