User Activity

2 days ago
Incident Response playbooks detail how to act when a threat or incident occurs. PICERL - Preparation, Identification, Containment, Eradication, Remediation, Lessons Learned (from SANS). The playbook outlines what to do at each stage. Typical SOAR playbooks automate the…
22 days ago
It would really depend on (1) which logs you need to ingest and (2) what your use cases are. Splunk is easy for ingestion of anything, but it charges per GB/day indexed and gets expensive as log volume increases. Splunk is good for operations-style use cases (NOC), but…
27 days ago
SIEM vs UEBA: 1. SIEM is designed to store events for extended periods (typically 365 days); UEBA violations/rule triggers add to risk scores but generally function on real-time data and data less than 30 days old. 2. SIEMs are generally rule-based - "If X happens Y times in Z time…
27 days ago
@Shibu Babuchandran Splunk gets expensive as your size grows. It's the St. Bernard puppy. ELK, Metron and Graylog are the common entry-level log collectors if you have a minimal budget. But I would suggest small organizations should look to partner with an MSSP for managed SOC/SIEM…
27 days ago
As a rule, a SIEM correlation should: 1) reduce events by 99.99% (raw events to correlations); 2) impact system performance by <1%; 3) produce correlated threats with a >35% true positive rate on investigation - 33% are usually false positives or misconfigurations (not…
27 days ago
Most SIEMs shouldn't require agents. You can generally configure Windows Event Forwarding (WEF) to a Windows Event Collector (WEC), and then forward logs via one agent on the WEC for multiple endpoints. We use NXLog at Securonix. I would suggest, if you need to deploy…
About 1 month ago
There are 26 base use cases every SIEM should run that find Indicators of Compromise (IOCs) on machines. They follow two basic patterns: "Everything Counts in Large Amounts" and "Do Any Two Things Wrong, Go to the Top of the List". "Success After Fail" is another common…