All Questions
5 questions
0 votes, 3 answers, 900 views
Why would a legitimate application run on a non-standard port?
Among the many "threats" I see on my SIEM, a non-standard port is a top one. It's always been a false positive, but I don't understand why this happens so frequently.
1 vote, 2 answers, 692 views
Fortigate Creating Millions of DNS events to standard domains [closed]
I am trying to tune our SIEM and noticed that we are receiving millions of DNS records every day from the same domains.
These are:
update.microsoft.com
swscan.apple.com
softwareupdate.vmware.com
...
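One way to see what is driving the DNS volume and to drop the known update domains before they reach the SIEM, as an added example that is not part of the question above. The log lines are constructed for the example in a simplified key=value layout, not FortiGate's real format; the suppression list is the one from the question. The filter deliberately keeps queries whose leftmost label is unusually long even under a suppressed suffix, because a tunnelling tool can hide under a trusted domain, and suppressing the whole subtree would hide it.

```python
"""Aggregate DNS log lines by queried name and drop known software-update
domains before forwarding.  Added example, not from the original question.
The line format below is constructed for the example, not FortiGate's."""
import re
from collections import Counter

# Constructed sample lines (a handful standing in for millions per day).
SAMPLE_LOGS = """\
ts=2024-01-01T00:00:01 src=10.0.1.5 qname=update.microsoft.com qtype=A
ts=2024-01-01T00:00:01 src=10.0.1.6 qname=update.microsoft.com qtype=A
ts=2024-01-01T00:00:02 src=10.0.1.7 qname=swscan.apple.com qtype=A
ts=2024-01-01T00:00:03 src=10.0.1.5 qname=softwareupdate.vmware.com qtype=A
ts=2024-01-01T00:00:04 src=10.0.1.9 qname=evil-looking.example qtype=TXT
ts=2024-01-01T00:00:05 src=10.0.1.9 qname=cdn.update.microsoft.com qtype=A
ts=2024-01-01T00:00:06 src=10.0.1.9 qname=aGVsbG8gdGhpcyBpcyBhIGxvbmcgYmFzZTY0IGxhYmVs0123456789.update.microsoft.com qtype=TXT
""".splitlines()

# Domains the question's admin has decided are noise.  Matching is by DNS
# suffix so that cdn.update.microsoft.com is covered without a wildcard,
# while notupdate.microsoft.com is not.
SUPPRESSED_SUFFIXES = (
    "update.microsoft.com",
    "swscan.apple.com",
    "softwareupdate.vmware.com",
)

LINE_RE = re.compile(r"qname=(?P<qname>\S+)")


def parse_qname(line):
    """Extract the queried name from one constructed log line, or None."""
    m = LINE_RE.search(line)
    return m.group("qname") if m else None


def is_suppressed(qname):
    """True when qname equals, or is a subdomain of, a suppressed domain."""
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in SUPPRESSED_SUFFIXES)


def looks_like_tunnel(qname, max_label=40):
    """Heuristic (assumed threshold): a very long label under a trusted
    suffix is typical of data smuggled out over DNS, so never drop it."""
    return any(len(label) > max_label for label in qname.split("."))


def top_domains(lines, n=3):
    """Count queries per name so the tuning decision is based on real volume."""
    counts = Counter(q for q in map(parse_qname, lines) if q)
    return counts.most_common(n)


def filter_lines(lines):
    """Return (kept_lines, dropped_count) after applying the suppression list."""
    kept, dropped = [], 0
    for line in lines:
        q = parse_qname(line)
        if q is not None and is_suppressed(q) and not looks_like_tunnel(q):
            dropped += 1
        else:
            kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    print("top:", top_domains(SAMPLE_LOGS))
    kept, dropped = filter_lines(SAMPLE_LOGS)
    print(f"dropped {dropped}, kept {len(kept)}")
    for line in kept:
        print("  ", line)
```

Rather than discarding the suppressed lines outright, a common compromise is to forward only a per-domain count per interval so that a sudden change in volume to one of these domains remains visible.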
3 votes, 2 answers, 1k views
How are IDS and firewall logs aggregated and fed to a SIEM?
I am studying SIEM tools.
Firewall logs will be different from IDS logs and even from antivirus logs.
How can log aggregation take place?
1 vote, 2 answers, 2k views
How to find why so many hosts are talking to an IP which is blacklisted
In my SIEM tool, I got multiple alerts for communication with malware sites from a Palo Alto firewall.
I have seen many outbound communications from internal IPs toward the IP 74.217.31.51, which has the host name ...
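The two questions above (normalising different log sources, and then finding which internal hosts contacted a blacklisted IP) are two halves of the same job, so one added example covers both; it is not code from either question. Firewall and IDS events are mapped onto a common schema first, and the investigation is then a query over that schema regardless of which sensor saw the traffic. Both line formats are constructed, simplified stand-ins for the example, not the real Palo Alto or IDS formats; the IP is the one named in the question.

```python
"""Normalise firewall and IDS log lines into one schema, then ask which
internal hosts reached a given IP.  Added example; the log formats are
constructed for it and are not any vendor's real format."""
import ipaddress
import re
from collections import Counter

BLACKLISTED = "74.217.31.51"  # IP from the question above

# Constructed sample firewall lines.
FW_LINES = [
    "2024-01-01 10:00:01 fw01 TRAFFIC allow src=10.1.2.3 dst=74.217.31.51 dport=443 proto=tcp",
    "2024-01-01 10:00:02 fw01 TRAFFIC allow src=10.1.2.4 dst=74.217.31.51 dport=443 proto=tcp",
    "2024-01-01 10:00:03 fw01 TRAFFIC deny src=10.1.2.3 dst=203.0.113.9 dport=22 proto=tcp",
    "2024-01-01 10:00:04 fw01 TRAFFIC allow src=10.1.2.3 dst=74.217.31.51 dport=80 proto=tcp",
]
# Constructed sample IDS lines (signature names are made up for the example).
IDS_LINES = [
    '2024-01-01 10:00:02 ids01 ALERT sig="contact-with-blacklisted-ip" 10.1.2.5:51000 -> 74.217.31.51:443',
    '2024-01-01 10:00:05 ids01 ALERT sig="inbound-ssh-scan" 198.51.100.7:40000 -> 10.1.2.3:22',
]

FW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) TRAFFIC (?P<action>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)
IDS_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<host>\S+) ALERT sig="(?P<sig>[^"]+)" '
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def normalize(line):
    """Map one line onto the common schema; None when neither parser matches."""
    m = FW_RE.match(line)
    if m:
        return {"ts": m["ts"], "source": "firewall", "sensor": m["host"],
                "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["dport"]),
                "action": m["action"], "signature": None}
    m = IDS_RE.match(line)
    if m:
        return {"ts": m["ts"], "source": "ids", "sensor": m["host"],
                "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["dport"]),
                "action": "alert", "signature": m["sig"]}
    return None


def aggregate(*line_sets):
    """Parse every source into the common schema and order by timestamp."""
    events = [e for lines in line_sets for e in map(normalize, lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def hosts_talking_to(events, ip):
    """Events per internal (RFC 1918) source host that reached `ip`, any sensor."""
    return Counter(
        e["src_ip"] for e in events
        if e["dst_ip"] == ip and ipaddress.ip_address(e["src_ip"]).is_private
    )


def first_seen(events, ip):
    """(timestamp, src_ip) of the earliest contact with `ip`: the first host
    to reach it is usually where the 'why' is found (patient zero or a
    shared proxy/update setting)."""
    hits = [e for e in events if e["dst_ip"] == ip]
    return (hits[0]["ts"], hits[0]["src_ip"]) if hits else None


if __name__ == "__main__":
    events = aggregate(FW_LINES, IDS_LINES)
    print("hosts ->", BLACKLISTED, dict(hosts_talking_to(events, BLACKLISTED)))
    print("first seen:", first_seen(events, BLACKLISTED))
```

The per-host counts come from both the firewall and the IDS, which is the point of normalising first: the IDS-only host 10.1.2.5 would be missed by a query over the firewall logs alone. Comparing first-seen time and destination port across hosts (here 443 and 80 from the same source) usually separates a shared configuration, such as every host pointing at the same update or CDN address, from a genuine infection.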
1 vote, 1 answer, 2k views
Weird issue with Firewall blocking NATed packets
From my SIEM I am seeing that a Cisco ASA (we don't own the FW) is blocking packets destined for the internal network (post-NAT). Here's what I'm seeing (IP addresses are faked for security reasons):
170....