Questions tagged [siem]
Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across your entire IT infrastructure.
89 questions
0 votes · 2 answers · 958 views
Full packet capture vs SIEM
Instead of collecting various logs into the SIEM, can a full packet capture solution be better in terms of having to manage so many log sources?
3 votes · 0 answers · 196 views
Essential / popular TAXII feeds [closed]
TAXII feeds are a great addition to a monitoring solution such as a SIEM. However, to my knowledge, there are only three distinct openly available providers:
Hail A TAXII
OTX
Limo
What other threat ...
0 votes · 2 answers · 189 views
How vulnerability scanners assign CVE codes to vulnerabilities found
I just want to know how CVE codes are assigned by vulnerability scanners when they find a particular vulnerability.
1 vote · 1 answer · 2k views
Where can I download sample security log file archives?
I am volunteering to teach some folks to use Splunk to analyze logs with a SIEM. Therefore I will need some public log file archives such as auditd, secure.log, firewall, webapp logs, which I can ...
2 votes · 2 answers · 3k views
Tracking Down Failed Logins
I've recently implemented a SIEM solution, and am now able to see a large amount of failed login attempts from legitimate users. In fact, it's such high volume that my SIEM is correlating them to be ...
3 votes · 2 answers · 3k views
Windows Kerberos Pre-Auth Failed (4771)
Is there an easy way to distinguish 4771 events from a real attack perspective vs. someone having a stale session with an old password?
If you don't get logs from all endpoints and rely on Domain ...
-5 votes · 1 answer · 272 views
SIEM false negatives [closed]
The company I work with has a SIEM which detects when you try to install any software on any workstation. If one of the employees tries to install bad software, the SIEM triggers an alert. To circumvent ...
1 vote · 0 answers · 571 views
How do you use ArcSight ESM to monitor PowerShell logs? [closed]
I have read mixed reviews; our team within our DoD sector suggests that ingesting the logs directly into the SIEM platform would be best, and I feel that having a third party tool with signatures, look ...
1 vote · 1 answer · 287 views
SIEM: Correlating remote logons to associate origin and target user
How is it possible to correlate or detect user logons, e.g. via ssh/rdp, to associate the origin user and target user?
My use case is to know who actually (personal/identifiable) used a technical ...
1 vote · 2 answers · 692 views
Fortigate Creating Millions of DNS events to standard domains [closed]
I am trying to tune our SIEM and noticed that we are receiving millions of DNS records every day from the same domains.
These are:
update.microsoft.com
swscan.apple.com
softwareupdate.vmware.com
...
4 votes · 2 answers · 2k views
Datasets dedicated for SIEM systems [closed]
I am looking for data sets published by researchers or freelancers which can be used for the purpose of SIEM testing and evaluations. The goal is to test the classification (and later correlation) for ...
0 votes · 1 answer · 212 views
Enumerating hosts running Elastic Stack
I am currently working on a project where I need to find a host running a SIEM solution. From my research I am fairly confident that the host is running Elastic Stack, probably within another solution ...
1 vote · 1 answer · 830 views
Manage Logs of Excessive Member and Server Authentication Failures
Currently, in our SIEM environment, we are attempting to reduce noise and any non-actionable items. One of the most frequent items we receive on a weekly basis is a report based on excessive member ...
3 votes · 2 answers · 1k views
How are IDS and firewall logs aggregated and fed to a SIEM?
I am studying SIEM tools.
Firewall logs will be different from IDS logs and even from Antivirus logs.
How can log aggregation take place?
0 votes · 1 answer · 344 views
What is the future of SIEM tools? [closed]
Do SIEM tools have a future or will everything move to 100% automation? Will an analyst need to monitor and analyse the collected data in the future or will this be automated? How will SIEM tools be ...