Questions tagged [siem]
Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across your entire IT infrastructure.
89 questions
1 vote, 2 answers, 2k views
How to find why so many hosts are talking to an IP which is blacklisted
In my SIEM tool, I got multiple alerts for communication with malware sites from Palo Alto firewall.
I have seen many outbound communications from internal IPs toward IP: 74.217.31.51 having host name:...
2 votes, 3 answers, 2k views
Gathering network device data for security detection purposes
I've finally gotten the networking team to start sharing data on the devices they manage (routers, firewalls, VPN, NAC, etc), so we can get better insight into our network and focus more on detection.
...
6 votes, 3 answers, 13k views
SIEM Question: Excessive Firewall Denies / Rule Edit Question
We have a SIEM in our environment that we're currently tuning and part of that process is reducing the noise in our console.
One offense I've been working on is: Excessive Firewall Denies Between ...
4 votes, 3 answers, 20k views
ELK Stack as a SIEM - First steps
I have experience with a couple of commercial SIEM solutions running on Security Operation Centers. I've been reading about companies using Splunk as SIEM. I'm a big fan of open source solutions and I ...
2 votes, 3 answers, 12k views
How to detect port scan on SIEM within LAN or same Network?
Let's suppose a host machine in the client environment has been infected and it's performing port scanning on other machines within the LAN or same network without passing through the firewall:
On what ...
3 votes, 1 answer, 500 views
Event codes for Unix [closed]
I have to write alerts in a SIEM tool. Do we have any event codes for Unix as we have in Windows?
If yes, where can I find them?
If not, on what basis can we write alerts for Unix flavours or machines?...
1 vote, 0 answers, 560 views
Virtual Pentesting Lab on popular Enterprise level UTM and SIEM
I’m planning to add a new Penetration Testing Segment to my personal “Pen Lab”. It’ll be centered around Vulnerability Assessments /Penetration Testing on market leading Next-Gen Enterprise SIEM,UTM,...
-1 votes, 1 answer, 679 views
Recommendations for installing OSSIM
I'm an apprentice in web security and I was assigned the task of researching OSSIM. Bear with my infinite ignorance as I take my questions to the Stack Exchange gurus.
What I know so far:
...
2 votes, 2 answers, 6k views
Log information for SIEM auditing in Linux
How can I know all the types of events generated by Linux? I can get this from the logs, but reading logs and noting IDs is very time consuming, and all events might not be triggered.
I need this ...
2 votes, 2 answers, 1k views
Best practices when classifying log messages severity in an SIEM
When deploying an SIEM solution, what is the best practice when classifying the severity of each event that is being sent from individual devices?
I understand that this may be a little bit ...
0 votes, 1 answer, 1k views
SIEM v/s Network Forensic
When a SIEM is already implemented in an enterprise network, does it not do all the tasks and reporting of a network forensic investigation? Or can we do away with the SIEM and have only network forensic tools ...
4 votes, 2 answers, 2k views
SIEM log pre-filtering question
As everyone knows each company wants to save as much money as possible. I have been tasked with pre-filtering logs on less important status/health messages before they get to the SIEM.
Does anyone ...
5 votes, 2 answers, 4k views
Event monitoring for a home network
I'd like to utilise some of the free SIEM type products out there to increase the chances that I will detect attacks and compromises of any of the devices on my home network. Most of my home devices ...
245 votes, 18 answers, 31k views
Passwords being sent in clear text due to users' mistake in typing it in the username field
Upon reviewing the logs generated by different SIEMs (Splunk, HP Logger Trial and the AlienVault platform's SIEM) I noticed that for some reason quite a few users tend to make the mistake of typing ...
1 vote, 1 answer, 2k views
Weird issue with Firewall blocking NATed packets
From my SIEM I am seeing that a Cisco ASA (we don't own the FW) is blocking packets destined for the internal network (post NAT). Here's what I'm seeing (IP addresses are faked for security):
170....