Questions tagged [siem]
Security Information and Event Management (SIEM) is a software solution that collects, normalizes, correlates and analyzes log and event data from many different sources across your entire IT infrastructure, so that security-relevant activity can be detected and investigated in one place.
89 questions
1 vote · 0 answers · 47 views
How to analyze anomalous behavior in a network using network logs?
I have an assignment in which I have three logs from a network. One for control, from which I can define a typical behaviour pattern, one in which I have strange behaviour from accesses within the ...
1 vote · 0 answers · 76 views
Security Incident Response Tracking [closed]
Besides Security IR tracking & workflow that is available in SIEM platforms, what are other tools that can do this such as standalone products like ServiceNow SIR or Everbridge xmatters? I found ...
2 votes · 1 answer · 186 views
Insights into SIEM logging for most data exfiltration scenarios
I would like some input from security professionals on the data exfiltration scenarios commonly executed by ransomware gangs.
My area is system recovery & I am not knowledgeable about SIEM. I ...
5 votes · 2 answers · 1k views
Traditional SIEM in Kubernetes environments
How do companies manage SIEM for Kubernetes environments? I am specifically interested in running CIS benchmarks and auditing OS events on the nodes.
I already have a Wazuh cluster and agents rolled ...
0 votes · 2 answers · 206 views
How do you detect attacks on Intel ME firmware and the AMD equivalent?
Since there are quite a few exploits of Intel ME firmware in the CPU (same applies to AMD), I would like to know what SIEM solutions are there for detecting these kinds of attacks.
To be more exact, I ...
2 votes · 2 answers · 114 views
Security Concern Opening Up Azure VM to AWS IPs
We have an IIS webserver hosted in Azure. We want to monitor this server via our cloud SIEM hosted in AWS. To monitor, there is a requirement to open outbound 443, on the VM, to a few hundred AWS ...
0 votes · 3 answers · 900 views
Why would a legitimate application run on a non-standard port?
Among the many "threats" I see on my SIEM, a non-standard port is a top one. It has always been a false positive, but I don't understand why it happens so frequently.
2 votes · 1 answer · 2k views
Windows Defender's MsMpEng.exe accesses lsass.exe
I detected an activity last week on our SIEM system: MsMpEng.exe, which belongs to Windows Defender, accessed lsass.exe. I searched the net to learn whether this is normal or abnormal activity, then ...
2 votes · 0 answers · 938 views
SVCHOST executed without any arguments [closed]
Our SIEM has a Sigma rule that alerts when svchost is launched without any arguments. The logs are from a domain controller which unfortunately I don't have access to to verify. I will be reaching ...
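The check described in this question, written out as an added example (not the asker's rule and not a published Sigma rule): a svchost.exe start is evaluated the way the usual "svchost without arguments" logic does, plus the two neighbouring checks a practitioner would want (image outside System32/SysWOW64, parent other than services.exe). The sample events are constructed and the field names (Image, CommandLine, ParentImage) are assumed to match whatever your SIEM normalises from Sysmon Event ID 1 or Security 4688. The last sample event shows why this rule floods on some domain controllers: Security 4688 only carries a command line when the "Include command line in process creation events" policy is enabled, so without it every svchost looks argument-less and the right fix is the audit policy, not the rule.

```python
"""Sigma-style check: svchost.exe launched without the usual -k <group> arguments.

Constructed sample events modelled on the fields a SIEM normalises from
Sysmon Event ID 1 or Windows Security 4688 (Image, CommandLine, ParentImage).
"""
from typing import Optional

SAMPLE_EVENTS = [
    # Legitimate: services.exe starts every service host with -k <service group>.
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # Suspicious: no arguments at all, started by something in a user-writable path.
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\Public\update.exe"},
    # Suspicious: a binary merely named svchost.exe living outside System32/SysWOW64.
    {"EventID": 1, "Image": r"C:\Users\Public\svchost.exe",
     "CommandLine": r"C:\Users\Public\svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Legitimate, but with a quoted image path that a naive split() would mishandle.
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Windows\System32\svchost.exe" -k LocalServiceNetworkRestricted -p',
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # The trap behind most "svchost without arguments" floods: Security 4688 only
    # carries a command line when "Include command line in process creation events"
    # is enabled, so on a DC without that policy every svchost event looks argument-less.
    {"EventID": 4688, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def args_of(command_line: str) -> list:
    """Return the arguments following the executable; tolerates a quoted image path."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        rest = cl[end + 1:] if end != -1 else ""
    else:
        parts = cl.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.split()


def classify(event: dict) -> Optional[str]:
    """Return a finding name for a svchost.exe start, or None if it looks normal."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\svchost.exe"):
        return None
    command_line = event.get("CommandLine", "")
    if not command_line:
        # The rule cannot be evaluated at all: fix command-line auditing instead of alerting.
        return "no_cmdline_field"
    if not image.startswith(SYSTEM_DIRS):
        return "svchost_outside_system32"
    if "-k" not in [a.lower() for a in args_of(command_line)]:
        return "svchost_without_k_group"
    if not event.get("ParentImage", "").lower().endswith("\\services.exe"):
        # Real service hosts are children of services.exe; other parents merit a look.
        return "svchost_parent_not_services"
    return None


def run(events: list) -> list:
    """Apply the rule to a batch of events and keep only the findings."""
    findings = []
    for event in events:
        verdict = classify(event)
        if verdict:
            findings.append((event["EventID"], event["Image"], verdict))
    return findings


if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

Treat "no_cmdline_field" as a data-quality finding rather than a security alert: on the asker's domain controller the first thing to verify is whether 4688 events there carry a "Process Command Line" value at all, because if they do not, the Sigma rule is matching the absence of data, not an attacker.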
2 votes · 2 answers · 367 views
Threat Hunting Vs SIEM use cases
Lately I'm confused about threat hunting vs SIEM Use case creation.
The threat hunting resources I have read can be created as a SIEM use case. Then why should I perform it manually in the name of ...
0 votes · 1 answer · 392 views
Can SIEMs correlate logs from different sources?
Currently there are too few ways to monitor security issues in our company. Security solutions such as NDR, IPS, and WAF exist, but since there is no SIEM, the logs must be checked on the ...
0 votes · 1 answer · 154 views
Are sequential patterns used in practice?
I study computer security and I read articles about the potential usage of sequential pattern mining in IDPS products:
Database intrusion detection using role and user behavior based risk assessment
...
1 vote · 1 answer · 154 views
SIEM-like tool for pcaps [closed]
Is there any tool that accepts a packet capture file as input and displays all the network traffic in a similar way to how a SIEM displays log information? I'm looking for a summary of the ports and ...
0 votes · 1 answer · 138 views
Can security devices (e.g. Snort, Splunk, WAFs, etc.) generate alerts when they aren't working as designed?
APRA's CPS 234 regulation section 56 states:
An APRA-regulated entity would typically deploy appropriate
information security technology solutions which maintain the security
of information assets. ...
1 vote · 2 answers · 506 views
What config files and logs files of a Linux system (CentOS 7) deserve to be monitored by a SIEM?
I am not a security expert (I am more a software developer) and I am working on a project related to a SIEM installation (Wazuh). This installation is only a demo for a customer, in a second time a ...
0 votes · 2 answers · 958 views
Full packet capture vs SIEM
Instead of collecting various logs into the SIEM, can a full packet capture solution be better in terms of having to manage so many log sources?
3 votes · 0 answers · 196 views
Essential / popular TAXII feeds [closed]
TAXII feeds are a great addition to a monitoring solution such as a SIEM. However, to my knowledge, there are only three distinct openly available providers:
Hail A TAXII
OTX
Limo
What other threat ...
0 votes · 2 answers · 189 views
How vulnerability scanners assign CVE codes to the vulnerabilities they find
I just want to know how CVE codes are assigned by vulnerability scanners when they find a particular vulnerability.
1 vote · 1 answer · 2k views
Where can I download sample security log file archives?
I am volunteering to teach some folks Splunk so they can analyze logs with a SIEM. Therefore I will need some public log file archives such as auditd, secure.log, firewall, webapp logs, which I can ...
2 votes · 2 answers · 3k views
Tracking Down Failed Logins
I've recently implemented a SIEM solution, and am now able to see a large amount of failed login attempts from legitimate users. In fact, it's such high volume that my SIEM is correlating them to be ...
3 votes · 2 answers · 3k views
Windows Kerberos Pre-Auth Failed (4771)
Is there an easy way to distinguish 4771 events from a real attack perspective vs. someone having a stale session with an old password?
If you don't get logs from all endpoints and rely on Domain ...
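The two questions above (a flood of failed logons from legitimate users, and telling a real attack apart from a stale session in 4771 events) ask for the same triage logic, so here is one added example, not code from either asker. It runs over a constructed sample of Windows Security events reduced to the fields a SIEM normalises; "FailureCode" is an assumed normalised field that holds the 4771 Failure Code (0x18 = KDC_ERR_PREAUTH_FAILED, wrong password; 0x17 = password expired) or the 4625 Sub Status (0xC000006A = wrong password). Three patterns are separated by shape alone: many accounts from one source (spray), one account hammered from one source (brute force), and one account retried from one source at a steady machine-like interval (a stale credential cached by a forgotten session or service). The thresholds are assumptions to tune per environment.

```python
"""Triage of failed-logon events: brute force vs password spray vs stale credential.

Constructed sample of Windows Security events, reduced to the fields a SIEM
normalises. "FailureCode" is an assumed normalised field holding the 4771
Failure Code (0x18 = wrong password, 0x17 = password expired) or the 4625
Sub Status (0xC000006A = wrong password).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

T0 = datetime(2024, 1, 15, 8, 0, 0)
SAMPLE = []
# A forgotten RDP session on a workstation retrying jsmith's old password every 10 min.
for i in range(6):
    SAMPLE.append({"ts": T0 + timedelta(minutes=10 * i), "EventID": 4771,
                   "TargetUserName": "jsmith", "ClientAddress": "10.0.5.42",
                   "FailureCode": "0x18"})
# One account hammered from one source: 30 attempts in a minute.
for i in range(30):
    SAMPLE.append({"ts": T0 + timedelta(seconds=2 * i), "EventID": 4771,
                   "TargetUserName": "administrator", "ClientAddress": "10.0.9.200",
                   "FailureCode": "0x18"})
# Many accounts, one attempt each, from one source: a low-and-slow spray.
for i, user in enumerate(["alice", "bob", "carol", "dave", "erin",
                          "frank", "grace", "heidi", "ivan", "judy"]):
    SAMPLE.append({"ts": T0 + timedelta(seconds=30 * i), "EventID": 4625,
                   "TargetUserName": user, "ClientAddress": "10.0.9.201",
                   "FailureCode": "0xC000006A"})
# Expired password: a helpdesk ticket, not an attack, so excluded from the rule.
SAMPLE.append({"ts": T0, "EventID": 4771, "TargetUserName": "mallory",
               "ClientAddress": "10.0.5.7", "FailureCode": "0x17"})

BAD_PASSWORD = {"0x18", "0xC000006A"}


def is_periodic(times, tolerance=0.2, min_gap_seconds=60):
    """True when retries arrive at a steady machine-like interval (>= min_gap)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = median(gaps)
    return m >= min_gap_seconds and all(abs(g - m) <= tolerance * m for g in gaps)


def triage(events, window=timedelta(minutes=60), spray_accounts=8, brute_attempts=20):
    """Return {(source_ip, account): verdict}; account "*" marks a per-source verdict."""
    accounts_by_ip = defaultdict(set)
    times_by_pair = defaultdict(list)
    for e in events:
        if e["EventID"] not in (4771, 4625) or e["FailureCode"] not in BAD_PASSWORD:
            continue
        accounts_by_ip[e["ClientAddress"]].add(e["TargetUserName"])
        times_by_pair[(e["ClientAddress"], e["TargetUserName"])].append(e["ts"])

    verdicts = {}
    for ip, accounts in accounts_by_ip.items():
        if len(accounts) >= spray_accounts:
            verdicts[(ip, "*")] = "password_spray"
    for (ip, user), times in times_by_pair.items():
        if (ip, "*") in verdicts:
            continue  # already explained by the spray from this source
        times.sort()
        if len(times) >= brute_attempts and times[-1] - times[0] <= window:
            verdicts[(ip, user)] = "brute_force"
        elif len(times) >= 3 and is_periodic(times):
            verdicts[(ip, user)] = "stale_credential"
    return verdicts


if __name__ == "__main__":
    for key, verdict in sorted(triage(SAMPLE).items()):
        print(key, verdict)
```

"stale_credential" is a likely verdict, not a proof: the DC only tells you the Client Address, and confirming which process on that client still holds the old password needs that host's own logs, which is exactly the gap when you rely on domain controllers alone. Note also that 4771 covers Kerberos only; clients falling back to NTLM show up as 4776 on the DC and 4625 on the target instead.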
-5 votes · 1 answer · 272 views
SIEM false negatives [closed]
The company I work with has a SIEM which detects when you try to install any software on any workstation. If one of the employees tries to install bad software, the SIEM triggers an alert. To circumvent ...
1 vote · 0 answers · 571 views
How do I use ArcSight ESM to monitor PowerShell logs? [closed]
I have read mixed reviews; our team within our DoD sector suggests that ingesting the logs directly into the SIEM platform would be best, and I feel that having a third-party tool with signatures, look ...
1 vote · 1 answer · 287 views
SIEM: Correlating remote logons to associate origin and target user
How is it possible to correlate or detect user logons, e.g. via ssh/rdp, to associate the origin user and target user?
My use case is to know who actually (personal/identifiable) used a technical ...
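One way to do the origin-to-target attribution this question asks for, as an added example that is not the asker's code: constructed auth.log-style lines from an assumed bastion host (IP 10.0.0.10 in an assumed asset inventory) and an assumed target "srv01". Local sudo records name both users directly; for ssh hops, a logon to the technical account on srv01 coming from the bastion is matched against the interactive sessions open on the bastion at that moment, and the result is marked exact only when a single person was logged in. The second hop in the sample deliberately lands while two people are logged in, to show the ambiguity you get when the source host logs nothing that ties its outbound connections to a user.

```python
"""Attribute a logon to a technical account back to the person who initiated it.

Constructed auth.log-style lines (assumed hosts "bastion" and "srv01", assumed
bastion IP 10.0.0.10). Two sources of attribution:
  1. local sudo records name both origin and target user directly;
  2. an ssh logon on srv01 coming from the bastion is matched against the
     interactive sessions open on the bastion at that moment.
"""
import re
from datetime import datetime

YEAR = 2024                          # syslog timestamps carry no year
HOST_IP = {"bastion": "10.0.0.10"}   # assumed asset inventory: hostname -> IP

SAMPLE_LINES = """\
Jan 15 08:00:01 bastion sshd[2001]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
Jan 15 08:00:01 bastion sshd[2001]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 15 08:05:10 srv01 sshd[3100]: Accepted publickey for deploy from 10.0.0.10 port 40000 ssh2
Jan 15 08:10:00 bastion sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=deploy ; COMMAND=/bin/bash
Jan 15 08:20:00 bastion sshd[2050]: Accepted publickey for bob from 198.51.100.7 port 50000 ssh2
Jan 15 08:20:00 bastion sshd[2050]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Jan 15 08:25:00 srv01 sshd[3150]: Accepted publickey for deploy from 10.0.0.10 port 40010 ssh2
Jan 15 08:30:00 bastion sshd[2001]: pam_unix(sshd:session): session closed for user alice
Jan 15 08:40:00 bastion sshd[2050]: pam_unix(sshd:session): session closed for user bob
""".splitlines()

TS = r"(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
RE_ACCEPT = re.compile(TS + r"sshd\[(?P<pid>\d+)\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
RE_OPEN = re.compile(TS + r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")
RE_CLOSE = re.compile(TS + r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:session\): session closed for user (?P<user>\S+)")
RE_SUDO = re.compile(TS + r"sudo: +(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=")


def ts(m):
    """Parse the syslog timestamp of a match, adding the assumed year."""
    return datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


def correlate(lines):
    """Return one record per logon with origin_user and a confidence label."""
    sessions = {}   # (host, sshd pid) -> [user, start, end]
    logons = []     # ("ssh" | "sudo", match) in log order
    for line in lines:
        if m := RE_OPEN.match(line):
            sessions[(m["host"], m["pid"])] = [m["user"], ts(m), None]
        elif m := RE_CLOSE.match(line):
            if s := sessions.get((m["host"], m["pid"])):
                s[2] = ts(m)
        elif m := RE_ACCEPT.match(line):
            logons.append(("ssh", m))
        elif m := RE_SUDO.match(line):
            logons.append(("sudo", m))

    results = []
    for kind, m in logons:
        t = ts(m)
        r = {"when": t, "target_host": m["host"], "via": kind, "candidates": []}
        if kind == "sudo":
            r.update(target_user=m["target"], origin_user=m["user"], confidence="exact")
        else:
            r["target_user"] = m["user"]
            origin_host = next((h for h, ip in HOST_IP.items() if ip == m["ip"]), None)
            if origin_host is None:
                # Source is outside the inventory: a direct (external) logon, nothing to unwind.
                r.update(origin_user=None, confidence="external")
            else:
                active = sorted({u for (h, _), (u, start, end) in sessions.items()
                                 if h == origin_host and start <= t and (end is None or t <= end)})
                r["candidates"] = active
                if len(active) == 1:
                    r.update(origin_user=active[0], confidence="exact")
                elif active:
                    r.update(origin_user=None, confidence="ambiguous")
                else:
                    r.update(origin_user=None, confidence="no_session")
        results.append(r)
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_LINES):
        print(r["when"], r["target_host"], r["target_user"], "<-", r["origin_user"], r["confidence"], r["candidates"])
```

The "ambiguous" case is the real lesson: session-time overlap cannot be made exact without data that ties the outbound connection to a user on the source host (auditd or Sysmon network events, or a bastion that forces a per-user jump). The cheaper fix is to give each person their own key in the technical account's authorized_keys; OpenSSH prints the key fingerprint on the "Accepted publickey" line, so the target's own log then identifies the person with no correlation at all.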
1 vote · 2 answers · 692 views
Fortigate Creating Millions of DNS events to standard domains [closed]
I am trying to tune our SIEM and noticed that we are receiving millions of DNS records every day from the same domains.
These are:
update.microsoft.com
swscan.apple.com
softwareupdate.vmware.com
...
4 votes · 2 answers · 2k views
Datasets dedicated for SIEM systems [closed]
I am looking for data sets published by researchers or freelancers which can be used for the purpose of SIEM testing and evaluations. The goal is to test the classification (and later correlation) for ...
0 votes · 1 answer · 212 views
Enumerating hosts running Elastic Stack
I am currently working on a project where I need to find a host running a SIEM solution. From my research I am fairly confident that the host is running Elastic Stack, probably within another solution ...
1 vote · 1 answer · 830 views
Manage Logs of Excessive Member and Server Authentication Failures
Currently, in our SIEM environment, we are attempting to reduce noise and any non-actionable items. One of the most frequent items we receive on a weekly basis is a report based on excessive member ...
3 votes · 2 answers · 1k views
How are IDS and firewall logs aggregated and fed to a SIEM?
I am studying SIEM tools.
Firewall logs will be different from IDS logs and even from Antivirus logs.
How can log aggregation take place?
0 votes · 1 answer · 344 views
What is the future of SIEM tools? [closed]
Do SIEM tools have a future or will everything move to 100% automation? Will an analyst need to monitor and analyse the collected data in the future or will this be automated? How will SIEM tools be ...