Questions tagged [siem]
Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across your entire IT infrastructure.
89 questions
1 vote, 0 answers, 47 views
How to analyze anomalous behavior in network having network log?
I have an assignment in which I have three logs from a network. One for control, from which I can define a typical behaviour pattern, one in which I have strange behaviour from accesses within the ...
1 vote, 0 answers, 76 views
Security Incident Response Tracking [closed]
Besides Security IR tracking & workflow that is available in SIEM platforms, what are other tools that can do this such as standalone products like ServiceNow SIR or Everbridge xmatters? I found ...
2 votes, 1 answer, 186 views
Insights into SIEM logging for most data exfiltration scenarios
I would like some input from security professionals on the data exfiltration scenarios commonly executed by ransomware gangs.
My area is system recovery & I am not knowledgeable about SIEM. I ...
5 votes, 2 answers, 1k views
Traditional SIEM in Kubernetes environments
How do companies manage SIEM for Kubernetes environments? I am specifically interested in running CIS benchmarks and auditing OS events on the nodes.
I already have a Wazuh cluster and agents rolled ...
0 votes, 2 answers, 206 views
How do you detect attacks on Intel ME firmware and the AMD equivalent?
Since there are quite a few exploits of Intel ME firmware in the CPU (same applies to AMD), I would like to know what SIEM solutions are there for detecting these kinds of attacks.
To be more exact, I ...
2 votes, 2 answers, 114 views
Security Concern Opening Up Azure VM to AWS IPs
We have an IIS webserver hosted in Azure. We want to monitor this server via our cloud SIEM hosted in AWS. To monitor, there is a requirement to open outbound 443, on the VM, to a few hundred AWS ...
0 votes, 3 answers, 900 views
Why would a legitimate application run on a non-standard port?
Among the many "threats" I see on my SIEM, a non-standard port is a top one. It's always been a false positive, but I don't understand why this happens frequently.
2 votes, 1 answer, 2k views
Windows Defender's MsMpEng.exe Access lsass.exe
I detected an activity last week on our SIEM system: MsMpEng.exe, which belongs to Windows Defender, accessed lsass.exe. I searched the net to learn whether this is a normal activity or an abnormal one, then ...
2 votes, 0 answers, 938 views
SVCHOST executed without any arguments [closed]
Our SIEM has a Sigma rule that alerts when svchost is launched without any arguments. The logs are from a domain controller which unfortunately I don't have access to to verify. I will be reaching ...
2 votes, 2 answers, 367 views
Threat Hunting Vs SIEM use cases
Lately I'm confused about threat hunting vs SIEM Use case creation.
The threat hunting resources I have read can be created as a SIEM use case. Then why should I perform it manually in the name of ...
0 votes, 1 answer, 392 views
Can SIEMs correlate logs from different sources?
Currently, there are too few ways to monitor security issues in the current company. Security solutions such as NDR, IPS, and WAF exist, but since there is no SIEM, the log must be checked on the ...
0 votes, 1 answer, 154 views
Are sequential patterns used in practice?
I study computer security and I read articles about the potential usage of sequential pattern mining in IDPS products:
Database intrusion detection using role and user behavior based risk assessment
...
1 vote, 1 answer, 154 views
SIEM-like tool for pcaps [closed]
Is there any tool that accepts a packet capture file as input and displays all the network traffic in a similar way to how a SIEM displays log information? I'm looking for a summary of the ports and ...
0 votes, 1 answer, 138 views
Can security devices (e.g. Snort, Splunk, WAFs, etc.) generate alerts when they aren't working as designed?
APRA's CPS 234 regulation section 56 states:
An APRA-regulated entity would typically deploy appropriate information security technology solutions which maintain the security of information assets. ...
1 vote, 2 answers, 506 views
What config files and logs files of a Linux system (CentOS 7) deserve to be monitored by a SIEM?
I am not a security expert (I am more a software developer) and I am working on a project related to a SIEM installation (Wazuh). This installation is only a demo for a customer, in a second time a ...