Questions tagged [siem]
Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across your entire IT infrastructure.
11 questions with no upvoted or accepted answers
3 votes | 2 answers | 3k views
Windows Kerberos Pre-Auth Failed (4771)
Is there an easy way to distinguish 4771 events from a real attack perspective vs. someone having a stale session with an old password?
If you don't get logs from all endpoints and rely on Domain ...
2 votes | 2 answers | 114 views
Security Concern Opening Up Azure VM to AWS IPs
We have an IIS webserver hosted in Azure. We want to monitor this server via our cloud SIEM hosted in AWS. To monitor, there is a requirement to open outbound 443, on the VM, to a few hundred AWS ...
2 votes | 0 answers | 473 views
How can XML External Entity attacks be detected?
XML External Entity attacks have been identified as an OWASP top 10 web application vulnerability. Whilst there seems to be extensive information on what an XML external entity attack is and how it ...
1 vote | 0 answers | 47 views
How to analyze anomalous behavior in a network using network logs?
I have an assignment in which I have three logs from a network. One for control, from which I can define a typical behaviour pattern, one in which I have strange behaviour from accesses within the ...
1 vote | 0 answers | 183 views
Machine reaching out to Microsoft IP address using NBTstat command
I have limited logs for this event, but the IPS says it's an NBTstat query outbound over UDP port 137 to a Microsoft-owned IP address.
Should UDP 137 ever reach out externally?
This is about all the ...
1 vote | 0 answers | 134 views
Would extracting logs from a European server to a US SIEM system cause privacy legal concerns?
Looking for an answer related to the European "General Data Protection Regulation" laws.
1 vote | 0 answers | 472 views
How to create alerts for a WatchGuard firewall in a SIEM
I'm working in a SOC (Security Operation Center) where we use a WatchGuard firewall in our customer's environment.
We currently create alerts for other devices (SonicWall, Cisco ASA) based on event ...
1 vote | 1 answer | 1k views
How to test DoS attacks through a router?
One of my clients has been told by their ISP that a DoS attack has happened, and they have provided the logs of a Juniper router. What are the criteria in routers on which we can confirm a DoS attack is ...
1 vote | 0 answers | 560 views
Virtual Pentesting Lab on popular Enterprise level UTM and SIEM
I’m planning to add a new Penetration Testing Segment to my personal “Pen Lab”. It’ll be centered around Vulnerability Assessments / Penetration Testing on market-leading Next-Gen Enterprise SIEM, UTM, ...
1 vote | 2 answers | 506 views
What config files and logs files of a Linux system (CentOS 7) deserve to be monitored by a SIEM?
I am not a security expert (I am more of a software developer) and I am working on a project related to a SIEM installation (Wazuh). This installation is only a demo for a customer; in a second time a ...
0 votes | 1 answer | 138 views
Can security devices (e.g. Snort, Splunk, WAFs, etc.) generate alerts when they aren't working as designed?
APRA's CPS 234 regulation section 56 states:
An APRA-regulated entity would typically deploy appropriate
information security technology solutions which maintain the security
of information assets. ...