Questions tagged [siem]
Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across your entire IT infrastructure.
89 questions
245 votes, 18 answers, 31k views
Passwords being sent in clear text due to users' mistake in typing it in the username field
Upon reviewing the logs generated by different SIEMs (Splunk, HP Logger Trial and the AlienVault platform's SIEM) I noticed that for some reason quite a few users tend to make the mistake of typing ...
16 votes, 5 answers, 4k views
SIEM system, what are the benefits?
Each person in the company has a unique username/password, and nobody should log in with his username/password but him.
I want a program that would inspect the logs that includes a list of all the ...
16 votes, 3 answers, 2k views
What techniques and tools do you use to relate security events?
You have central logging going, detailed app logging/alerting (e.g. modsec), network based security alerting (e.g. snort), and whatever else feeding your observation deck.
Do you have any cool ...
12 votes, 3 answers, 750 views
Do any of you who are *really* dealing with APT have any recommended intelligence feeds for SIEM/IDS/etc?
This question about Advanced Persistent Threats (APT) was posted by Rich Mogull on twitter. I copied it here because I'm curious too.
Rich posted these follow-up tweets:
And by APT I mean real ...
8 votes, 2 answers, 712 views
What features do you look for in an Enterprise Log Management solution?
This question is for IT Pros, and people who manage a company's infrastructure. Developers should see this related answer for tools geared for them.
What are your requirements for such an Event Log ...
7 votes, 4 answers, 23k views
What is the difference between a SIEM and a SOC?
What is the difference between a SIEM (Security Information and Event Management) and a SOC (Security Operations Centre)?
Do they work together? And if independent, when to use which?
7 votes, 2 answers, 2k views
How do I track bash history cleanup?
I'd like to catch events when bash history is cleaned or some lines are deleted. Are there any best practices or auditing tools with this capability?
7 votes, 1 answer, 2k views
Security Operation Center (SOC) [closed]
I am looking for resources and details on establishing a security operation center (SoC) or network operation center (NoC) based on ITIL or any other applicable regulations. Where can I find good ...
7 votes, 2 answers, 1k views
SIEM: Monitoring End Users and DHCP IP assigning issue
I want to monitor my end users' activity, for which I have selected AlienVault as my SIEM solution. Now, when I see logs coming in and I see malicious activity at a certain IP (e.g. 10.10.10.4) with ...
6 votes, 2 answers, 663 views
Enterprise security incident response and detection
I have a decent understanding of and experience with securing and setting up smaller networks, although absolutely no enterprise experience. I understand that at such a large scale there are different ...
6 votes, 3 answers, 13k views
SIEM Question: Excessive Firewall Denies / Rule Edit Question
We have a SIEM in our environment that we're currently tuning and part of that process is reducing the noise in our console.
One offense I've been working on is: Excessive Firewall Denies Between ...
5 votes, 2 answers, 4k views
SIEM and Windows Event Logs
When considering what Windows event logs to incorporate into a SIEM solution, should I be looking at just the Security event logs, or all categories of event log? How useful are the other categories ...
5 votes, 2 answers, 1k views
Traditional SIEM in Kubernetes environments
How do companies manage SIEM for Kubernetes environments? I am specifically interested in running CIS benchmarks and auditing OS events on the nodes.
I already have a Wazuh cluster and agents rolled ...
5 votes, 2 answers, 731 views
Incident Responders: Can you give some examples of Incidents / types of incidents that are suitable for fully or partly automated response? [closed]
You set up security monitoring - either a full commercial SIEM/SOC or something home-cooked (e.g., rsyslog -> OSSIM / MozDef / Splunk / ...).
You also set up some rules so that some event triage is ...
5 votes, 2 answers, 4k views
Event monitoring for a home network
I'd like to utilise some of the free SIEM type products out there to increase the chances that I will detect attacks and compromises of any of the devices on my home network. Most of my home devices ...