A SIEM, or Security Information and Event Management system, is only as good as its logs. Think of logs as the fuel for the engine. Without logs (log management), the SIEM will never be useful. Selecting the right types of logs to ingest into your SIEM is a complex undertaking.

On one hand, it is easy to say "Log it all!", but you will inevitably reach the glass ceiling of your SIEM, which will either be your licensing or the performance limit of the SIEM hardware.

Furthermore, each SIEM deployment should have in place a periodic log review to make sure the logs you are ingesting are useful to your deployment. There is no need to ingest logs that aren't worthwhile for correlating events, as there are performance costs. SIEM licensing is also often a number based on logs/sec.

After we decide which areas of the environment provide the most value to the SIEM, the next step is to build the rules. Rules evaluate the logs for predefined conditions.

If the conditions are true, the rule is said to "fire" and brings an alert or alarm to the security monitoring team's attention. It is impossible for any human to evaluate the billions of logs a day a large enterprise SIEM deployment will ingest, so rules are a way to evaluate these logs automatically.

When creating rules, we should first define the logic that we want to see fire. For instance, if we are evaluating for "multiple account lockouts," we would want to define how many times an account would be locked out, and within what period, before raising an alarm to the security monitoring team.

When the logic of the conditions that we would like to match has been agreed upon, it is not advisable to put this rule into production immediately. If your SIEM deployment is lucky enough to have a test environment, the rule should be deployed in the test environment and monitored first.

The very nature of rules is that they need to be constantly and consistently tuned.
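The "multiple account lockouts" rule described above, worked through as an added example (this is illustrative code written for this page, not the author's or any SIEM vendor's rule engine). The pipe-delimited log lines, the event names such as ACCOUNT_LOCKOUT, and the threshold of three lockouts within ten minutes are all constructed assumptions; the point is that the rule's logic is a count over a sliding time window, and that both the count and the window are the knobs that get tuned later.

```python
from collections import deque, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from a real system).
# Format assumed for this example: "timestamp|event|account|source_host".
SAMPLE_LOGS = """\
2024-01-15T09:00:01|ACCOUNT_LOCKOUT|jdoe|ws-017
2024-01-15T09:00:45|ACCOUNT_LOCKOUT|jdoe|ws-017
2024-01-15T09:01:30|LOGON_FAILURE|asmith|ws-022
2024-01-15T09:02:10|ACCOUNT_LOCKOUT|jdoe|ws-017
2024-01-15T09:03:00|ACCOUNT_LOCKOUT|asmith|ws-022
2024-01-15T09:20:00|ACCOUNT_LOCKOUT|jdoe|ws-017
2024-01-15T10:30:00|ACCOUNT_LOCKOUT|asmith|ws-022
"""


def parse_log(line):
    """Turn one constructed log line into a record with a real timestamp."""
    ts, event, account, source = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "account": account, "source": source}


class MultipleLockoutsRule:
    """Fires when one account is locked out `threshold` times within `window`.

    `alarming=False` is the 'enabled but not alarming' mode: the rule still
    evaluates and records every fire so it can be tuned, but returns no alert.
    """

    def __init__(self, threshold=3, window=timedelta(minutes=10), alarming=True):
        self.threshold = threshold
        self.window = window
        self.alarming = alarming
        self.history = defaultdict(deque)  # account -> timestamps of recent lockouts
        self.fires = []                    # every fire, alarming or not

    def evaluate(self, rec):
        """Evaluate one record; return an alert dict if the rule fires and is alarming."""
        if rec["event"] != "ACCOUNT_LOCKOUT":
            return None
        recent = self.history[rec["account"]]
        recent.append(rec["ts"])
        # Drop lockouts that fell out of the sliding window.
        while recent and rec["ts"] - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            alert = {"rule": "multiple_account_lockouts", "account": rec["account"],
                     "count": len(recent), "ts": rec["ts"]}
            self.fires.append(alert)
            recent.clear()  # reset so one burst does not fire on every further lockout
            return alert if self.alarming else None
        return None


def run_rule(log_text, threshold=3, window_minutes=10, alarming=True):
    """Run the rule over a block of log text; return (alerts raised, all fires recorded)."""
    rule = MultipleLockoutsRule(threshold, timedelta(minutes=window_minutes), alarming)
    alerts = []
    for line in log_text.strip().splitlines():
        alert = rule.evaluate(parse_log(line))
        if alert:
            alerts.append(alert)
    return alerts, rule.fires


if __name__ == "__main__":
    for thr in (1, 3):
        alerts, _ = run_rule(SAMPLE_LOGS, threshold=thr)
        print(f"threshold={thr}: {len(alerts)} alert(s)", [a["account"] for a in alerts])
```

On the sample data the default threshold of three within ten minutes fires once, for jdoe; lowering the threshold to one makes every lockout an alert, which is exactly the noisy behaviour the tuning period is meant to catch before the rule reaches production.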
It is possible that someone sets the threshold of the rule far too low and the rule fires hundreds of times a second, resulting in an overwhelming number of alarms raised to your security monitoring team. In some SIEM products, it is possible to set a rule to "enabled" but not "alarming."

The idea is that when someone creates a rule, there is a tuning period of at least a week. During the tuning period, changes should be made to the logic of the rule to make sure that it only fires with a high percentage of true positives.

This monitoring period is imperative. Deploying a rule in production that is far too noisy will result in alarm fatigue for your security monitoring team, as they will be reviewing hundreds if not thousands of false positives while overlooking the true threats to your environment.

On a quarterly basis, all the rules should be audited for their individual performance. Rules that have not fired at all should be revisited.

If the rule is not providing value, the rule's criteria should be modified so the logic fires on the intended threats should they occur. If the rule cannot be modified to provide value, it should be deleted to optimize the performance of the SIEM.

Rules that fire too frequently should be evaluated on the ratio of false vs. true positives. If the rule has a very high false positive rate, the criteria should be evaluated to filter events better. The rule needs to be tuned better.
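The quarterly rule audit described above, as an added example (written for this page; it is not the author's process or any SIEM product's reporting feature). The rule names, the quarter's fire records with analyst dispositions, and the cut-off of an 80% false positive rate are constructed assumptions. The audit applies the three outcomes the text lists: a rule that never fired is flagged for revisiting, a rule whose false positive ratio is too high is flagged for tuning, and everything else is kept.

```python
from collections import OrderedDict

# Constructed rule registry and one quarter of fire records (not real data).
# Each fire record is (rule_name, analyst_disposition) with disposition "TP" or "FP".
# A rule in the registry with no records did not fire at all during the quarter.
ENABLED_RULES = ["multiple_account_lockouts", "admin_logon_off_hours",
                 "new_service_installed", "legacy_vpn_client"]

FIRE_RECORDS = (
    [("multiple_account_lockouts", "TP")] * 12 + [("multiple_account_lockouts", "FP")] * 8
    + [("admin_logon_off_hours", "TP")] * 5 + [("admin_logon_off_hours", "FP")] * 1
    + [("new_service_installed", "TP")] * 2 + [("new_service_installed", "FP")] * 198
)


def audit_rules(enabled_rules, fire_records, max_fp_rate=0.8, days_in_period=90):
    """Score every enabled rule for the period and recommend an audit action.

    Returns an ordered mapping rule -> {"fires", "fires_per_day", "fp_rate", "action"}.
    fp_rate is None for a rule that never fired.
    """
    counts = OrderedDict((rule, {"TP": 0, "FP": 0}) for rule in enabled_rules)
    for rule, disposition in fire_records:
        counts.setdefault(rule, {"TP": 0, "FP": 0})[disposition] += 1

    report = OrderedDict()
    for rule, c in counts.items():
        total = c["TP"] + c["FP"]
        fp_rate = c["FP"] / total if total else None
        if total == 0:
            # Never fired: either the criteria miss the intended threat or the
            # rule has no value and should be deleted.
            action = "revisit: never fired; fix criteria or delete"
        elif fp_rate > max_fp_rate:
            # Noisy rule judged by its false/true positive ratio: tighten filters.
            action = "tune: false positive rate too high; tighten filters"
        else:
            action = "keep"
        report[rule] = {"fires": total, "fires_per_day": total / days_in_period,
                        "fp_rate": fp_rate, "action": action}
    return report


if __name__ == "__main__":
    for rule, stats in audit_rules(ENABLED_RULES, FIRE_RECORDS).items():
        rate = "n/a" if stats["fp_rate"] is None else f"{stats['fp_rate']:.0%}"
        print(f"{rule:28} fires={stats['fires']:4}  fp_rate={rate:>4}  -> {stats['action']}")
```

The same function is what you would run at the end of a new rule's one-week tuning period, with `days_in_period=7`, to see whether its true positive share is high enough to switch it from "enabled" to "alarming".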
About the Author: Tyler Wall is a red team fanatic. Born with a natural curiosity for anything and everything that spills over into everyday life by way of his many (mis)adventures and travels, he holds a Bachelor's of Science degree in Computer Information Systems, Certified Ethical Hacker (CEH v8), CSSA, CISSP, Security+, Network+ and A+ credentials. Tyler is constantly working on ways to improve, and he is setting goals to achieve.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.