A SIEM (Security Information and Event Management system) is only as good as its logs. Think of logs as the fuel for the engine: without logs and proper log management, the SIEM will never be useful. Selecting the right types of logs to ingest into your SIEM is a complex undertaking.

On one hand, it is easy to say “Log it all!”, but you will inevitably hit the glass ceiling of your SIEM, which will be either your licensing limit or the performance cap of the SIEM hardware.

Furthermore, each SIEM deployment should have a periodic log review in place to make sure the logs you are ingesting are useful to your deployment. There is no need to ingest logs that do not help correlate events, as every log source carries a performance cost. SIEM licensing is also usually based on a logs-per-second figure.

After we decide which areas of the environment provide the most value to the SIEM, the next step is to build rules. Rules evaluate the logs against predefined conditions.

If the conditions are true, the rule is said to “fire” and brings an alert or alarm to the security monitoring team’s attention. It is impossible for any human to evaluate the billions of logs per day that a large-scale SIEM deployment will ingest, so rules are a way to test these logs automatically.

When creating rules, we should first define the logic we want to fire on. For instance, if we are evaluating for “multiple account lockouts,” we would want to define how many times an account must be locked out before an alarm is raised to the security monitoring team.
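To make the “multiple account lockouts” rule concrete, here is an added example (not code from the original article or any particular SIEM product) of the threshold logic a rule engine applies: count lockout events per account inside a sliding time window and fire once the count reaches the agreed threshold. The log format, the sample lines, the accounts and the default threshold of 3 lockouts in 60 minutes are all assumptions made for this example; Windows event ID 4740 is the real “A user account was locked out” event, and 4624 is a successful logon included only to show that non-lockout events are ignored.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article): one event per line,
# "<ISO timestamp> <event_id> <account>". Accounts and times are made up.
SAMPLE_LOGS = """\
2024-05-01T08:00:05 4740 jdoe
2024-05-01T08:03:10 4740 asmith
2024-05-01T08:05:00 4624 jdoe
2024-05-01T08:14:30 4740 jdoe
2024-05-01T08:30:00 4740 jdoe
2024-05-01T09:40:00 4740 asmith
2024-05-01T10:15:00 4740 asmith
2024-05-01T11:00:00 4740 jdoe
"""


def parse_logs(text):
    """Yield (timestamp, event_id, account) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, event_id, account = parts
        yield datetime.fromisoformat(ts), event_id, account


def lockout_alerts(log_text, threshold=3, window_minutes=60, lockout_event="4740"):
    """Return one alert dict per account each time it reaches `threshold` lockouts
    within `window_minutes`. A sliding window is kept per account; once an alert
    fires the window is cleared so one burst of lockouts does not alert repeatedly."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # account -> timestamps of lockouts inside the window
    alerts = []
    # Sort by timestamp so out-of-order lines do not break the window arithmetic.
    for ts, event_id, account in sorted(parse_logs(log_text)):
        if event_id != lockout_event:
            continue  # rule only cares about lockout events
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop lockouts that fell out of the window
        if len(q) >= threshold:
            alerts.append({
                "account": account,
                "count": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in lockout_alerts(SAMPLE_LOGS):
        print(f"ALERT {alert['account']}: {alert['count']} lockouts "
              f"between {alert['first']} and {alert['last']}")
```

With the sample input and the default threshold, only `jdoe` fires (three lockouts between 08:00 and 08:30); `asmith` has three lockouts in total but never three inside one hour. Lowering the threshold to 2 makes both accounts fire, which is exactly the tuning decision the paragraph describes: the threshold and window are what separate a noisy rule from a useful one.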

When the logic of the conditions that we would like to meet has been agreed upon, it is not suggested to put this rule