
SIEM and logs from IIS

After spending a while configuring the SIEM log collector on IIS servers and hooking the feed to the SIEM box, I stumbled upon the question of why these logs are even needed...

For example, these logs are not being flagged if there's an SQL injection in the URL field; an auto rule is created for the 308-200 event ID that just says 200 OK. It populates and parses the data nicely, shows the URL that was in the GET request, etc., but that's about it; nothing is being flagged. I understand I can create alerts, but those are based on a certain pattern, which wouldn't be feasible for catching SQL injections, for example.

Just wondering, am I wrong on this one, and maybe there's some method to actually make use of these logs? Guys, what use are you making of these logs? Any examples, case studies, etc.?

I was very surprised to see that McAfee SIEM doesn't really do that...

2 Replies
akerr (Reliable Contributor), Message 2 of 3

Re: SIEM and logs from IIS

SIEMs don't do things like match SQL injection attempts or detect malware. They collect logs from sources that do and give you a central location to view, alarm, and report on them. What you want is an IPS/IDS to detect those types of events, which then feeds the SIEM, which can then alarm you or take automated action when it detects these types of events.

Re: SIEM and logs from IIS

Sure, makes sense. IPS is the thing. However, wouldn't it be vital/good/useful if a log analyser would parse through the logs that are getting fed into it? Because the SIEM could fill in the right fields so the parser is good, however it can't see SQL injections or anything suspicious in the URL field (if we are talking about IIS).

It can, however, show high severity on the events that are coming from WMI logs, so how does that coincide?

Deep down I still believe that there must be some way of making more use out of IIS logs...
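As an added example (not from the thread, and not McAfee SIEM or IIS code), here is the kind of detection logic that can be run over IIS W3C logs once they are parsed into fields: a signature check for SQL injection tokens in the URL-decoded request, and a behavioural check (a burst of 4xx/5xx responses from one client IP) that needs no attack signature at all. The log lines, IP addresses, field list and thresholds are all constructed for the example; the same rules could be expressed as SIEM correlation rules or run as a scheduled script over the log files.

```python
"""Detection logic over IIS W3C log lines (added example, constructed data)."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended format. IIS writes timestamps in UTC by
# default, and spaces inside URLs are logged as '+', so fields never contain spaces.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2019-03-12 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-03-12 10:00:01 10.0.0.5 GET /products.aspx id=1 80 - 203.0.113.9 Mozilla/5.0 200 0 0 15
2019-03-12 10:00:02 10.0.0.5 GET /products.aspx id=1'+or+'1'='1 80 - 198.51.100.7 sqlmap/1.3 200 0 0 40
2019-03-12 10:00:03 10.0.0.5 GET /products.aspx id=1%20UNION%20SELECT%20null,@@version-- 80 - 198.51.100.7 sqlmap/1.3 500 0 0 22
2019-03-12 10:00:04 10.0.0.5 GET /admin/ - 80 - 198.51.100.7 sqlmap/1.3 404 0 2 3
2019-03-12 10:00:05 10.0.0.5 GET /backup.zip - 80 - 198.51.100.7 sqlmap/1.3 404 0 2 2
2019-03-12 10:00:06 10.0.0.5 GET /web.config - 80 - 198.51.100.7 sqlmap/1.3 404 0 2 2
2019-03-12 10:00:07 10.0.0.5 GET /.git/config - 80 - 198.51.100.7 sqlmap/1.3 404 0 2 2
2019-03-12 10:00:08 10.0.0.5 POST /login.aspx - 80 - 203.0.113.9 Mozilla/5.0 302 0 0 12
2019-03-12 10:00:09 10.0.0.5 GET /search.aspx q=o'neill 80 - 203.0.113.9 Mozilla/5.0 200 0 0 9
"""

# Signatures require SQL structure, not just a quote, so a legitimate search for
# "o'neill" is not flagged. Hypothetical list; a real deployment would tune it.
SQLI_PATTERNS = [
    r"'\s*(or|and)\s+'?[\w@]*'?\s*=",        # ' or '1'='1
    r"\bunion\b\s+(all\s+)?select\b",         # UNION SELECT ...
    r"--\s*$|--\s|/\*",                       # SQL comment terminators
    r";\s*(drop|exec|shutdown|waitfor)\b",    # stacked queries
    r"\b(sleep|benchmark|pg_sleep)\s*\(",     # time-based probes
    r"@@version|xp_cmdshell|information_schema",
]
SQLI_RE = re.compile("|".join(f"(?:{p})" for p in SQLI_PATTERNS), re.IGNORECASE)


def parse_iis_w3c(text):
    """Turn W3C log lines into dicts keyed by the names in the #Fields directive.
    '-' means 'no value' in this format and is mapped to None."""
    fields, records = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue  # #Software, #Version, #Date carry no events
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; in production count and alert on these too
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def detect_sqli(records):
    """Signature check over the URL-decoded stem+query of each request."""
    findings = []
    for rec in records:
        raw = (rec.get("cs-uri-stem") or "") + "?" + (rec.get("cs-uri-query") or "")
        target = unquote_plus(raw)  # decode %xx and '+' before matching
        match = SQLI_RE.search(target)
        if not match:
            continue
        status = rec.get("sc-status")
        # 200 means the application answered the injected request; 500 often means
        # the injected SQL broke the query. Neither is "fine just because it's not 4xx".
        severity = "high" if status in ("200", "500") else "medium"
        findings.append({
            "time": f"{rec.get('date')} {rec.get('time')}",
            "c-ip": rec.get("c-ip"),
            "uri": target,
            "matched": match.group(0),
            "status": status,
            "severity": severity,
        })
    return findings


def detect_error_bursts(records, threshold=4):
    """Count 4xx/5xx responses per client IP. A run of not-found/error responses from
    one source is typical forced-browsing or scanner behaviour and needs no signature."""
    errors = Counter()
    for rec in records:
        status = rec.get("sc-status") or ""
        if status[:1] in ("4", "5"):
            errors[rec.get("c-ip")] += 1
    return {ip: n for ip, n in errors.items() if n >= threshold}


def analyse(text, error_threshold=4):
    records = parse_iis_w3c(text)
    return {
        "records": len(records),
        "sqli": detect_sqli(records),
        "error_bursts": detect_error_bursts(records, error_threshold),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(f"parsed {result['records']} events")
    for f in result["sqli"]:
        print(f"[{f['severity']}] {f['time']} {f['c-ip']} {f['status']} {f['uri']!r} matched {f['matched']!r}")
    for ip, n in result["error_bursts"].items():
        print(f"[medium] {ip} produced {n} 4xx/5xx responses")
```

Two points this makes about the thread: the 200 OK that the auto rule reports is not evidence the request was harmless (the first sqlmap probe above gets a 200), and the error-burst rule gets a hit on the same client without knowing any attack string at all. The signature list will still miss encodings it does not decode and will need tuning against real traffic, which is why an IPS/WAF in front of IIS remains the better detection source; the IIS log then gives the SIEM the context (client IP, user, URL, status) to correlate with it.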
