After spending a while configuring the SIEM log collector on IIS servers and hooking the feed to the SIEM box, I stumbled upon a question of why these logs are even needed...
For example, these logs are not being flagged if there's an SQL injection in the URL field; an auto rule is created for the 308-200 event ID that just says 200 OK. It populates and parses data nicely etc., shows the URL that was in the GET request etc., but that's about it, nothing is being flagged. I understand I can create alerts, but those are based on a certain pattern, which wouldn't be feasible for getting one for SQL injections, for example.
Just wondering, am I wrong on this one and maybe there's some method to actually make use of these logs? Guys, what use are you making of these logs? Any examples, case studies etc.?
I was very surprised to see that McAfee SIEM doesn't really do that...
SIEMs don't do things like match SQL injection attempts or detect malware. They collect logs from sources that do and give you a central location to view, alarm, and report on them. What you want is an IPS/IDS to detect those types of events, which then feeds the SIEM, which can then alarm you, or take automated action when it detects these types of events.
Sure, makes sense. IPS is the thing. However, wouldn't it be vital/good/useful if a log analyser would parse through the logs that are getting fed into it? Coz the SIEM could fill in the right fields so the parser is good, however it can't see SQL injections or anything suspicious in the URL field (if we are talking about IIS).
It can, however, show high severity on the events that are coming from WMI logs, so how does that coincide?
Deep down I still believe that there must be some way of making more use out of IIS logs...
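As an added example (not code from this thread or from McAfee's SIEM), here is the kind of URL-field inspection the thread is asking about, the sort of content check a parser could run on IIS logs rather than keying only on the status code: it reads IIS W3C extended log lines using the `#Fields` header, URL-decodes `cs-uri-query`, and flags requests whose decoded query matches a few indicator patterns, even when `sc-status` is 200. The field names are the standard ones IIS writes; the sample log lines and the indicator patterns are constructed for illustration and would need tuning against real traffic.

```python
"""Parse IIS W3C extended log lines and flag suspicious request URLs.

Added example, not from the forum thread or any vendor product. It shows
content inspection of the cs-uri-stem / cs-uri-query fields that IIS already
logs, independent of sc-status. Sample lines and patterns are constructed.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample: a #Fields header as IIS writes it, then three requests.
# Note that the suspicious request still returns 200, so a status-based rule
# would never surface it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-01-15 10:00:01 10.0.0.5 GET /products.aspx id=42 80 203.0.113.7 Mozilla/5.0 200
2024-01-15 10:00:02 10.0.0.5 GET /products.aspx id=42%27+OR+1%3D1-- 80 203.0.113.9 Mozilla/5.0 200
2024-01-15 10:00:03 10.0.0.5 GET /search.aspx q=lamp+shade 80 203.0.113.7 Mozilla/5.0 200
"""

# Constructed indicator patterns applied to the URL-decoded query string.
# Illustrative only; a production rule set is tuned against your own traffic.
SQLI_PATTERNS = [
    (r"(?i)'\s*(or|and)\s+\d+\s*=\s*\d+", "tautology"),
    (r"(?i)\bunion\b.*\bselect\b", "union select"),
    (r"--\s*$|;\s*--", "comment terminator"),
]


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may repeat on log rollover
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # cannot map this line to the header; skip it
        yield dict(zip(fields, values))


def inspect_request(rec):
    """Return the indicator names that match the decoded cs-uri-query."""
    raw = rec.get("cs-uri-query", "-")
    if raw == "-":  # IIS writes '-' when there is no query string
        return []
    query = unquote_plus(raw)
    return [name for pat, name in SQLI_PATTERNS if re.search(pat, query)]


def flag_suspicious(text):
    """Return one dict per flagged request with the fields an analyst wants first."""
    hits = []
    for rec in parse_iis_log(text):
        indicators = inspect_request(rec)
        if indicators:
            hits.append({
                "c-ip": rec["c-ip"],
                "stem": rec["cs-uri-stem"],
                "query": unquote_plus(rec["cs-uri-query"]),
                "status": rec["sc-status"],
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print(f"{hit['c-ip']} {hit['stem']}?{hit['query']} "
              f"(status {hit['status']}) -> {', '.join(hit['indicators'])}")
```

The decoding step matters: IIS stores the query as it arrived on the wire, so a rule that matches the raw `cs-uri-query` field sees `%27` rather than a quote and misses encoded payloads. Whether this logic lives in the SIEM parser or in an IDS/WAF in front of the server, the output is the same kind of enriched event the SIEM can then alarm on.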