Moved to Business > Event Management (SIEM) for support purposes.
What data sources are you getting events from?
Any plans for more data sources to be added to SIEM?
We have Windows servers, firewalls, NIPS, HIPS, Arbor, PIM, web servers, Wi-Fi devices etc.
As of now no plan to integrate more devices.
Very briefly, I'll give you an idea of how I work with folks to help them develop correlation rules. The first is to realize that the SIEM is a part of a larger process. The steps we worked through to develop this process are:
1. Identified the first goal: what are we protecting?
- Systems with sensitive data
- Systems responsible for operational posture
- Systems that must be available
2. What are the risks against these systems?
- Denial of service
- We just made our "threat model".
3. How are these risks mitigated?
- Just built a "security posture".
4. Now we add a SIEM that includes different correlation methods.
- Over 200 out-of-the-box correlation rules
- Create custom correlation rules that alert directly on all of the threats that you identified and mitigated in the steps above.
- Many correlation rules will never fire due to mitigations. They are in place to alarm when things don't go as expected.
- Beyond that, use anomaly baselines, risk-based correlation and heavy use of automated threat feeds to focus on the relevant threats.
Hope this helps.
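The four steps above, carried through in code as an added example (this is not code from the post or from any SIEM product). It keeps a small asset inventory (step 1), a threat model with the mitigation expected to hold for each threat (steps 2 and 3), and three custom rules that fire only when that mitigation evidently did not hold (step 4), scored risk-based by asset criticality. The hosts, IPs, HIPS/firewall/web-server field names and all event records are constructed for the example; only the Windows logon event IDs 4624/4625 are real. A real SIEM would normalize the raw logs into this shape first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Step 1: what are we protecting? Hypothetical asset inventory (not from the page).
ASSETS = {
    "10.0.1.10": {"host": "db01",    "tags": {"sensitive-data"}},
    "10.0.1.20": {"host": "web01",   "tags": {"must-be-available"}},
    "10.0.2.5":  {"host": "hr-ws07", "tags": set()},
}

# Steps 2 and 3: threat model, each threat paired with the mitigation expected to stop it.
THREATS = {
    "brute-force-logon": "account lockout after repeated failures",
    "malware-on-host":   "HIPS blocks execution",
    "denial-of-service": "upstream DDoS scrubbing",
}
BASE_SEVERITY = {"brute-force-logon": 4, "malware-on-host": 3, "denial-of-service": 3}


def tags_of(ip):
    return ASSETS.get(ip, {}).get("tags", set())


def criticality(ip):
    """Risk multiplier derived from step 1: sensitive data > must-be-available > other."""
    t = tags_of(ip)
    return 3 if "sensitive-data" in t else 2 if "must-be-available" in t else 1


# Step 4, custom rules. Each one is an "the mitigation did not hold" rule, so it
# should almost never fire; when it does, something went wrong upstream.

def rule_lockout_failed(events, window=timedelta(minutes=5), failures=5):
    """>= `failures` Windows 4625 (failed logon) from one source to one host,
    followed by a 4624 (success) from the same source inside `window`.
    Account lockout should make this impossible."""
    hits, fails = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["source"] != "windows":
            continue
        key = (ev["src_ip"], ev["dst_ip"])
        if ev["event_id"] == 4625:
            fails[key].append(ev["ts"])
        elif ev["event_id"] == 4624:
            recent = [t for t in fails[key] if ev["ts"] - t <= window]
            if len(recent) >= failures:
                hits.append({"threat": "brute-force-logon", "asset": ev["dst_ip"],
                             "detail": f"{len(recent)} failures then success from {ev['src_ip']} as {ev['user']}"})
            fails[key].clear()  # a success resets the counter either way
    return hits


def rule_hips_not_blocked(events):
    """HIPS saw something but did not block it: detection without mitigation."""
    return [{"threat": "malware-on-host", "asset": ev["dst_ip"],
             "detail": f"HIPS {ev['action']} '{ev['signature']}'"}
            for ev in events if ev["source"] == "hips" and ev["action"] != "blocked"]


def rule_dos_reached_service(events, window=timedelta(minutes=5), min_sources=25):
    """Scrubbing should keep a flood off a must-be-available host. Fire when the
    firewall denied >= `min_sources` distinct sources toward it inside `window`
    AND the web server on that host then answered 5xx (the flood got through)."""
    hits = []
    for ev in events:
        if ev["source"] != "webserver" or ev["status"] < 500:
            continue
        if "must-be-available" not in tags_of(ev["dst_ip"]):
            continue
        sources = {d["src_ip"] for d in events
                   if d["source"] == "firewall" and d["action"] == "deny"
                   and d["dst_ip"] == ev["dst_ip"]
                   and timedelta(0) <= ev["ts"] - d["ts"] <= window}
        if len(sources) >= min_sources:
            hits.append({"threat": "denial-of-service", "asset": ev["dst_ip"],
                         "detail": f"{len(sources)} sources denied, then HTTP {ev['status']}"})
    return hits


def correlate(events):
    """Run every rule, attach the mitigation that was expected to hold, and score
    risk = severity x asset criticality (risk-based correlation), highest first."""
    alarms = rule_lockout_failed(events) + rule_hips_not_blocked(events) + rule_dos_reached_service(events)
    for a in alarms:
        a["expected_mitigation"] = THREATS[a["threat"]]
        a["risk"] = BASE_SEVERITY[a["threat"]] * criticality(a["asset"])
    return sorted(alarms, key=lambda a: -a["risk"])


# Constructed sample events (not real logs), already normalized to one shape.
T0 = datetime(2024, 1, 15, 3, 0, 0)
EVENTS = (
    [{"ts": T0 + timedelta(seconds=10 * i), "source": "windows", "event_id": 4625,
      "src_ip": "203.0.113.9", "dst_ip": "10.0.1.10", "user": "svc_backup"} for i in range(6)]
    + [{"ts": T0 + timedelta(seconds=70), "source": "windows", "event_id": 4624,
        "src_ip": "203.0.113.9", "dst_ip": "10.0.1.10", "user": "svc_backup"}]
    + [{"ts": T0 + timedelta(minutes=2), "source": "hips", "action": "detected",
        "dst_ip": "10.0.1.10", "signature": "suspicious powershell"}]
    + [{"ts": T0 + timedelta(minutes=3), "source": "hips", "action": "blocked",
        "dst_ip": "10.0.2.5", "signature": "suspicious powershell"}]  # mitigation held: no alarm
    + [{"ts": T0 + timedelta(minutes=4, seconds=i), "source": "firewall", "action": "deny",
        "src_ip": f"198.51.100.{i}", "dst_ip": "10.0.1.20"} for i in range(1, 51)]
    + [{"ts": T0 + timedelta(minutes=5), "source": "webserver", "status": 503, "dst_ip": "10.0.1.20"}]
)

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"risk={a['risk']:>2} {a['threat']:<18} {a['asset']:<10} {a['detail']} "
              f"(expected: {a['expected_mitigation']})")
```

On this constructed input the blocked HIPS event on the workstation produces nothing, which is the point of step 4: the rule exists to alarm when the mitigation fails, not when it works. The sensitive-data host gets the highest risk score for the same underlying severity, which is what lets an analyst work the queue top-down.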