1 Reply Latest reply on Mar 25, 2015 3:40 PM by rth67

    Need some guidance for SIEM


      Hi,


      I need some guidance regarding SIEM.


      1] We have an agent running on each Windows server and we are managing it using ePO. Is this the right way? What is the best practice for collecting Windows logs?


      As in ArcSight, where one collector serves multiple machines.


      2] Most of the time we face the issue of the collector going down, and we need to check for this manually. How should we proceed with this?


      3] How do we handle malicious activity? There are thousands of logs; how do we find the malicious activity and combat it?


      4] A list of Windows events to monitor from the security perspective.


      5] Any other tips for managing a SIEM.


      Thanks in advance

        • 1. Re: Need some guidance for SIEM

          Unless you are required to use a local agent, I would suggest setting up a Profile in Profile Management, then defining the Data Sources on your Receiver(s) and doing a WMI pull. Local Agents can be useful in some places like DMZ / Workgroup Servers where Local Account credentials are managed by another group.


          You may need to have your AD Administrators modify your Group Policy to allow you to see all of the needed Failed Authentication events; this varies between 2000/2003 DCs and 2008/2012 DCs using Advanced Logging.

          You may want to monitor for excessive failed logins, account lockouts, event logs being cleared, dirty reboots, and various other events. I suggest working with your Windows Admins to find out what events of interest they might have.


          Do you have an ACE? What other devices are you feeding into your SIEM? FWs, IDS/IPS, AV (ePO), APT, RADIUS/TACACS+, DLP, NAC, etc.
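The reply above lists four things worth alerting on from Windows logs: excessive failed logins, account lockouts, event logs being cleared, and dirty reboots. The script below is an added example, not part of the original thread and not ESM/ACE correlation-rule syntax; it shows the same four rules written as plain Python over a handful of constructed Windows event records, so you can see what a correlation engine actually has to do once the events arrive. The event IDs are the standard ones (4625 failed logon, 4740 account lockout, 1102 audit log cleared, 6008 unexpected shutdown in the System log); the records themselves, the host and user names, and the 5-failures-in-10-minutes threshold are assumptions made for the example. It also assumes the audit policy mentioned in the reply is in place, because 4625 only shows up if failure auditing for logon events is enabled.

```python
"""Minimal SIEM-style correlation over Windows Security/System events.

Added example (not from the thread). The records in SAMPLE_EVENTS are
constructed for illustration; field names mirror the element names in
Windows event XML (EventID, Computer, TargetUserName, IpAddress,
SubjectUserName) but none of the data is real.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Well-known Windows event IDs (Security log unless noted)
FAILED_LOGON = 4625         # An account failed to log on
ACCOUNT_LOCKED_OUT = 4740   # A user account was locked out
AUDIT_LOG_CLEARED = 1102    # The audit log was cleared
UNEXPECTED_SHUTDOWN = 6008  # System log: previous shutdown was unexpected ("dirty reboot")

# Constructed sample records: six failures for svc_backup from one IP followed by
# a lockout, two harmless failures for alice, a log clear, and a dirty reboot.
SAMPLE_EVENTS = [
    {"TimeCreated": "2015-03-25T09:00:05", "EventID": 4625, "Computer": "SRV01", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2015-03-25T09:00:20", "EventID": 4625, "Computer": "SRV01", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2015-03-25T09:00:41", "EventID": 4625, "Computer": "SRV01", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2015-03-25T09:01:02", "EventID": 4625, "Computer": "SRV01", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2015-03-25T09:01:30", "EventID": 4625, "Computer": "SRV01", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2015-03-25T09:02:11", "EventID": 4625, "Computer": "SRV01", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5"},
    {"TimeCreated": "2015-03-25T09:02:15", "EventID": 4740, "Computer": "DC01", "TargetUserName": "svc_backup", "SubjectUserName": "DC01$"},
    {"TimeCreated": "2015-03-25T09:05:00", "EventID": 4625, "Computer": "SRV01", "TargetUserName": "alice", "IpAddress": "10.0.0.7"},
    {"TimeCreated": "2015-03-25T09:05:30", "EventID": 4625, "Computer": "SRV01", "TargetUserName": "alice", "IpAddress": "10.0.0.7"},
    {"TimeCreated": "2015-03-25T09:10:00", "EventID": 4624, "Computer": "SRV01", "TargetUserName": "alice", "IpAddress": "10.0.0.7"},
    {"TimeCreated": "2015-03-25T11:30:00", "EventID": 1102, "Computer": "SRV01", "SubjectUserName": "bob"},
    {"TimeCreated": "2015-03-25T23:58:10", "EventID": 6008, "Computer": "SRV02"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def detect_excessive_failed_logons(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of 4625 per (target user, source IP).

    Fires once per key when `threshold` failures land inside `window`;
    threshold and window are assumed values, tune them to your environment.
    """
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev["EventID"] != FAILED_LOGON:
            continue
        key = (ev["TargetUserName"], ev.get("IpAddress", "-"))
        q = recent[key]
        now = _ts(ev)
        q.append(now)
        while q and now - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"rule": "excessive_failed_logons", "severity": "medium",
                           "host": ev["Computer"], "user": key[0], "source": key[1],
                           "count": len(q), "time": now.isoformat()})
    return alerts


# Events that warrant an alert on their own, no counting needed
SINGLE_EVENT_RULES = {
    ACCOUNT_LOCKED_OUT: ("account_lockout", "medium"),
    AUDIT_LOG_CLEARED: ("audit_log_cleared", "high"),
    UNEXPECTED_SHUTDOWN: ("unexpected_shutdown", "low"),
}


def detect_single_event_rules(events):
    """One alert per matching event; user is the target if present, else the subject."""
    alerts = []
    for ev in events:
        rule = SINGLE_EVENT_RULES.get(ev["EventID"])
        if rule is None:
            continue
        name, severity = rule
        alerts.append({"rule": name, "severity": severity, "host": ev["Computer"],
                       "user": ev.get("TargetUserName") or ev.get("SubjectUserName", "-"),
                       "time": ev["TimeCreated"]})
    return alerts


def run_rules(events):
    """Run every rule and return the alerts in time order."""
    alerts = detect_excessive_failed_logons(events) + detect_single_event_rules(events)
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The two failures for `alice` never reach the threshold and produce nothing, which is the point of counting per (user, source IP) inside a window rather than alerting on every 4625; the 1102 is rated high because clearing the audit log on a server is rarely legitimate and is the first thing an intruder does to cover tracks.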