6 Replies Latest reply on Oct 6, 2017 7:22 AM by kdevmu

    SIEM Noise Filtering

    kdevmu

      Hello Everyone,


      This question is in reference to the Firewall monitoring by SIEM.


      Just wanted to check with you guys how broadcast traffic is taken care of by the SIEM. Is it filtered at the Agent level, or carried to the SIEM and then filtered by the SIEM? Apart from broadcast events, what other events can be considered noise traffic?

      According to compliance (PCI/FISMA/SOX etc.), do broadcast event traffic logs need to be preserved, or can they be filtered and not sent to the SIEM?

      It would be great if you could let me know the best practices for dealing with noise traffic.


      Regards,

      KD

        • 1. Re: SIEM Noise Filtering
          andy777

          Excellent question. Too many people conflate log management and SIEM and fail to filter low value events from the SIEM. You have a few options:


          1. Disable broadcast logging at the firewall by creating rules without logging flags.

          2. Using Receiver filters, send the low value logs directly to the ELM without being parsed.

          3. Using Receiver filters, drop the low value logs before they are processed by the Receiver.


          This KB has some good examples of Receiver filters, including filtering out Windows machine accounts.

          • 2. Re: SIEM Noise Filtering
            kdevmu

            Thank you for your quick response Andy.


            So how does the flow of communication work here? The firewall sends syslogs to the Agent (the Receiver filter here?), which further sends them to the ELM, which maintains the logs?


            Does it require to store broadcast traffic events (on ELM I believe) for meeting the compliance standards?

            • 3. Re: SIEM Noise Filtering
              andy777

               1. The Firewall sends syslog to the Receiver.

               2. The Receiver matches the log against a regex filter for any special handling.

               3. If it matches the filter, the log may be tagged for parsing only, logging only, or dropped.

               3a. (It may also be tagged with a custom tag that can be queried and used as a filter, but that's off-topic for this.)

               4. If it does not match, it will be processed per the Parsing/Logging box status configured on the Data Source.

               5. Logs marked for parsing are parsed at the Receiver, as well as aggregated, tagged with normalization category, geolocation and any data enrichment, and inserted into the local Receiver's database.

               6. The ESM queries the Receiver for the logs at the configurable interval (default 10 min) for any new events since the previous query and inserts them into the ESM database.

               7. Separately, raw logs destined for the ELM/ELS are packaged up and sent every 5 minutes.

               8. The log manager will then digitally sign the logs and move them to the configured storage pool.


              > Does it require to store broadcast traffic events (on ELM I believe) for meeting the compliance standards?


              Maybe; can you tell me what "it" is in this context please?
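An added example (not from the thread and not McAfee's own code) of the filter-then-route step described in the reply above: a small Python simulation that runs ordered regex filters over constructed firewall syslog lines and reports how many land in each handling bucket. The regexes, the action names and the assumption that a `.255` host octet is a broadcast address (true only for /24 subnets) are mine.

```python
import re
from collections import Counter

# Constructed sample firewall syslog lines (not from the thread); the
# "src= dst= dpt=" layout is generic, not any particular vendor's format.
SAMPLE_LOGS = [
    "<134>Oct  6 07:00:01 fw1 ACCEPT src=10.0.1.5 dst=10.0.1.255 proto=UDP dpt=137",
    "<134>Oct  6 07:00:02 fw1 ACCEPT src=10.0.1.7 dst=255.255.255.255 proto=UDP dpt=67",
    "<134>Oct  6 07:00:03 fw1 DROP src=203.0.113.9 dst=10.0.1.20 proto=TCP dpt=22",
    "<134>Oct  6 07:00:04 fw1 ACCEPT src=10.0.1.8 dst=10.0.1.255 proto=UDP dpt=138",
    "<134>Oct  6 07:00:05 fw1 ACCEPT src=10.0.1.5 dst=10.0.1.20 proto=UDP dpt=137",
    "<134>Oct  6 07:00:06 fw1 ACCEPT src=10.0.1.9 dst=192.0.2.10 proto=TCP dpt=443",
]

# Ordered Receiver-style filters: the first regex that matches decides handling.
# Actions follow the three outcomes in the thread: "drop" (never stored),
# "log_only" (raw copy to the ELM for retention, not parsed into the ESM),
# "parse_only" (parsed for correlation, no raw copy). Unmatched lines fall
# through to the data source default, here both parsed and logged.
FILTERS = [
    # Limited and directed broadcasts. Assumption: a .255 host octet is a
    # broadcast address, which only holds for /24 subnets.
    (re.compile(r"\bdst=(?:255\.255\.255\.255|\d{1,3}(?:\.\d{1,3}){2}\.255)\b"), "log_only"),
    # Unicast NetBIOS name/datagram chatter: drop. Listed after the broadcast
    # rule so broadcast NetBIOS still reaches the ELM for retention.
    (re.compile(r"\bdpt=(?:137|138)\b"), "drop"),
]
DEFAULT_ACTION = "parse_and_log"


def route(line):
    """Return the handling action for one raw syslog line."""
    for pattern, action in FILTERS:
        if pattern.search(line):
            return action
    return DEFAULT_ACTION


def summarize(lines):
    """Count lines per action: shows the load taken off the parser and the
    ESM versus what is still retained raw or dropped outright."""
    return dict(Counter(route(line) for line in lines))


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(f"{route(line):14s} {line}")
    print(summarize(SAMPLE_LOGS))
```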

              • 4. Re: SIEM Noise Filtering
                kdevmu

                Thanks for the information Andy.


                > Does it require to store broadcast traffic events (on ELM I believe) for meeting the compliance standards?


                Here I am referring to PCI compliance. So let me reiterate the question. As per PCI compliance, actual logs need to be preserved for one year, so does even the broadcast traffic need to be stored and maintained?

                • 5. Re: SIEM Noise Filtering
                  andy777

                  I won't claim to have PCI expertise, but reading section 10 highlights logging activity related directly to accessing PII and cardholder data. The only way I can imagine broadcasts being relevant is if they were somehow used as part of some sort of attack that was involved in accessing the data. You'll need to determine how likely that is to happen in your environment and weigh that against the resources required to store those events.

                  • 6. Re: SIEM Noise Filtering
                    kdevmu

                    Hi Andy,


                    I have one more question. If there is a DoS or DDoS attack on the monitored device, will the agent do any filtering by stopping the forwarding of all DoS events and just sending maybe the first and last event of the attack along with a count of DoS events, or will it forward all the DoS events to the collector?