August 27, 2021

How to know which log sources are worth onboarding to a SIEM?

Especially if you’re being charged per GB of ingested data, there is no point in ingesting everything at DEBUG log level. How do you know which ones are worth it? Is there some golden rule for that other than “if you can think of a use case covering that source”?

Can you recommend any books/articles about this topic?

Comments

shoveleejoe

Take a look at the SOC assessment training on Cybrary, it’s basically about looking at your data sources to maximize detection coverage. https://www.cybrary.it/course/mitre-attack-defender-mad-attack-for-soc-assessments/

maj0ra_

I think it honestly depends on a few things:

Which systems are mission critical?
Which systems store sensitive information?
Any legacy systems that you can’t just quickly patch up to resolve security issues? Maybe include those.
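One way to combine these criteria with the per-GB cost from the question, as an added illustration that is not the commenter's or any vendor's method: rank candidate sources by weighted new detection coverage per GB and fill an ingest budget greedily. The inventory, the ATT&CK technique mappings and the weights below are constructed assumptions for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LogSource:
    name: str
    gb_per_day: float        # estimated daily ingest at the planned log level
    techniques: frozenset    # ATT&CK technique IDs the source gives visibility into
    mission_critical: bool = False
    sensitive_data: bool = False
    legacy: bool = False


def weight(src: LogSource) -> float:
    """Boost the sources the thread singles out: critical, sensitive, hard-to-patch legacy."""
    return 1.0 + 0.5 * src.mission_critical + 0.5 * src.sensitive_data + 0.25 * src.legacy


def plan(sources, budget_gb: float):
    """Greedy pick by (weighted newly covered techniques) / GB until nothing affordable adds coverage."""
    covered, chosen, spent = set(), [], 0.0
    remaining = list(sources)
    while True:
        affordable = [s for s in remaining if spent + s.gb_per_day <= budget_gb]
        if not affordable:
            break

        def gain(s):  # only techniques not already covered count, so duplicates score 0
            return weight(s) * len(s.techniques - covered) / s.gb_per_day

        best = max(affordable, key=gain)
        if gain(best) == 0:  # only redundant visibility left; do not pay for it
            break
        chosen.append(best.name)
        spent += best.gb_per_day
        covered |= best.techniques
        remaining.remove(best)
    return chosen, spent, covered


# Constructed inventory; technique mappings are illustrative, not authoritative
SOURCES = [
    LogSource("dc-security", 20, frozenset({"T1078", "T1110", "T1558"}), True, True),
    LogSource("edr-telemetry", 60, frozenset({"T1059", "T1055", "T1003", "T1078", "T1547"}), True),
    LogSource("proxy", 40, frozenset({"T1071", "T1566", "T1105"})),
    LogSource("app-info", 8, frozenset({"T1190", "T1505"})),
    LogSource("app-debug", 150, frozenset({"T1190", "T1505"})),  # same app at DEBUG level
    LogSource("legacy-erp", 5, frozenset({"T1078", "T1190"}), sensitive_data=True, legacy=True),
]

if __name__ == "__main__":
    chosen, spent, covered = plan(SOURCES, budget_gb=100)
    print(chosen, f"{spent:.0f} GB/day", sorted(covered))
```

With a 100 GB/day budget the DEBUG feed is never selected because its INFO-level sibling already covers the same techniques at a fraction of the cost, and the cheap legacy system ranks first.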
