Security Information and Event Management (SIEM) tools play a vital role in helping your organization discover threats and analyze security incidents. Logsign’s internal team continuously creates correlation rules and alerts so that your team’s workload is minimized. In our previous posts, we discussed generating important reports and deriving the maximum possible benefit from use cases. In this article, we discuss best practices for SIEM alerts. As you will already have seen, there is a dedicated section for alerts on the Logsign SIEM dashboard.
Figure 1: Alerts section on Logsign SIEM
In this section, alerts are grouped into various categories. Not only can you customize the existing alerts, you can also create new alert categories as well as new alerts. For simplicity, you can think of alerts as templates: creating, modifying, or deleting an alert or alert category does not affect the underlying data. Alert categories available in Logsign include brute force, DDoS, database, exploit, file, identity, lateral movement, malware, system, traffic, vulnerability, web, and others.
If you are planning to create a new alert rule or modify an existing one, our internal team suggests the following best practices for creating alerts on the Logsign SIEM platform.
Before creating an alert or its constituent rules, check the existing alerts to see whether there is already an inbuilt alert for the same purpose. If there is not, gather information about the chain of events that will occur before and after this alert is detected by the Logsign platform.
Figure 2: Creating a new alert on Logsign SIEM (Basic Mode)
An organization must comply with various local, regional, and federal laws to meet its cybersecurity obligations. When you are creating custom alert rules, it helps to know what a particular piece of regulation expects. From the Tags dropdown, you can select the applicable law as a tag.
Figure 3: Creating a new alert - Alert definition
We have often seen clients create a large number of customized alerts, with the result that multiple alerts exist for the same set of tasks. This primarily happens because the Description field is vague or ambiguous and the wrong Category and Severity are selected from the dropdowns. The takeaway: write the description precisely and select the most appropriate category and severity for the action you are creating an alert for.
The rule set is the backbone of any alert. A single alert can have one or more rules, depending on how you define it. Logsign SIEM simplifies rule creation by presenting dropdowns for a specific action or source and its behavior. While creating a customized alert, verify that your rule definitions are correct; otherwise the rule set will not work as expected and the SIEM platform will not generate the desired alert.
After you create an alert, our experts recommend doing multiple test runs to check that it works correctly. Thorough testing of custom alerts lets you fine-tune your correlation rules and get the most out of your Logsign SIEM.
Last but not least, undertake regular reviews of custom alerts and of any inbuilt alert that you have modified. We recommend that our clients review their alerts once every six months. For inbuilt alerts that you have not modified, you do not need to worry: our internal team continuously analyzes false positives and makes the necessary modifications to improve their accuracy.
Have you been able to create and customize alerts on the Logsign SIEM platform? If not, get in touch with our Support team today!