Articles tagged with: #siem
Parsing SDDL in Event ID 5136

CrowdStrike www.reddit.com

Has anyone attempted to parse and show the diffs in nTSecurityDescriptor values in 5136 attribute change events in NG-SIEM or LogScale? How are you parsing the SDDL? How are you resolving SIDs? submitted by /u/AlmostEphemeral

Active AD Users in AD Groups Query

CrowdStrike www.reddit.com

We currently have the ITP module and NG-SIEM for 3rd party data and longer retention on Falcon data. In the ITP module, we have access to the group membership data via that module. However, we are trying to determine if it's possible to query a user's active membership and correlate this to 3rd party logs for a specific application in event search. The idea is to query the members of this group > check if they have logged into the application in the past 6 months > If not, use the built-in Active...

Logscale and NG-SIEM retained data export.

CrowdStrike www.reddit.com

As regulatory requirements for log data retention remain a major focus, we've hit a roadblock with LogScale and our next-gen SIEM regarding the ability to export historical log data. Unlike Splunk, which has a clear documented procedure, we haven't been able to identify an equivalent path here. While streaming new logs going forward is possible, we still need a way to handle the existing retained data. So far, support has not been helpful, and this limitation increasingly feels like a form of...

Mapping MDE detections to ATT&CK - how do you guys do it?

cybersecurity www.reddit.com

I've been working on mapping my SIEM rules to MITRE ATT&CK so I can understand what I'm really detecting. That part's fine, but then it hit me - products like MDE already have a ton of built-in detections out of the box. Now I'm wondering: how do you actually map those MDE detections to ATT&CK? Is there some list/export of all alerts/detections available in MDE? I just wanna get a real picture of coverage across my environment, not only what's in the SIEM but also what's being flagged...

Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations

The Hacker News thehackernews.com

Security Information and Event Management (SIEM) systems act as the primary tools for detecting suspicious activity in enterprise networks, helping organizations identify and respond to potential attacks in real time. However, the new Picus Blue Report 2025, based on over 160 million real-world attack simulations, revealed that organizations are only detecting 1 out of 7 simulated attacks,

FortiSIEM 7.4

cybersecurity www.reddit.com

Anyone tried FortiSIEM, specifically the 7.4 release? The reason why I am asking about this specific version is ... it brought another level for the SaaS flavour of the product, making it pretty much the same as the on-prem version, and bringing in embedded SOAR-like capabilities. However, because it is a relatively new release, I can't yet determine its pros and cons. I have a hybrid infrastructure mixing cloud and on-prem from multiple vendors, and I'm trying to determine which SIEM would make the...

Practical SIEM Detections

cybersecurity www.reddit.com

We're in the middle of rolling out a SIEM in our company, and I'm running into a bit of a challenge with figuring out which detections actually make sense for us. We're a smaller environment (around ~200 people and ~70 servers), so the "enterprise playbook" doesn't exactly fit, but at the same time I don't want to end up with a glorified log collector that never really gives us value. Our main priority is protecting our intellectual property (we're building software, so the source code repo is...

SOC T1 Become T2 DFIR or Malware

cybersecurity www.reddit.com

Hi everyone, I've been working as a SOC T1 for the past 2 months. Before that, I worked as a SOC Engineer for about a year, mainly dealing with SIEM, SOAR, and different SOC tools (configurations, deployments, etc.). Right now, I want to move up to SOC T2, but I'm not sure what exact path I should take. I'm currently interested in DFIR and Malware Analysis, but I don't know which one I should focus on (I don't mind choosing only one if needed). My main questions are: What topics and...

Don't Forget The "-n" Command Line Switch, (Thu, Aug 21st)

SANS Internet Storm Center, InfoCON: green isc.sans.edu

A lot of people like the command line, the CLI, the shell (name it as you want) because it provides a lot of powerful tools to perform investigations. The best example is probably parsing logs! Even if we have SIEM to ingest and process them, many people still fall back to the good old suite of grep, cut, awk, sort, uniq, and many more.

Switching from Full-Stack Dev to Cybersecurity (SOC Analyst) - Need Advice

cybersecurity www.reddit.com

I've been working on full-stack development (React, Node, Java, etc.), but I'm really interested in moving towards cybersecurity, especially SOC analyst roles, SIEM, EDR, blue team stuff. I wanted to ask: • How realistic is it to move from a dev background into cybersecurity? Do companies hire freshers/juniors into SOC analyst roles, or should I build up with certs/internships first? Does dev experience give me any advantage, or would I basically be starting from scratch? Any...

SIEM Cost Management Dead End?

cybersecurity www.reddit.com

On a smaller enterprise "SOC" team (lots of different hats worn) here (a few-thousand-employee company) and I'm looking for insight on cost management. We generate a lot of logs, but as always, don't have unlimited budget. We've used a few different SIEMs - Sumo, Exabeam - but are using Splunk now. Outrageously expensive. It seems like the prevailing sentiment right now is to just drop your "unneeded" logs with some pre-filtering (Cribl)... yes, it saves a bunch of money, but that means we're...

Need some advice for the career path

cybersecurity www.reddit.com

Hello, I've been in the cybersecurity industry for 10 years. I've worked in cloud security, SIEM administration, vulnerability management, and endpoint security across many different sectors. I'm certified in Microsoft, AWS, and CEH. I've noticed that the industry's demand (and its decreasing demand) is now for specialists, and that generalists like me are no longer wanted. I chose cloud security as my primary specialization, but job opportunities in this field are relatively few. I'm...

Free/Open source EDR/XDR for Linux endpoints and servers

cybersecurity www.reddit.com

Please list the free/open source EDR/XDR for Linux endpoints and servers that you have experience with. Please do not mention "Wazuh" or other SIEM tools. Thanks in advance. submitted by /u/Pristine-Remote-1086

Self Hosted SIEM/EDR

cybersecurity www.reddit.com

Hello All, Are there any good self-hosted SIEM/EDRs? I know Elastic has one, but their free tier is pretty basic on the security side from what I'm told. Are there any completely free host-based EDRs out there? Does anyone happen to know the cost of a single-node self-hosted enterprise edition Elastic Security setup? submitted by /u/dudethadude

SIEM Correlation Rules for 2+ Sources

cybersecurity www.reddit.com

Does anyone have any good use cases for multiple log source SIEM rules (Identity + EDR) or (Identity + Network) or a combination of anything? We're ingesting tons of disparate data in our SIEM (SecOps) and the majority of the built-in rules are single source (EDR, Identity, Network, Email, Cloud, etc.). Is there a public source of these use cases or example rules/situations, or do you guys have any that you've implemented that have been helpful? submitted by /u/Idonthaveanaccount9