Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager
Browsing all 5385 articles

Re: !LEM Thoughts of the Week: What's your Top LEM/SIEM Tip or "Wish I Knew...

One of the "ah-ha" moments with LEM for me was when one of the support techs explained how LEM uses an event taxonomy (the policy).  Understanding that is key to writing filters and correlations;...

Re: !LEM Thoughts of the Week: What's your Top LEM/SIEM Tip or "Wish I Knew...

evanr what compliance requirements do you work with? I ask because we are working with different compliance requirements more and more and in doing so our company always seems to find our tools and...

Re: Search pattern for file audits on specific server not carried out by one...

Thanks - if you can look that will be great. Am running an alert now.

Re: Search pattern for file audits on specific server not carried out by one...

One thing that just came to mind - if your file audit alerts are the subtypes (FileWrite, FileRead, FileAuditFailure, etc) and not just the parent FileAudit event itself, you'll want to use the "File...

Re: !LEM Thoughts of the Week: What's your Top LEM/SIEM Tip or "Wish I Knew...

PCI.  And according to our auditor 3.0 is going to be even stricter.  We aren't the only business unit in the company that has a ROC so luckily we were given a blueprint.  From there we could pick and...

Re: !LEM Thoughts of the Week: What's your Top LEM/SIEM Tip or "Wish I Knew...

This (event taxonomy) is an interesting conundrum. I brought it up in the Thwack Camp presentation because I think it's a common stumbling block, too. In the end, I'm just not sure how/when to...

Re: !LEM Thoughts of the Week: What's your Top LEM/SIEM Tip or "Wish I Knew...

So, here are my thoughts on it... I agree that it can be intimidating, it was for me.  I think LEM customers do need to know about it; when I was using LEM before knowing about it I felt like I was...

Re: !LEM Thoughts of the Week: What's your Top LEM/SIEM Tip or "Wish I Knew...

This has definitely come up before with LEM in general - sort of like with communicating how Alert Central works. A cool visual about how log messages turn into normalized events, and how the alert...

Re: Search pattern for file audits on specific server not carried out by one...

I know, replying to myself. So far my testing has yielded: This works as described in filters and rules. Equals works great in nDepth but not equals with a field seems to be dysfunctional (differently...

Re: "Unable to authenticate on manager: TriGeo"

Is your SIM an L4 with separate database and manager?  I notice the 10.254.10.14 address, which is one end of the internal link between manager and database.  If you don't have a separate appliance for...

Re: How to build a query that finds WebTrafficAudit.EventInfo events with a...

Filters in the monitor tab are real-time, so events appear as soon as they are logged and match the criteria.  nDepth searches depend on database/manager time.  Are you sure that your manager time is...

Re: How do I configure the SNMP community string for LEM?

I don't have access to Orion to test what comes out on the other end, but... There is an SNMP active response connector that can be configured on the LEM.  It has exactly no configuration besides the...

Re: Recording policy changes from Sophos Enterprise Console 5.2 in LEM?

Hi Ian, I have SEC 5.2 and installed in a distributed installation (the DB on SQL Server 2012). I am yet to configure logging, but there are connectors for Sophos Enterprise Database (2.0 and 3.0)...

Re: Making a rule for a 100 logon failures.

Hi, You just need to get the correlation side of things squared away in your rule and you will be fine. Under Correlation Time change 1 to 100 and within 30 seconds to your desired time window (e.g. 3...

Re: Rule help

I always make sure I press activate rules after enabling or saving a rule. It is easy to forget to do this.

Re: Rule help

Great information thank you.

LEM Thoughts of the Week: What IT Security Buzzword Drives You Nuts?

In honor of the RSA Conference (et al) this week, where buzzwords and BS are sure to be running high...What IT Security buzzword or nonsense trend drives you nuts? What's your pet peeve topic,...

Re: Making a rule for a 100 logon failures.

To add to what Garreth said, if you want it to be 100 logon failures from the SAME user (not 100 logon failures from anyone), you want to use an Advanced Threshold (hit the little gear button as he...

Re: LEM Thoughts of the Week: What IT Security Buzzword Drives You Nuts?

Hit the pavement running - Most really don't want to hit pavement to begin with, let alone running. At the end of the day - Translation: I have no clue what will happen, or what did happen,...

Re: Volume of syslog/SNMP traps,LEM can handle per hour ??

You can access top under the appliance menu, when using the console with the cmc account, to get a real-time view of cpu/mem util etc, as Nicole says any longer term historic data can be obtained via...
