After reviewing multiple use cases and the experience of CISOs across industries with successful SIEM implementation projects, these are the guidelines they commonly followed before kickstarting SIEM adoption:
1️⃣ Prerequisite 1: Source asset identification
A good SIEM strategy starts by identifying the critical assets whose logs and events must reach the SIEM, together with the context around that data (what the asset is, who owns it, how critical it is), so that an event from a domain controller can be prioritised over the same event from a build box.
2️⃣ Prerequisite 2: Data quality
Garbage in, garbage out. The SIEM can only be as good as the data it ingests, so take each feed from its authoritative source (the domain controller for authentication events, the firewall for connection logs) rather than from an intermediary that may drop or reshape fields, and verify that host names, timestamps and event formats parse correctly before building detections on them.
3️⃣ Prerequisite 3: Logging levels
Tune the logging levels and filtering rules that control the event stream into the SIEM so that routine noise does not bury analysts in false positives, while still keeping enough depth of visibility (failed logons, privilege changes, account creation, anything from a critical asset) to detect and investigate an incident.
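The three prerequisites above come together at the point where logs are shaped before they reach the SIEM. The following is an added example (not code from the original post or from any product it mentions) of a small ingest-side filter: it looks up each source host in an asset inventory (prerequisite 1), drops malformed lines and lines from hosts that are not in the inventory (prerequisite 2), and suppresses routine noise unless the event is security-relevant or comes from a critical asset (prerequisite 3). The inventory, the line format, the rules and the sample log lines are all constructed for illustration.

```python
"""Ingest-side filtering for a SIEM feed: asset context, data quality and noise control.

Added example, not code from the original post. The asset inventory, the
line format, the rules and the sample log lines below are constructed.
"""
import re
from dataclasses import dataclass

# Prerequisite 1: constructed asset inventory mapping source host -> criticality.
ASSET_INVENTORY = {
    "dc01": "critical",   # domain controller: everything it says is kept
    "web01": "high",
    "build42": "low",
}

# Constructed syslog-like line format: "<host> <process>[pid]: <message>"
LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<proc>[\w\-]+)(?:\[\d+\])?:\s+(?P<msg>.+)$")

# Prerequisite 3: events that are always forwarded, whatever the source.
SECURITY_RELEVANT = (
    re.compile(r"Failed password", re.I),
    re.compile(r"Accepted (?:password|publickey) for root", re.I),
    re.compile(r"session opened for user root", re.I),
    re.compile(r"sudo:.*COMMAND=", re.I),
    re.compile(r"useradd|usermod|groupadd", re.I),
)
# Routine chatter that is dropped unless it comes from a critical asset.
NOISE = (
    re.compile(r"pam_unix\(cron:session\): session (?:opened|closed)", re.I),
    re.compile(r"Connection closed by .* \[preauth\]", re.I),
)


@dataclass
class Event:
    host: str
    process: str
    message: str
    criticality: str
    raw: str


def parse(line):
    """Return an Event, or None when the line is malformed or its host is unknown (prerequisite 2)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = m.group("host")
    if host not in ASSET_INVENTORY:
        return None  # unknown source: do not let unvetted data into the SIEM
    return Event(host, m.group("proc"), m.group("msg"), ASSET_INVENTORY[host], line.strip())


def keep(event):
    """Decide whether an event is forwarded (prerequisite 3)."""
    if any(p.search(event.raw) for p in SECURITY_RELEVANT):
        return True               # never lose a security-relevant event
    if event.criticality == "critical":
        return True               # full visibility on critical assets
    if any(p.search(event.raw) for p in NOISE):
        return False              # routine noise from a non-critical asset
    return True


def filter_feed(lines):
    """Return (events to forward, counts by outcome)."""
    stats = {"forwarded": 0, "malformed_or_unknown": 0, "noise_dropped": 0}
    forwarded = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            stats["malformed_or_unknown"] += 1
        elif keep(ev):
            forwarded.append(ev)
            stats["forwarded"] += 1
        else:
            stats["noise_dropped"] += 1
    return forwarded, stats


# Constructed sample feed (not real logs).
SAMPLE_LINES = [
    "dc01 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "web01 CRON[1020]: pam_unix(cron:session): session opened for user www-data by (uid=0)",
    "dc01 CRON[2211]: pam_unix(cron:session): session closed for user root",
    "build42 sshd[77]: Connection closed by 198.51.100.4 port 4444 [preauth]",
    "build42 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "garbage line with no structure",
    "rogue99 sshd[5]: Accepted password for root from 10.0.0.5 port 22 ssh2",
    "web01 useradd[3001]: new user: name=backdoor, UID=1001, GID=1001, home=/home/backdoor",
]

if __name__ == "__main__":
    events, stats = filter_feed(SAMPLE_LINES)
    for ev in events:
        print(f"[{ev.criticality:>8}] {ev.host} {ev.process}: {ev.message}")
    print(stats)
```

Note that the cron line from dc01 survives while the identical kind of line from web01 is dropped: the asset inventory, not the message text alone, decides how much visibility a source gets. The line from rogue99 is discarded because the host is not in the inventory, which is exactly the kind of "unexpected source" a data-quality review should surface before it pollutes detections.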
Top comments (2)
Here is how you can add enriched data to SIEMs (for example - Microsoft Sentinel) by leveraging an open-source threat detection engine such as Falco: sysdig.com/blog/extract-maximum-va...
Also, a good way to reduce your SIEM costs by preprocessing logs: sysdig.com/resources/webinars/beco...