Hi. I currently work for a university that recently got NetWitness. One of the things that my team would like to look into is what do other companies use their SIEMs for? What are some things that you look for when you set up your SIEM?
There is definitely no single right answer for everyone. It comes down to understanding your risks:

- What assets do you have that others want?
- How can they get at those assets?
- What methods of attack can you prevent entirely?

What's left are, hopefully, attack methods that you can detect through log event analysis. Companies then build policies to collect the logs that would detect those types of attack, and rules that trigger when the corresponding behaviors manifest themselves. I kind of feel like I'm saying nothing of substance, but at a 10,000 ft level, that's how it works.

This is a good place to start: https://jpcertcc.github.io/ToolAnalysisResultSheet. It basically shows which types of logged events are triggered when certain types of attacks happen.
Hope this helps!