CY
Newcomer II

Do you use any tool that does automated log reviews?

I am trying to automate this laborious task.  Can you share if you have any experience using such tools that auditors have no issue with?

4 Replies
Steve-Wilme
Advocate II

A SIEM is capable of log centralisation, normalisation and correlation of events.  You should be able to set up rules to alert on single events or combinations of events of interest.  It tends to be best to work back from known indicators of attacks to source the relevant events, rather than capture all events and try to figure out what all that data might mean.


-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
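As an added illustration of the approach described in the reply above (this is example code written for this page, not something posted in the thread or taken from any SIEM product), the block below normalises a handful of constructed syslog-style lines into events and then runs two rules over them: a single-event rule (a user outside an allow-list running a command as root via sudo) and a correlation rule (several failed SSH logins from one source address followed by a successful login from the same address inside a time window). The log lines, host names, user names, IP addresses, allow-list and thresholds are all assumptions chosen for the example.

```python
"""
Added example, not from the original thread: a tiny SIEM-style pipeline
that normalises constructed syslog-style lines and runs two detection
rules over them, working back from two known indicators:

  Rule 1 (single event): sudo to root by a user not on an allow-list.
  Rule 2 (correlation): >= N failed SSH logins from one source IP followed
                        by a successful login from that IP within a window.

All log lines, hosts, users, IPs, the allow-list and the thresholds are
constructed sample data / illustrative assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (not real data). ISO timestamps keep parsing simple.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 web01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2024-03-01T10:00:03 web01 sshd[812]: Failed password for root from 203.0.113.7 port 50123 ssh2
2024-03-01T10:00:05 web01 sshd[813]: Failed password for root from 203.0.113.7 port 50124 ssh2
2024-03-01T10:00:09 web01 sshd[814]: Accepted password for root from 203.0.113.7 port 50125 ssh2
2024-03-01T10:05:00 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
2024-03-01T10:06:00 web01 sudo: bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
2024-03-01T10:07:00 web01 sshd[815]: Failed password for root from 198.51.100.9 port 40000 ssh2
2024-03-01T10:07:02 web01 sshd[816]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

# Parsers for the (assumed) line layout: "<timestamp> <host> <message>".
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
SSH_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
SSH_OK_RE = re.compile(r"sshd\[\d+\]: Accepted (?:password|publickey) for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo: +(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")


def normalise(raw):
    """Turn raw lines into dict events with a common schema (ts, host, type, ...)."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: a real pipeline would count/route these
        ts, host, rest = m.groups()
        ev = {"ts": datetime.fromisoformat(ts), "host": host, "raw": line}
        if (f := SSH_FAIL_RE.search(rest)):
            ev.update(type="ssh_fail", user=f.group(1), src_ip=f.group(2))
        elif (o := SSH_OK_RE.search(rest)):
            ev.update(type="ssh_ok", user=o.group(1), src_ip=o.group(2))
        elif (s := SUDO_RE.search(rest)):
            ev.update(type="sudo", user=s.group(1), target=s.group(2), command=s.group(3))
        else:
            ev["type"] = "other"
        events.append(ev)
    return events


def rule_sudo_root(events, allowed_users):
    """Single-event rule: sudo to root by anyone not on the allow-list."""
    return [
        f"{e['host']}: {e['user']} ran '{e['command']}' as {e['target']} but is not on the sudo allow-list"
        for e in events
        if e["type"] == "sudo" and e["target"] == "root" and e["user"] not in allowed_users
    ]


def rule_ssh_bruteforce_then_success(events, threshold=3, window=timedelta(seconds=60)):
    """Correlation rule: >= threshold failures from an IP, then a success from
    the same IP, all within `window`. Keeps a sliding deque of failure times per IP."""
    alerts = []
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failed logins
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] == "ssh_fail":
            failures[e["src_ip"]].append(e["ts"])
        elif e["type"] == "ssh_ok":
            recent = failures[e["src_ip"]]
            while recent and e["ts"] - recent[0] > window:
                recent.popleft()  # drop failures older than the window
            if len(recent) >= threshold:
                alerts.append(
                    f"{e['host']}: {len(recent)} failed SSH logins from {e['src_ip']} followed by a "
                    f"successful login as {e['user']} within {int(window.total_seconds())}s"
                )
                recent.clear()  # one alert per burst, not one per later success
    return alerts


def run(raw, allowed_sudo_users=frozenset({"alice"})):
    """Normalise, then apply every rule; returns the list of alert strings."""
    events = normalise(raw)
    return rule_sudo_root(events, allowed_sudo_users) + rule_ssh_bruteforce_then_success(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print("ALERT:", alert)
```

On the sample data this raises exactly two alerts: bob's interactive root shell (alice is on the allow-list, so her service restart is silent) and the three failures followed by a success from 203.0.113.7. The single failure from 198.51.100.9 stays below the threshold, which is the kind of tuning decision (threshold, window, allow-list) an auditor will ask you to document.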
dcontesti
Community Champion

Are these internal or external auditors?  The difference: If they are internal, you could sit with them while you are putting together the requirements for such a tool and have their blessings as you move down the path.


I am not sure about others but have found that building an alliance with the IA team has been beneficial and helps when dealing with external audit.


For external auditors, you may wish to ask them what they are looking for.  Sometimes it varies depending on the auditor assigned to your firm.


We had good luck with Splunk (but they were very expensive), another tool we used was AlienVault.  Both satisfied the audit requirements.


d


PS: this is NOT an endorsement for either tool, just that we used them.  Both had issues and required dedicated staff.

dcontesti
Community Champion

Found this on the net, might help you when doing your requirements:


https://stackify.com/best-log-management-tools/#:~:text=The%20McAfee%20Enterprise%20Log%20Manager,%2....


d

Titan
Newcomer I

I second what this individual stated regarding Splunk and Alienvault (although it looks like AT&T has bought Alienvault). I've personally seen more instances of Splunk being used. However, the ongoing challenge with Splunk (and likely Alienvault as well) is tuning the SIEM so it performs the activities both effectively and efficiently.