ZedSec Posted November 6, 2022. Thought I would contribute by adding some topics. For those of you working on the blue side of things: what's your SIEM of choice? Personally I'm a big fan of Sentinel and Splunk. I've used some others, but they're the clear leaders for me.
Szeth Posted November 6, 2022. I've used LogRhythm, QRadar, Sentinel, and Splunk. Wouldn't use LogRhythm or QRadar again. Currently Sentinel is my choice, mainly because everyone round here is a heavy MS shop, so it fits in great. It's also a great product.
ZedSec (Author) Posted November 6, 2022. I used the Rapid7 SIEM before and had a similar "would not use it again" experience. Not sure if we just never set it up right at the time, though.
ChickenKing Posted November 6, 2022. Splunk all the way! I spend probably 2-3 hours of each day looking at, getting frustrated at, and writing Splunk detections. It unfortunately forced me to learn regex, which is very helpful, don't get me wrong, but it's a love-hate relationship, lol. But yeah, 100% I say Splunk in terms of functionality. Pricing, though, that's a different story 🤷‍♂️
pudi Posted November 6, 2022. Anyone using Elastic as a SIEM?
yougisatoshi Posted November 6, 2022. Splunk for me, very satisfied.
Blackthorne Posted November 6, 2022. Using LogRhythm but much prefer Sentinel; it's nice to have everything in one place if you're in a Microsoft-centric environment, and it generally just works without too much fuss, which is nice.
masek Posted November 6, 2022. Sentinel is by far my favorite to operate in because queries are so damn fast and data is so easy to work with. The log window is awesome for pivoting in hunts while keeping a log of your queries, and I love being able to create fields with conditional content. We used an ELK stack at a previous employer, and while I liked creating Logstash pipelines and dashboards in Kibana, Sentinel feels way cleaner.
PJDSec Posted November 7, 2022. Rapid7 InsightIDR right now, but slated to be replaced in Q1, hopefully. Had them 5 years and they only recently enabled support for arbitrary log ingestion from S3. Their API leaves a lot to be desired too. However, they did the job well during that time. It's more that we are finally getting to a point where it just doesn't fit our more demanding needs anymore. Looking at tools for detection as code with a data warehouse backer such as Panther or Hunters. Although depending on finance approval, the answer back may be to build it ourselves. I love budget season!
j91321 Posted November 7, 2022. 18 hours ago, pudi said: "Anyone using Elastic as a SIEM?" I used to run Elastic SIEM (on-prem) at an MSSP for a few years. I had a very good experience with it, but if you don't have a dedicated person who really understands Elasticsearch (I was also that person) it can lead to frustration. It's not an easy tech stack to master. It's still my preferred choice. Sentinel and Splunk are also great choices. Everything else I had the pleasure of using was shit compared to these. I'd say that Sentinel really beats everything in environments where you almost exclusively use MS products/Azure-based services.
JayB Posted November 7, 2022. Loving Sentinel so far.
Brad Posted November 7, 2022. I liked ArcSight years ago, when I was a SIEM monkey spending 8-hour shifts reviewing alerts and investigating suspicious activity based on those alerts. Back then, it required quite a bit of constant care on the back end. I'm sure it hasn't gotten any better since HP took it over. But I liked it for what it was, once upon a time. I liked Sguil in the older Security Onion distro (16.04, I think it was) despite (or maybe because of) its old-fashioned GUI. Now Security Onion uses a different GUI to present alert data, which I'm not necessarily a big fan of, but the overall improvements to the distro make it worthwhile.
Brad Posted November 7, 2022. 22 hours ago, Szeth said: "I've used LogRhythm, QRadar, Sentinel, and Splunk. Wouldn't use LogRhythm or QRadar again. Currently Sentinel is my choice, mainly because everyone round here is a heavy MS shop, so it fits in great. It's also a great product." I don't think I know anyone who's enjoyed using QRadar.
Florian Posted November 7, 2022. We use Microsoft Sentinel in our company.
bigmacjpg Posted November 7, 2022. I've used a grand total of 2 SIEM products (as a user, not an admin): ArcSight and Sentinel. As a user, ArcSight was painful due to VERY slow query speeds and (as Brad pointed out) it took several people working full time to keep it going. I'm currently using Sentinel and like it a lot more, mainly due to the search speed and the KQL query language (easy things are easy, hard things are possible if you dig into the language).
Florian Posted November 7, 2022. 28 minutes ago, bigmacjpg said: "mainly due to the search speed and the KQL query language" Do you know http://detective.kusto.io/?
Name_Too_Long Posted November 8, 2022. I built a Frankenstein's Monster of a SIEM/SOAR platform off ELK due to "non-technical constraints" keeping me from using Splunk. Lots of hacky and circuitous ways of generating actions (e.g. running an SMTP server on the box so it could send email alerts to a client that would then trigger scripts, all without actually leaving the server). I honestly doubt I could recreate it today, and I'm not entirely sure that's a bad thing. Like, there was a lot of stuff that I'm sure was just horrifyingly insecure, but I could get away with it because of specifics of that environment. I would not recommend my creation. Fortunately, since that started, a whole bunch of new SIEM options have become available (including Elastic's own) which, while I haven't actually looked at any of them, I can't imagine are anywhere near as janky.
munin Posted November 8, 2022. On 11/6/2022 at 1:58 PM, pudi said: "Anyone using Elastic as a SIEM?" I haven't kept up with their development; did they ever get around to figuring out some kind of correlation engine? Or is it just "fun with Kibana queries"?
m0x Posted November 8, 2022. On 11/6/2022 at 1:58 PM, pudi said: "Anyone using Elastic as a SIEM?" That has been my go-to for hobby projects and smaller org deployments. It has gotten better over the years now that they are focusing on the cyber security use case!
m0x Posted November 8, 2022. 25 minutes ago, munin said: "I haven't kept up with their development; did they ever get around to figuring out some kind of correlation engine? Or is it just 'fun with Kibana queries'?" They've added pretty solid SIEM options and integrations; it has come a long way. They even have an endpoint agent now 🤯
malware_marty Posted November 8, 2022. Any other Sumo Logic users? As the first SIEM I've used, it was pretty great to learn on. Splunk's UI can't compare to Sumo's futuristic spaceship UI ;)
munin Posted November 8, 2022. 3 minutes ago, m0x said: "They've added pretty solid SIEM options and integrations; it has come a long way. They even have an endpoint agent now 🤯" ...I mean, I should -hope- they branded an agent for the thing, given all the work they were doing with Beats...
member Posted November 8, 2022. I have only had experience with AlienVault. If someone knows of a good SIEM for a one-man show, I'm all ears.
Szeth Posted November 8, 2022. 1 hour ago, munin said: "...I mean, I should -hope- they branded an agent for the thing, given all the work they were doing with Beats..." They acquired Endgame and integrated it. Never used it myself, but it's supposed to be pretty good: https://www.elastic.co/blog/endgame-joins-forces-with-elastic
Szeth Posted November 8, 2022. 1 hour ago, member said: "I have only had experience with AlienVault. If someone knows of a good SIEM for a one-man show, I'm all ears." Sentinel is pretty good for a one-man show if you're Microsoft-focused. No underlying infrastructure to manage, and there's lots of libraries for queries and hunts that can be leveraged instead of starting fresh. Basically, stay away from anything that needs you to stand up dedicated servers to manage (like QRadar or LogRhythm), because you can spend as much time keeping them alive as you do looking at alerts in them.