Favourite SIEM

[ZedSec]

Thought I would contribute to adding in some topics. For those of you working on the blue side of things. What's your SIEM of choice? Personally I'm a big fan of Sentinel and Splunk. I've used some others but they're the clear leaders for me.

[Szeth]

I've used LogRhythm, QRadar, Sentinel, and Splunk
Wouldn't use LogRhythm or QRadar again
Currently Sentinel is my choice, mainly because everyone round here are heavy MS shops so it fits in great. It's also a great product

[ZedSec]

I used the Rapid7 SIEM before and had a similar experience of would not use it again. Not sure if we just never set it up right though at the time.

[ChickenKing]

Splunk all the way! I spend probably 2-3 hours of each day looking at, getting frustrated at, and writing splunk detections. It unfortunately forced me to learn regex, which is very helpful don't get me wrong, but it's a love-hate relationship lol. But yeah, 100% I say splunk in terms of functionality. Pricing tho, that's a different story 🤷‍♂️

[pudi]

Anyone using Elastic as a SIEM?

[yougisatoshi]

Splunk for me very statisfied

[Blackthorne]

Using LogRhythm but much prefer Sentinel, its nice to have everything in one place if you're in a Microsoft centric environment, and it generally just works without too much fuss, which is nice.

[masek]

sentinel is by far my favorite to operate in because queries are so damn fast and data is so easy to work with. the log window is awesome for pivoting in hunts while keeping a log of your queries, and I love being able to create fields with conditional content. we used an elk stack at a previous employer and while I liked creating logstash pipelines and dashboards in kibana, sentinel feels way cleaner

[PJDSec]

Rapid7 InsightIDR right now, but slated to be replaced in Q1 hopefully.  Had them 5 years and they only recently enabled support for arbitrary log ingestion from S3.  Their API leaves a lot to be desired too.

However they did the job well during that time.  It's more that we are finally getting to a point where it just doesn't fit out more demanding needs anymore.  Looking at tools for detection as code with a data warehouse backer such as panther or hunters.

Although depending on finance approval, the answer back may be to build it ourselves.  I love budget season!

[j91321]

18 hours ago, pudi said:

Anyone using Elastic as a SIEM?

I used to run Elastic SIEM (on-prem) at MSSP for a few years. I had very good experience with it, but if you don't have a dedicated person who really understands elasticsearch (I was also that person) it can lead to frustration. It's not an easy tech stack to master. It's still my preferred choice. 

Sentinel and Splunk also great choices. Everything else I had the pleasure of using was shit compared to these. I'd say that Sentinel really beats everything in environments where you almost exclusively use MS products/Azure based services.

 

[JayB]

Loving Sentinel so far.

[Brad]

I liked ArcSight years ago, when I was a SIEM monkey spending 8 hour shifts reviewing alerts and investigating suspicious activity based on those alerts.  Back then, it required quite a bit of constant care on the back end.  I'm sure it hasn't gotten any better since HP took it over.  But I liked it for what it was once upon a time.

I liked squil in the older Security Onion distro (16.04, I think it was) despite (or maybe because of) it's old-fashioned GUI.  Now, Security Onion uses a different GUI to present alert data, which I'm not necessarily a big fan of, but the overall improvements to the distro make it worth-while.

[Brad]

22 hours ago, Szeth said:

I've used LogRhythm, QRadar, Sentinel, and Splunk
Wouldn't use LogRhythm or QRadar again
Currently Sentinel is my choice, mainly because everyone round here are heavy MS shops so it fits in great. It's also a great product

I don't think I know anyone who's enjoyed using QRadar.

[Florian]

we use Microsoft Sentinel in our company. 

[bigmacjpg]

I've used a grand total of 2 SIEM products (user not admin), ArcSight and Sentinel. As a user ArcSight was painful due to VERY slow query speeds and (as Brads pointed out) it took several people working full time to keep it going. I'm currently using Sentinel and like it a lot more, mainly due to the search speed and the KQL query language (easy things are easy, hard things are possible if you dig into the language).

[Florian]

28 minutes ago, bigmacjpg said:

28 minutes ago, bigmacjpg said:

mainly due to the search speed and the KQL query language

do you know http://detective.kusto.io/? 

 

 

[Name_Too_Long]

I built a Frankenstein's Monster of a SIEM/SOAR platform off ELK due to "non-technical constraints" keeping me from using Splunk.  Lots of hacky and circuitous ways of generating actions (e.g. running an SMTP server on the box so it could send email alerts to a client that would then trigger scripts, all without actually leaving the server).  I honestly doubt I could recreate it today, and I'm not entirely sure that's a bad thing.  Like, there was a lot of stuff that I'm sure was just horrifyingly insecure, but I could get away with because of specifics of that environment.

I would not recommend my creation.  Fortunately, since that started, a whole bunch of new SIEM options have become available (including Elastic's own) which, while I haven't actually looked at any of them, I can't imagine are anywhere near as janky.

[munin]

On 11/6/2022 at 1:58 PM, pudi said:

Anyone using Elastic as a SIEM?

I haven't kept up with their development; did they ever get around to figuring out some kind of correlation engine? or is it just "fun with kibana queries"?

[m0x]

On 11/6/2022 at 1:58 PM, pudi said:

Anyone using Elastic as a SIEM?

that has been by go to for hobby projects and smaller org deployments. it has gotten better over the years now that they are focusing on the cyber security use case!

[m0x]

25 minutes ago, munin said:

I haven't kept up with their development; did they ever get around to figuring out some kind of correlation engine? or is it just "fun with kibana queries"?

they've added pretty solid SIEM options and integrations, it has come a long way. They even have an endpoint agent now 🤯

[malware_marty]

Any other Sumo Logic users? as the first SIEM i’ve used it was pretty great to learn on. splunks ui cant compare to sumos futuristic spaceship ui ;)

[munin]

3 minutes ago, m0x said:

they've added pretty solid SIEM options and integrations, it has come a long way. They even have an endpoint agent now 🤯

....I mean I should -hope- they branded an agent for the thing, given all the work they were doing with Beats...

[member]

I have only had experience with AlienVault. If someone knows of a good SIEM for one man show I'm all ears. 

[Szeth]

1 hour ago, munin said:

....I mean I should -hope- they branded an agent for the thing, given all the work they were doing with Beats...

They acquired Endgame and integrated it. Never used it myself but it’s supposed to be pretty good

https://www.elastic.co/blog/endgame-joins-forces-with-elastic

[Szeth]

1 hour ago, member said:

I have only had experience with AlienVault. If someone knows of a good SIEM for one man show I'm all ears. 

Sentinel is pretty good for a one-man show if you’re Microsoft focused. No underlying infrastructure to manage and theres lots of libraries for queries and hunts that can be leveraged instead of starting fresh.

Basically stay away from anything that needs you to stand-up dedicated servers to manage (like qradar or logrhytm) because you can spend as much time keeping them alive as you do looking at alerts in them.