
Favourite SIEM


ZedSec

Thought I would contribute by adding in some topics. For those of you working on the blue side of things, what's your SIEM of choice? Personally I'm a big fan of Sentinel and Splunk. I've used some others, but they're the clear leaders for me.


I've used LogRhythm, QRadar, Sentinel, and Splunk.
Wouldn't use LogRhythm or QRadar again.
Currently Sentinel is my choice, mainly because everyone round here is a heavy MS shop, so it fits in great. It's also a great product.


I used the Rapid7 SIEM before and had a similar experience: I would not use it again. Not sure if we just never set it up right at the time, though.


Splunk all the way! I spend probably 2-3 hours of each day looking at, getting frustrated at, and writing Splunk detections. It unfortunately forced me to learn regex, which is very helpful, don't get me wrong, but it's a love-hate relationship lol. But yeah, 100% I say Splunk in terms of functionality. Pricing though, that's a different story 🤷‍♂️


Using LogRhythm but much prefer Sentinel. It's nice to have everything in one place if you're in a Microsoft-centric environment, and it generally just works without too much fuss, which is nice.


Sentinel is by far my favorite to operate in because queries are so damn fast and data is so easy to work with. The log window is awesome for pivoting in hunts while keeping a log of your queries, and I love being able to create fields with conditional content. We used an ELK stack at a previous employer, and while I liked creating Logstash pipelines and dashboards in Kibana, Sentinel feels way cleaner.


Rapid7 InsightIDR right now, but slated to be replaced in Q1 hopefully. Had them 5 years and they only recently enabled support for arbitrary log ingestion from S3. Their API leaves a lot to be desired too.

However, they did the job well during that time. It's more that we are finally getting to a point where it just doesn't fit our more demanding needs anymore. Looking at tools for detection as code with a data warehouse backer such as Panther or Hunters.

Although, depending on finance approval, the answer back may be to build it ourselves. I love budget season!


18 hours ago, pudi said:

Anyone using Elastic as a SIEM?

I used to run Elastic SIEM (on-prem) at an MSSP for a few years. I had a very good experience with it, but if you don't have a dedicated person who really understands Elasticsearch (I was also that person) it can lead to frustration. It's not an easy tech stack to master. It's still my preferred choice.

Sentinel and Splunk are also great choices. Everything else I had the pleasure of using was shit compared to these. I'd say that Sentinel really beats everything in environments where you almost exclusively use MS products/Azure-based services.


I liked ArcSight years ago, when I was a SIEM monkey spending 8-hour shifts reviewing alerts and investigating suspicious activity based on those alerts. Back then, it required quite a bit of constant care on the back end. I'm sure it hasn't gotten any better since HP took it over. But I liked it for what it was once upon a time.

I liked Sguil in the older Security Onion distro (16.04, I think it was) despite (or maybe because of) its old-fashioned GUI. Now, Security Onion uses a different GUI to present alert data, which I'm not necessarily a big fan of, but the overall improvements to the distro make it worthwhile.


22 hours ago, Szeth said:

I've used LogRhythm, QRadar, Sentinel, and Splunk.
Wouldn't use LogRhythm or QRadar again.
Currently Sentinel is my choice, mainly because everyone round here is a heavy MS shop, so it fits in great. It's also a great product.

I don't think I know anyone who's enjoyed using QRadar.


I've used a grand total of 2 SIEM products (as a user, not an admin), ArcSight and Sentinel. As a user, ArcSight was painful due to VERY slow query speeds and (as Brads pointed out) it took several people working full time to keep it going. I'm currently using Sentinel and like it a lot more, mainly due to the search speed and the KQL query language (easy things are easy, hard things are possible if you dig into the language).


I built a Frankenstein's Monster of a SIEM/SOAR platform off ELK due to "non-technical constraints" keeping me from using Splunk. Lots of hacky and circuitous ways of generating actions (e.g. running an SMTP server on the box so it could send email alerts to a client that would then trigger scripts, all without actually leaving the server). I honestly doubt I could recreate it today, and I'm not entirely sure that's a bad thing. Like, there was a lot of stuff that I'm sure was just horrifyingly insecure, but I could get away with it because of specifics of that environment.

I would not recommend my creation. Fortunately, since that started, a whole bunch of new SIEM options have become available (including Elastic's own) which, while I haven't actually looked at any of them, I can't imagine are anywhere near as janky.


On 11/6/2022 at 1:58 PM, pudi said:

Anyone using Elastic as a SIEM?

I haven't kept up with their development; did they ever get around to figuring out some kind of correlation engine? Or is it just "fun with Kibana queries"?


On 11/6/2022 at 1:58 PM, pudi said:

Anyone using Elastic as a SIEM?

That has been my go-to for hobby projects and smaller org deployments. It has gotten better over the years now that they are focusing on the cyber security use case!


25 minutes ago, munin said:

I haven't kept up with their development; did they ever get around to figuring out some kind of correlation engine? Or is it just "fun with Kibana queries"?

They've added pretty solid SIEM options and integrations; it has come a long way. They even have an endpoint agent now 🤯


Any other Sumo Logic users? As the first SIEM I've used, it was pretty great to learn on. Splunk's UI can't compare to Sumo's futuristic spaceship UI ;)


3 minutes ago, m0x said:

They've added pretty solid SIEM options and integrations; it has come a long way. They even have an endpoint agent now 🤯

....I mean I should -hope- they branded an agent for the thing, given all the work they were doing with Beats...


I have only had experience with AlienVault. If someone knows of a good SIEM for a one-man show, I'm all ears.


1 hour ago, member said:

I have only had experience with AlienVault. If someone knows of a good SIEM for a one-man show, I'm all ears.

Sentinel is pretty good for a one-man show if you're Microsoft focused. No underlying infrastructure to manage, and there's lots of libraries for queries and hunts that can be leveraged instead of starting fresh.

Basically, stay away from anything that needs you to stand up dedicated servers to manage (like QRadar or LogRhythm), because you can spend as much time keeping them alive as you do looking at alerts in them.
