
Favourite SIEM


ZedSec


We are just evaluating Fortinet's "FortiSIEM" as a central MSSP platform for our customers. It is claimed to be very good in OT environments (which I am about to verify). If anyone is interested, I can write up our experiences as soon as I have some.


3 hours ago, Szeth said:

Basically stay away from anything that needs you to stand-up dedicated servers to manage (like qradar or logrhytm) because you can spend as much time keeping them alive as you do looking at alerts in them.

This sentence is so true in many ways. I know the same shit in the case of configuration management, log management, monitoring. These are critical things and if this happens you are f*cked.

  • Like 1

53 minutes ago, Chris said:

We are just evaluating Fortinet's "FortiSIEM" as a central MSSP platform for our customers. It is claimed to be very good in OT environments (which I am about to verify). If anyone is interested, I can write up our experiences as soon as I have some.

I would also be keen to hear about this. My previous job moved from FortiSIEM to LogRhythm just before I started. I only heard not great things about FortiSIEM, but they're the only ones I've known to have used it.


3 hours ago, Chris said:

We are just evaluating Fortinet's "FortiSIEM" as a central MSSP platform for our customers. It is claimed to be very good in OT environments (which I am about to verify). If anyone is interested, I can write up our experiences as soon as I have some.

Count me amongst the interested folks.

  • Like 1

13 hours ago, malware_marty said:

Any other Sumo Logic users? As the first SIEM I've used it was pretty great to learn on. Splunk's UI can't compare to Sumo's futuristic spaceship UI 😉

o/ Me!
I like it well enough. Not too hard to query. I'm a bit of a n00b so I can't say much more than that.
I just wish it was a little faster, but it's fine for the amount of data that it has to sift through.

  • Like 2

23 minutes ago, stealyourface said:

o/ Me!
I like it well enough. Not too hard to query. I'm a bit of a n00b so I can't say much more than that.
I just wish it was a little faster, but it's fine for the amount of data that it has to sift through.

Glad I'm not the only one. Yeah, I've only been at it for a little over a year so I'm pretty new as well. I don't know anything in terms of administration, but building dashboards and complex queries has always felt pretty intuitive. I agree it can be pretty slow.


I've only had experience working as an analyst with Elastic and QRadar; I much prefer Elastic over the latter. Other parts of our delivery have Sentinel and the guys involved with that seem pretty happy with it. Haven't had time to get involved though; we're stretched thin as always.

Heard some buzz from management about Cortex (XDR(?) or perhaps it was XSIAM). I'd be interested to know if anyone has any thoughts about it.


Splunk was pretty good, although not fun to manage. I've liked Sumo Logic, but I haven't really explored their dedicated security option (CSE) enough; most of my alerting and queries are in the normal log engine (CIP).

LogRhythm was my least favorite by far, and InsightIDR was also a bit of a disappointment.

  • Like 1

On 11/6/2022 at 10:33 PM, ZedSec said:

Thought I would contribute to adding in some topics. For those of you working on the blue side of things. What's your SIEM of choice? Personally I'm a big fan of Sentinel and Splunk. I've used some others but they're the clear leaders for me.

Question is, what scale are you looking at? The more data you can get in, the more value you can potentially get out of it, but it will also increase the costs of bandwidth and storage. Not to mention some SIEMs don't scale very well and the license costs grow with the amount of data you pump in.


Splunk is an absolutely wonderful product... if your company is willing to shoulder the licensing costs.

Edited by softmayhem
  • Like 2

5 minutes ago, softmayhem said:

Splunk is an absolutely wonderful product, if your company is willing to shoulder the licensing costs.

200% agree here. The only main detractor from Splunk is the cost. I absolutely love the product.


I work for a SOC and we use Splunk. It's been really great to use for the most part, and my team works closely with the Splunk team so if I ever have a question it's usually pretty easy to get in touch with someone who knows the answer.

  • Like 1

For work I have been the primary person for ArcSight, LogRhythm, and Securonix. ArcSight (ESM with Logger) was probably my favorite; it took a lot of work to keep alive, but there was a ton of cool stuff you could do with correlation rules that I haven't been able to do with any other SIEM. LogRhythm is great for setting up a SOC in 24 hours. You can drill down for days, and pivot like crazy, but searching is very weak. I wouldn't go back to LogRhythm because of the lack of a decent query language. Securonix is my latest and I'm not sold on it yet. I don't really trust it; I feel like something is always broken, but it's never the same thing twice.

For home (I push router firewall logs, Pi-hole, Sysmon, SSH honeypot, Windows security, and Apache logs) I have used AlienVault, Elastic, Graylog and Splunk. Splunk has been my favorite by far; I just use the free license and am barely under maximum utilization. AlienVault was OK, but onboarding custom data sources was rough. Graylog I liked, but custom data sources with grok were a bit of work. And it randomly died on me one day, so I moved on. Elastic I never really got working; it was likely a me problem.

I'm kind of a SIEM junkie; ultimately everyone hates their SIEM and is always looking for a better one.

  • Like 1

On 11/8/2022 at 2:43 PM, malware_marty said:

Any other Sumo Logic users? As the first SIEM I've used it was pretty great to learn on. Splunk's UI can't compare to Sumo's futuristic spaceship UI 😉

+1. Sumo does the job pretty well really, and devs quite like their general logging platform, so gathering inputs isn't too hard.

  • Like 1

People using Sentinel: what does it ingest? Event logs and what else? What if you're using a 3rd party AV and endpoint product (Sophos) and a 3rd party auth provider (Okta)? Can it also deal with this stuff?

  • Like 1

1 hour ago, hippy said:

People using Sentinel: what does it ingest? Event logs and what else? What if you're using a 3rd party AV and endpoint product (Sophos) and a 3rd party auth provider (Okta)? Can it also deal with this stuff?

It can ingest anything you want. It has connectors, but can also take syslog or a myriad of other sources, even logs from AWS or GCP accounts, SaaS services etc. It's pretty impressive and has a boatload of threat hunting queries built in.


Thanks @clarkee, I'm going to mention it to the powers that be. I'm surprised we've been looking at other options without this being suggested. Maybe there's a cost reason or something.


38 minutes ago, clarkee said:

It can ingest anything you want. It has connectors, but can also take syslog or a myriad of other sources, even logs from AWS or GCP accounts, SaaS services etc. It's pretty impressive and has a boatload of threat hunting queries built in.

Yeah.

Many sensors like Citrix / FortiGate are based on a Linux collector VM (a Linux VM which receives the syslog messages and forwards them to the Sentinel Log Analytics workspace), preferably in the CEF format 😉

What is even cooler at Sentinel is that you can change the time you want to hold the data. Like, you can define that data in specific tables will be available for 1 month and after this it's getting moved into archive storage (10x cheaper for storage, but you pay for the bring-back).
Ingest, Archive, Search, and Restore Data in Microsoft Sentinel - Microsoft Community Hub

What's new in Microsoft Sentinel | Microsoft Learn

  • Like 1
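The collector path described in the post above (a syslog receiver that forwards CEF to the workspace) hinges on the CEF line being parsed correctly: the seven pipe-separated header fields use backslash escapes for `|` and `\`, and the extension uses backslash escapes for `=` and `\`, with values that may themselves contain spaces. The following is an added example, not code from any poster in this thread nor from Microsoft or any vendor; it parses a constructed, syslog-wrapped CEF event (the vendor, product and field values are invented for the sample) into header and extension fields, handling both escaping rules, so the result can be inspected before the line is trusted as a workspace record.

```python
import re

# Constructed sample line (not captured from any real device): a syslog-wrapped CEF
# event as a Linux collector VM would receive it before forwarding to Sentinel.
# Note the escaped '=' inside the msg value, which a naive split on '=' would break on.
SAMPLE_LINE = (
    "<134>Nov  8 14:43:01 collector01 CEF:0|ExampleVendor|ExampleFW|6.4|10001|"
    "Traffic denied|5|src=10.0.0.5 dst=192.0.2.10 spt=51234 dpt=445 act=deny "
    "msg=Policy hit\\=id 42 cs1Label=rule cs1=block"
)

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# An unescaped key=value boundary: a key preceded by start-of-text or whitespace.
# A backslash-escaped '=' inside a value never matches because '\' is not a key character.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape(value):
    """Undo CEF extension escaping: backslash-equals, double backslash, \\n and \\r."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def _split_header(text):
    """Split the seven pipe-separated header fields, honoring \\| and \\\\ escapes.

    Returns (fields, remaining extension text)."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < len(HEADER_FIELDS):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):     # escaped char: keep it literally
            cur.append(text[i + 1])
            i += 2
        elif ch == "|":                           # unescaped pipe ends a field
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("incomplete CEF header")
    return fields, text[i:]


def parse_extension(text):
    """Parse 'k=v k2=v with spaces' pairs; each value runs until the next unescaped key."""
    matches = list(_KEY_RE.finditer(text))
    ext = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(text)
        ext[m.group(1)] = _unescape(text[m.end():end].strip())
    return ext


def parse_cef(line):
    """Parse a syslog-wrapped CEF line into a dict of syslog prefix, header fields and extension."""
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF header found")
    prefix = line[:pos].rstrip()                  # syslog PRI/timestamp/host, kept as-is
    fields, ext_text = _split_header(line[pos + len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, fields))
    # Severity is an integer 0-10 in well-formed CEF; leave other values untouched.
    event["severity"] = int(event["severity"]) if event["severity"].isdigit() else event["severity"]
    event["syslog_prefix"] = prefix
    event["ext"] = parse_extension(ext_text)
    return event


if __name__ == "__main__":
    for key, value in parse_cef(SAMPLE_LINE).items():
        print(f"{key}: {value!r}")
```

Run it on a few lines captured from the collector's own syslog spool to confirm the device really emits CEF escaping the way the parser expects; a device that emits raw pipes or equals signs in free-text fields will shift every following field, which shows up here as a wrong `name` or a missing extension key rather than as a silent misparse in the workspace.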

I have tried only ELK, Wazuh, IBM QRadar and Splunk. Heard Sentinel is good, never tried it though.

I like ELK because it is free and it's in my honeypot; I use it often and have written a couple of rules for ELK.

  • Like 2
