Chris Posted November 8, 2022
We are just evaluating Fortinet's "FortiSIEM" as a central MSSP platform for our customers. It is claimed to be very good in OT environments (which I am about to verify). If anyone is interested, I can write up our experiences as soon as I have some.
Florian Posted November 8, 2022
3 hours ago, Szeth said: Basically stay away from anything that needs you to stand up dedicated servers to manage (like QRadar or LogRhythm) because you can spend as much time keeping them alive as you do looking at alerts in them.
This sentence is so true in many ways. I know the same thing from configuration management, log management and monitoring: these are critical things, and if this happens you are f*cked.
Florian Posted November 8, 2022
26 minutes ago, Chris said: I can write up our experiences as soon as I have some.
Yes please.
Szeth Posted November 8, 2022
53 minutes ago, Chris said: We are just evaluating Fortinet's "FortiSIEM" as a central MSSP platform for our customers. It is claimed to be very good in OT environments (which I am about to verify). If anyone is interested, I can write up our experiences as soon as I have some.
I would also be keen to hear about this. My previous job moved from FortiSIEM to LogRhythm just before I started. I only heard not great things about FortiSIEM, but they're the only ones I've known to have used it.
Böset Posted November 8, 2022
Any tips for good open-source SIEM systems?
clarkee Posted November 8, 2022
13 minutes ago, Böset said: Any tips for good open-source SIEM systems?
Graylog or Elastic are both fine, I prefer Graylog (https://www.graylog.org/).
karlyeurl Posted November 8, 2022
3 hours ago, Chris said: We are just evaluating Fortinet's "FortiSIEM" as a central MSSP platform for our customers. It is claimed to be very good in OT environments (which I am about to verify). If anyone is interested, I can write up our experiences as soon as I have some.
Count me amongst the interested folks.
stealyourface Posted November 8, 2022
13 hours ago, malware_marty said: Any other Sumo Logic users? As the first SIEM I've used it was pretty great to learn on. Splunk's UI can't compare to Sumo's futuristic spaceship UI 😉
o/ Me! I like it well enough. Not too hard to query. I'm a bit of a n00b so I can't say much more than that. I just wish it was a little faster, but it's fine for the amount of data that it has to sift through.
malware_marty Posted November 8, 2022
23 minutes ago, stealyourface said: o/ Me! I like it well enough. Not too hard to query. I'm a bit of a n00b so I can't say much more than that. I just wish it was a little faster, but it's fine for the amount of data that it has to sift through.
Glad I'm not the only one. Yeah, I've only been at it for a little over a year so I'm pretty new as well. I don't know anything in terms of administration, but building dashboards and complex queries has always felt pretty intuitive. I agree it can be pretty slow.
bigmacjpg Posted November 8, 2022
15 hours ago, Florian said:
I have not seen that before but it is pretty cool!
Johan Posted November 8, 2022
I've only had experience working as an analyst with Elastic and QRadar; I much prefer Elastic over the latter. Other parts of our delivery have Sentinel and the guys involved with that seem pretty happy with it, haven't had time to get involved though, we're stretched thin as always. Heard some buzz from management about Cortex (XDR(?) or perhaps it was XSIAM), I'd be interested to know if anyone has any thoughts about it.
vilkas622 Posted November 8, 2022
Splunk was pretty good although not fun to manage. I've liked Sumo Logic, but I haven't really explored their dedicated security option (CSE) enough; most of my alerting and queries are in the normal log engine (CIP). LogRhythm was my least favorite by far, and InsightIDR was also a bit of a disappointment.
int21h Posted November 8, 2022
On 11/6/2022 at 10:33 PM, ZedSec said: Thought I would contribute to adding in some topics. For those of you working on the blue side of things. What's your SIEM of choice? Personally I'm a big fan of Sentinel and Splunk. I've used some others but they're the clear leaders for me.
Question is, what scale are you looking at? The more data you can get in, the more value you can potentially get out of it... but it will also increase the costs of bandwidth and storage. Not to mention some SIEMs don't scale very well and the license costs grow with the amount of data you pump in.
softmayhem Posted November 8, 2022
Splunk is an absolutely wonderful product... if your company is willing to shoulder the licensing costs.
ChickenKing Posted November 8, 2022
5 minutes ago, softmayhem said: Splunk is an absolutely wonderful product, if your company is willing to shoulder the licensing costs.
200% agree here. The only main detractor from Splunk is the cost. I absolutely love the product.
latortuga71 Posted November 9, 2022
Sentinel all the way if you include the whole Microsoft security suite, Defender for Identity etc.
ajboilanger Posted November 9, 2022
I work for a SOC and we use Splunk. It's been really great to use for the most part, and my team works closely with the Splunk team so if I ever have a question it's usually pretty easy to get in touch with someone who knows the answer.
lost-troll Posted November 9, 2022
For work I have been the primary person for ArcSight, LogRhythm, and Securonix.

ArcSight (ESM with Logger) was probably my favorite. It took a lot of work to keep alive, but there was a ton of cool stuff you could do with correlation rules that I haven't been able to do with any other SIEM.

LogRhythm is great for setting up a SOC in 24 hours. You can drill down for days, and pivot like crazy, but searching is very weak. I wouldn't go back to LogRhythm because of the lack of a decent query language.

Securonix is my latest and I'm not sold on it yet. I don't really trust it; I feel like something is always broken, but it's never the same thing twice.

For home (I push router firewall logs, Pi-hole, Sysmon, SSH honeypot, Windows security, and Apache logs) I have used AlienVault, Elastic, Graylog and Splunk. Splunk has been my favorite by far; I just use the free license and am barely under maximum utilization. AlienVault was ok, but onboarding custom data sources was rough. Graylog I liked, but custom data sources with grok was a bit of work. And it randomly died on me one day, so I moved on. Elastic I never really got working, was likely a me problem.

I'm kind of a SIEM junkie; ultimately everyone hates their SIEM and is always looking for a better one.
bloq Posted November 9, 2022
On 11/8/2022 at 2:43 PM, malware_marty said: Any other Sumo Logic users? As the first SIEM I've used it was pretty great to learn on. Splunk's UI can't compare to Sumo's futuristic spaceship UI 😉
+1. Sumo does the job pretty well really, and devs quite like their general logging platform so gathering inputs isn't too hard.
nsfrnm Posted November 9, 2022
22 hours ago, clarkee said: Graylog or Elastic are both fine, I prefer Graylog (https://www.graylog.org/)
Second this.
hippy Posted November 9, 2022
People using Sentinel: what does it ingest? Event logs and? What if you're using 3rd party AV and endpoint (Sophos) and a 3rd party auth provider (Okta)? Can it also deal with this stuff?
clarkee Posted November 9, 2022
1 hour ago, hippy said: People using Sentinel: what does it ingest? Event logs and? What if you're using 3rd party AV and endpoint (Sophos) and a 3rd party auth provider (Okta)? Can it also deal with this stuff?
It can ingest anything you want. It has connectors, but can also take syslog or a myriad of other sources, even logs from AWS or GCP accounts, SaaS services etc. It's pretty impressive and has a boat-load of threat hunting queries built in.
hippy Posted November 9, 2022
Thanks @clarkee, I'm going to mention it to the powers that be. I'm surprised we've been looking at other options without this being suggested. Maybe there's a cost reason or something.
Florian Posted November 9, 2022
38 minutes ago, clarkee said: It can ingest anything you want. It has connectors, but can also take syslog or a myriad of other sources, even logs from AWS or GCP accounts, SaaS services etc. It's pretty impressive and has a boat-load of threat hunting queries built in.
Yeah. Many sensors like Citrix / FortiGate are based on a Linux collector VM (a Linux VM which receives the syslog messages and forwards them to the Sentinel Log Analytics workspace), preferably in the CEF format 😉

What is even cooler about Sentinel is that you can change the time you want to hold the data. For example, you can define that data in specific tables will be available for 1 month and after this it gets moved into archive storage (10x cheaper for storage, but you pay for bringing it back).

Ingest, Archive, Search, and Restore Data in Microsoft Sentinel - Microsoft Community Hub
What's new in Microsoft Sentinel | Microsoft Learn
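The collector path Florian describes (syslog in, CEF forwarded to the workspace) is where most of the parsing pain lives, and lost-troll's point earlier about custom data sources and grok being "a bit of work" is the same problem from the other side. As an added example that is not from this thread, Microsoft, Fortinet or any other vendor, here is a small Python parser for CEF records embedded in syslog lines, plus an aggregation over them. The vendor name, event IDs, hosts, addresses and log lines are all constructed for illustration; nothing here is a real device's output.

```python
"""Parse CEF (Common Event Format) records carried in syslog lines and
aggregate them. Added example; not code from the thread or any vendor."""
import re
from collections import Counter

# The seven pipe-delimited CEF header fields, in order.
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# An extension key is a bare word followed by '=' at the start of the extension
# or after whitespace, so an escaped '\=' inside a value never starts a key.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_ESC_RE = re.compile(r"\\(.)")


def _unescape(value: str) -> str:
    """Undo CEF escaping: \\= -> =, \\\\ -> \\, \\n and \\r -> newline / CR."""
    return _ESC_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(text: str):
    """Return (7 header fields, remaining extension text).
    Pipes inside a header field are escaped as '\\|', so scan character by
    character instead of calling str.split('|')."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped char: keep it literally
            buf.append(text[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 pipe-delimited fields")
    return fields, text[i:]


def parse_extension(ext: str) -> dict:
    """Parse 'key=value key2=value with spaces' into a dict, unescaping values."""
    matches = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(matches):
        start = m.end()
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[start:end].strip())
    return out


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF record. Everything before 'CEF:'
    (priority, timestamp, host) is kept untouched as 'syslog_prefix'."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF: marker in line")
    header, ext = _split_header(line[idx + len("CEF:"):])
    rec = dict(zip(HEADER_FIELDS, header))
    rec["syslog_prefix"] = line[:idx].strip()
    rec["extension"] = parse_extension(ext)
    return rec


def count_by_source(lines, event_name: str) -> dict:
    """Count records whose CEF name equals event_name, keyed by the 'src'
    extension field. Lines that are not valid CEF are skipped, not fatal."""
    counts = Counter()
    for line in lines:
        try:
            rec = parse_cef(line)
        except ValueError:
            continue
        if rec["name"] == event_name:
            counts[rec["extension"].get("src", "?")] += 1
    return dict(counts)


# Constructed sample input (hypothetical vendor "ExampleCo", product "ExampleFW").
SAMPLE_LINES = [
    "<134>Nov  8 10:12:33 gw01 CEF:0|ExampleCo|ExampleFW|1.0|100|Login failed|5|"
    "src=10.0.0.5 suser=admin msg=Invalid credentials",
    "<134>Nov  8 10:12:34 gw01 CEF:0|ExampleCo|ExampleFW|1.0|100|Login failed|5|"
    "src=10.0.0.5 suser=root msg=Invalid credentials",
    "<134>Nov  8 10:12:40 gw01 CEF:0|ExampleCo|ExampleFW|1.0|100|Login failed|5|"
    "src=10.0.0.9 suser=admin msg=Invalid credentials",
    # Escaped pipe in the name, escaped '=' and '\' in extension values.
    "<134>Nov  8 10:13:01 gw01 CEF:0|ExampleCo|ExampleFW|1.0|200|Policy \\| rule hit|3|"
    "src=10.0.0.5 dst=192.0.2.10 msg=path\\=/admin cs1=a\\\\b",
    "<134>Nov  8 10:13:05 gw01 not a CEF line at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES[:4]:
        print(parse_cef(line))
    print(count_by_source(SAMPLE_LINES, "Login failed"))
```

The two things worth noticing are the escaping rules, which differ between the header (only `\|` and `\\` matter) and the extension (`\=`, `\\`, `\n`, `\r`), and the fact that the aggregation tolerates a non-CEF line instead of dying on it; a collector that crashes on one malformed event from a chatty appliance is exactly the "keeping it alive" cost Szeth complained about earlier in the thread.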
DrDisexon Posted November 11, 2022
I have tried only ELK, Wazuh, IBM QRadar and Splunk. Heard Sentinel is good, never tried it though. I like ELK because it is free, it's in my honeypot, I use it often and have written a couple of rules for ELK.