You may also want to consider the MITRE ATT&CK framework. https://attack.mitre.org/

Best Practice Papers Additional detail is available in several public papers vetted by SANS that have become industry best practices  A Process for Continuous Security Improvement Using Log Analysis https://www.sans.org/white-pap... #33824  Successful SIEM and Log…

It's best to start your search based on the use cases/problems you need to solve.  Each product has strengths and weaknesses. I'd suggest you may want to consider UEBA and SOAR in the decision.  Our SOC teams just don't have enough people, and SIEM rules turn out high…

SIEM focuses on correlation - detection, both known (and with UEBA), unknown/0 Day anomalies XDR focuses on blocking - usually of only known patterns - If on Threat Intel List, block - much like implementing AV at a firewall/network level, not entirely dissimilar to IPS.…

As several have said, it depends on quite a few factors 1. What use cases are you trying to solve?  - Search/Threat Hunting is easy and a baseline, Splunk does a great job, as do Sumo, AlertLogic, Devo and a few others in the cloud for even less than Splunk. - Threat…

@Norman Freitag It's not top rated by analyst firms. While it's easy to ingest data it takes a lot of care and feeding and licensing gets expensive as the size grows. Good for NOC use cases, much tougher for SOC, and requires expensive add ons like Caspida for Insider and…

You're describing the use cases for a Web Application Firewall. Web-specific IDS, injection, attack detection and mitigation.  Cloudflare is one you might look at. Imperva, Whitehat... several vendors and products to choose from. One in the cloud that also does DDoS…

Incident Response playbooks detail how to act when a threat or incident occurs. PICERL - Preparation, Identification, Containment, Eradication, Remediation, Lessons Learned (From SANS).  The playbook outlines what to do at each stage Typical SOAR playbooks automate the…

It would really depend on (1) which logs you need to ingest and (2) what are your use cases Splunk is easy for ingestion of anything, but the charge per GB/Day Indexed and it gets expensive as log volume increases. Splunk is good for operations style use cases (NOC), but…

SIEM vs UEBA 1. SIEM is designed to store events for extended periods (typically 365 days), UEBA violations/rule triggers add to risk scores but generally function on real-time data and < 30-day old data 2. SIEMs are generally Rule-Based - "If X Happens Y Times in Z Time…

@Shibu Babuchandran Splunk gets expensive as your size grows. It's the St. Bernard puppy.   ELK Metron, Greylog are the common entry log collectors if you have a minimal budget. But I would suggest small organizations should look to partner with an MSSP for managed SOC/SIEM…

As a rule, a SIEM correlation should:  1) Reduce events by 99.99% - raw events to correlations 2) Impact system performance by <1%  3) Produce Correlated Threats with >35% true positive rate on investigation - 33% are usually false positives or misconfigurations (not real…

Most SIEMs shouldn't require agents. You can generally configure Windows Event Forwarding (WEF), to a Windows Event Collector (WEC), and then forward logs via one agent on the WEC for multiple endpoints.   We use NXLOG at Securonix.  I would suggest if you need to deploy…

There are 26 base use cases every SIEM should run that find Indicators of Compromise (IOCs) on machines.  They follow two basic patterns - Everything Counts in Large Amounts and Do Any Two Things Wrong, Go to the Top of the List.  Success After Fail is another common…