
If you are a SIEM user/engineer, what do you use to track changes to rules, especially documenting your tuning efforts ?

@sidoyle Git gets suggested. Also internal wiki with history.

@superruserr thanks, we have an internal wiki, but more for work instructions and playbooks, along with “friendly intel” to help analysts. I’ve thought about git, will give it some more thought. Thanks.

@sidoyle

This looks promising: s3.sitepoint.com/examples/git- for git.

If GH, I've seen large orgs use private GitHub repos, which could be a problem.

That, and GH command-and-control type attacks: nostarch.com/download/BlackHat

@sidoyle We are using a spreadsheet to document rule changes. When we go underneath the admin web interface to tweak, we create change records in our ITSM tool.

@seb thanks Seb, I’m definitely pushing for the use of ITSM to record changes. I think we will need more than a spreadsheet; probably look at a git repo or use our wiki somehow.

@sidoyle We review the effect of rule changes every week (especially important with ML based rules) and therefore wanted an easy way to pull them up in our weekly SOC meeting. Our ITSM isn’t as practical for that.

@sidoyle Change tickets and wiki docs!

And quarterly reviews of each SIEM.

@robertcc Agree on change tickets; possibly use our wiki, but also looking at possibly using a git repo.

@sidoyle It would definitely be slick if your workflow can support tracking changes with git commits. There is plenty of room in there too for change approval and change automation only.

@sidoyle @jerry git - if it’s not in git, it did not and will not happen. Easiest way to review and approve.

@sidoyle since some SIEM rules or configuration files are very syntax specific, and sometimes encoding specific, I usually find integrity monitoring useful. Git is pretty great for that - and a repo for the file versioning or testing.
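Added example, not posted by anyone in this thread: the three checks the replies above describe, written as plain shell functions that can be wired into a git repo of SIEM rules (a `pre-commit` hook for the encoding check, a `commit-msg` hook for the ticket check, and a cron job or pipeline step for the manifest comparison). The `CHG-` ticket prefix, the directory layout and the rule contents are constructed for illustration; the SHA-256 manifest stands in for the git-backed integrity check the last reply mentions, so the script runs without git present.

```shell
#!/bin/sh
# Added example (not from the thread): keep SIEM rules in a repo and
#  - reject encoding breakage before it is committed (BOM, CRLF),
#  - require a change-ticket reference in every commit message,
#  - compare the deployed rule directory against a SHA-256 manifest
#    taken from the repo (integrity monitoring / drift detection).
# Ticket prefix "CHG-", paths and rule bodies are constructed assumptions.
set -eu

# SHA-256 of one file, using whichever hashing tool the host has.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# Return 0 if the rule file has no UTF-8 BOM and no CRLF line endings,
# 1 (with a reason on stderr) otherwise. Suitable as a pre-commit hook.
check_rule_encoding() {
  f="$1"
  if [ "$(head -c 3 "$f" | od -An -tx1 | tr -d ' \t\n')" = "efbbbf" ]; then
    echo "$f: UTF-8 BOM present" >&2; return 1
  fi
  if grep -q "$(printf '\r')" "$f"; then
    echo "$f: CRLF line endings" >&2; return 1
  fi
  return 0
}

# Return 0 if the first line of a commit message starts with a ticket
# reference such as "CHG-1234: ...", so each tuning change maps to an ITSM record.
check_commit_msg() {
  printf '%s\n' "$1" | head -n 1 | grep -Eq '^CHG-[0-9]+: .+'
}

# Print "sha256  relative/path" for every regular file under $1, sorted.
write_manifest() {
  ( cd "$1" && find . -type f | sort | while IFS= read -r p; do
      printf '%s  %s\n' "$(hash_file "$p")" "${p#./}"
    done )
}

# Compare a deployed rule directory ($1) against a manifest ($2).
# Prints MODIFIED / MISSING / UNTRACKED lines and returns 1 on any drift.
verify_manifest() {
  dir="$1"; manifest="$2"
  drift=$(
    while read -r want path; do
      if [ ! -f "$dir/$path" ]; then echo "MISSING $path"
      elif [ "$(hash_file "$dir/$path")" != "$want" ]; then echo "MODIFIED $path"
      fi
    done < "$manifest"
    ( cd "$dir" && find . -type f | sort ) | while IFS= read -r p; do
      p="${p#./}"
      # the hash is 64 hex chars plus two spaces, so the path starts at column 67
      cut -c67- "$manifest" | grep -Fxq "$p" || echo "UNTRACKED $p"
    done
  )
  [ -z "$drift" ] && return 0
  printf '%s\n' "$drift"
  return 1
}

# Demo on constructed data: baseline the repo, then tune a threshold directly
# in the SIEM console (no commit) and show the drift being caught.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/repo/rules" "$work/deployed/rules"
  printf 'title: SSH brute force\nthreshold: 20\nwindow: 5m\n' > "$work/repo/rules/brute_force.yml"
  printf 'title: Impossible travel\nmodel: ml\n' > "$work/repo/rules/impossible_travel.yml"
  cp "$work/repo/rules/"* "$work/deployed/rules/"
  write_manifest "$work/repo" > "$work/manifest.txt"
  verify_manifest "$work/deployed" "$work/manifest.txt" && echo "deployed rules match the repo"
  printf 'title: SSH brute force\nthreshold: 50\nwindow: 5m\n' > "$work/deployed/rules/brute_force.yml"
  verify_manifest "$work/deployed" "$work/manifest.txt" || echo "drift detected: tune it in the repo, not the console"
  rm -rf "$work"
}
demo
```

The manifest is written from the repo checkout and verified against the live rule directory, so a change made in the console without a commit shows up as MODIFIED in the weekly review, and a rule added outside the repo shows up as UNTRACKED.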

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.