Friday, June 27, 2014

Tracking historical logs in SIEM

We often have incidents that are reported for whatever reason after the DHCP lease has expired and the host has received a new IP address. For whatever reason, the host name isn't captured when it's reported to the SIEM.
What are some solutions you have seen used to track the historical IP address of a device when we might not have the host name? 
This seems like a common issue but I haven't seen any one method that works for all organizations. 
DHCP can be received from a network device or Microsoft Windows DHCP server so is the answer to track locally and send that information to SYSLOG?


Whatever your DHCP sources are, make sure you log them all, for all networks in scope. Make sure your log source timestamps reconcile with a common NTP source, and take into account your various timezones if your network locations span multiple geographic regions.
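One way to do the lookup the reply describes, as an added example that is not part of the original post: parse DHCPACK/DHCPRELEASE lines (constructed sample, ISC dhcpd style), normalise their timestamps to UTC, and answer "which MAC and hostname held this IP at the incident time". The log layout, the `dhcp1` host name and the 8-hour default lease length are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample DHCP events (not real data) in a syslog-like layout; the
# server stamps local time with an explicit UTC offset, which is what makes
# cross-region correlation possible once everything is converted to UTC.
SAMPLE_LOG = """\
2014-06-20T08:00:00-04:00 dhcp1 dhcpd: DHCPACK on 10.1.2.3 to 00:11:22:33:44:55 (laptop-alice) via eth0
2014-06-20T09:30:00-04:00 dhcp1 dhcpd: DHCPACK on 10.1.2.9 to 00:11:22:33:44:66 (desk-bob) via eth0
2014-06-20T11:00:00-04:00 dhcp1 dhcpd: DHCPRELEASE of 10.1.2.3 from 00:11:22:33:44:55 (laptop-alice) via eth0
2014-06-20T12:05:00-04:00 dhcp1 dhcpd: DHCPACK on 10.1.2.3 to 00:11:22:33:44:77 (laptop-carol) via eth0
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dhcpd: (?P<kind>DHCPACK|DHCPRELEASE) (?:on|of) (?P<ip>\S+) "
    r"(?:to|from) (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))?")

def build_lease_history(log_text, lease_time=timedelta(hours=8)):
    """Return {ip: [(start_utc, end_utc, mac, host), ...]} in time order.
    A DHCPACK opens a lease that ends at start + lease_time (assumed default)
    unless a DHCPRELEASE or a new DHCPACK for the same IP closes it earlier."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
            events.append((ts, m["kind"], m["ip"], m["mac"], m["host"] or "<no hostname>"))
    events.sort(key=lambda e: e[0])          # multi-region logs now line up

    history, open_idx = {}, {}               # open_idx: ip -> index of active lease
    for ts, kind, ip, mac, host in events:
        if ip in open_idx:                   # close whatever lease was active
            s, e, m_, h = history[ip][open_idx[ip]]
            history[ip][open_idx.pop(ip)] = (s, min(e, ts), m_, h)
        if kind == "DHCPACK":
            history.setdefault(ip, []).append((ts, ts + lease_time, mac, host))
            open_idx[ip] = len(history[ip]) - 1
    return history

def who_had(history, ip, when_iso):
    """Return (mac, host) holding `ip` at ISO-8601 instant `when_iso`, else None.
    The incident time must carry a UTC offset; a naive time is ambiguous."""
    when = datetime.fromisoformat(when_iso)
    if when.tzinfo is None:
        raise ValueError("incident time must carry a UTC offset")
    when = when.astimezone(timezone.utc)
    for start, end, mac, host in history.get(ip, []):
        if start <= when < end:
            return mac, host
    return None
```

An incident reported at 19:00 Berlin time (+02:00) on 10.1.2.3 resolves to laptop-carol, while the same IP an hour after laptop-alice's release resolves to nobody, which is the gap the question is about.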

Websense audit trail logs in QRadar


Websense uses their Multiplexer service to filter events from logs to generate Syslog events for QRadar (or any other SIEM). I do not know if the audit logs are exported or supported by the Multiplexer, as the audit logs are generated in HTML/Excel format.

If the Multiplexer service does not support audit logs, then the existing Device Support Module (DSM) for Websense TRITON would need a protocol update to support a method to retrieve and parse the events. The DSM would also require a review of the audit event format generated by Websense to ensure that the events are parsed and categorized properly.

Can QRadar SIEM collect the Websense audit trail logs that show which administrators have accessed TRITON - Email Security, as well as any changes made to policies and settings?

Link: http://www.websense.com/content/support/library/email/v76/esg_help/customizing_audit_log_explain_esg.aspx

We followed the DSM guide to collect the logs for Websense; we are getting the application logs but not the Websense audit trail logs.

If yes, please share the detailed process.

Appreciate your help at the earliest.
Websense Email Security provides an audit trail showing which administrators have accessed TRITON - Email Security, as well as any changes made to policies and settings. This information is available only to Super Administrators. Monitoring..

Tuesday, June 17, 2014

How to Stop Cyber Attackers?
Business happens everywhere. Employees access applications from smartphones, and developers provision cloud resources on demand. Security must travel with the user and the data, especially outside the walls of the organization.
Instead of evolving their practices, organizations layer on more and more tools from multiple vendors, each one claiming to solve a new part of the problem. These isolated tools are unable to prevent new breeds of attack and can’t provide the security team a view of what’s going on across the enterprise.