Security Information Event Management
Finally I setup my home IDS: Snort & Snorby on top. The goal: to see what is going on in my Internet traffic, is there anything interesting. Also Snort output will be collected by home Splunk instance. The screenshot below shows only test events, nothing serious 🙂 I used this guide: Home IDS with Snort … Read more
ArcSight Smart Connectors has a very useful feature: it is possible to set up a filter to filter out unwanted events and don’t send them to a destination (ESM ArcSight, Logger, etc). It works very well at the ESM ArcSight – you just need to open connector’s properties, select the “Filter” tab and create a … Read more
Recently I find out a situation when some device puts time stamps using the GMT time zone. It could be easily fixed by changing connector settings. But here is a problem again – settings are global, so it will fix time stamps for this device and will broke time stamps for all other device. The only … Read more
Introduction I attended many sessions at the “HP Protect 2012” conference last September and one of them – the “Plug it in!” by Doron Keller (HP/ArcSight) was very interesting for me. As a former software developer, I always like any possibilities of enriching features of an existing product by writing few lines of code. Furthermore … Read more
The “Replay” (also known as Test Alert) agent at the ESM ArcSight – is a very powerful tool for developing and debugging rules. You don’t need to wait until a real (and probably rare!) event will be received by the ESM Manager only to check that the rule produced incorrect result. Of course a test … Read more
I wrote a small introduction article about log monitoring and how it relates to advanced threats detection. Why using of SIEM is important. Read the article.