Recommended SIEM Events?

solar-n00b

Hi Everyone...I'm setting up some alerts for the LEM to capture, and I was wondering if the community is aware of any "best practice" alerts to ensure are enabled.

For example, I know that events like Account Creations/Deletions, Port Scans, etc should be enabled but what others are recommended?

Thoughts are welcome!

Thanks much!

marcusmm8

One struggle i have is what type of alert (incidents and/or email notification). We have seen occasions where auditors see the incident but ask if an email also went out.

Requirements are a good indicator of what to monitor (i.e. PCI). As far as nonagent devices, definitely try to capture admin activity. Syslog docs have the logs grouped to assist.