Showing results for 
Search instead for 
Did you mean: 
Create Post

Getting the most out of your SIEM, Step #1 Know yourself and your tools.

Level 11

A SIEM tool is not a vacuum cleaner; you can’t just turn it on and have it siphon up all your log information, and bag it up nicely for you to later dump with out getting your hands dirty. A SIEM requires hands on work, and careful consideration of your particular environment. What may be perfectly normal in your environment may very well be a red flag for another environment. Many times companies will buy a SIEM to simply "check off the box" of some compliance requirement without ever seeing if the solution will work for them.


SIEM vendors, including Solarwinds, have worked diligently to make the out of the box experience with SIEM more “vacuum-esque”, with easier configuration tools, and out of the box rules, alerts and reports. Unfortunately there is no one-size-fits-all approach a vendor can take to apply to all industries and businesses.


With all that being said I would encourage the following: Know your network, spend time with it (many of you already do). Then spend time and effort configuring your SIEM for your network and your needs. In the end it will be a much more fulfilling experience. After all, what is the point of a tool if it isn’t used properly?


I can from experience on this: Have a plan! Have a plan when rolling out any SIEM, preferably Solarwinds LEM, in your network environment. When I first purchased it for my company it was strictly for Windows servers. And then I learned how LEM integrates with Sophos anti-virus, firewalls, Windows File & Directory structure, routers, switches, load balancers, VMware,, and the list keeps going on and on. Soon I found myself in a lake of scope creep!

  I am sure the purchase of a SIEM tool is bound to a business case and business need. Satisfy that need first and then move on to the next "Value Add's" that the SIEM tool can offer. You will ensure success, win the day, and continue to plug gaps in your network security.

Level 11

Thanks Peter! We love hearing stories like this (not that we enjoy your pain, but we like knowing real-world struggles people face). Thank you very much for sharing.

Level 11

Spending a couple of years working with SIEM products and doing IA withing the realm of networking I have learned that SIEM encompasses all aspects of security and risk management. LEM does integrate with the complexities of different vendors and their products. When you are able to retrieve logs and live activity from devices and servers and be able to display and send alerts out using tools, you not only are able to react to network violations and possibly intrusions and patch the holes, so to speak. You can also be pro-active because you are able to see trends and fix issues within the network that could be exploited. Sometimes, you may miss one of the gaps that Peter talks about, but you also have the ability to do forensics that help you to discover what happened and ensure that it doesn't happen again.They are value added products and the ROI is something that businesses shouldn't have to think about doing. In this day and age of hacks and database intrusions that steal personal data, there really shouldn't be any I need to think about spending that kind of money and do business as usual.

I'm still trying to get my Security team interested in this, but they just bought Splunk for beaucoup $$ and are enthralled with the amount of data they can mine.  For my money, SW makes a much more intuitive GUI than Splunk.  But those guys are deep into command line and database analysis, so maybe Splunk is OK for them to use.  As long as it's worth the big bill.

Level 9

Curious as to how you are integrating it with Sophos AV.  We are running Sophos AV (looks like version 10.3).  I have the agent installed on the server and I have a the SophosSNMP and the Sophos Enterprise 3.0 connectors enabled.  I haven't really seen any useful data coming from it (at least from Sophos).  Any suggestions on how to get it forwarding?  What type of info does it log and if you don't mind, how are you using it? Alerts? Automated action rules?  Thanks.

whpd​ it wasn't easy, and with the constant updates that we have been receiving from Sophos the past 12-16 months have been driving us crazy (on many levels). As expected Sophos writes a TON of logs. My engineer worked a lot with Sophos Support to try to filter them out but to no avail. It required us to grow space to accommodate. Our Sophos is monitoring about 3,500 servers and workstations with many of them being remote sales reps who only come in the office once a week. So we get a lot of peaks and valleys which is an absolute headache when trying to do Capacity Planning. Honestly, I am not sure I am all that happy with Solarwinds LEM capturing Sophos logs. If I can ever get some consistency out of the marriage between the two I'll make a decision.

Level 9

That's a bit disappointing, but thanks for replying.

You're welcome! Feel free to mark my initial comment as 'Helpfyl'! I'm slummin' for Thwack points!  🙂

  Also, if things get better I'll keep you in mind and shoot you a note.

Level 7

I think it is a mindset. I like Splunk and prefer it to LEM. Most likely because I started out programming at the hardware level. To me a GUI interface is always a compromise. For you LEM's GUI is intuitive, for me it is a frustrating experience. For me I love building a massive regex in Splunk and go bonkers trying to figure out how to setup Correlations and Correlation Time. And don't get me going on TOT. Every time I think I'm understanding it, I come back to it a couple of weeks later and I've totally forgotten how to use it

Level 9

Implementing a solution just to "check off a box" will lead to even bigger compliance issues down the road, I guarantee it.  No SIEM is a "set it and forget it" tool.  If you're not going to dedicate the time and resources necessary to implement and maintain, you're better off throwing your pennies (dollars, credit cards) in a fountain.