3 Replies Latest reply on Aug 1, 2017 11:51 AM by jrouviere

    False Positive Events_SIEM

    kdevmu

      What are the most generic false positive events triggered on SolarWinds LEM or on any other SIEM?

        • Re: False Positive Events_SIEM
          jrouviere

          That question is pretty broad; do you have a specific example of what you're looking for? I would say logon failures, in a way. The LEM normalizes the data that is being generated by your system, so they're legitimate events, but you would see Inferred Incidents reported for multiple logon failures, say in 30 seconds, that may trigger additional alerting depending on your rules. This could be an attack, or it could be that someone changed a service account password and hasn't updated the appropriate configs yet (tools, scripts, network shares, etc.). You would have to dig into the data to find out why it's happening and where it's happening, and then resolve it so that you don't get those events.

          • Re: False Positive Events_SIEM
            curtisi

            I can't speak to any other SIEMs, but I'd say the most chatty false-positive for new customers is the "Suspicious DNS Traffic" rule.  I see customers turn this rule on without understanding that they need to define a list of Approved DNS servers, so LEM then flags ALL DNS traffic as suspicious.  It's an easy enough thing to fix, but there are stock rules that need just a little extra information to provide meaningful alerts.

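As an added illustration of the two false-positive patterns described in the replies above (example code, not from the thread or from SolarWinds LEM), here is simple detection logic run over constructed sample events: a sliding-window logon-failure rule like the Inferred Incident jrouviere describes, and a DNS rule that flags every query when the approved-resolver list is left empty, as curtisi describes. The event layout, threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events for illustration only (not real LEM output).
# Each event: (ISO timestamp, event type, source account/client, host/resolver)
EVENTS = [
    ("2017-08-01T09:00:00", "LogonFailure", "svc_backup", "host1"),
    ("2017-08-01T09:00:05", "LogonFailure", "svc_backup", "host2"),
    ("2017-08-01T09:00:10", "LogonFailure", "svc_backup", "host3"),
    ("2017-08-01T09:00:12", "LogonFailure", "svc_backup", "host4"),
    ("2017-08-01T09:00:14", "LogonFailure", "svc_backup", "host5"),
    ("2017-08-01T09:00:20", "LogonFailure", "jsmith", "laptop7"),
    ("2017-08-01T09:02:00", "LogonFailure", "jsmith", "laptop7"),
    ("2017-08-01T09:00:01", "DNSQuery", "10.0.5.21", "10.0.0.53"),
    ("2017-08-01T09:00:02", "DNSQuery", "10.0.5.22", "8.8.8.8"),
    ("2017-08-01T09:00:03", "DNSQuery", "10.0.5.23", "10.0.0.54"),
]


def inferred_logon_failures(events, threshold=5, window_seconds=30):
    """Emit one inferred incident per account whose failure count inside a
    sliding window reaches the threshold. One account failing from many
    hosts is the stale-service-account pattern the thread describes, so the
    incident carries the distinct hosts to make that triage visible."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # account -> recent (time, host) failures
    incidents = []
    for ts, etype, account, host in sorted(events, key=lambda e: e[0]):
        if etype != "LogonFailure":
            continue
        now = datetime.fromisoformat(ts)
        q = recent[account]
        q.append((now, host))
        while q and now - q[0][0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            incidents.append((account, sorted({h for _, h in q})))
            q.clear()  # one burst yields one incident, not one per extra failure
    return incidents


def suspicious_dns(events, approved_dns_servers):
    """Flag DNS traffic to any resolver not on the approved list. With an
    empty list every DNS event is flagged, the misconfiguration curtisi describes."""
    approved = set(approved_dns_servers)
    return [(client, server) for _, etype, client, server in events
            if etype == "DNSQuery" and server not in approved]
```

Running `suspicious_dns(EVENTS, [])` flags all three queries, while passing the internal resolvers as approved leaves only the query to the external server.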