3 Replies Latest reply on May 8, 2014 10:28 AM by mnickens

    Filters best practices


      hello ...


      I am new to SIEM tools and a fresh graduate from college.


      We are implementing the LEM tool in our company and my boss asked me to find the best practice for the filters, meaning what are the best filters for the connected nodes (e.g. antivirus), what should we keep from the predefined filters and what should we remove, and what to add if necessary.

      The nodes he gave me are:

      - antivirus
      - Firewall
      - router
      - exchange
      - active directory

      Please, if you could help me or direct me to a URL that can help me, that would be appreciated.

        • Re: Filters best practices
          Ram Esakky



          You can refer to the SIEM whitepaper here, it gives an overview of SIEM logs and events. You can also download a fully featured SolarWinds Log and Event Manager here for a 30-day free evaluation. Please feel free to call our support if you need help with installation.



          -Ram Esakky

          • Re: Filters best practices



            Depending on the type of organisation you are working for, you may have requirements to remain compliant with a set of guidelines or have to monitor, audit or report on certain activities on your systems. It is worth seeking this guidance from your company and identifying how LEM can help you achieve this. Note that the out-of-the-box configuration may not necessarily achieve this, so you may have to add and start specific connectors, manage additional nodes, schedule reports and perform nDepth queries. Filters are fine for monitoring current events, but if you close the console and re-open it, you will have a gap in the events received by your console. I would tend to use nDepth and rules for auditing and alerting of events.

            • Re: Filters best practices

              I must say Garreth's suggestions are right on point. I could be off base with my thinking, but asking what are some best practices is a little like playing darts blindfolded. You cannot hit your requirements without knowing what they are. With SIEM solutions the best practice you can have is to learn to find out what your monitoring requirements are. I am not saying many users on the community do not have specific rules that we implement over and over again, but, like in my case, I support clients primarily within the Federal Government. This means I have a baseline and best practices for monitoring that encompass regulations and compliance in that community. All organizations' infrastructure is different and they have different policies and regulations that govern them. I am sure this may not be what you wanted to hear. If you are looking for specific Filters, Rules and Reports, it would help to post what your organization's general requirements or pains are and then ask what are some best practices the community uses to meet them.


              Hope this helps.