[netsa-tools-discuss] Planning to offload Qradar SIEM noisy rules to SILK
asad
a.alii85 at gmail.com
Mon Nov 2 08:54:39 EST 2015
Hello,
I have an interesting case, where the SIEM Qradar is busy 90% of time using
information from traffic logs of different firewall e.g cisco asa. This was
done before the introduction of SILK into the env.
Now, these rules how the work are very useful for correlation itself, for
e.g in 1 hour time 100 different destinations were communicated with the
same dest port and from same source IP.
Qradar has builtin-rules to use data from traffic log to detect these
suspicious traffic which after analysis comes either as scanners, malware
or just noisy servers i.e NMS.
My plan is to transfer the logic behind these rules to SILK analysis
pipeline , for start I'm using cisco asa since its the most nosiest of log
source into SIEM.
Most of the conditions in the logic are fairly easy to transfer into
alerting parms provided with pipeline.conf, however I'm unable to know how
can I reproduce the following. For e.g certain rules work in SIEM based
upon event-name coming from cisco asa traffic log e.g "firewall accepts,
firewall deny, session open and session close".
I know that cisco asa nsel format is event driven, there is no information
of FLAGS that goes into flow data from cisco asa. Thus, I want to know in
the absence of FLAGS information does the SILK provide the ability to
gather 'event-name" information e.g session created and can be used as part
of filter or better alerting condition?
As without the info of event-name its very difficult to replicate logic
into SILK.
Hoping for some assistance on the issue.
regards
asad
-------------- next part --------------
HTML attachment scrubbed and removed
More information about the netsa-tools-discuss
mailing list