SIEM integration

  • Question

  • We have ATA running but we don't own any of the SIEM products listed (Splunk, ArcSight, RSA, QRadar).  Two questions

    1. Are there any other SIEM integrations coming soon?  That may influence our purchasing decision if we can have some advance notice.

    2. Does Microsoft have any SIEM-like solutions either on-prem or in Azure?  I have been sampling Microsoft OMS, and Azure Log Analytics.  Not sure if they count as SIEM.

    Thursday, November 9, 2017 3:18 PM

All replies

  • What SIEM solution/s do you currently have?
    Thursday, November 9, 2017 3:22 PM
  • I don't know that we have an official SIEM on-prem.  But here's all the management/monitoring stuff we do have running at the moment.

    1. Microsoft Advanced Threat Analytics (one Center - two Lightweight Gateways running on DCs)

    2. SolarWinds Orion with Server Application Manager/Network Performance Monitor

    3. SolarWinds Log & Event Manager (maybe closest to a SIEM - we don't like it much)

    4. McAfee ePolicy Orchestrator - for antimalware (run McAfee Endpoint Protection on nodes)

    5. SolarWinds ipMonitor

    6. RedGate SQL Monitor

    7. VMware - virtual infrastructure with Windows guests

    I have been evaluating Microsoft OMS and Azure Log Analytics but haven't gotten very far.

    We aren't married to any of these products by any stretch. I'm more interested in new solutions and if ATA is integrated with any, it would help our search.  Even better, why not have Microsoft provide a SIEM solution?

    Thoughts?

    Thursday, November 9, 2017 3:36 PM
  • Oh, and as far as collecting data from devices, we also have a Palo Alto firewall, a FireEye, and an F5 Load Balancer.  We use HP ProLiant servers, HP Switches (ProCurve) and HP LeftHand storage units.  So a SIEM solution should be able to pull logs from all those places.
    Thursday, November 9, 2017 3:40 PM
  • You don't have to use a SIEM solution if you don't have one already;

    you can forward Windows events directly from Windows via WEF.

    Orgs that already have a SIEM that gets all the data can send it easily from a single point, which is easier.

    Anyway, if you are installing LWGWs only on all your DCs, and use V1.8.1, we don't need it; we can simply read the data directly from Windows event logs.

    "To enhance detection capabilities, ATA needs the following Windows events: 4776, 4732, 4733, 4728, 4729, 4756, 4757. These can either be read automatically by the ATA Lightweight Gateway or in case the ATA Lightweight Gateway is not deployed, it can be forwarded to the ATA Gateway in one of two ways, by configuring the ATA Gateway to listen for SIEM events or by configuring Windows Event Forwarding."

    https://docs.microsoft.com/en-us/advanced-threat-analytics/install-ata-step6

    Thursday, November 9, 2017 3:43 PM
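The event-collection requirement quoted in the reply above, as an added check that is not part of the thread or of Microsoft's ATA docs: it verifies that a domain controller is actually producing the seven Security events ATA reads, names the audit subcategory each one depends on, and prints the matching XPath for a WEF subscription for the case where no Lightweight Gateway runs on the DC. It assumes it runs as an administrator on the DC (or on the WEF collector, with the log name switched to ForwardedEvents).

```powershell
# Added check (not from the thread or Microsoft's docs): confirm a DC is producing
# the Security events ATA reads, and emit the matching XPath for a WEF subscription.
# Assumes administrator rights on the DC, or on the WEF collector with
# $LogName = 'ForwardedEvents'.

$AtaEventIds = 4776, 4732, 4733, 4728, 4729, 4756, 4757
$LogName     = 'Security'          # use 'ForwardedEvents' on a WEF collector
$LookBack    = (Get-Date).AddDays(-1)

# Pull only the IDs ATA cares about; the hashtable filter is applied by the event log service.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = $AtaEventIds
    StartTime = $LookBack
} -ErrorAction SilentlyContinue

$Seen = @{}
$Events | Group-Object -Property Id | ForEach-Object { $Seen[[int]$_.Name] = $_.Count }

# Audit subcategory that must be enabled on the DC for each ID. This is needed
# whether the LWGW, WEF or a SIEM does the collection; if the policy is off,
# nothing reaches ATA regardless of the transport.
$Subcategory = @{
    4776 = 'Credential Validation'
    4728 = 'Security Group Management'; 4729 = 'Security Group Management'
    4732 = 'Security Group Management'; 4733 = 'Security Group Management'
    4756 = 'Security Group Management'; 4757 = 'Security Group Management'
}

foreach ($id in $AtaEventIds) {
    $n = if ($Seen.ContainsKey($id)) { $Seen[$id] } else { 0 }
    $state = if ($n -gt 0) { 'OK     ' } else { 'MISSING' }
    '{0} {1}  {2,6} event(s) in last 24h  (audit: {3})' -f $state, $id, $n, $Subcategory[$id]
}
# Caveat: group-management events (4728-4757) only fire when membership changes,
# so MISSING for those in a quiet 24h window is not proof the audit policy is off;
# 4776 on a busy DC should always be present.

# XPath for the WEF subscription (wecutil / Event Viewer -> Subscriptions):
$XPath = '*[System[(' + (($AtaEventIds | ForEach-Object { "EventID=$_" }) -join ' or ') + ')]]'
"`nWEF subscription query for the Security log:`n<Select Path=`"Security`">$XPath</Select>"
```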
  • Interesting.  So you are saying that SIEM integration was done as an ALTERNATIVE to collecting Windows Events IF the company already had the SIEM solution in place?

    Also, are there any non-Windows-based events that a SIEM would provide that would be of value to ATA?  Or does ATA only care about Windows-based events?

    Thursday, November 9, 2017 3:52 PM
  • Also,

    1. any discussion about adding integration with SolarWinds Log & Event Manager?

    2. does Microsoft have any SIEM-like solutions (either on-prem or in cloud)?

    Thursday, November 9, 2017 4:07 PM
  • For now, only the Windows events specified in the link I provided.
    Thursday, November 9, 2017 4:08 PM