SIEM Metrics and Success Criteria. Help please!
thman
I just started my first security engineer role and they have me managing their LogRhythm SIEM. It just got installed a month or so before I started. I've never managed a SIEM before.
Can you guys help me with some good metrics and success criteria. Examples are below.
Metric: # of failed user logins per week
Success Criteria: Log sources that stop reporting are remediated within 24 hours
The metrics will be reported weekly. Any help will be greatly appreciated.
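Both of the examples in the post, the failed-logins-per-week count and the "silent log source remediated within 24 hours" criterion, can be computed from normalized events without any vendor tooling. The script below is an added illustration, not from the original thread and not LogRhythm code; the events, host names and timestamps are constructed, and a real deployment would feed it exported or API-retrieved events instead.

```python
"""Weekly SIEM health metrics over a constructed sample of normalized events.

Added example; it assumes events have already been normalized into
(timestamp, log source, event type) tuples. Nothing here touches LogRhythm.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, log source, event type).
SAMPLE_EVENTS = [
    ("2024-03-04T08:15:00", "dc01", "logon_failure"),
    ("2024-03-04T08:16:00", "dc01", "logon_failure"),
    ("2024-03-05T09:00:00", "dc01", "logon_success"),
    ("2024-03-06T10:30:00", "fw01", "deny"),
    ("2024-03-07T11:00:00", "dc01", "logon_failure"),
    ("2024-03-10T23:00:00", "vpn01", "logon_success"),  # vpn01 goes quiet after this
    ("2024-03-11T08:00:00", "dc01", "logon_failure"),   # following ISO week
    ("2024-03-12T12:00:00", "fw01", "deny"),
    ("2024-03-12T12:30:00", "dc01", "logon_success"),
]

# Constructed "report time" for the silence check below.
NOW = datetime.fromisoformat("2024-03-12T13:00:00")


def parse(events):
    """Turn the string timestamps into datetimes; keep source and type as-is."""
    return [(datetime.fromisoformat(ts), src, kind) for ts, src, kind in events]


def failed_logins_per_week(events):
    """Metric: number of logon_failure events per ISO week, keyed 'YYYY-Www'.

    Reporting by ISO week matches a weekly reporting cadence and avoids the
    off-by-one that comes from bucketing on 'days since the first event'.
    """
    counts = Counter()
    for ts, _src, kind in parse(events):
        if kind == "logon_failure":
            year, week, _weekday = ts.isocalendar()
            counts[f"{year}-W{week:02d}"] += 1
    return dict(counts)


def silent_sources(events, now, max_silence=timedelta(hours=24)):
    """Detection half of the success criterion: sources whose most recent event
    is older than max_silence, mapped to how long they have been silent.

    A source that has never sent anything cannot appear here, so the expected
    source inventory should be compared against this list separately.
    """
    last_seen = {}
    for ts, src, _kind in parse(events):
        last_seen[src] = max(last_seen.get(src, ts), ts)
    return {src: now - ts for src, ts in last_seen.items() if now - ts > max_silence}


def sla_met(detected_iso, remediated_iso, sla=timedelta(hours=24)):
    """Measurement half of the criterion: was a silent source fixed within the SLA?"""
    detected = datetime.fromisoformat(detected_iso)
    remediated = datetime.fromisoformat(remediated_iso)
    return remediated - detected <= sla


if __name__ == "__main__":
    print("Failed logins per week:", failed_logins_per_week(SAMPLE_EVENTS))
    for src, gap in silent_sources(SAMPLE_EVENTS, NOW).items():
        print(f"{src} silent for {gap} (exceeds 24h, open a ticket)")
```

The two halves of the success criterion are deliberately separate: `silent_sources` is what should raise the ticket, and `sla_met` is what the weekly report scores once the ticket is closed. Tracking both the count of silent sources and the share remediated inside 24 hours gives a metric that is hard to game by simply not noticing outages.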
Comments
thman
Anybody? lol.
Madmaximus
Hey , I am new here and this is my first post. Anyway, I am also using LogRhythm as our SIEM at work but I don't manage it. I would highly suggest that you explore the LogRhythm community/support portal as it has tons of useful information from LogRhythm itself and from other LogRhythm admins/users.
JDMurray
Welcome to TE!
Do you have a link to the LogRhythm portal? I'm a Splunk user myself.
Madmaximus
Thanks @JDMurray!
Here it is - logrhythmcommunity.force.com/ but I believe this is for their customers only.
TechGromit
I'm not familiar with LogRhythm, but they all operate similarly. You can set up reporting on what's important to you. Some of ours are failed logins, cleared logs, USB insertions, new user accounts, password changes, privilege escalation, etc. The hardest part of most SIEMs is getting the system to give you alerts without unnecessary spam. A certain amount of tuning is necessary to filter out the crap and leave you with manageable alerting. I recall with our old system, Industrial Defender, we initially got thousands of alerts a day before we got the spam filtered out.