SIEM Metrics and Success Criteria. Help please!

thmanthman Member Posts: 3 ■■□□□□□□□□
I just started my first security engineer role and they have me managing their LogRhythm SIEM. It just got installed a month or so before I started. I've never managed a SIEM before.

Can you guys help me with some good metrics and success criteria. Examples are below. 

Metric
# of failed user logins per week

Success Criteria
Log sources that stop reporting are remediated within 24 hours

The metrics will be reported weekly. Any help will be greatly appreciated. 

Comments

  • thmanthman Member Posts: 3 ■■□□□□□□□□
  • MadmaximusMadmaximus Member Posts: 9 ■■■□□□□□□□
    Hey , I am new here and this is my first post. Anyway, I am also using LogRhythm as our SIEM at work but I don't manage it. I would highly suggest that you explore the LogRhythm community/support portal as it has tons of useful information from LogRhythm itself and from other LogRhythm admins/users. 
  • JDMurrayJDMurray Admin Posts: 13,090 Admin
    Welcome to TE!
    Do you have a link to the LogRhythm portal? I'm a Splunk user myself ;)

  • MadmaximusMadmaximus Member Posts: 9 ■■■□□□□□□□
    Thanks @JDMurray !

    Here it is - logrhythmcommunity.force.com/ but I believe this is for their customers only. 
  • TechGromitTechGromit Member Posts: 2,156 ■■■■■■■■■□
    edited June 2021
    I'm not familiar with LogRhythm, but they all operate similar. You can set up reporting to what's important to you. Some of ours is failed logins, Clear logs, USB insertions, New user accounts, Password changes, privilege's escalation, etc. The hardest part of most SIEMS is getting the system to give you alerts, without unnecessary spam. A certain amount of tuning is necessary to filter out the crap and leave you with manageable alerting. I recall our old system, Industrial Defender, we initially got thousands of alerts a day before we got the spam filtered out.    
    Still searching for the corner in a round room.
Sign In or Register to comment.