How many "critical" alerts do you normally receive from the SOC? #10150
Replies: 2 comments 1 reply
DebianGuru, in response to your issue about large amounts of critical alerts, you can look to tune out certain types of traffic within your company. To give an example, you could input a BPF to tune out your Nessus scanner and not receive alerts about it within your SOC -- I highly recommend reading this page within the documentation: https://docs.securityonion.net/en/latest/bpf.html. You can also look into tuning out specific Suricata rules that you do not think would pertain to you -- you can view it here: https://docs.securityonion.net/en/latest/managing-alerts.html#identifying-rule-categories. I hope that this information helps.
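To put numbers behind the tuning advice above, here is an added example (not code from the thread or from Security Onion) that reads Suricata EVE JSON alert lines, counts the top-severity alerts per month before and after excluding a scanner host, and builds the matching BPF exclusion string. The sample lines, the scanner address 10.0.0.50, and the choice of Suricata severity 1 as the "critical" tier are all assumptions made for the example.

```python
import json
from collections import Counter

# Constructed EVE JSON alert records (not real traffic); 10.0.0.50 is the assumed Nessus scanner.
SAMPLE_EVE = """
{"timestamp":"2024-01-05T02:10:00","event_type":"alert","src_ip":"10.0.0.50","dest_ip":"10.2.2.9","alert":{"severity":1,"signature":"ET SCAN Nessus User Agent"}}
{"timestamp":"2024-01-05T02:11:00","event_type":"alert","src_ip":"10.0.0.50","dest_ip":"10.2.2.10","alert":{"severity":1,"signature":"ET SCAN Nessus User Agent"}}
{"timestamp":"2024-01-12T14:00:00","event_type":"alert","src_ip":"10.1.1.20","dest_ip":"10.2.2.9","alert":{"severity":1,"signature":"ET MALWARE Example CnC Checkin"}}
{"timestamp":"2024-01-15T09:30:00","event_type":"alert","src_ip":"10.1.1.21","dest_ip":"10.2.2.9","alert":{"severity":3,"signature":"ET INFO Example Policy Event"}}
{"timestamp":"2024-02-03T03:00:00","event_type":"alert","src_ip":"10.2.2.9","dest_ip":"10.0.0.50","alert":{"severity":1,"signature":"ET SCAN Nessus Response"}}
{"timestamp":"2024-02-20T11:45:00","event_type":"flow","src_ip":"10.1.1.22","dest_ip":"10.2.2.9"}
{"timestamp":"2024-02-20T11:46:00","event_type":"alert","src_ip":"192.168.5.4","dest_ip":"10.2.2.9","alert":{"severity":1,"signature":"ET MALWARE Example Beacon"}}
"""

SCANNER_HOSTS = frozenset({"10.0.0.50"})  # assumed scanner address


def count_critical_per_month(eve_text, scanner_hosts=frozenset(), critical_severity=1):
    """Return {YYYY-MM: count} of alerts at critical_severity, skipping any
    alert where the scanner is source or destination."""
    counts = Counter()
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue  # flows, DNS, etc. are not alerts
        if rec["alert"].get("severity") != critical_severity:
            continue  # only the top tier pages someone at night
        if rec.get("src_ip") in scanner_hosts or rec.get("dest_ip") in scanner_hosts:
            continue  # the same traffic a BPF exclusion would drop
        counts[rec["timestamp"][:7]] += 1  # bucket by year-month
    return dict(counts)


def bpf_exclude_hosts(hosts):
    """Build the BPF expression that drops traffic to or from the given hosts."""
    terms = " or ".join(f"host {h}" for h in sorted(hosts))
    return f"not ({terms})" if len(hosts) > 1 else f"not {terms}"


if __name__ == "__main__":
    print("untuned:", count_critical_per_month(SAMPLE_EVE))
    print("tuned:  ", count_critical_per_month(SAMPLE_EVE, SCANNER_HOSTS))
    print("bpf:    ", bpf_exclude_hosts(SCANNER_HOSTS))
```

Running the comparison over a real EVE log (for example the output of `jq -c 'select(.event_type=="alert")'`) shows how much of the critical volume is scanner noise before any on-call threshold is set.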
I think perhaps you should more clearly define the "critical" aspect of any alerts you may see in terms of positivity before making response plans. I see all the same alerts, critical or otherwise, every day due simply to a lack of tuning. But if you want to have a true, credible active response in a 24x7 environment, that means exactly what it says - not phone calls and emails. I imagine that's where outsourcing comes in. Looking at only inside seems like a fairly low bar to keep in-house, but what do I know...
I'm in a strange situation at work. Our company executives are seeing if there's a need to staff additional IT staff or outsource to another solution. We don't have a 24x7 staff, so we explained that we cannot investigate alerts in real time as they pop in. So they have asked if we could have someone "on call" for only critical level alerts. Our IT dept. would rather keep things in house and answer a couple of email alerts a month than farm it out. However, we don't want our only security guy (who wears many other hats) (me) responding to alerts all hours of the evening and night.
Over the last 6 months, I've only seen critical alerts being triggered when I run our monthly Nessus scans. I'm not watching the outside zone on the firewall, just traffic within various segments of our LAN and DMZ.
So, I'm looking to the community to see how many CRITICAL alerts you're seeing in, say, a month. Please give me some context as to the size of the network you're monitoring also. I imagine that someone watching 100 devices would see less than someone with 10,000. Perhaps you could specify the number of users/endpoints in your network to give me a better picture.