PaulDotCom mailing list archives
SOC common/best practice?
From: k41zen Me <k41zen () me com>
Date: Wed, 21 Jul 2010 21:41:58 +0100
Our SOC understandably take in feeds from AV, IDS and Firewalls to their log correlation engine. Apparently when an alert is fed in to this correlation engine, the SOC analysts have to log in to the management consoles of the AV solution, the IDS solutions and the Firewall solutions to be able to:

1) Validate the alert sent to their log correlation engine
2) Obtain further information about the alert to attach to a service call for investigation

This seems odd to me but I'm not a SOC analyst and wanted to throw this out there to the people that would know. So my questions are:

1) Does this sound like common practice and/or best practice?
2) Does it sound like little faith in the correlation engine or agents deployed to report into it?
3) Not enough information about the alert being sent to the correlation engine?
4) All of the above?
5) None of the above?

Grateful for any insight.

k41zen

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
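An added illustration of question 3 (whether the correlation engine is being handed enough information), not from the original post and not PaulDotCom code: a small correlation step that normalises AV, IDS and firewall events, groups them by internal IP inside a time window, and attaches every contributing raw record to the alert it raises. When the alert already carries the source records, the analyst has the evidence for the service call in hand and does not need to re-query three consoles just to confirm the engine saw what it says it saw. The log lines, field names (`host=`, `ip=`, `src=`, `threat=`, `sid=`, `msg=`) and the three-feed-to-one-alert rule are constructed for the example and are not any particular product's format.

```python
"""Correlate AV, IDS and firewall events and attach the source records as evidence.

Added example; feeds, field names and the correlation rule are constructed, not
taken from any real product or from the original mailing-list post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feeds, one key=value event per line (not real product output).
AV_LOG = """\
2010-07-21T20:05:10Z host=ws-042 ip=10.1.4.42 action=quarantined threat=Trojan.Generic file=C:\\Users\\a\\tmp\\x.exe
2010-07-21T20:40:00Z host=ws-107 ip=10.1.4.107 action=cleaned threat=Adware.Foo file=C:\\tmp\\y.exe
"""
IDS_LOG = """\
2010-07-21T20:06:02Z src=10.1.4.42 dst=203.0.113.9 sid=2010001 msg="ET TROJAN Possible C2 beacon"
2010-07-21T20:06:30Z src=10.1.4.42 dst=203.0.113.9 sid=2010001 msg="ET TROJAN Possible C2 beacon"
2010-07-21T21:15:00Z src=10.1.9.3 dst=198.51.100.7 sid=2000001 msg="ET SCAN Port scan"
"""
FW_LOG = """\
2010-07-21T20:06:03Z action=deny src=10.1.4.42 dst=203.0.113.9 dport=443 proto=tcp
2010-07-21T20:06:31Z action=deny src=10.1.4.42 dst=203.0.113.9 dport=443 proto=tcp
2010-07-21T20:41:00Z action=allow src=10.1.7.20 dst=192.0.2.5 dport=80 proto=tcp
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(source, line):
    """Turn one key=value line into a normalised event; the raw line is kept as evidence."""
    ts_str, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "source": source,
        # AV reports the host's own ip=, IDS and firewall report it as src=
        "ip": fields.get("ip") or fields.get("src"),
        "signature": fields.get("threat") or fields.get("msg")
        or f"{fields.get('action')} dport={fields.get('dport')}",
        "raw": line,
    }


def load_events(feeds):
    """Parse every non-empty line of every feed and return the events in time order."""
    events = [parse_line(src, ln) for src, text in feeds.items()
              for ln in text.splitlines() if ln.strip()]
    return sorted(events, key=lambda e: e["ts"])


def cluster_by_window(events, window):
    """Split a time-ordered event list into clusters whose span does not exceed `window`."""
    clusters, current = [], []
    for e in events:
        if current and e["ts"] - current[0]["ts"] > window:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return clusters


def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Raise one alert per IP cluster seen by at least `min_sources` distinct feeds.

    Each alert carries the raw records that produced it, so validation and the
    service-call attachment come from the alert itself rather than from the consoles.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for cluster in cluster_by_window(evs, window):
            sources = sorted({e["source"] for e in cluster})
            if len(sources) >= min_sources:
                alerts.append({
                    "ip": ip,
                    "first_seen": cluster[0]["ts"].isoformat(),
                    "last_seen": cluster[-1]["ts"].isoformat(),
                    "sources": sources,
                    "signatures": sorted({e["signature"] for e in cluster}),
                    "evidence": [e["raw"] for e in cluster],
                })
    return alerts


def ticket_body(alert):
    """Render an alert the way an analyst would paste it into a service call."""
    lines = [f"Correlated alert for {alert['ip']} ({alert['first_seen']} .. {alert['last_seen']})",
             "Sources: " + ", ".join(alert["sources"]),
             "Signatures: " + "; ".join(alert["signatures"]),
             "Evidence:"]
    lines += ["  " + raw for raw in alert["evidence"]]
    return "\n".join(lines)


FEEDS = {"av": AV_LOG, "ids": IDS_LOG, "firewall": FW_LOG}
ALERTS = correlate(load_events(FEEDS))

if __name__ == "__main__":
    for alert in ALERTS:
        print(ticket_body(alert))
        print()
```

With the constructed feeds, only 10.1.4.42 is reported by all three sources inside the window, so one alert is raised and it carries all five source lines; the lone IDS port-scan and the AV-only adware event do not reach the two-source threshold. The point is the shape of the alert, not the rule: if the engine forwards the evidence it correlated on, the console round-trip the post describes is a sign of the alert being underspecified rather than of a necessary workflow.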
Current thread:
- SOC common/best practice? k41zen Me (Jul 21)
- Re: SOC common/best practice? CP Constantine (Jul 22)