Our SOC understandably takes in feeds from AV, IDS and Firewalls to their log correlation engine.

Apparently when an alert is fed in to this correlation engine, the SOC analysts have to log in to the management consoles of the AV solution, the IDS solutions and the Firewall solutions to be able to:

        1) Validate the alert sent to their log correlation engine
        2) Obtain further information about the alert to attach to a service call for investigation

This seems odd to me but I'm not a SOC analyst and wanted to throw this out there to the people that would know.

So my questions are:

        1) Does this sound like common practice and/or best practice?
        2) Does it sound like little faith in the correlation engine or agents deployed to report into it?
        3) Not enough information about the alert being sent to the correlation engine?
        4) All of the above?
        5) None of the above?

Grateful for any insight.

k41zen


_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com