IBM Security QRadar

  • 1.  What evidence do you provide for "Review SIEM logs" to your auditors?

    Posted Mon December 02, 2019 12:08 PM
    We have a compliance requirement to show that we are reviewing SIEM logs. There is no guidance from the auditors specifically what they are looking for in regards to show that SIEM logs are being reviewed. If you have this requirement as well, what screenshots or other sort of evidence do you provide? Thanks!

    ------------------------------
    Amy Morgan
    ------------------------------


  • 2.  RE: What evidence do you provide for "Review SIEM logs" to your auditors?

    Posted Tue December 03, 2019 03:23 AM
    Usually the auditor will conduct interviews, observe the tools in use and the automated notifications, and review documents (policies, procedures, reports, ...) to establish whether regular reviews were practised.
    So it would be expected that the designated analysts get regular notifications about major events and a set of reports, and initiate follow-up on anything they deem potentially important. In QRadar you could also set up a daily report with information about all the high-magnitude offenses, or offenses of a particular type, to be sent via e-mail.
    I would expect to see that regular joint reviews by the team are performed to discuss and evaluate the noticed events, follow up on incident cases and lessons learned (if any were opened), any new trends in the types of events/incidents, discussion on the creation of new use cases based on the analysis, etc.

    ------------------------------
    Dusan VIDOVIC
    ------------------------------



  • 3.  RE: What evidence do you provide for "Review SIEM logs" to your auditors?

    Posted Tue December 03, 2019 09:02 AM
    Hi Amy,

    If the auditors did not specify their requirements, then you can list all the rules, all the log sources and all the log source types to tell them what logs are being monitored.
    1) First tell them the number of log sources you are receiving or collecting logs from.
    2) Then show the types of log sources you are collecting logs from, such as IDS/IPS, firewall, etc.
    3) Then tell them what you are monitoring in those logs, which means the rules.
    Example
    1) You have a rule to monitor disabled accounts or admin accounts in Windows, or root accounts in Unix.
    2) You have a rule for failed login attempts.
    3) You have a rule for malicious files found on different endpoints.


    You can provide details like this depending on your environment, and this is only if the auditors do not have any specific requirement.

    Otherwise, whatever they ask for, we have to provide that.



    Regards
    Asif Siddiqui



    ------------------------------
    asif siddiqui
    ------------------------------



  • 4.  RE: What evidence do you provide for "Review SIEM logs" to your auditors?

    Posted Tue December 03, 2019 09:44 AM
    We are also facing the same matter with auditors. What a coincidence!

    Given that my QRadar appliance was deployed in September, there was actually no specific procedure mandating us to review logs regularly. However, as per the audit principle, it is normally expected that such a task shall be performed in a periodic manner. As a workaround for this issue, I submitted screenshots of the offenses within the given time period as well as other screenshots giving an insight into these alerts (to show the contents of "add note", "follow up" and "reason for closing offense"). Besides, if you have any communication in writing with other teammates or stakeholders, you should show them that evidence (email, ...).

    ------------------------------
    Nam Tran Quoc
    ------------------------------



  • 5.  RE: What evidence do you provide for "Review SIEM logs" to your auditors?

    Posted Tue December 03, 2019 10:42 AM
    It seems at first blush that the answer to reviewing the logs is that the use cases (offenses) you have set up are the automated method that you use to review logs. I suppose if you manually search events and flows looking for items that constitute exceptions, then that would be the answer as well. I would suggest, however, that having offenses for audit exceptions would be the best answer, assuming of course you do have offenses for those occurrences.

    ------------------------------
    _____________________
    Daniel Sichel
    ------------------------------
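The replies above converge on the same evidence: the offenses QRadar raised in the audit window, and the traces analysts left on them (notes, the follow-up flag, assignment, a closing reason), plus how quickly those traces appeared. The script below is an added example, not code from this thread or from IBM, that turns offense records into that evidence pack instead of hand-collected screenshots. It assumes the documented QRadar REST endpoints /api/siem/offenses and /api/siem/offenses/{id}/notes and their field names (`start_time`, `close_time`, `closing_reason_id`, `follow_up`, `assigned_to`, `create_time`); the offense and note records, the closing-reason lookup, the usernames and the audit window are all constructed sample data, and `fetch_offenses` is the only part that touches a console and is not run here.

```python
"""Turn QRadar offense records into 'SIEM log review' audit evidence.

Added example, not code from the thread or from IBM. It assumes the
documented QRadar REST endpoints /api/siem/offenses and
/api/siem/offenses/{id}/notes and their field names; every record below
is constructed sample data, not output from a real console.
"""
import json
import ssl
import urllib.parse
import urllib.request
from datetime import datetime, timezone


def ms(y, mo, d, hh=0, mi=0):
    """QRadar stores offense timestamps as epoch milliseconds (UTC)."""
    return int(datetime(y, mo, d, hh, mi, tzinfo=timezone.utc).timestamp() * 1000)


# Constructed lookup in the shape of GET /api/siem/offense_closing_reasons.
CLOSING_REASONS = {1: "Non-Issue", 2: "False-Positive, Tuned", 3: "Policy Violation"}

# Constructed sample of GET /api/siem/offenses (subset of fields).
SAMPLE_OFFENSES = [
    {"id": 101, "magnitude": 8, "status": "CLOSED", "start_time": ms(2019, 11, 4, 9, 0),
     "close_time": ms(2019, 11, 4, 11, 30), "closing_reason_id": 2, "follow_up": False,
     "assigned_to": "amorgan"},
    {"id": 102, "magnitude": 4, "status": "OPEN", "start_time": ms(2019, 11, 12, 14, 0),
     "close_time": None, "closing_reason_id": None, "follow_up": True, "assigned_to": "ntran"},
    {"id": 103, "magnitude": 9, "status": "OPEN", "start_time": ms(2019, 11, 20, 3, 0),
     "close_time": None, "closing_reason_id": None, "follow_up": False, "assigned_to": None},
    {"id": 104, "magnitude": 3, "status": "CLOSED", "start_time": ms(2019, 11, 25, 8, 0),
     "close_time": ms(2019, 11, 25, 10, 0), "closing_reason_id": 1, "follow_up": False,
     "assigned_to": None},
    {"id": 105, "magnitude": 6, "status": "CLOSED", "start_time": ms(2019, 10, 15, 12, 0),
     "close_time": ms(2019, 10, 15, 13, 0), "closing_reason_id": 1, "follow_up": False,
     "assigned_to": None},  # started before the audit window, must be excluded
]

# Constructed sample of GET /api/siem/offenses/{id}/notes, keyed by offense id.
SAMPLE_NOTES = {
    101: [{"create_time": ms(2019, 11, 4, 9, 40), "username": "amorgan",
           "note_text": "Source is the authorised vulnerability scanner; tuning the rule."}],
    102: [{"create_time": ms(2019, 11, 12, 15, 10), "username": "ntran",
           "note_text": "Repeated failed logins on svc-backup; asked the owner to confirm."}],
}


def review_state(offense, notes):
    """Classify one offense by the analyst actions the SIEM recorded on it.

    Reviewed means a person left a trace QRadar itself stores: a note, the
    follow-up flag, an assignment, or a closing reason. Time to first action
    uses note and close timestamps only, because the offense record carries
    no timestamp for assignment or the follow-up flag.
    """
    actions = ["note"] if notes else []
    stamps = [n["create_time"] for n in notes]
    if offense.get("follow_up"):
        actions.append("follow_up")
    if offense.get("assigned_to"):
        actions.append("assigned")
    if offense.get("status") == "CLOSED" and offense.get("closing_reason_id") is not None:
        actions.append("closed:" + CLOSING_REASONS.get(offense["closing_reason_id"], "unknown"))
        stamps.append(offense["close_time"])
    first = (min(stamps) - offense["start_time"]) // 60000 if stamps else None  # minutes
    return {"id": offense["id"], "magnitude": offense["magnitude"],
            "reviewed": bool(actions), "actions": actions, "first_action_minutes": first}


def evidence_summary(offenses, notes_by_id, window_start_ms, window_end_ms, high_magnitude=7):
    """Summarise review activity for offenses that started inside the audit window."""
    rows = [review_state(o, notes_by_id.get(o["id"], [])) for o in offenses
            if window_start_ms <= o["start_time"] < window_end_ms]
    unreviewed = [r["id"] for r in rows if not r["reviewed"]]
    high = [r for r in rows if r["magnitude"] >= high_magnitude]
    waits = [r["first_action_minutes"] for r in rows if r["first_action_minutes"] is not None]
    return {"offenses_in_window": len(rows), "high_magnitude": len(high),
            "reviewed": len(rows) - len(unreviewed), "unreviewed_ids": unreviewed,
            "unreviewed_high_ids": [r["id"] for r in high if not r["reviewed"]],
            "slowest_first_action_minutes": max(waits) if waits else None, "rows": rows}


def fetch_offenses(console_host, sec_token, since_ms):
    """Pull the same records from a live console (not run here; no console offline).

    Uses the documented filter syntax on /api/siem/offenses and a SEC token
    header. TLS stays verified with the default context: add your console's
    CA to it rather than disabling verification for the audit export.
    """
    query = urllib.parse.urlencode({"filter": f"start_time>={since_ms}"})
    req = urllib.request.Request(f"https://{console_host}/api/siem/offenses?{query}",
                                 headers={"SEC": sec_token, "Accept": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(evidence_summary(SAMPLE_OFFENSES, SAMPLE_NOTES,
                                      ms(2019, 11, 1), ms(2019, 12, 1)), indent=2))
```

On the sample data the summary reports four offenses in November, two of them high magnitude, three reviewed, and one high-magnitude offense (103) with no analyst trace at all; the slowest first action was 120 minutes. Those are the numbers an auditor can tie to a documented review cadence, and the unreviewed list is the gap you would rather find yourself than have them find. Run the export from a read-only service account with its own authorised service token, keep the raw JSON alongside the summary, and pair it with the per-offense notes, since the notes are what show a human judgement rather than just a state change.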