It’s one thing to have lots of events pouring into your SIEM server, but what do you do when the data flashes by so fast you can’t read any of it? Well, you create filters, of course, if you don’t want to use the canned filters that come with your SIEM product or if the canned filters do not catch what you want to see.
The problem with creating your own filters is that you have to know exactly what events to look for. I always start with the canned filters, then watch what does come through and use those parameters to create my own. Unfortunately, this time there was no canned filter that worked, so I had to let the flood of “ANY ALERT” wash over me and pause the onslaught periodically to see what was coming in and whether it correlated to anything I was looking to filter out.
This was successful, but it took a while and a number of test filters until I figured out what I wanted in each filter. Now some people, probably around the previous paragraph, were mumbling about reading the instructions, but I have not found that you should do that until you get stuck. You’d be surprised what your own ingenuity will figure out when the instructions don’t lead the way. Besides, with a SIEM the instructions only discuss the how, not the what to monitor/filter/correlate.
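The triage loop described above (pause the flood, see which field values dominate, turn them into filter parameters, then test the filter) as an added Python example; it is not from the original post, and the alert lines, field names and thresholds are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of an "ANY ALERT" flood (key=value fields after a timestamp).
SAMPLE_ALERTS = """\
2024-05-01T10:00:01 src=10.0.0.5 dst=10.0.0.20 sig=SSH_BRUTE sev=high
2024-05-01T10:00:02 src=10.0.0.5 dst=10.0.0.20 sig=SSH_BRUTE sev=high
2024-05-01T10:00:02 src=10.0.0.7 dst=10.0.0.21 sig=PORT_SCAN sev=low
2024-05-01T10:00:03 src=10.0.0.5 dst=10.0.0.20 sig=SSH_BRUTE sev=high
2024-05-01T10:00:03 src=10.0.0.9 dst=10.0.0.22 sig=DNS_QUERY sev=info
2024-05-01T10:00:04 src=10.0.0.5 dst=10.0.0.20 sig=SSH_BRUTE sev=high
2024-05-01T10:00:04 src=10.0.0.7 dst=10.0.0.21 sig=PORT_SCAN sev=low
2024-05-01T10:00:05 src=10.0.0.5 dst=10.0.0.23 sig=SSH_BRUTE sev=high
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_alerts(text):
    """Turn raw alert lines into dicts so fields can be counted and matched."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(FIELD_RE.findall(line))
        fields["ts"] = line.split()[0]
        events.append(fields)
    return events

def top_values(events, field, n=3):
    """'Pause the onslaught': which values of one field dominate the flood?"""
    return Counter(e.get(field, "?") for e in events).most_common(n)

def build_filter(events, fields, min_share=0.6):
    """Keep a field as a filter parameter only if one value accounts for
    at least min_share of the sample; that is the 'use those parameters' step."""
    total = len(events)
    rule = {}
    for field in fields:
        value, count = top_values(events, field, 1)[0]
        if count / total >= min_share:
            rule[field] = value
    return rule

def matches(events, rule):
    """Events the filter would select (zoom in on what dominates)."""
    return [e for e in events if all(e.get(k) == v for k, v in rule.items())]

def suppress(events, rule):
    """What remains once the dominant pattern is filtered out (noise removal)."""
    return [e for e in events if not all(e.get(k) == v for k, v in rule.items())]

if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    rule = build_filter(evs, ["sig", "src", "dst"])
    print("derived filter:", rule, "| matched:", len(matches(evs, rule)))
```

Run it against a captured burst rather than the sample and the derived rule shows which parameters a test filter should carry before you commit it to the SIEM.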