We're going to be deploying Splunk as a SIEM shortly.
In past engagements, I've used HP ArcSight, and used their "Active Lists" extensively. These are small tables (from a handful to tens of thousands of entries) which can be used in real-time to help build correlation rules.
E.g., if an IPS scan signature trips, it will add to an "Attackers" active list. If another signature fires such as "brute force login", from somebody in the "Attackers" list, it would cause a high severity correlated event to fire. The list might have a 6 hour expiration so that entries drop off eventually.
Another example was an active list I produced which had the manufacturer MAC OUI database loaded. Any time a machine was plugged in which was not from a vendor we indicated was "acceptable", an alert would fire.
I'm a total n00b. I've installed and played with Splunk, but not done much else. Is there an equivalent in functionality for Splunk?
Thanks,
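The two Active List use cases in the post above, the timed "Attackers" list feeding a brute-force correlation and the OUI allow-list check, written out as a small stand-alone model. This is an added example, not code from the original post and not Splunk code; the event records, timestamps, MAC OUIs and vendor names are constructed, and the `ActiveList`, `correlate`, `normalize_oui` and `unapproved_devices` names are the example's own. It shows the semantics a Splunk equivalent would need to reproduce: entries inserted on a scan signature, dropped after the six-hour expiry, and consulted when a second signature fires.

```python
from datetime import datetime, timedelta

# Assumed expiry for the "Attackers" list, matching the six hours described in the post.
EXPIRY = timedelta(hours=6)

# Constructed sample IPS/auth events (not from the original post). Times are ISO 8601.
SAMPLE_EVENTS = [
    {"time": "2023-01-01T00:00:00", "sig": "port scan", "src_ip": "10.0.0.5"},
    {"time": "2023-01-01T01:30:00", "sig": "brute force login", "src_ip": "10.0.0.5"},  # 1.5 h after scan: alert
    {"time": "2023-01-01T02:00:00", "sig": "brute force login", "src_ip": "10.0.0.9"},  # never scanned: no alert
    {"time": "2023-01-01T07:00:00", "sig": "brute force login", "src_ip": "10.0.0.5"},  # 7 h after scan: entry expired
]


class ActiveList:
    """Keyed set of entries that drop off after a TTL, the behaviour of an ArcSight-style Active List."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.entries = {}  # key -> time of most recent insertion

    def add(self, key, when):
        # Re-adding an existing key refreshes its timestamp, so repeat scans keep the entry alive.
        self.entries[key] = when

    def contains(self, key, when):
        # Expire relative to the time of the event being evaluated, not wall-clock time,
        # so replaying historical events gives the same answer as live processing.
        self._expire(when)
        return key in self.entries

    def _expire(self, now):
        self.entries = {k: t for k, t in self.entries.items() if now - t < self.ttl}


def correlate(events, ttl=EXPIRY):
    """Return (time, src_ip) for brute-force logins from a source still on the Attackers list."""
    attackers = ActiveList(ttl)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if "scan" in ev["sig"]:
            attackers.add(ev["src_ip"], t)
        elif ev["sig"] == "brute force login" and attackers.contains(ev["src_ip"], t):
            alerts.append((ev["time"], ev["src_ip"]))
    return alerts


# Hypothetical OUI table (first three octets -> vendor) and the vendors we consider acceptable.
# Real deployments load the IEEE OUI registry here; these values are made up for the example.
OUI_VENDORS = {"001122": "AcmeNet", "AABBCC": "RogueCo"}
APPROVED_VENDORS = {"AcmeNet"}

# Constructed link-up events (not from the original post); MAC formats deliberately vary.
SAMPLE_LINK_EVENTS = [
    {"mac": "00:11:22:33:44:55"},  # approved vendor
    {"mac": "aa-bb-cc-00-00-01"},  # known but unapproved vendor
    {"mac": "de:ad:be:ef:00:01"},  # OUI not in the table at all
]


def normalize_oui(mac):
    """Strip separators and case so 'aa-bb-cc-..', 'AA:BB:CC:..' and 'aabbcc..' all match one key."""
    return mac.replace(":", "").replace("-", "").upper()[:6]


def unapproved_devices(link_events):
    """Return (mac, vendor) for every device whose vendor is unknown or not on the approved list."""
    hits = []
    for ev in link_events:
        vendor = OUI_VENDORS.get(normalize_oui(ev["mac"]), "unknown")
        if vendor not in APPROVED_VENDORS:
            hits.append((ev["mac"], vendor))
    return hits


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
    print(unapproved_devices(SAMPLE_LINK_EVENTS))
```

The expiry is evaluated against the event's own timestamp rather than `now()`, which matters when a search runs over a backlog: the 07:00 login above must not match a scan from 00:00 even though both events are "old" by the time the search runs. Unknown OUIs are treated as unapproved rather than ignored, so a MAC that is not in the table still raises an alert. In Splunk the list itself is normally kept as a lookup table (CSV or KV store) written with `outputlookup` and consulted with `lookup`, with the expiry applied by comparing the stored timestamp against the event time.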