SOC common/best practise?
From: k41zen Me <k41zen () me com>
Date: Wed, 21 Jul 2010 21:41:58 +0100
Our SOC understandably take in feeds from AV, IDS and Firewalls to their log correlation engine.
Apparently when an alert is fed in to this correlation engine, the SOC analysts have to log in to the
management consoles of the AV solution, the IDS solutions and the Firewall solutions to be able to:
1) Validate the alert sent to their log correlation engine
2) Obtain further information about the alert to attach to a service call for investigation
This seems odd to me but I'm not a SOC analyst and wanted to throw this out there to the people that
So my questions are:
1) Does this sound like common practise and/or best practise?
2) Does it sound like little faith in the correlation engine or agents deployed to report into it?
3) Not enough information about the alert being sent to the correlation engine?
4) All of the above?
5) None of the above?
Grateful for any insight.
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
Main Web Site: http://pauldotcom.com