Home page logo

pauldotcom logo PaulDotCom mailing list archives

SOC common/best practise?
From: k41zen Me <k41zen () me com>
Date: Wed, 21 Jul 2010 21:41:58 +0100

Our SOC understandably take in feeds from AV, IDS and Firewalls to their log correlation engine.

Apparently when an alert is fed in to this correlation engine, the SOC analysts have to log in to the 
management consoles of the AV solution, the IDS solutions and the Firewall solutions to be able to:

        1) Validate the alert sent to their log correlation engine
        2) Obtain further information about the alert to attach to a service call for investigation

This seems odd to me but I'm not a SOC analyst and wanted to throw this out there to the people that
would know.

So my questions are:

        1) Does this sound like common practise and/or best practise? 
        2) Does it sound like little faith in the correlation engine or agents deployed to report into it?
        3) Not enough information about the alert being sent to the correlation engine?
        4) All of the above?    
        5) None of the above?

Grateful for any insight.


Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]