Adding new data sources to a SIEM is a decision that comes with opportunity costs. Each new set of logs adds complexity, takes up disk space, puts extra load on the correlation engine, and consumes part of the “events per second” license pool. On the other hand, missing logs may mean that some malicious events go undetected. Well-scoped and balanced logging should always be the goal.
Many organizations do not ingest endpoint logs into their SIEM because of the concerns mentioned above; some settle for collecting server logs only. However, detecting today’s sophisticated attacks with network or server logs alone is not possible. Adding Sysmon, PowerShell, Security, or System event logs to the SIEM significantly improves the chance of detecting malicious events early in the cyber kill chain.
Endpoint logs come in a variety of categories, such as application logs, system logs, security logs, DNS logs, and PowerShell logs. The detail available in these categories is extensive, and not all of it is needed to write meaningful detection rules. Picus Detection Analytics helps achieve a precise endpoint log configuration so that SIEM resources are consumed only as much as required.
The easy-to-deploy, intelligence-driven and feature-rich Picus Security Control Validation Platform makes sure that SOC teams maintain a well-scoped, threat-aware log base that keeps pace with changes in the adversarial landscape and the technology infrastructure.