4 Comments
McParty

Ingesting logs into any SIEM without a use case is not cost effective; with platforms like Splunk, there are costs associated with data ingestion.

Read the docs about the logs you are looking to ingest.

You will find some are rubbish and offer no security value or enrichment.

Ryan G. Cox

Couldn't agree more. I think it's important to draw a distinction between visibility and value when evaluating a log source. There's no point in ingesting logs if there are no use cases for real-time monitoring.

Plus, there are also tools nowadays that allow you to stream logs into your SIEM for a given time frame in the case of an investigation.

Value >>>

Su W
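The visibility-versus-value triage described in the two comments above, as an added worked example that is not part of the original post or either commenter's own tooling: each log source is costed by daily volume, mapped to the detection use cases that actually consume it, and anything with no consumer is flagged as "visibility only" with its share of spend, so it can be moved to cheap cold storage and replayed into the SIEM on demand during an investigation. The source names, volumes, use-case map and per-GB price are all constructed for illustration and are not real vendor figures.

```python
from dataclasses import dataclass

# Hypothetical per-GB ingest price used only for illustration, not a real vendor rate.
PRICE_PER_GB_PER_DAY = 0.50


@dataclass
class LogSource:
    name: str
    gb_per_day: float


# Constructed daily ingest volumes per source type (illustrative only).
SOURCES = [
    LogSource("windows_security", 40.0),
    LogSource("firewall_allow", 120.0),
    LogSource("firewall_deny", 15.0),
    LogSource("dns_query", 60.0),
    LogSource("printer_spooler", 8.0),
    LogSource("idp_signin", 5.0),
]

# Constructed map of detection use case -> source types it depends on.
USE_CASES = {
    "brute_force_logon": ["windows_security", "idp_signin"],
    "dns_tunneling": ["dns_query"],
    "blocked_c2_beacon": ["firewall_deny"],
    "impossible_travel": ["idp_signin"],
}


def use_cases_by_source(use_cases):
    """Invert the use-case map so each source lists the detections that consume it."""
    index = {}
    for use_case, sources in use_cases.items():
        for source in sources:
            index.setdefault(source, []).append(use_case)
    return index


def triage(sources, use_cases, price_per_gb):
    """Cost every source and classify it as delivering value or visibility only.

    Returns rows sorted so the most expensive unconsumed sources come first,
    which is the order in which a SIEM owner would want to review them.
    """
    index = use_cases_by_source(use_cases)
    total_cost = sum(s.gb_per_day * price_per_gb for s in sources)
    rows = []
    for s in sources:
        cost = s.gb_per_day * price_per_gb
        consumers = sorted(index.get(s.name, []))
        has_value = bool(consumers)
        rows.append({
            "source": s.name,
            "gb_per_day": s.gb_per_day,
            "daily_cost": round(cost, 2),
            "cost_share": round(cost / total_cost, 3) if total_cost else 0.0,
            "use_cases": consumers,
            "verdict": "value" if has_value else "visibility_only",
            # Unconsumed sources go to cheap storage and are replayed on demand.
            "recommendation": "ingest" if has_value else "cold_store_replay_on_demand",
        })
    rows.sort(key=lambda r: (r["verdict"] != "visibility_only", -r["daily_cost"]))
    return rows


def visibility_only(rows):
    """Names of sources that are being paid for but feed no detection."""
    return [r["source"] for r in rows if r["verdict"] == "visibility_only"]


def wasted_share(rows):
    """Fraction of daily spend going to sources with no use case."""
    total = sum(r["daily_cost"] for r in rows)
    wasted = sum(r["daily_cost"] for r in rows if r["verdict"] == "visibility_only")
    return round(wasted / total, 3) if total else 0.0


if __name__ == "__main__":
    report = triage(SOURCES, USE_CASES, PRICE_PER_GB_PER_DAY)
    for row in report:
        print(f"{row['source']:<18} {row['gb_per_day']:>6.1f} GB/day "
              f"${row['daily_cost']:>6.2f} {row['verdict']:<16} "
              f"{row['recommendation']:<27} {','.join(row['use_cases']) or '-'}")
    print(f"spend on visibility-only sources: {wasted_share(report):.1%}")
```

Adding a detection that depends on a flagged source (for example, a lateral-movement rule over allowed firewall flows) flips its verdict to "value" on the next run, which is the check to make before cutting a feed: the question is whether a use case exists, not whether the source is noisy.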

Thanks for this article! 😇

Ryan G. Cox

Glad you enjoyed, Su!
