I currently have my firewall(s) set to send all of their logs to LEM which includes log data for pretty much all network traffic. I am curious if anybody has any good suggestions or pointers on rules that can be configured to help identify potential security concerns?
I am looking for more broad rules and less environment-specific rules that might be used. In security forums I have read lots of articles that say what great security insight you can get and how you can detect potential problems when using a SIEM such as LEM in conjunction with your firewall logs; however, they never actually suggest best practices on how one might achieve this.
I look forward to hearing thoughts on this, thanks in advance for sharing!
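As an added illustration of the kind of broad, environment-independent correlation rule the question is asking about (this is example code written for this page, not the original poster's setup and not LEM rule syntax): two classic rules over firewall deny logs, a port scan (one source denied on many distinct ports of one host within a short window) and a host sweep (one source denied on the same port across many hosts). The log lines, their simplified format, and the thresholds are all constructed assumptions for the example; a real deployment would map the same key/value/threshold/window idea onto the SIEM's own correlation rule builder and its normalized firewall fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines for this example (not from any real
# device and not LEM's own format). Hypothetical simplified layout:
#   <ISO timestamp> <ALLOW|DENY> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
SAMPLE_LOGS = """\
2024-03-01T10:00:00 ALLOW 192.0.2.50:40001 -> 192.0.2.10:443 TCP
2024-03-01T10:00:01 DENY 203.0.113.5:51001 -> 192.0.2.10:21 TCP
2024-03-01T10:00:02 DENY 203.0.113.5:51002 -> 192.0.2.10:22 TCP
2024-03-01T10:00:03 DENY 203.0.113.5:51003 -> 192.0.2.10:23 TCP
2024-03-01T10:00:04 DENY 203.0.113.5:51004 -> 192.0.2.10:25 TCP
2024-03-01T10:00:05 DENY 203.0.113.5:51005 -> 192.0.2.10:80 TCP
2024-03-01T10:00:06 DENY 203.0.113.5:51006 -> 192.0.2.10:110 TCP
2024-03-01T10:00:07 DENY 203.0.113.5:51007 -> 192.0.2.10:143 TCP
2024-03-01T10:00:08 DENY 203.0.113.5:51008 -> 192.0.2.10:443 TCP
2024-03-01T10:00:09 DENY 203.0.113.5:51009 -> 192.0.2.10:445 TCP
2024-03-01T10:00:10 DENY 203.0.113.5:51010 -> 192.0.2.10:3389 TCP
2024-03-01T10:03:00 DENY 203.0.113.9:4444 -> 192.0.2.10:23 TCP
2024-03-01T10:05:00 DENY 198.51.100.7:60001 -> 10.0.0.1:3389 TCP
2024-03-01T10:05:01 DENY 198.51.100.7:60002 -> 10.0.0.2:3389 TCP
2024-03-01T10:05:02 DENY 198.51.100.7:60003 -> 10.0.0.3:3389 TCP
2024-03-01T10:05:03 DENY 198.51.100.7:60004 -> 10.0.0.4:3389 TCP
2024-03-01T10:05:04 DENY 198.51.100.7:60005 -> 10.0.0.5:3389 TCP
2024-03-01T10:09:00 ALLOW 192.0.2.51:40002 -> 192.0.2.10:443 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    return {"ts": datetime.fromisoformat(f["ts"]), "action": f["action"],
            "src": f["src"], "dst": f["dst"], "dport": int(f["dport"]),
            "proto": f["proto"]}


def parse_logs(text):
    """Parse all lines, skip unparsable ones, and sort by timestamp."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def distinct_within_window(events, key_fn, value_fn, threshold, window):
    """Generic correlation rule: group events by key_fn, slide a time window over
    each group, and fire when the number of distinct value_fn values inside one
    window reaches threshold. Returns {key: distinct_count} for keys that fired."""
    groups = defaultdict(list)
    for e in events:  # events are time-sorted, so each group stays sorted too
        groups[key_fn(e)].append(e)
    hits = {}
    for key, evs in groups.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # drop events that have fallen out of the window
            distinct = {value_fn(x) for x in evs[start:end + 1]}
            if len(distinct) >= threshold:
                hits[key] = len(distinct)
                break
    return hits


def detect_port_scans(events, threshold=10, window_seconds=60):
    """Rule 1: one source denied on many distinct ports of one host in a short window."""
    denies = [e for e in events if e["action"] == "DENY"]
    return distinct_within_window(
        denies, key_fn=lambda e: (e["src"], e["dst"]), value_fn=lambda e: e["dport"],
        threshold=threshold, window=timedelta(seconds=window_seconds))


def detect_host_sweeps(events, threshold=5, window_seconds=60):
    """Rule 2: one source denied on the same port across many distinct hosts."""
    denies = [e for e in events if e["action"] == "DENY"]
    return distinct_within_window(
        denies, key_fn=lambda e: (e["src"], e["dport"]), value_fn=lambda e: e["dst"],
        threshold=threshold, window=timedelta(seconds=window_seconds))


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    for (src, dst), n in detect_port_scans(evs).items():
        print(f"port scan: {src} -> {dst}, {n} distinct ports denied")
    for (src, port), n in detect_host_sweeps(evs).items():
        print(f"host sweep: {src} -> port {port} on {n} distinct hosts denied")
```

Both rules are the same primitive (group key, distinct-value count, threshold, time window) with different fields plugged in, which is why they transfer between environments: only the thresholds and window need tuning, and the window matters as much as the threshold, since the same ten-port scan spread over a longer period drops below a tight window and has to be caught by a slower, lower-rate rule instead.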