Event Logging Interruption Alert Analysis and Action
Category: Analytics and SIEM, Case/Ticket Management
Cyware Products Used:
Orchestrate
Third-Party Integrations Used:
Elasticsearch SIEM: To retrieve event logging interruption alerts.
JIRA: To create and assign tickets to the IT team.
Problem Statement
Event logs record how the operating systems, applications, and devices in your organization are used and operated. Security teams and automated systems such as SIEMs rely on this data to manage security and performance and to troubleshoot IT issues, so IT teams must ensure that events across the environment are reliably captured and retained as part of a comprehensive security log management framework. Because logs arrive from many endpoints in different sources and formats, any interruption in the logging pipeline must be detected continuously: a host that silently stops sending logs creates a blind spot in which later activity goes unrecorded.
Solution
Any interruption in the event logging process should be reported to the IT team automatically so that it can be investigated and fixed as early as possible. The solution retrieves event logging interruption alerts from the security information and event management (SIEM) platform and creates tickets for the IT team to investigate and rectify the interruption.
How do we solve this problem?
The solution uses the SIEM: Event Logging Interruption Alert playbook to automatically retrieve alerts from the SIEM solution and create IT support tickets.
Retrieve Alerts from SIEM: The playbook starts by retrieving the latest event logging interruption alerts from the Elasticsearch SIEM console.
Create JIRA Ticket: The playbook creates a JIRA ticket with the details retrieved from the SIEM alert and assigns it to the IT team. If an associated JIRA ticket already exists, the playbook adds the new alert details to that ticket instead of opening a duplicate.
Update the Elasticsearch Alert: The playbook then updates the status of the Elasticsearch alert to Closed, adding a Created JIRA Ticket note together with the JIRA ticket ID. The ticket ID is attached before the alert is closed, so the alert itself records that it has already been forwarded for analyst investigation and action and the reference is not lost in the handoff.
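The three steps above, as an added example that is not part of the original page or of Cyware's playbook: plain Python with in-memory stand-ins for the SIEM alert API and for JIRA, so the whole flow runs offline. The rule name, the alert field names, the per-host label used to find an existing ticket, the IT-n ticket keys and the it-team assignee are all assumptions. It generalizes the second step slightly by keying deduplication on the affected host, so repeated alerts for one host land on one ticket.

```python
# Added example (not Cyware's playbook code): the three playbook steps
# implemented as plain Python against in-memory stand-ins for the SIEM and
# JIRA, so the flow runs offline. Field names in the sample alerts are
# assumptions, not the real Elastic SIEM signal schema.

RULE_NAME = "Event Logging Interruption"   # assumed SIEM rule name

# Constructed sample alerts: two for the same host (the second must not open
# a duplicate ticket), one from an unrelated rule, one already closed.
SAMPLE_ALERTS = [
    {"id": "a-1001", "rule": RULE_NAME, "host": "web-01", "status": "open",
     "notes": [], "message": "No events received from winlogbeat for 30 minutes"},
    {"id": "a-1002", "rule": RULE_NAME, "host": "web-01", "status": "open",
     "notes": [], "message": "No events received from winlogbeat for 60 minutes"},
    {"id": "a-1003", "rule": "Suspicious PowerShell", "host": "db-02",
     "status": "open", "notes": [], "message": "Encoded command line"},
    {"id": "a-1004", "rule": RULE_NAME, "host": "db-02", "status": "closed",
     "notes": ["Created JIRA Ticket: IT-7"], "message": "No events from filebeat"},
]


class FakeSiem:
    """Stand-in for the Elasticsearch SIEM alert API (query, note, close)."""

    def __init__(self, alerts):
        # Copy so the module-level sample data is never mutated.
        self.alerts = {a["id"]: {**a, "notes": list(a["notes"])} for a in alerts}

    def open_alerts(self, rule_name):
        # Step 1: only open alerts from the logging-interruption rule are fetched.
        return [a for a in self.alerts.values()
                if a["status"] == "open" and a["rule"] == rule_name]

    def close_alert(self, alert_id, note):
        alert = self.alerts[alert_id]
        alert["notes"].append(note)
        alert["status"] = "closed"


class FakeJira:
    """Stand-in for the JIRA issue API: search by label, create, comment."""

    def __init__(self):
        self.issues = {}
        self._counter = 0

    def find_open_by_label(self, label):
        for key, issue in self.issues.items():
            if label in issue["labels"] and issue["status"] != "Done":
                return key
        return None

    def create_issue(self, summary, description, assignee, labels):
        self._counter += 1
        key = f"IT-{self._counter}"          # assumed project key
        self.issues[key] = {"summary": summary, "description": description,
                            "assignee": assignee, "labels": list(labels),
                            "status": "To Do", "comments": []}
        return key

    def add_comment(self, key, text):
        self.issues[key]["comments"].append(text)


def dedup_label(alert):
    # One ticket per affected host: this label is what the playbook searches
    # for to decide between "create" and "update" (assumed convention).
    return f"siem-logging-interruption-{alert['host']}"


def run_playbook(siem, jira, assignee="it-team"):
    """Returns {alert_id: (action, ticket_key)} for every alert processed."""
    results = {}
    for alert in siem.open_alerts(RULE_NAME):
        label = dedup_label(alert)
        key = jira.find_open_by_label(label)
        if key is None:
            # Step 2a: no ticket yet for this host, so create and assign one.
            key = jira.create_issue(
                summary=f"Event logging interruption on {alert['host']}",
                description=f"SIEM alert {alert['id']}: {alert['message']}",
                assignee=assignee, labels=[label])
            action = "created"
        else:
            # Step 2b: a ticket exists, so append the new alert to it instead.
            jira.add_comment(key, f"SIEM alert {alert['id']}: {alert['message']}")
            action = "updated"
        # Step 3: record the ticket ID on the alert, then close it. The note is
        # written before the status change so the reference survives the handoff.
        siem.close_alert(alert["id"], f"Created JIRA Ticket: {key}")
        results[alert["id"]] = (action, key)
    return results


if __name__ == "__main__":
    siem, jira = FakeSiem(SAMPLE_ALERTS), FakeJira()
    for alert_id, (action, key) in run_playbook(siem, jira).items():
        print(f"{alert_id}: {action} {key}")
```

Against real systems the two stand-ins would be replaced by the Elasticsearch and JIRA REST clients; the logic that matters is the lookup for an existing ticket before creating one, which is what stops a host whose log shipper keeps flapping from flooding the IT queue with one ticket per alert.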
Optional Configuration
Analysts can also configure messaging tools such as Slack, or email, to receive channel notifications about event logging interruption alerts.
Benefits
Respond Quickly and Accurately
The solution collates all the relevant information about an interruption in one place for easier and faster access and helps users prioritize the incidents, so security and IT teams can assess and respond faster to this and similar incidents.