SANS - SortingThruNoise.pdf

Strategies for reducing log noise and prioritizing alerts.

This page contains AI generated content. Errors or omissions may be present. Use human level critical thinking.
  • Q: What is the 'Signal-to-Noise' problem in log management?
    A: The challenge of finding the few meaningful security events amidst millions of benign operational logs.
  • Q: How does 'Baselining' help reduce noise?
    A: By understanding what 'normal' looks like, the SOC can filter out standard traffic and only alert on deviations.
  • Q: What is the operational benefit of 'Centralized Logging' beyond security?
    A: It aids in troubleshooting and operational analytics, making the SIEM valuable to IT operations and increasing their buy-in.
  • Q: How does 'Event Correlation' transform raw logs?
    A: It combines multiple low-fidelity events (e.g., login fail + huge data transfer) into a single high-fidelity alert.
  • Q: What is the role of 'Automation' in handling log volume?
    A: It is the only scalable way to parse and filter the massive influx of data; manual review is mathematically impossible.
  • Q: Why is 'Log Enrichment' (e.g., GeoIP, User Context) essential?
    A: Raw logs often lack context; enrichment adds the 'who, what, where' that allows an analyst to make a quick decision.
  • Q: What is the strategy for handling 'Unknown Events'?
    A: They should be investigated to determine if they are malicious or benign, and then added to the known baseline or alert logic.
  • Q: How does 'Historical Analysis' differ from Real-time Alerting?
    A: Historical analysis looks back at stored logs to find long-term patterns (low and slow attacks) that don't trigger real-time thresholds.
  • Q: What is the 'Compliance' driver mentioned for logging?
    A: Regulations like PCI and SOX often mandate log retention and review, providing the budget justification for the system.
  • Q: How does the document suggest 'Prioritizing' alerts?
    A: By mapping them to business risk and asset criticality, ensuring the most dangerous threats to the most important assets are seen first.
