Hello everyone!
I'm looking for assistance with fine-tuning Enterprise Security.
I've been working hard on configuring ES to start generating notable events.
We're getting lots of events! Almost 73k Access Notables, 66 Endpoint Notables, 2.4k Network Notables, 0 Identity Notables, 11 Audit Notables, and 3.8k Threat Notables.
What does a typical fine-tuning entail? Finding out what is a false-positive and modifying the correlation searches to ignore certain criteria? What else could I be missing?
Yes. In short -
#1 - Finding out what is a false positive and modifying the correlation searches to ignore certain criteria, which you mentioned.
#2 - Under "Content Management", review the prebuilt searches that come with ES by default. In our environment, we disabled all the default ones because they generate a lot of noise. Perform a detailed review of which ones you want to keep and disable the rest.
#3 - Under each correlation search, you can choose which "Adaptive Response" to trigger, such as generate a notable, send an email, etc. Check which ones don't need a notable to be triggered.
#4 - Customize the throttle settings under those searches which are generating a lot of repetitive alerts; also adjust the schedule of the correlation searches, if possible, to run less frequently (depending on the use case).
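Here is an added example, not from the original answer, showing what those four steps look like in a local savedsearches.conf: a hypothetical noisy rule as it might ship, the same rule tuned, and a prebuilt rule disabled. The stanza names, the SPL, the notable_allowlist.csv lookup and the schedule values are all assumed; the key names are standard savedsearches.conf / ES keys.

```ini
# Constructed example (not from the original post). Key names are standard
# savedsearches.conf / ES keys; stanza names, SPL and values are assumed.

# Before: a hypothetical noisy rule, every 5 minutes, notable plus email on
# every match, no throttling, no allowlist.
[Access - Excessive Failed Logins (noisy) - Rule]
disabled = 0
cron_schedule = */5 * * * *
dispatch.earliest_time = -65m@m
dispatch.latest_time = -5m@m
search = | tstats summariesonly=true count from datamodel=Authentication where Authentication.action="failure" by Authentication.src, Authentication.user | rename Authentication.* as * | where count > 20
action.notable = 1
action.email = 1

# After: the same rule tuned per steps 1, 3 and 4.
[Access - Excessive Failed Logins (tuned) - Rule]
disabled = 0
# Step 4: run every 6 hours over a matching window instead of every 5 minutes.
cron_schedule = 0 */6 * * *
dispatch.earliest_time = -6h@h
dispatch.latest_time = now
# Step 1: drop sources already reviewed as false positives (assumed lookup
# with a single "src" column, e.g. vulnerability scanners and load balancers).
search = | tstats summariesonly=true count from datamodel=Authentication where Authentication.action="failure" by Authentication.src, Authentication.user | rename Authentication.* as * | where count > 20 | search NOT [| inputlookup notable_allowlist.csv | fields src]
# Step 4: throttle - at most one notable per src/user pair per 24 hours.
alert.suppress = 1
alert.suppress.fields = src,user
alert.suppress.period = 24h
# Step 3: keep the notable as the only adaptive response; no email.
action.notable = 1
action.notable.param.severity = medium
action.notable.param.security_domain = access
action.email = 0

# Step 2: a prebuilt rule reviewed and found too noisy for this environment
# is left in place but disabled rather than deleted.
[Access - Some Prebuilt Rule Reviewed As Noisy - Rule]
disabled = 1
```

The same settings can be changed through Content Management in the ES UI instead of editing the conf file; either way, compare the Incident Review counts before and after a day or two to confirm the tuning had the intended effect.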
Thank you! That was exactly what I was looking for.