
Using a SIEM for Analysis

(@scucci)
New Member
Joined: 15 years ago
Posts: 1
Topic starter  

Has anyone used a SIEM for forensic analysis? I'd like to start leveraging our SIEM product for reviewing log data. It also has the capability to correlate log data to alert on incidents.

Any thoughts/advice would be greatly appreciated.

(@dave-hull)
Active Member
Joined: 17 years ago
Posts: 15
 

I work in an environment where a SIEM is used as part of forensic analysis on a regular basis, depending on the needs of the case, of course.

There are an endless number of ways SIEMs can be configured and used. Obviously the nature of the data your SIEM collects will dictate how useful it is to your forensic investigations.

For example, if you configure your SIEM to collect authentication events, both failures and successes, and you're investigating potential access violations, being able to pull those authentication events from the SIEM for the time in question is going to be beneficial. Depending on your environment and configuration, you may be able to correlate these authentication attempts with card key swipes, MAC addresses and closed-circuit TV recordings to nail down exactly who was sitting at what system making the authentication attempts.

The uses are pretty endless. SIEMs are an amazing tool; they do require quite a bit of upfront work and ongoing maintenance, but in my experience, it's well worth the effort for big enterprises.

If you have more specific questions, let me know.

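The correlation described in the reply above, worked through as an added example (this is not code from the thread, from either poster, or from any SIEM product): pull the authentication events for a time window, flag successes that follow a burst of failures, and check each event against the badge-reader records for the door that controls the workstation's location. All field names, the sample auth events, the badge swipes and the host-to-door mapping are constructed assumptions standing in for what a normalised SIEM export and a physical access system export might contain. MAC-address and CCTV correlation would be the same join on a different source and is not shown.

```python
from datetime import datetime, timedelta

# Constructed sample data: a normalised SIEM export of authentication
# events. Field names are an assumption for this example.
AUTH_EVENTS = [
    {"ts": "2024-03-04T08:58:10", "user": "jdoe",   "host": "ws-017", "outcome": "failure"},
    {"ts": "2024-03-04T08:58:25", "user": "jdoe",   "host": "ws-017", "outcome": "failure"},
    {"ts": "2024-03-04T08:58:40", "user": "jdoe",   "host": "ws-017", "outcome": "success"},
    {"ts": "2024-03-04T11:15:02", "user": "asmith", "host": "ws-042", "outcome": "success"},
    {"ts": "2024-03-04T23:41:33", "user": "jdoe",   "host": "ws-042", "outcome": "success"},
]

# Constructed badge reader records (physical access system export).
BADGE_SWIPES = [
    {"ts": "2024-03-04T08:55:01", "badge_owner": "jdoe",   "door": "floor2-east"},
    {"ts": "2024-03-04T11:10:44", "badge_owner": "asmith", "door": "floor2-east"},
]

# Constructed mapping: which door a person must badge through to reach each host.
HOST_DOOR = {"ws-017": "floor2-east", "ws-042": "floor2-east"}


def parse_ts(s):
    """ISO-8601 timestamp string -> datetime (all sample data shares one timezone)."""
    return datetime.fromisoformat(s)


def pull_auth_events(events, start, end, user=None):
    """Select authentication events inside [start, end], optionally for one account."""
    out = []
    for e in events:
        ts = parse_ts(e["ts"])
        if start <= ts <= end and (user is None or e["user"] == user):
            out.append(e)
    return out


def failed_then_success(events, window=timedelta(minutes=5), min_failures=2):
    """Return successes preceded by at least min_failures failures for the same
    user/host pair inside `window`; a classic guessing-then-success pattern."""
    flagged = []
    for e in events:
        if e["outcome"] != "success":
            continue
        t = parse_ts(e["ts"])
        prior_failures = [
            f for f in events
            if f["outcome"] == "failure"
            and f["user"] == e["user"] and f["host"] == e["host"]
            and t - window <= parse_ts(f["ts"]) < t
        ]
        if len(prior_failures) >= min_failures:
            flagged.append(e)
    return flagged


def nearest_badge_swipe(event, swipes, door, max_age=timedelta(hours=2)):
    """Most recent swipe by the account owner at `door` before the event,
    no older than max_age; None if nothing corroborates physical presence."""
    t = parse_ts(event["ts"])
    candidates = [
        s for s in swipes
        if s["badge_owner"] == event["user"] and s["door"] == door
        and timedelta(0) <= t - parse_ts(s["ts"]) <= max_age
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda s: parse_ts(s["ts"]))


def attribute(events, swipes):
    """Annotate each auth event with whether badge data places the account
    owner near the host; uncorroborated successes deserve a closer look."""
    results = []
    for e in events:
        door = HOST_DOOR.get(e["host"])
        swipe = nearest_badge_swipe(e, swipes, door) if door else None
        results.append({**e,
                        "corroborated": swipe is not None,
                        "swipe_ts": swipe["ts"] if swipe else None})
    return results


if __name__ == "__main__":
    day = (parse_ts("2024-03-04T00:00:00"), parse_ts("2024-03-05T00:00:00"))
    for r in attribute(pull_auth_events(AUTH_EVENTS, *day), BADGE_SWIPES):
        print(r)
    for e in failed_then_success(AUTH_EVENTS):
        print("failures then success:", e)
```

In the sample data, the 23:41 success for jdoe on ws-042 has no badge swipe within two hours, so it comes back uncorroborated, which is exactly the kind of event the reply suggests pulling from the SIEM and then chasing through the other sources. The tolerance, the door mapping and the failure threshold are the knobs that differ per environment.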