Daily Operations

Practical Usage Examples

Daily Security Monitoring Workflow

Step 1: Start with Overview Dashboard

  1. Navigate to SIEM → Overview

  2. Check the “Total Alerts” chart for unusual spikes

  3. Review “Top 5 Alerts” for immediate priorities

  4. Use the slider to filter by severity if needed

Step 2: Investigate High-Priority Areas

  1. If you see Windows issues, click the Windows dashboard

  2. If you see vulnerability spikes, click the Vulnerabilities dashboard

  3. If you see audit violations, click the Audit dashboard

Step 3: Create Alerts for New Threats

  1. Go to Alerts → Create Alert Rule

  2. Give the rule a descriptive name

  3. Choose the appropriate rule type (for example, Frequency for repeated events)

  4. Set the index pattern for your data

  5. Define the rule logic

  6. Set the alert method (email, etc.)

Incident Investigation Workflow

Step 1: Identify the Incident

  1. Review alerts in the Alert Status tab

  2. Check the Overview dashboard for anomalies

  3. Use the time controls to focus on the incident timeframe

Step 2: Gather Context

  1. Switch to the relevant dashboard (Windows/Linux/Audit)

  2. Use filters to focus on the affected systems

  3. Review related events in the same time window

Step 3: Analyze Impact

  1. Check Vulnerabilities dashboard for related exposures

  2. Review Audit dashboard for user activities

  3. Use MITRE dashboard for attack technique mapping

Compliance Monitoring Workflow

Step 1: Select Compliance Framework

  1. From the main SIEM dashboard, click the relevant compliance card:

  • PCI DSS for payment processing

  • HIPAA for healthcare data

  • GDPR for EU personal data

  • NIST 800-53 for government standards

Step 2: Review Compliance Status

  1. Each compliance dashboard shows current status

  2. Review any violations or gaps

  3. Export reports for documentation

Step 3: Address Issues

  1. Create alerts for compliance violations

  2. Set up regular monitoring workflows

  3. Document remediation activities

Understanding Alert Severity and Risk

Risk Categories and Scores

  • Critical: 100 points - Immediate action required

  • Production: 90 points - Production system issues

  • VIP HOST: 80 points - High-value target issues

  • DB Server: 80 points - Database security issues

  • High: 75 points - Significant security concern

  • Medium: 50 points - Moderate security issue

  • Team A/B: 50 points - Team-specific alerts

  • Low: 25 points - Minor security event

Rule Levels Explained

  • Levels 1-3: Informational events

  • Levels 4-7: Low to medium priority

  • Levels 8-11: High priority - investigate promptly

  • Levels 12-15: Critical priority - immediate response required

Alert Volume Management

  • Use the slider on Overview dashboard to filter noise

  • Focus on levels 10+ for daily monitoring

  • Review levels 7-9 weekly for trends

  • Archive levels 1-6 for compliance only
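The three tables above (risk category points, rule-level bands and the daily/weekly/archive cadence) can be applied mechanically to a batch of alerts to build a morning worklist. The following is an added example, not code from this product: it parses constructed, loosely Wazuh-shaped JSON alert lines, maps each to its band and review cadence exactly as the tables state, and scores it by risk category. The "tags" field carrying the risk category, and taking the highest applicable category as the score, are assumptions (the page does not say how categories combine).

```python
import json
from collections import Counter
# Rule-level bands and review cadence are taken from this page's tables.
LEVEL_BANDS = ((12, "critical"), (8, "high"), (4, "low-medium"), (1, "informational"))
RISK_POINTS = {"critical": 100, "production": 90, "vip host": 80, "db server": 80,
               "high": 75, "medium": 50, "team a": 50, "team b": 50, "low": 25}

# Constructed sample alerts, loosely Wazuh-shaped; the "tags" field carrying the
# risk category is an assumption, not a documented field.
SAMPLE_ALERTS = """
{"rule": {"level": 12, "description": "Multiple authentication failures"}, "agent": {"name": "db01"}, "tags": ["DB Server", "Production"]}
{"rule": {"level": 10, "description": "Service stopped"}, "agent": {"name": "web02"}, "tags": ["Production"]}
{"rule": {"level": 8, "description": "New user added"}, "agent": {"name": "ws-ceo"}, "tags": ["VIP HOST"]}
{"rule": {"level": 7, "description": "Sudo to root"}, "agent": {"name": "dev03"}, "tags": ["Team A"]}
{"rule": {"level": 3, "description": "Login session opened"}, "agent": {"name": "dev03"}, "tags": []}
{"rule": {"level": 5, "description": "Integrity checksum changed"}, "agent": {"name": "web02"}, "tags": ["Low"]}
"""

def level_band(level):
    """Map a rule level (1-15) to the band used in the Rule Levels table."""
    if not 1 <= level <= 15:
        raise ValueError(f"rule level out of range: {level}")
    return next(band for floor, band in LEVEL_BANDS if level >= floor)

def review_cadence(level):
    """Alert Volume Management: 10+ daily, 7-9 weekly, 1-6 archived."""
    if level >= 10:
        return "daily"
    return "weekly" if level >= 7 else "archive"

def risk_score(tags):
    """Assumption: the highest applicable category wins (the page does not say how they combine)."""
    return max((RISK_POINTS[t.lower()] for t in tags if t.lower() in RISK_POINTS), default=0)

def triage(raw_lines):
    """Parse JSON alert lines; return (worklist sorted by score then level, counts per cadence)."""
    work = []
    for line in raw_lines.strip().splitlines():
        a = json.loads(line)
        level = a["rule"]["level"]
        work.append({"host": a["agent"]["name"], "level": level, "band": level_band(level),
                     "cadence": review_cadence(level), "score": risk_score(a.get("tags", [])),
                     "description": a["rule"]["description"]})
    work.sort(key=lambda w: (-w["score"], -w["level"]))
    return work, Counter(w["cadence"] for w in work)

if __name__ == "__main__":
    for w in triage(SAMPLE_ALERTS)[0]:
        print(f'{w["score"]:3} L{w["level"]:<2} {w["cadence"]:7} {w["host"]:7} {w["description"]}')
```

Running it prints the six sample alerts highest-scored first, with the two level 10+ alerts in the daily bucket, the level 7 and 8 alerts in the weekly bucket, and the rest archived.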