SIEM rules advice

I am working on a team that is trying to use Elastic as a SOC. We have all of the prebuilt SIEM rules within Elastic, and someone enabled 80 of them at some point. Now we are going back through them to decide if we have "the best" set of rules enabled for our environment. We started by going through criticality and enabling based on that, but we are a little oversaturated. We are also noticing that some of the rules seem to achieve the same or similar things.

I am wondering if there is any SUGGESTED plan to follow when enabling these. I know it is difficult, as Elastic probably doesn't want to incur any liability when it comes to suggesting which rules to enable. That being said, I don't know if anyone on here has had any success following a certain protocol when enabling the rules.

It has also become clear to us that running more than 100 rules seems to be an issue, as we start seeing resource-related issues once we get over that number. So, we are trying to identify the best protocol for enabling the right rules.

I realize this is super open-ended which is an issue, but any thoughts are really appreciated.

I have used a lot of different SIEM and "alert" solutions in general, and prebuilt rules are good. But my opinion on best practice is to create an Excel list; that is your requirements.
Then try to satisfy these requirements with prebuilt rules. This way you can find which rules fit your requirements and which do not.
If you need a base list, there are lots of example rule requirements on the internet.

For example:
Requirement 1 - any admin, root, or administrator account logon failed
Requirement 2 - Linux shadow file changed
Requirement 3 - someone logged in using the local network, but this person is on vacation
etc.
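The requirements-list approach above, and the original poster's two follow-on problems (rules that duplicate each other, and gaps when the enabled set is trimmed), can be checked mechanically against an exported rule set. The following is an added example, not code from the thread or from Elastic: it reads rules in the shape of an Elastic detection-rule ndjson export (the field names `rule_id`, `name`, `enabled` and the `threat[].technique[].id` ATT&CK tagging are assumed from that format; the four rules and the requirement-to-technique mapping are constructed for the example) and reports which requirements are covered by enabled rules, which are not, and which enabled rules carry identical technique tags and so are candidates for consolidation.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of an Elastic rule export (one JSON object per
# line). Rules are invented for this example; the trailing summary object
# mimics the one the export appends and is skipped because it has no rule_id.
SAMPLE_EXPORT = """\
{"rule_id": "r-1", "name": "Privileged Account Logon Failure", "enabled": true, "severity": "medium", "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access"}, "technique": [{"id": "T1110", "name": "Brute Force"}]}]}
{"rule_id": "r-2", "name": "Multiple Failed Logons for Admin Users", "enabled": true, "severity": "high", "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access"}, "technique": [{"id": "T1110", "name": "Brute Force"}]}]}
{"rule_id": "r-3", "name": "Modification of /etc/shadow", "enabled": false, "severity": "high", "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence"}, "technique": [{"id": "T1098", "name": "Account Manipulation"}]}]}
{"rule_id": "r-4", "name": "Unusual Hour Logon", "enabled": true, "severity": "low", "threat": []}
{"exported_count": 4, "missing_rules": []}
"""

# The three requirements from the reply, each mapped to the ATT&CK technique
# ids a covering rule is expected to carry. The mapping is our own assumption;
# a real list would be maintained by the SOC alongside its spreadsheet.
REQUIREMENTS = {
    "R1 privileged account logon failed": {"T1110"},
    "R2 linux shadow file changed": {"T1098"},
    "R3 logon while user is on leave": {"T1078"},
}


def load_rules(ndjson_text):
    """Parse one rule per line; blank lines and objects without rule_id are ignored."""
    rules = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if "rule_id" in obj:
            rules.append(obj)
    return rules


def techniques_of(rule):
    """Collect every ATT&CK technique and sub-technique id tagged on a rule."""
    ids = set()
    for threat in rule.get("threat", []):
        for tech in threat.get("technique", []):
            ids.add(tech["id"])
            for sub in tech.get("subtechnique", []):
                ids.add(sub["id"])
    return ids


def coverage(rules, requirements):
    """Map each requirement to the ids of enabled rules whose tags intersect it."""
    return {
        req: sorted(r["rule_id"] for r in rules
                    if r.get("enabled") and techniques_of(r) & wanted)
        for req, wanted in requirements.items()
    }


def gaps(rules, requirements):
    """Requirements that no enabled rule covers."""
    return sorted(req for req, hits in coverage(rules, requirements).items() if not hits)


def overlaps(rules):
    """Enabled rules grouped by identical technique set; groups of two or more
    are the 'same or similar thing' candidates to review before disabling any."""
    groups = defaultdict(list)
    for r in rules:
        techs = techniques_of(r)
        if r.get("enabled") and techs:
            groups[tuple(sorted(techs))].append(r["rule_id"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def untagged(rules):
    """Enabled rules with no ATT&CK mapping; they cannot be placed on the matrix
    and need a manual decision."""
    return sorted(r["rule_id"] for r in rules
                  if r.get("enabled") and not techniques_of(r))


if __name__ == "__main__":
    rules = load_rules(SAMPLE_EXPORT)
    for req, hits in coverage(rules, REQUIREMENTS).items():
        print(f"{req}: {hits if hits else 'NOT COVERED'}")
    print("overlapping enabled rules:", overlaps(rules))
    print("enabled rules without ATT&CK tags:", untagged(rules))
```

On the constructed sample this reports R1 covered twice (r-1 and r-2 share the T1110 tag, so one of them is a consolidation candidate), R2 uncovered because the only matching rule is disabled, R3 uncovered because nothing is tagged T1078, and r-4 as an enabled rule with no mapping. Sharing a technique tag is a prompt to compare the two rules' queries, not proof that they are redundant, since two rules under one technique can watch different data sources.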

IMHO, if you have issues running 100 SIEM rules, then you should have a good look at your stack and find what's your bottleneck. I'm running 800 SIEM rules without a problem.

That is the suggested number we got from Elastic. Though we did see an increase in performance when we added two more Kibana servers and reduced the number of rules in the environment. 800 rules seems intense. We don't have enough people to maintain the upkeep of 800 rules.

Thanks for the suggestion. We are using the MITRE matrix as a framework and enabling rules based on our environment. Your suggestion got the ball rolling.
