I must say I really like this Blogspot thing: nifty add-ons for the blog. I found a polling one and intend to run a poll each month, then post the results and impressions in a summary post.
This month's poll is about OSSIM improvements: where do you think the most improvement is required?
Thanks for any feedback on this; if you select "Other", please comment on this post to say what you meant.
2 comments:
Expand policy filters so you can create policies that inspect the data portion of events. A good example is OSSEC, which generates a lot of false positives. You can't filter them out because a policy can only see down to the PID level, and the information needed to exclude selected events is in the data portion.
Policy filters on src port. And I agree with urapain about policy filters for the data portion of events.