
Event Management - Alerts from Darksense

Sue-Ann Riman
Tera Contributor

We are wondering if we can use event management for this instead of incidents. The current process is listed below, and at the bottom you can see which system the logs are being sent from.


  • Logs are sent from assets (servers, firewalls and SaaS applications) to a Security Incident and Event System (SIEM), which correlates the logs and identifies patterns and anomalies. The SIEM then sends alerts to the SOC.
  • The SIEM is managed/monitored by our third-party vendor (SOC), who analyze the output and validate any true positives.
  • Suspected true positives are then sent to us via ServiceNow, which creates incidents for alerting/validation/remediation.


  • Telus uses LogRhythm as their SIEM while Arancia uses Darksense as theirs.

SD_Chandan
Kilo Sage

Hi @Sue-Ann Riman 

Yes, this is a good use case for Event Management. Darktrace alerts can come into ServiceNow as events, be correlated and deduplicated, and only create incidents when a true, actionable issue is confirmed.
This fits well when a SIEM/SOC is already validating alerts—Event Management reduces noise, keeps raw alerts out of Incident Management, and ensures incidents are created only when remediation is actually needed.

Thank you
Chandan
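The flow described in the reply above (SOC-validated alerts arrive as events, get deduplicated, and only then become candidates for incidents), as an added example that is not part of the original thread and not ServiceNow's or the SOC vendor's code. The SOC alert format, host names, rule names and the priority-to-severity mapping are constructed for illustration; the event fields (`source`, `node`, `type`, `resource`, `severity`, `message_key`, `description`, `additional_info`, `time_of_event`) are those of the Event Management inbound JSON API at `/api/global/em/jsonv2`, where severity is 0=Clear, 1=Critical, 2=Major, 3=Minor, 4=Warning, 5=Info. The instance name and credentials in the send function are placeholders.

```python
"""Map SOC-validated SIEM alerts to ServiceNow Event Management events.

Added example (not from the original post or from ServiceNow). The alert
format below is constructed; the ServiceNow event field names follow the
Event Management inbound JSON API (/api/global/em/jsonv2).
"""
import base64
import json
import urllib.request

# Constructed sample of what a SOC might forward after triage. Two records
# describe the same issue on the same host, and one was ruled a false positive.
SAMPLE_ALERTS = [
    {"id": "A-1001", "siem": "Darksense", "host": "fw-edge-01",
     "rule": "Outbound C2 beacon", "priority": "high",
     "verdict": "true_positive", "ts": "2024-05-01 10:15:00"},
    {"id": "A-1002", "siem": "Darksense", "host": "fw-edge-01",
     "rule": "Outbound C2 beacon", "priority": "high",
     "verdict": "true_positive", "ts": "2024-05-01 10:16:00"},
    {"id": "A-1003", "siem": "LogRhythm", "host": "app-web-07",
     "rule": "Brute force login", "priority": "medium",
     "verdict": "false_positive", "ts": "2024-05-01 10:20:00"},
    {"id": "A-1004", "siem": "LogRhythm", "host": "app-web-07",
     "rule": "Brute force login", "priority": "low",
     "verdict": "true_positive", "ts": "2024-05-01 10:25:00"},
]

# Assumed mapping from the SOC's priority labels to Event Management severity
# (1=Critical, 2=Major, 3=Minor, 4=Warning, 5=Info). Unknown labels -> Warning.
SEVERITY = {"critical": 1, "high": 2, "medium": 3, "low": 4, "info": 5}


def to_event(alert):
    """Build one Event Management record from a SOC alert.

    message_key is the deduplication key: repeats of the same rule on the same
    host from the same SIEM collapse into one ServiceNow alert rather than
    producing one incident each.
    """
    return {
        "source": alert["siem"],
        "node": alert["host"],
        "type": alert["rule"],
        "resource": alert["host"],
        "severity": str(SEVERITY.get(alert["priority"].lower(), 4)),
        "message_key": f'{alert["siem"]}:{alert["host"]}:{alert["rule"]}',
        "description": f'{alert["rule"]} on {alert["host"]} (SOC alert {alert["id"]})',
        "time_of_event": alert["ts"],
        # additional_info must be a JSON string, not a nested object.
        "additional_info": json.dumps({"soc_alert_id": alert["id"],
                                       "verdict": alert["verdict"]}),
    }


def build_batch(alerts):
    """Forward only SOC-confirmed true positives, one record per message_key.

    Event Management deduplicates on message_key server-side as well, but
    collapsing locally keeps the payload small and reviewable. When a key
    repeats, keep the most severe level (lowest number) and the latest time.
    """
    by_key = {}
    for alert in alerts:
        if alert["verdict"] != "true_positive":
            continue  # SOC already ruled it out; never let it reach Incident
        ev = to_event(alert)
        key = ev["message_key"]
        if key not in by_key:
            by_key[key] = ev
        else:
            kept = by_key[key]
            kept["severity"] = str(min(int(kept["severity"]), int(ev["severity"])))
            # "YYYY-MM-DD HH:MM:SS" strings compare correctly as text.
            kept["time_of_event"] = max(kept["time_of_event"], ev["time_of_event"])
            kept["additional_info"] = ev["additional_info"]
    return {"records": list(by_key.values())}


def send_events(instance, user, password, batch):
    """POST a batch to the inbound JSON API (network call; placeholders only).

    The user should be a dedicated integration account holding the
    evt_mgmt_integration role, not a human admin account.
    """
    url = f"https://{instance}.service-now.com/api/global/em/jsonv2"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(batch).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(build_batch(SAMPLE_ALERTS), indent=2))
    # send_events("myinstance", "evt_integration_user", "<password>", build_batch(SAMPLE_ALERTS))
```

Two things to check before relying on this in production: the `message_key` must be stable across repeats of the same condition (do not include the SOC's per-alert ID in it, or nothing will deduplicate), and whether a deduplicated alert actually becomes an incident is decided by the alert management rules configured in the instance, so the SOC's verdict field in `additional_info` is only useful if those rules read it.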