Event Management - Alerts from Darksense
4 hours ago
We are wondering if we can use event management for this instead of incidents. The current process is listed below, and at the bottom you can see which system the log is being sent from.
- Logs are sent from assets (servers, firewalls and SaaS applications) to a Security Incident and Event System (SIEM), which correlates the logs and identifies patterns and anomalies. The SIEM then sends alerts to the SOC.
- The SIEM is managed/monitored by our third-party vendor (SOC), who analyze the output and validate any true positive.
- Suspected true positives are then sent to us via ServiceNow, which creates incidents for alerting/validation/remediation.
- Telus uses LogRhythm as their SIEM, while Arancia uses Darksense as theirs.
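An added example (not from the post and not ServiceNow's own code) of how a SOC-validated alert from the pipeline described above could be shaped as an Event Management event rather than an incident. The input alert format, the `soc_ticket`/`vendor` fields and the push-body shape are assumptions; the `em_event` field names and the 0-5 severity scale are the standard ones.

```python
import hashlib
import json

# Severity scale used by ServiceNow Event Management (em_event.severity):
# 1 Critical, 2 Major, 3 Minor, 4 Warning, 5 Info, 0 Clear.
SIEM_TO_EM_SEVERITY = {"critical": "1", "high": "2", "medium": "3", "low": "4", "info": "5"}


def message_key(source: str, node: str, rule: str) -> str:
    """Deterministic key so repeated alerts for the same rule on the same host
    update one existing event/alert instead of opening a new record each time."""
    return hashlib.sha256(f"{source}|{node}|{rule}".encode()).hexdigest()[:32]


def siem_alert_to_em_event(alert: dict) -> dict:
    """Map a validated SOC alert (constructed shape, not a vendor format) onto em_event fields."""
    if alert.get("status") != "true_positive":
        raise ValueError("only SOC-validated true positives should become events")
    sev = SIEM_TO_EM_SEVERITY.get(alert["severity"].lower())
    if sev is None:
        raise ValueError(f"unknown severity {alert['severity']!r}")
    return {
        "source": alert["siem"],            # e.g. LogRhythm or Darksense
        "event_class": alert["siem"],
        "node": alert["host"],              # CI the event binds to
        "type": alert["rule"],              # SIEM correlation rule that fired
        "resource": alert.get("resource", ""),
        "severity": sev,
        "description": alert["summary"],
        "message_key": message_key(alert["siem"], alert["host"], alert["rule"]),
        "time_of_event": alert["time"],
        # assumed extra context; kept as JSON so it lands in additional_info intact
        "additional_info": json.dumps({"soc_ticket": alert.get("soc_ticket", ""),
                                       "vendor": alert.get("vendor", "")}),
    }


def build_push_body(alerts: list) -> dict:
    """Wrap events in the {"records": [...]} body shape (assumed) used for an inbound push."""
    return {"records": [siem_alert_to_em_event(a) for a in alerts]}


# Constructed sample alert, not real vendor output.
SAMPLE_ALERT = {
    "siem": "LogRhythm", "vendor": "Telus", "status": "true_positive",
    "host": "fw-edge-01", "rule": "Brute force: repeated auth failures",
    "severity": "High", "summary": "200 failed VPN logins from one source in 5 min",
    "time": "2024-01-01 10:15:00", "soc_ticket": "SOC-0001",
}
```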
Labels: Event Management
