URL: https://www.connectwise.com/blog/cybersecurity/9-ways-to-eliminate-siem-false-positives
9 WAYS TO ELIMINATE SIEM FALSE POSITIVES

Posted:
06/14/2023
| By: Kevin Prince

If you have a SIEM or are about to implement one, then you're probably
struggling with one of the biggest challenges in cybersecurity—false positives. 

According to Orca Security's 2022 Cloud Security Alert Fatigue Report,
cybersecurity teams are inundated with cloud security alerts—59% of respondents
receive more than 500 of these alerts per day. And because of the sheer volume
of alerts needing to be addressed, 55% of respondents said that very real,
critical alerts are being missed, often on a daily or weekly basis. But the
problem doesn't come from a lack of people—it comes from false positives.

Useless alerts often take the same amount of time to investigate as real ones.
The traditional approach—which a lot of MSSPs still use today—is to hire a huge
team of people to attempt to review every alert. Given the survey results and
recent cybersecurity headlines, how well do you think this works?

If you want to catch cybersecurity threats in your environment, you have to
focus on eliminating false positives so that the security experts you do have
can focus on remediating real problems. As we've seen, this is a process and
technology issue. Simply adding more people is not the solution. Cybersecurity
threats and attacks need to be dealt with efficiently, so today, we're going to
go through our top nine tips for eliminating false positives in your SIEM
environment.

1. PROPERLY DEFINE FALSE POSITIVES

For alert-management purposes, define an accurate alert or notification as one
that requires immediate action, and nothing else. Anything else that alerts you
is a false positive: not because the event didn't happen, but because there is
no real action to take. Using this definition, rather than "any alert that fired
correctly, regardless of criticality," will dramatically streamline how your IT
resources are spent on alert management.

This is one of the hardest concepts for security operations managers to accept.
To help, ask yourself (or your provider) this question for every possible
alert: "When the team gets this alert, what action will they take?" If the
answer is "uh…" or "none, but…", then that alert is a false positive.

Don't worry—we're not saying you will never see this information. But to help
avoid alert fatigue, it should show up on a report your team regularly reviews,
not as an alert that opens a ticket. 

2. GET RID OF RULES YOU DON'T NEED

This sounds obvious, but you would be amazed how many people install a SIEM and
leave every default rule turned on. Many rules are written for a specific
network device or IT system. If you don't have that system or device in your
network, disable the rule! Leaving it enabled only creates false positives and
alert fatigue. While you're at it, make sure the rules that remain active
actually detect what you think they do. Default rules are often mislabeled or
contain other errors, so check each one carefully, ideally by feeding it sample
events that should and should not trigger it.
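
The two checks above, as an added example in Python (this is not ConnectWise
code and does not use any SIEM's rule format): first list the rules written for
a log source you never ingest, then run every remaining rule against sample
events it must fire on and must stay quiet on. The rule names, the event field
names and the ingested-source inventory are constructed for the example; the
Cisco ASA and Windows event IDs are the real ones.

```python
"""Added example (not ConnectWise code): prune rules whose log source you do
not ingest, then verify that each surviving rule fires on the events it claims
to detect. Rule names, event fields and sample events are constructed."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Rule:
    name: str
    source_type: str                    # log source the rule was written for
    match: Callable[[dict], bool]       # the rule's actual detection logic
    positives: list = field(default_factory=list)   # events that MUST fire
    negatives: list = field(default_factory=list)   # events that MUST NOT fire


RULES = [
    # Cisco ASA 106023 = packet denied by ACL; 302013 = TCP connection built.
    Rule("Cisco ASA: inbound denied by ACL", "cisco_asa",
         lambda e: e.get("msg_id") == "106023",
         positives=[{"msg_id": "106023", "src": "203.0.113.5"}],
         negatives=[{"msg_id": "302013", "src": "203.0.113.5"}]),
    # Windows 4732 = member added to a security-enabled local group.
    Rule("Windows: user added to local Administrators", "windows_security",
         lambda e: e.get("event_id") == 4732 and e.get("group") == "Administrators",
         positives=[{"event_id": 4732, "group": "Administrators", "member": "bob"}],
         negatives=[{"event_id": 4732, "group": "Remote Desktop Users", "member": "bob"}]),
    # Mislabeled: the name promises SSH brute force, but the logic keys on
    # Windows event 4625 (failed logon), which never appears in Linux auth logs.
    Rule("Linux: SSH brute force", "linux_auth",
         lambda e: e.get("event_id") == 4625,
         positives=[{"msg": "Failed password for root from 203.0.113.7 port 51022 ssh2"}],
         negatives=[{"msg": "Accepted publickey for deploy from 10.10.4.15 port 40110 ssh2"}]),
]

# Log source types actually being ingested (constructed inventory).
# No ASA logs arrive, so the ASA rule can only ever be noise or dead weight.
INGESTED_SOURCES = {"windows_security", "linux_auth"}


def rules_to_disable(rules, ingested):
    """Names of rules written for a log source that is not ingested."""
    return sorted(r.name for r in rules if r.source_type not in ingested)


def verify_rule(rule):
    """List of failures: positives that did not fire, negatives that did."""
    failures = []
    for ev in rule.positives:
        if not rule.match(ev):
            failures.append(f"{rule.name}: did not fire on {ev}")
    for ev in rule.negatives:
        if rule.match(ev):
            failures.append(f"{rule.name}: fired on benign event {ev}")
    return failures


def audit(rules, ingested):
    """Rules to disable, plus rules that do not detect what their name says."""
    disable = rules_to_disable(rules, ingested)
    broken = {}
    for rule in rules:
        if rule.name in disable:
            continue
        failures = verify_rule(rule)
        if failures:
            broken[rule.name] = failures
    return {"disable": disable, "broken": broken}


if __name__ == "__main__":
    result = audit(RULES, INGESTED_SOURCES)
    print("disable (no such log source):", result["disable"])
    for name, fails in result["broken"].items():
        print("BROKEN:", name)
        for f in fails:
            print("   ", f)
```

Run as-is, the audit disables the ASA rule and flags the "SSH brute force" rule
as broken because its positive sample never fires. Keeping the positive and
negative samples next to the rule is what makes the check repeatable after every
rule-pack update.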

3. TUNE THE RULES TO YOUR SPECIFIC ENVIRONMENT THRESHOLDS

Rules are really nothing more than "this thing happened this many times over
this period of time," or a combination of such conditions. The appropriate
counts and thresholds in your environment are very different from those in
other environments. Each threshold needs to sit at the boundary between what is
normal activity in your environment and what is abnormal. That requires a
baseline: run the system for several weeks and analyze the traffic so you know
the right threshold for each rule, and remember that "normal" at 3:00am on a
Sunday is not "normal" at 10:00am on a Monday. Believe it or not, very few
companies take the time to tune their SIEM to their actual environment! The
reality is that many good IT folks don't know how to do this accurately, and it
may require a SIEM expert.
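
To make the baseline step concrete, here is an added example in Python (not
ConnectWise's code or tooling) that derives a threshold per time-of-week
profile from two weeks of hourly failed-logon counts. The counts, the two
profiles and the "more than five per hour" vendor default are constructed
assumptions. It shows two things the paragraph only states: a single flat
threshold fires all day if it was set for the night, and a percentile-based
threshold survives one real incident sitting inside the baseline window, where a
plain max() would have trained the incident in as "normal".

```python
"""Added example (not ConnectWise code): derive per-profile alert thresholds
from a baseline instead of using a vendor default. The hourly failed-logon
counts below are constructed, not real data."""
import math


def profile_for(day, hour):
    """Time-of-week profile; day 0 is a Monday. Real baselines may need more buckets."""
    if day % 7 < 5 and 8 <= hour < 18:
        return "weekday-business"
    return "off-hours"


def constructed_baseline(days=14):
    """Hourly failed-logon counts for one domain controller over two weeks:
    ~40/hour in business hours (users mistyping passwords), ~4/hour otherwise,
    plus one real burst on day 2 at 03:00 (a service account with a stale
    password) that an analyst should see, not average away."""
    series = []
    for day in range(days):
        for hour in range(24):
            jitter = (hour * 3) % 5                       # deterministic 0..4
            base = 40 if profile_for(day, hour) == "weekday-business" else 4
            count = 400 if (day, hour) == (2, 3) else base + jitter
            series.append((day, hour, count))
    return series


def percentile(values, p):
    """Nearest-rank percentile; one outlier barely moves it, unlike max()."""
    ordered = sorted(values)
    rank = math.ceil(p / 100 * len(ordered))
    return ordered[max(rank, 1) - 1]


def tune_thresholds(series, p=99, headroom=1.5):
    """One threshold per profile: the p99 of the baseline plus 50% headroom."""
    by_profile = {}
    for day, hour, count in series:
        by_profile.setdefault(profile_for(day, hour), []).append(count)
    return {prof: math.ceil(percentile(vals, p) * headroom)
            for prof, vals in by_profile.items()}


def alerts(series, threshold_fn):
    """Hours on which the rule 'failed logons > threshold' would have fired."""
    return [(d, h, c) for d, h, c in series if c > threshold_fn(d, h)]


if __name__ == "__main__":
    base = constructed_baseline()
    default_hits = alerts(base, lambda d, h: 5)       # vendor default: > 5/hour
    tuned = tune_thresholds(base)
    tuned_hits = alerts(base, lambda d, h: tuned[profile_for(d, h)])
    print("tuned thresholds:", tuned)
    print(f"default rule: {len(default_hits)} alerts in two weeks")
    print(f"tuned rule:   {len(tuned_hits)} alert(s): {tuned_hits}")
```

On this data the default threshold opens 236 alerts in two weeks, essentially
one for every hour with any activity, while the tuned thresholds (66 in business
hours, 12 off-hours) fire exactly once, on the real burst. The burst is also the
caveat: anything unusual in the baseline window has to be investigated before
the baseline is accepted, otherwise you are tuning an intrusion in.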

4. CONTEXT IS KING

Most SIEMs don't have this capability, and it's key to eliminating false
positives, so I hope you are reading this before you purchase your SIEM. Here's
an example to help illustrate it:

You get an alert from your SIEM stating it has detected a SQL injection attack
against one of your servers. That is serious, right?! Well, it's only serious if
that server (or the application it hosts) actually uses a SQL database the
injection could reach. Otherwise, it is just another false positive. A good SIEM
can look at the configuration of your systems to determine whether an attack can
succeed. Configuration management data included within the SIEM gives you an
enormous advantage in eliminating some of the peskiest false positives. Ask your
SIEM provider whether their solution incorporates change management information
and has a configuration management database (CMDB). This eliminates the worst
kind of false positives, the sleep-stealing alerts that wake you up at 3:00am.
No one wants that, and you need the context of the network systems to eliminate
these false positives.
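
The SQL injection case above, as an added example in Python (not ConnectWise
code, and not tied to any particular CMDB product): an alert is re-scored
against an asset inventory that records which services each host runs, and is
demoted to report-only when the target cannot be affected. The inventory,
the attack categories, the service names and the alerts are all constructed.

```python
"""Added example (not ConnectWise code): re-score an alert against a
configuration/asset inventory so that an attack on a host it cannot affect is
reported, not ticketed. Inventory, alerts and service names are constructed."""

# Constructed CMDB extract: what each host actually runs.
CMDB = {
    "web-01":  {"os": "ubuntu-22.04", "services": {"nginx", "php-fpm", "mysql"}},
    "web-02":  {"os": "ubuntu-22.04", "services": {"nginx"}},       # static site
    "mail-01": {"os": "windows-2019", "services": {"exchange", "iis"}},
}

# Which services an attack category needs on the target before it can matter.
# Anything not listed here falls through to the default disposition.
REQUIRES = {
    "sql_injection":    {"mysql", "postgres", "mssql"},
    "rdp_brute_force":  {"rdp"},
    "exchange_exploit": {"exchange"},
}


def contextualize(alert, cmdb=CMDB, requires=REQUIRES):
    """Return the alert with a 'disposition' (ticket/report) and the reason."""
    host = cmdb.get(alert["target"])
    needed = requires.get(alert["category"])
    if host is None:
        # Unknown asset: the inventory gap is itself a finding, keep the ticket.
        return {**alert, "disposition": "ticket", "reason": "target not in CMDB"}
    if needed is None:
        return {**alert, "disposition": "ticket",
                "reason": "no applicability rule for this category; default kept"}
    present = needed & host["services"]
    if present:
        return {**alert, "disposition": "ticket",
                "reason": f"target runs {sorted(present)}"}
    return {**alert, "disposition": "report",
            "reason": f"target runs none of {sorted(needed)}; attack cannot succeed"}


ALERTS = [  # constructed
    {"id": 1, "category": "sql_injection", "target": "web-01", "src": "198.51.100.9"},
    {"id": 2, "category": "sql_injection", "target": "web-02", "src": "198.51.100.9"},
    {"id": 3, "category": "exchange_exploit", "target": "mail-01", "src": "203.0.113.4"},
    {"id": 4, "category": "rdp_brute_force", "target": "db-99", "src": "203.0.113.4"},
]


def triage(alerts):
    return [contextualize(a) for a in alerts]


if __name__ == "__main__":
    for a in triage(ALERTS):
        print(f"#{a['id']} {a['category']:<17} {a['target']:<8} {a['disposition']:<7} {a['reason']}")
```

The demotion is only as good as the inventory. A web tier whose database lives
on another host needs that dependency recorded against the web host (or the
check has to follow it), otherwise this context rule turns a real attack into a
false negative, which is worse than the false positive it was meant to remove.
That is also why an unknown target keeps its ticket.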

By the way, if your SIEM doesn't have detailed configuration and asset
information for critical context, you may want to view a live demo to see how
ConnectWise SIEM™ can work for you, and contact us for a new SIEM!

5. ADJUST THE CRITICALITY TO YOUR ENVIRONMENT

Remember we said that only events that require action now should be alerts, and
that low-level alerts and most medium-level events don't need immediate action
and therefore should not be alerts? Those should get rolled up into a report
delivered to the right person at an appropriate frequency, perhaps weekly. With
that in mind, many SIEM vendors set their default criticality to a level that's
way too high for most environments. Something that is critical in someone
else's environment may only be medium level in yours. Do not trust the default
criticality setting. Review every rule in the context of "What will we do when
this alert is sent?"

6. USE A THREAT FEED AND GEOLOCATION DATA

Most SIEM technologies allow you to blend outside data into the system to get
higher accuracy. A threat feed can be used to increase the accuracy of events
through cross-correlation and context. For example, if the source IP of an
event appears in a threat feed as known attacker infrastructure, the SIEM can
raise the criticality of that event to high. Geolocation data can likewise be
used to raise or lower criticality based on the source or destination of your
network traffic. With this, your SIEM can automatically distinguish inter-office
traffic, remote traffic, and foreign traffic.

A word of caution on threat feeds: a low-quality threat feed (usually a free
one) can actually increase your false positives tremendously! If you're going
to use a threat feed, use a high-quality one, such as the ConnectWise CRU threat
feed, that updates regularly, is constantly cleaned of stale information, and is
specific in its threat data (individual hosts and small ranges) rather than
generically flagging huge network segments.
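
The enrichment described in this section, as an added example in Python (not
ConnectWise code, and not the CRU feed or any real feed format): an event's
criticality is stepped up on a threat-feed hit and on foreign origin, and
stepped down for inter-office traffic. The office and VPN ranges, the
country table standing in for a GeoIP lookup, the home-country set and both feed
entries are constructed; the addresses come from documentation ranges. The
second feed shows the caveat above: one lazy /8 entry promotes a legitimate
customer's traffic.

```python
"""Added example (not ConnectWise code): raise or lower an event's criticality
from a threat-feed hit and from where the traffic originates, and show how an
over-broad feed entry manufactures false positives. All addresses are from
documentation ranges and all feed entries are constructed."""
import ipaddress

SEVERITY = ["low", "medium", "high", "critical"]

# Constructed network context: what "inter-office" and "remote" mean here.
OFFICE_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.0.2.0/24")]
VPN_NETS = [ipaddress.ip_network("10.200.0.0/16")]
HOME_COUNTRIES = {"US", "CA"}          # where legitimate external users come from

# Constructed stand-in for a GeoIP database lookup.
GEO = {"203.0.113.0/24": "RU", "198.51.100.0/24": "US", "192.0.2.0/24": "US"}

# A specific, dated indicator versus a lazy entry that condemns a whole /8.
GOOD_FEED = {"203.0.113.77/32": "C2 node, last seen 2 days ago"}
LAZY_FEED = {"198.0.0.0/8": "bad neighbourhood"}


def in_any(ip, nets):
    return any(ip in net for net in nets)


def geo_country(ip, table=GEO):
    for cidr, country in table.items():
        if ip in ipaddress.ip_network(cidr):
            return country
    return "??"


def classify_origin(ip):
    """inter-office, remote (VPN), external-home or foreign."""
    if in_any(ip, OFFICE_NETS):
        return "inter-office"
    if in_any(ip, VPN_NETS):
        return "remote"
    return "external-home" if geo_country(ip) in HOME_COUNTRIES else "foreign"


def feed_hits(ip, feed):
    return [note for cidr, note in feed.items() if ip in ipaddress.ip_network(cidr)]


def enrich(event, feed):
    """Return the event with origin, country, feed hits and adjusted severity."""
    ip = ipaddress.ip_address(event["src"])
    level = SEVERITY.index(event["severity"])
    origin = classify_origin(ip)
    hits = feed_hits(ip, feed)
    if hits:
        level += 1                      # known attacker infrastructure
    if origin == "foreign":
        level += 1                      # no business reason for this traffic
    if origin == "inter-office":
        level -= 1                      # probably an admin or a scanner we own
    level = max(0, min(level, len(SEVERITY) - 1))
    return {**event, "origin": origin, "country": geo_country(ip),
            "feed": hits, "severity": SEVERITY[level]}


EVENTS = [  # constructed events
    {"id": 1, "src": "203.0.113.77", "severity": "medium", "what": "20 SSH failures/min"},
    {"id": 2, "src": "10.10.4.15", "severity": "medium", "what": "20 SSH failures/min"},
    {"id": 3, "src": "198.51.100.23", "severity": "low", "what": "HTTP 404 burst"},
]


def enrich_all(events, feed):
    return [enrich(e, feed) for e in events]


if __name__ == "__main__":
    for label, feed in (("curated feed", GOOD_FEED), ("lazy /8 feed", LAZY_FEED)):
        print(label)
        for e in enrich_all(EVENTS, feed):
            print(f"  #{e['id']} {e['src']:<15} {e['origin']:<13} {e['severity']:<8} {e['feed']}")
```

With the curated feed, the same SSH signature becomes critical from the known
C2 node and drops to low from the office subnet, and the 404 burst stays low.
With the lazy feed, the 404 burst from a US address inside 198.0.0.0/8 is
promoted to medium with no evidence behind it, which is exactly how a poor feed
adds false positives instead of removing them.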

7. TRUST YOUR SECURITY DEVICES

Most organizations have security devices such as a firewall or an intrusion
prevention system that block malicious traffic. Many people configure their
SIEM to alert them on an event that was already stopped. If your firewall is
blocking that attacker, why would you want a ticket for that? Report it
somewhere, sure, but don't open a ticket only to make someone close it later.
The one exception is a block that implies action elsewhere, such as an internal
host that is repeatedly blocked trying to reach a known bad destination: the
block worked, but that host still needs attention. Remember: if it doesn't
require action right now, you shouldn't be getting an alert.

8. IGNORE LOW-LEVEL ALERTS

Most low-level alerts can be turned off entirely. If there are low-level alerts
you do want to track, do that with a periodic report. I'm sure you're tired of
hearing this by now, but if it doesn't require action, you shouldn't be getting
an alert.

9. TUNING IS NOT A ONE-TIME EVENT

Anyone who thinks they can set up their SIEM once and have it stay highly tuned
is sorely mistaken. Security information and event management systems, by
their very nature, require a lot of ongoing care and feeding—daily. Adjustments
will be needed when network devices are added, removed, or updated, and when
firmware or software is upgraded. Even if nothing changes in your environment,
the threat landscape changes, which requires changes to your SIEM; on top of
that, your SIEM should be receiving new rules and rule updates that need to be
applied and maintained.

A properly tuned SIEM will be your greatest cybersecurity asset. A neglected
SIEM, or one maintained by untrained staff, will be a nightmare, a huge waste of
money, and will raise your risk exposure. Most importantly, when you get a false
positive, use it as a feedback loop: adjust the SIEM so that the same false
positive doesn't show up again. If you just clear the alert and don't make a
change, it will happen again and again and again. Get in the habit of adjusting
the SIEM right away and you will save scores of hours in the future.
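Points 7, 8 and 9 together describe one decision: what happens to each alert the SIEM emits. The following is an added example, not code from the ConnectWise post or any ConnectWise product, that routes alerts to a ticket, a periodic report, or nowhere, and turns a confirmed false positive into a suppression scoped to the rule and source host. The suppression carries an owner, a reason and an expiry date, so the tuning is revisited rather than forgotten; an expired suppression surfaces the alert again with a note to review it. Rule IDs, hostnames, owners and dates are constructed for the example.

```python
"""Added example, not code from the ConnectWise post: route each alert to a
ticket, a periodic report, or nowhere, and turn a confirmed false positive
into a scoped suppression that expires. Alerts, rule IDs and suppressions
are constructed."""
from datetime import date, timedelta

BLOCKED_ACTIONS = {"blocked", "denied", "dropped", "reset"}  # device already stopped it
REPORT_ONLY_SEVERITIES = {"informational", "low"}           # point 8: report, don't alert


def suppress_false_positive(alert, owner, reason, today, ttl_days=90):
    """Point 9 feedback loop: a closed false positive becomes a suppression
    keyed on rule AND source, so the rule stays live for every other host,
    with an owner, a reason and an expiry so it is revisited, not forgotten."""
    return {"rule": alert["rule"], "src": alert["src"], "owner": owner,
            "reason": reason, "expires": today + timedelta(days=ttl_days)}


def disposition(alert, suppressions, today):
    """Return (destination, note); destination is 'ticket', 'report' or 'drop'."""
    for s in suppressions:
        if s["rule"] == alert["rule"] and s["src"] == alert["src"]:
            if s["expires"] >= today:
                return "drop", f"suppressed by {s['owner']}: {s['reason']}"
            # An expired suppression is surfaced, not silently honoured:
            # either the tuning is still valid (renew it) or it is not.
            return "ticket", f"suppression expired {s['expires']}; review with {s['owner']}"
    if alert.get("action") in BLOCKED_ACTIONS:
        # Point 7: the firewall/IPS already stopped it; report, don't ticket.
        return "report", f"already stopped by {alert.get('device', 'security device')}"
    if alert["severity"] in REPORT_ONLY_SEVERITIES:
        return "report", "low level; roll into the weekly report"
    return "ticket", "requires action now"


def triage(alerts, suppressions, today):
    """Sort alerts into queues; each carries the reason for its destination."""
    queues = {"ticket": [], "report": [], "drop": []}
    for alert in alerts:
        dest, note = disposition(alert, suppressions, today)
        queues[dest].append({**alert, "note": note})
    return queues


# Constructed sample data: hypothetical rule IDs, hosts, owners and dates.
TODAY = date(2024, 6, 1)
SUPPRESSIONS = [
    {"rule": "AUTH-BRUTE-001", "src": "10.20.30.40", "owner": "jdoe",
     "reason": "vulnerability scanner service account", "expires": date(2024, 9, 1)},
    {"rule": "DNS-TXT-LARGE", "src": "10.20.30.41", "owner": "jdoe",
     "reason": "backup agent", "expires": date(2024, 1, 1)},   # expired
]
ALERTS = [
    {"rule": "AUTH-BRUTE-001", "src": "10.20.30.40", "severity": "high", "action": "allowed"},
    {"rule": "DNS-TXT-LARGE", "src": "10.20.30.41", "severity": "medium", "action": "allowed"},
    {"rule": "IPS-EXPLOIT-SMB", "src": "203.0.113.5", "severity": "critical",
     "action": "blocked", "device": "fw-edge-1"},
    {"rule": "PORTSCAN", "src": "198.51.100.9", "severity": "low", "action": "allowed"},
    {"rule": "MALWARE-EXEC", "src": "10.20.30.50", "severity": "high", "action": "allowed"},
]

if __name__ == "__main__":
    for dest, items in triage(ALERTS, SUPPRESSIONS, TODAY).items():
        print(dest, [(a["rule"], a["note"]) for a in items])
```

Two design choices matter here. Suppressions are keyed on rule plus source, never on the rule alone, so tuning out one noisy scanner does not blind you to the same behaviour from a compromised host. And nothing is dropped without a recorded owner and reason, which is what lets the next person on shift tell a deliberate tuning decision from a forgotten one.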


IT'S WORTH IT TO WORK WITH A SIEM EXPERT

While this may sound easy, SIEMs are very complicated. I mean, would you trust
someone to perform surgery on you who had only learned from an online video?
No! When you run the math, it's far less expensive to outsource the management
and tuning of your SIEM to an expert than to do it yourself, if you get the
right partner.

The good news is that this is what ConnectWise does best! Depending upon the
SIEM technology you're using, we can manage and tune your SIEM initially and
ongoing to ensure you practically eliminate all your false positives.

Haven't selected a SIEM yet? Download this eBook for tips on what to look for in
a SIEM and how to add it as a service.

We have some amazing options for you, including a SIEM hosted by us or an
on-premises managed SIEM that you host in your own data center or cloud
environment. Using ConnectWise for your SIEM needs means getting the most out of
your SIEM investment and getting the best possible cybersecurity and compliance
available at a fraction of the cost of doing it yourself.


©2024 ConnectWise, LLC. All rights reserved.