UC Santa Cruz Best Practices

Actionable SIEM Alerts in Elasticsearch

Brian Hall and Troy Wright, Senior Security Analysts with UC Santa Cruz and Matteo Rebeschini, Solution Architect from Elastic, deliver a discussion on how and why UC Santa Cruz is improving their security using the Elastic Stack to achieve actionable SIEM alerts. This session includes an update on Elastic Machine Learning including a live demo.

UC Santa Cruz Infrastructure Highlights:

  • What types of alerts are easy wins?
  • What log data is needed?
  • What queries and visualizations are needed?
  • How did we validate using queries/viz/data?
  • Sharing lessons learned on their journey using Elasticsearch

UC Santa Cruz was originally using FortiSIEM and was running into a number of different challenges. They realized that by using Elastic they would be able to monitor every security event log. The key decision for moving to the Elastic Stack was the alerting capability. It was important to get alerts for events such as:

  • Detecting concurrent logins from separate geo locations
  • Using Bro to generate alerts so they could block the offending IP and keep it from talking to the campus network
  • Automated systems monitoring of the data for threat signatures and behaviors
  • Protection from DDoS attacks
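The first alert on that list, concurrent logins from separate geo locations, as an added detection example written for this page (not UC Santa Cruz's or Elastic's code): it assumes each login event already carries a user, timestamp, source IP and a geo label (for example from a GeoIP enrichment step) and flags any user whose logins come from two different locations within a time window. The events below are constructed, not real campus data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample login events (not real data). "geo" is assumed to be
# filled in upstream by a GeoIP enrichment of the source IP.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2019-03-01T08:00:00", "src_ip": "203.0.113.5", "geo": "Santa Cruz, US"},
    {"user": "alice", "ts": "2019-03-01T08:12:00", "src_ip": "198.51.100.7", "geo": "Kyiv, UA"},
    {"user": "bob",   "ts": "2019-03-01T09:00:00", "src_ip": "203.0.113.9", "geo": "Santa Cruz, US"},
    {"user": "bob",   "ts": "2019-03-01T15:00:00", "src_ip": "192.0.2.44",  "geo": "Los Angeles, US"},
    {"user": "carol", "ts": "2019-03-01T10:00:00", "src_ip": "203.0.113.5", "geo": "Santa Cruz, US"},
    {"user": "carol", "ts": "2019-03-01T10:05:00", "src_ip": "203.0.113.6", "geo": "Santa Cruz, US"},
]


@dataclass(frozen=True)
class Alert:
    user: str
    first_geo: str
    second_geo: str
    first_ip: str
    second_ip: str
    minutes_apart: float


def find_concurrent_geo_logins(events, window=timedelta(minutes=60)):
    """Return an Alert for each pair of logins by the same user from
    different geo locations that occur within `window` of each other.
    Logins from the same location, or further apart than the window,
    are not flagged."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            cur_t = datetime.fromisoformat(cur["ts"])
            # Walk back through earlier logins that are still inside the window.
            for prev in reversed(evs[:i]):
                prev_t = datetime.fromisoformat(prev["ts"])
                if cur_t - prev_t > window:
                    break
                if prev["geo"] != cur["geo"]:
                    gap = (cur_t - prev_t).total_seconds() / 60
                    alerts.append(Alert(user, prev["geo"], cur["geo"],
                                        prev["src_ip"], cur["src_ip"], gap))
    return alerts
```

On the sample data only alice is flagged (two locations twelve minutes apart); bob's logins are six hours apart and carol's share one location.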