Good day everyone!
So recently we have begun to ingest EPM log into MS Sentinel, and I have noticed a difference in the data we see in the console Analytics vs Sentinel. Firstly the integration was simple and straight forward. Once configured we began to see information flow into Sentinel. This is not a problem and seems to be working well, we used the CIM format.
What we are seeing is good, but it is nowhere near the information we see in the console analytics.
Example I will use is logons. We can see logons in both the analytics and Sentinel, however there is information missing in the information we see in Sentinel, namely privilege. So in the analytics I can see and search on the client privilege, and status of the account (domain, local), but in Sentinel I am not.
I just wanted to start a conversation with others who are using a SIEM with EPM or plan too int he near future. We could compare experiences and possibly see what in store for the future from Beyond Trust.
Thanks, and have a great day!
Scott
I have EPM being ingested by Sentinel, however we used ECS rather than CIM and I haven’t noticed a lacking of any information yet… infact when I last did an export with all columns from Sentinel I had to do a lot of column trimming because there was excessive information… if you have a query you are using I can take a look at my instance and see if I’m lacking anything. we had it sent to Sentinel so that our SOC team could setup alerting for any potential rogue elevations.
Hey @Scottie per the other comment I would 100% recommend moving to ECS format. When we created AV2 we also spent a lot of time getting the events updated - if you move to ECS you’ll get all the the same data you see in analytics.
Thanks very much for the information! Appreciate the responses.
So, we are going to change the format today from CIM to ECS, as I never change anything before a long weekend so we will see how that goes. In the console guild there is a cryptic message regarding ECS:
“If you previously configured SIEM settings and selected the ECS format, then there are two ECS format menu items: ECS - Elastic Common Schema and ECS - Elastic Common Schema (Deprecated). To update to the new ECS schema, select ECS - Elastic Common Schema, and then click Validate Settings”
Odd they would use the same name yet one is deprecated. This is why the CIM format was chosen.
We exported the complete sentinel log columns for EPM (displayed and all columns both), and will do it again 24-48hs after and see if anything has changed. WE also seem to ingest about 40MB of data a day on avg so one week after be interesting if we see any noticeable change in either.
If we do, the question is then “why isn't that documented?”. But will report back to this thread when we have some time with the change.
Thanks Scottie I’ll flag that with our docs team, sounds like it could do with a review!
