Florian Roth

With "Windows & Sysmon" you probably mean #eventlog (Win) and #syslog (unixoid), which should be higher than #AV. Also, #DNS is yet regarded more important in #SIEM than #NIDS. Finally, due to prevalence, we consider #firewall and #auditd more important than mail.

Also more enterprises critical assets are UNIX than Windows?

Just because you treasure chamber is the most valuable chamber in your castle doesn't mean that you should place your detection there and not in the chamber that holds your guards' armor and helmets.

Auditbeat for Linux auditd is what Sysmon is for Windows events. You can deploy it to every system and get socket logs and process logs. It even has the connection-id from @corelight_inc so you can easily correlate the host network connection to @Zeekurity and @Suricata_IDS

Hello, would you mind elaborate the reasons AV is the most important for you? For a lot of ppl, it just means quarantine and blocking business, logs tends to be very noisy and with less value compared to sysmon for ex

Anyone know of any good guides to firewall logging. End up logging everything, with multiple sites vpn connected the log is insane vs any other log. My inclination would be internet inbound/outbound and traffic to servers in/out.