Automating Security Event Log capture-Best Practices/etc-Thoughts?

  • 8 February 2023
  • 7 replies
  • 49 views

Badge +1

Hey Drata community! 

I’m curious and thought I would pose this question here. As part of our ISO 27001 program we keep a security event log, and then when something upgrades to an incident we create the corrective action report for the incident, etc. We had started doing some automation around this; for example, we monitor most of the programs/services we use in a Slack channel, and we also get feeds from different sources for possible events we should look into. We’ve started doing some work around automating those into tickets in our service desk, but I’m curious what processes others are using, or if you’ve found any great ways to automate part of this in your organizations? A lot of our feeds contain quite a bit of noise, such as downtime maintenance, etc.

I’m interested in comparing notes in how we can improve this or automate even further :) Hit me up if you have any tips! 

7 replies

Userlevel 4
Badge +1

Hi @lesleyheizman. This is a great conversation starter! Going to see if we can get someone from our security team (and maybe our compliance team) to chime in. I’m certainly no expert but I think one great tool for automating these tickets would be using our new Jira integration enhancements to easily create tickets within Drata for issues/vulnerabilities identified from our continuous monitoring.

Userlevel 1
Badge +2

@lesleyheizman I agree with Helina on utilizing Drata to automatically create JIRA tickets to track vulnerabilities in terms of controls not operating as intended.

Are you currently using any type of SIEM tool to centralize log events from different sources? If you implement a SIEM tool, there are probably integrations with ticketing systems where you can fine-tune alerts so only certain alerts open tickets and certain personnel get notified when certain events take place.

Userlevel 4
Badge +1

Thanks for chiming in, @Troy_Fine 🙏🏽

Badge +1

Yes! Thanks Helina and Troy, sorry for my delay this week! :) We are utilizing a SIEM, and we have some other sources we are tracking as well: Slack channels for when certain services go down, and a feed from Tenable for vulnerabilities. I think we need to do some refinement to get them all into one location and filter down the noise, like I said! I did get a really good tip I wanted to share from talking with someone in support, about putting together a playbook of how your team would respond to/investigate certain types of errors/events, etc., which is a great idea!

Overall I’m always looking for ways to simplify life when it comes to the ISO 27001 framework, so if anyone has tips/tricks on things that you are automating with regard to that framework, I’m all ears! Always room for improvement. :)

Happy Friday!

Userlevel 1
Badge +2

Glad the team was able to provide you with good insight in the in-app chat. The key is fine-tuning the alerts and really focusing on true alerts that need to be investigated, and then centralizing the ones that need investigation (maybe in JIRA and tracking them there). For instance, if you know that a ticket needs to be opened every time that Slack channel has a message because a service is down, then I would try to automatically have a ticket opened and assigned to the appropriate team for investigation.
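As an added illustration of the triage Troy describes (this is example code, not from Drata, the SIEM, or anyone in this thread), here is a small Python routine that takes constructed feed events, drops planned-maintenance noise, opens tickets only for true alerts, assigns them to a team, and de-duplicates repeated status messages. The event fields, channel, team names and severity thresholds are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample events in the shape a SIEM or feed forwarder might emit; the
# field names, channel, team names and thresholds are assumptions, not a real schema.
SAMPLE_EVENTS = [
    {"source": "slack", "channel": "#svc-status", "text": "payments-api is DOWN (healthcheck failed)"},
    {"source": "slack", "channel": "#svc-status", "text": "Scheduled maintenance window for payments-api"},
    {"source": "tenable", "severity": "critical", "plugin": "Outdated OpenSSL", "asset": "web-01"},
    {"source": "tenable", "severity": "low", "plugin": "Banner disclosure", "asset": "web-01"},
    {"source": "slack", "channel": "#svc-status", "text": "payments-api is DOWN (healthcheck failed)"},
]
# Phrases that mark planned work rather than an incident; tune these per feed.
NOISE_MARKERS = ("scheduled maintenance", "maintenance window", "planned downtime")

@dataclass
class Ticket:
    title: str
    team: str
    priority: str

def triage(event: dict) -> Optional[Ticket]:
    """Return the Ticket to open for a true alert, or None to keep it in the log only."""
    src = event.get("source")
    if src == "slack":
        text = event.get("text", "")
        lowered = text.lower()
        if any(marker in lowered for marker in NOISE_MARKERS):
            return None  # planned downtime: stays in the event log, no ticket
        if "is down" in lowered:
            return Ticket(title=text, team="SRE", priority="P1")
        return None
    if src == "tenable":
        # Only critical/high findings open a ticket; lower severities stay in the log.
        sev = event.get("severity", "")
        if sev in ("critical", "high"):
            title = f"{event['plugin']} on {event['asset']}"
            return Ticket(title, "AppSec", "P1" if sev == "critical" else "P2")
        return None
    return None  # unknown feed: never auto-ticket what you have not written a rule for

def process(events: list) -> list:
    """Triage a batch and de-duplicate so a repeated status message opens one ticket."""
    seen = set()
    tickets = []
    for ev in events:
        t = triage(ev)
        if t is not None and (t.title, t.team) not in seen:
            seen.add((t.title, t.team))
            tickets.append(t)
    return tickets
```

Running `process(SAMPLE_EVENTS)` yields two tickets (one SRE P1 for the outage, one AppSec P1 for the critical finding); the maintenance notice, the low-severity finding and the repeated outage message are kept out of the ticket queue.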

Badge +1

Great advice Troy thanks as always. Just caught you on the Bright webinar although I had to jump early! 

Userlevel 1
Badge +2

Glad you were able to attend. I hope it was helpful!
