Today, defenders in a typical security operations center rely on their SIEM to do forensics on past logs and to define real-time detections. This assumes that the SIEM was configured ahead of time to collect the subset of logs that is useful. But how does one decide what is useful? Further, some data arrives at such high volume that storing it in raw form is prohibitively expensive. Such data must be prefiltered and summarized before it is stored for query.
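One way to implement the prefilter-and-summarize step described above, as an added example that is not code from the talk or its materials (the event shape, the 60-second window and the keep/drop rules are assumptions):

```python
"""Streaming pre-filter and summarizer for a high-volume event feed.

Each raw event is either dropped (known noise), kept verbatim (rare or
security-relevant), or rolled up into a per-window count keyed by a few
fields. Only the raw keeps and the rollup rows would be shipped to the SIEM.
"""
from collections import Counter

WINDOW_SECONDS = 60  # assumed rollup window

# Constructed sample feed: (timestamp, event_type, src, dst, outcome)
SAMPLE_EVENTS = [
    (1000, "dns", "10.0.0.5", "example.com", "ok"),
    (1001, "dns", "10.0.0.5", "example.com", "ok"),
    (1002, "dns", "10.0.0.7", "example.com", "ok"),
    (1003, "dns", "10.0.0.5", "cdn.example.com", "ok"),
    (1004, "dns", "10.0.0.5", "example.com", "ok"),
    (1005, "heartbeat", "10.0.0.5", "-", "ok"),
    (1006, "dns", "10.0.0.5", "example.com", "ok"),
    (1050, "dns", "10.0.0.5", "example.com", "nxdomain"),
    (1061, "dns", "10.0.0.5", "example.com", "ok"),
    (1062, "auth", "10.0.0.9", "srv1", "fail"),
    (1063, "auth", "10.0.0.9", "srv1", "fail"),
    (1064, "auth", "10.0.0.9", "srv1", "ok"),
]

DROP_TYPES = {"heartbeat"}                           # pure noise: never store
KEEP_RAW = {("auth", "fail"), ("dns", "nxdomain")}   # rare: keep verbatim


def summarize(events, window=WINDOW_SECONDS):
    """Return (raw_kept, rollups); rollups maps
    (window_start, event_type, src, outcome) -> count."""
    raw, counts = [], Counter()
    for ts, etype, src, dst, outcome in events:
        if etype in DROP_TYPES:
            continue
        if (etype, outcome) in KEEP_RAW:
            raw.append((ts, etype, src, dst, outcome))
        # Every stored event also feeds the rollup, so window totals stay
        # complete for later queries even when the raw record is kept.
        window_start = ts - ts % window
        counts[(window_start, etype, src, outcome)] += 1
    return raw, dict(counts)


if __name__ == "__main__":
    kept, rollups = summarize(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} events -> {len(kept)} raw + {len(rollups)} rollup rows")
    for key, n in sorted(rollups.items()):
        print(key, n)
```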
By Jose Morris
Full Abstract & Presentation Materials: https://www.blackhat.com/us-20/briefings/schedule/#experimenting-with-real-time-event-feeds-20409