
Talked to a SOC analyst who made me question our whole SIEM setup

Last week I was on a call with a guy from a mid-sized MSP in Phoenix. He said they ditched their expensive SIEM and just use a custom script that parses Windows Event IDs 4624 and 4625. Told me they catch 90% of their breaches that way. It stuck with me because we spend $40k a year on a platform that floods us with alerts nobody reads. Has anyone else tried scaling back to something simpler and seen better results?
2 comments

jade47 (1d ago)
@anthony_lane55 you just made me realize my custom Event ID script is basically a screen door on a submarine. Guess I'll go back to drowning in false positives until I figure out what sneaky login tricks to look for.
10
anthony_lane55
And here's the thing nobody is talking about with those Event ID scripts. They work great until someone gets clever with how they log in. I've seen attackers use things like service accounts or scheduled tasks that don't even trigger those event IDs. You could be sitting there feeling good about your 90 percent catch rate while someone is quietly moving through your network using valid credentials that your script completely ignores. That SOC analyst might be catching the noise but missing the signal if they don't have something watching for lateral movement or unusual logon patterns. The real question isn't about the tool you use. It's about whether you actually understand how people break into your specific environment. A cheap script that looks at two event IDs is only as good as your knowledge of what attackers are doing in your industry right now.
4
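Added example (not the MSP script from the post, and not code from either commenter): what a script that only counts Event IDs 4624 and 4625 sees, next to three checks that look at the fields inside those same events. The input is a constructed, simplified one-event-per-line export (timestamp, event ID, computer, target user, logon type, source IP); real events carry these as the TargetUserName, LogonType and IpAddress data fields plus the Computer element. The thresholds, windows and sample data are assumptions chosen for the demonstration.

```python
"""Logon-pattern checks over Windows Security events 4624/4625.

Constructed input format (one event per line, comma-separated):
    timestamp,event_id,computer,target_user,logon_type,ip_address
"""
from collections import defaultdict
from datetime import datetime, timedelta

# LogonType values recorded in 4624/4625. Batch (4) covers scheduled
# tasks, Service (5) service startup; 3 and 10 are the remote kinds.
NETWORK, BATCH, SERVICE, REMOTE_INTERACTIVE = 3, 4, 5, 10


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, eid, computer, user, ltype, ip = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts), "event_id": int(eid),
            "computer": computer, "user": user.lower(),
            "logon_type": int(ltype), "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def count_only(events):
    """Everything a two-event-ID counter knows: totals per event ID."""
    counts = defaultdict(int)
    for e in events:
        counts[e["event_id"]] += 1
    return dict(counts)


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a source IP with >= threshold 4625s inside `window` that is
    then followed by a 4624 from the same IP (assumed thresholds)."""
    alerts, by_ip = [], defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        failures = []
        for e in evs:
            failures = [t for t in failures if e["ts"] - t <= window]
            if e["event_id"] == 4625:
                failures.append(e["ts"])
            elif e["event_id"] == 4624 and len(failures) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "ip": ip,
                               "user": e["user"], "failures": len(failures)})
                failures = []
    return alerts


def lateral_movement(events, min_hosts=3, window=timedelta(minutes=30)):
    """Flag an account whose network/RDP logons (4624, type 3 or 10) hit
    >= min_hosts distinct computers inside `window`. Every one of these
    is a successful logon with valid credentials, so an event-ID count
    alone never distinguishes it from normal traffic."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] in (NETWORK, REMOTE_INTERACTIVE):
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():           # evs already time-ordered
        for i, first in enumerate(evs):
            hosts = {x["computer"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "lateral_movement", "user": user,
                               "hosts": sorted(hosts)})
                break
    return alerts


def non_interactive_logons(events):
    """List 4624s with batch or service logon types, so scheduled-task and
    service logons can be baselined per host instead of counted as noise."""
    return [(e["computer"], e["user"], e["logon_type"]) for e in events
            if e["event_id"] == 4624 and e["logon_type"] in (BATCH, SERVICE)]


# Constructed sample: a 5-failure burst then success from 10.0.0.50, two
# ordinary logons, a scheduled task, and one account fanning out to
# three servers with valid credentials.
SAMPLE = """\
2024-03-04T09:00:01,4625,WS01,alice,3,10.0.0.50
2024-03-04T09:00:03,4625,WS01,alice,3,10.0.0.50
2024-03-04T09:00:05,4625,WS01,alice,3,10.0.0.50
2024-03-04T09:00:07,4625,WS01,alice,3,10.0.0.50
2024-03-04T09:00:09,4625,WS01,alice,3,10.0.0.50
2024-03-04T09:00:12,4624,WS01,alice,3,10.0.0.50
2024-03-04T09:05:00,4624,WS03,bob,2,-
2024-03-04T09:10:00,4624,WS02,taskrunner,4,-
2024-03-04T09:20:00,4624,FS01,svc_backup,3,10.0.0.77
2024-03-04T09:26:00,4624,FS02,svc_backup,3,10.0.0.77
2024-03-04T09:31:00,4624,DC01,svc_backup,10,10.0.0.77
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print("counts:", count_only(evs))
    print("brute force:", brute_force_then_success(evs))
    print("lateral:", lateral_movement(evs))
    print("batch/service:", non_interactive_logons(evs))
```

On the sample, the counter reports five failures and six successes and nothing else; the field-aware checks separate the password-guessing burst, the account fanning out across three hosts, and the scheduled-task logon that needs a per-host baseline rather than an alert. Real data needs the thresholds tuned against what is normal for the environment, which is the point of the thread.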