I am running a PoC and facing this challenge.

Sentinel is receiving logs from various network devices(routers, core
switches, firewalls etc) and we can very easily track when a network
admin performs any configuration changes(create or modify acl, shutdown
a port etc) or install a patch via queries(reports etc) and correlation
However we are unable to understand what other insights we can get from
the events/logs of network devices. Any one here please share what else
we should look for ? Any correlation rule ? what could be the "Events of
Interest" we should search ? Any possibility to search for events that
could help us that its from a virus/trojan or someone is using "remote
support software" ?


sharfuddin's Profile: https://forums.netiq.com/member.php?userid=1016
View this thread: https://forums.netiq.com/showthread.php?t=56616