Thursday – January 23, 2020 – Downtown

SIEM Workshops with RedLegg is a regional event series for cybersecurity professionals looking to build & expand their security strategies in order to grow and better protect their businesses.

Join RedLegg’s Security Research and Deployment Architects for discussions around both Operational and Threat-based topics about preparing, deploying, and maximizing your logging environment, utilizing best practices, security frameworks, and additional tools.

Special emphasis will be placed on completeness of logging as well as dialing in on key information to provide you with high-confidence, actionable, and – in some cases – proactive intelligence.

Topics are based around the how and why of the proper deployment, tuning, and maintenance of your security log monitoring platform. Special emphasis is placed on honing in on critical pieces of infrastructure, reducing overall noise, and following operational best practices.



The afternoon discussions will focus on knowing what you’re protecting, quantifying risk, and managing your ongoing threat and alarming environment. Our experts will review how use cases and threat modeling are critical to creating a proper alarming profile.

Bring your laptops and tools, and be ready to pop the hood. We'll have a secure and strong WiFi connection if you want to refer to your own solutions to better walk through specific use cases and scenarios.



RedLegg's team of expert security architects and LogRhythm support engineers will be onsite leading sessions and performing deep dives. Come ready with the hardest roadblocks you have. See if you can stump the experts.

11:00 am - 11:30 am - Registration Opens & Lunch

  • Sign in and grab some RedLegg swag! We’ll also have lunch served for you to fuel up and meet some of your neighbors before we get started.

11:30 am - 2:30 pm - Operational Track

  • Network Tools: Security vs Operational - Learn the differences between Security-focused and Operations-focused tools and the impact that both can have within your environment. Emphasis will be placed on knowing the use cases for each and how a mature practice implements both.
  • Logging for Critical Visibility - Discussion will be focused around what you NEED to log to get the necessary visibility into the critical aspects of your environment. This includes potentially sensitive information, risk platforms, and potential ingress/egress points.
  • Designing for Growth - Planning the growth of your logging infrastructure is a long-term effort: while you may scope for your current logging environment, future growth and resource planning are critical to getting the most out of an expensive SIEM investment.
  • Windows Logging Fundamentals - With Windows logging, there is a lot of information that is collected and forwarded to a logging solution. This talk discusses the key points and value in collecting Windows logs and focuses on the key things to keep in mind so that valuable information does not slip through the cracks of the noise.
  • Noise and Volume: Keeping Visibility and Sanity - One of the most daunting aspects of deploying and managing a logging solution is the prospect of tuning and managing the logging levels of the reporting sources. This discussion will explain best practices used to help end users tune and calibrate their hosts to get the most confident information.
  • Less CAN Be More: Best Practices - It can be difficult to know where to begin with enabling security rules within any logging solution. Our engineers will review best practices around LogRhythm and explain how a manageable ruleset can be attained (e.g., in some cases, a “Less is More” approach with solidly built rules and following an appropriate framework).

2:30 pm - 4:30 pm - Threat-Based Track

  • Quantifying Risk - This topic delves into the concept of mean time to detect a potential security risk. Our team will explain how we utilize information to identify a potential risk more quickly and how much of a difference a timely response can make.
  • What Are You Protecting? - You have to first know what you have and where it is before you can protect it. This discussion delves into properly identifying and classifying critical assets before designing the proper solutions to protect them.
  • Regulatory Compliance Requirements - It can be overwhelming to understand everything you are responsible for with all the various governance and auditing bodies that exist today. This topic explores building a proper path for practical and repeatable compliance and audit preparation.
  • Use Cases and Alarm Creation - To properly build effective alarms, it is important to understand the use cases they are monitoring for. This discussion explores the various risk use cases and appropriate thresholds for building strong security alarms.
  • Threat Modeling - Knowing how to properly model a potential threat can go a long way toward proactively preparing to prevent it. This discussion on how to build and apply threat modeling for proactive security is key for anyone involved in security or operations.
  • The Importance of DNS Logging - One of the less obvious log sources that can shed light on potential risks is DNS logs. This topic dives into how the proper integration of these logs into a logging platform can add value to your overall security posture.
  • Threat Intel Time Sensitivity - With lots of options out there, our team will review the concept of Threat Intelligence and discuss some of the top providers and how they integrate with your security logging platform. Focus will be placed on the age of the data and how important reliable, up-to-date intelligence is.

4:30 pm - 4:50 pm - Closing Remarks

  • We'll wrap up with some final thoughts, but if you want to stick around, we're happy to help answer any questions.

5:00 pm - 7:00 pm - Happy Hour (Optional Fun)

  • Join the RedLegg team to unwind and close the day out!

Stew Williams
Director of Services
JD Bacon
Manager of Threat and Incident Research
Mark Kikta
Security Architect

(It's free!)