Insider Threat Content Assistance
Does anybody have some rules or content they can share for insider threat?
Is there any reference documentation that would help me to build some correlation rules for Insider Threat that I could reference?
I am trying to keep Arcsight here in this network without SPLUNK taking over. I need to find some good content that can prove what Arcsight can do and that it can do it better then SPLUNK.
Please share some knowledge in this effort.
Any help would be greatly appreciated! Thanks.