notes blog about

It’s important to identify a breach ASAP. According to some studies the mean time is around 200 days.

Logs are more difficult/costly to store and process.

Each log should contain when, what, and who.

What (logs and metrics) to watch

Privileged user access - to detect unauthorized person pretending to be an admin

Logs from defensive tooling (WAFs, Anti-DDoS, FWs, IDS/IPS, Antivirus, Honeypots)

Services, OSs, middleware

Secret server


How to watch

These steps may be all done by a single product (e.g. SIEM), or by multiple products/services acting together.

Logging and alerting chain:


Unfortunately, there are thousands of different log formats. A few common formats: syslog (atlhough the body/message is free-form), CLF, ELF, CEF, CADF.

Search/correlation examples: search for all login failures during certain time period, all successful logins with a VPN, malware detection followed by a login.

Alerting is where the art lies in log analysis. You need a balance between too many false positives and no alerts at all. You need a feedback loop to know whether to modify (increase threshold) or remove an alert. Consider running periodic tests that will generate alerts.

There are some alerts that you should always follow up; e.g. multiple login failures for privileged users, malware detected. When logs stop flowing is a security issue too!

Automated responses have potential to disrupt your business. Also can be leveraged by attackers - an easy DoS attack using a simple port scanner or a few failed logins.

Rotate different individuals in and out. You need some way to ensure that an alert is acknowledged within a certain amount of time or escalated to someone else to handle.

In many cases, organizations use a hybrid model where some of the lower-level monitoring and alerting is performed by a MSSP (managed security service provider)/SOC, and the more important alerts are escalated to in-house staff.

Sample SIEM alerts:

Source: Practical Cloud Security (2019)