So I tweeted a SOC PSA about great places to start with detection. I gave a few ideas and got back many responses about things to include. The discussion focused on Level 1, but I started adding more and categorizing the items. The levels are my own opinion and will likely change over time as I add more depth and breadth to this list.
Here is the list:
- full DNS logs
- Firewall Logs from both OS and network firewalls
- Block SMB internally and alert on events
- Block HTTP from non-proxy hosts
- Bro logs/Netflow
- Admin Auth logs
- Proxy Logs – @lmeyerov – assuming proxies are required
- Anti-Virus Logs – @hhf – Great indicators
- Email Logs – @chadalt – an excellent data source for spotting phishing.
- IDS/WAF Logs
- HTTP Headers
- Web Server Logs
- Database Logs – Auth + Query
- Application Logs
- Hashes of Binaries transmitted
- DHCP Logs – @stielervaneeden
- Host Logs – @hhf – Great indicators, but the log to value trade-off for host auth logs is lower than other logs mentioned here.
- Process Execution Parent-Child Relationships – @MrBenChung
- Application Whitelisting Logs (if App Whitelisting is deployed) – @MrBenChung
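As an added example (not from the original post), here is a small Python check over constructed Bro/Zeek conn.log-style records that alerts on two of the items above: SMB between internal hosts that is not headed for a known file server, and outbound HTTP from anything other than the proxy. The internal range, the proxy and file-server addresses, and the log lines are all assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed conn.log-style records (tab-separated, a subset of Bro/Zeek fields):
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
SAMPLE_CONN_LOG = """\
1459300000.1\t10.1.2.10\t49152\t10.1.2.20\t445\ttcp\tsmb
1459300001.2\t10.1.2.10\t49153\t10.1.0.5\t445\ttcp\tsmb
1459300002.3\t10.1.2.11\t49154\t203.0.113.5\t80\ttcp\thttp
1459300003.4\t10.1.9.9\t40000\t203.0.113.5\t80\ttcp\thttp
1459300004.5\t10.1.2.11\t49155\t10.1.9.9\t3128\ttcp\thttp
"""

# Assumed environment: one internal range, one file server allowed to
# receive SMB, and one proxy allowed to speak HTTP to the outside.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FILE_SERVERS = {ipaddress.ip_address("10.1.0.5")}
PROXIES = {ipaddress.ip_address("10.1.9.9")}

Conn = namedtuple("Conn", "ts orig_h orig_p resp_h resp_p proto service")


def parse_conn_log(text):
    """Turn tab-separated conn.log lines into Conn records, skipping comments."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        records.append(Conn(float(f[0]), ipaddress.ip_address(f[1]), int(f[2]),
                            ipaddress.ip_address(f[3]), int(f[4]), f[5], f[6]))
    return records


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def detect(records):
    """Return (rule, source, destination) tuples for the two list items."""
    alerts = []
    for c in records:
        # Internal SMB that does not land on a known file server: host-to-host SMB.
        if (c.resp_p == 445 and is_internal(c.orig_h) and is_internal(c.resp_h)
                and c.resp_h not in FILE_SERVERS):
            alerts.append(("smb_lateral", str(c.orig_h), str(c.resp_h)))
        # HTTP to an external address from a host that is not the proxy.
        if c.service == "http" and not is_internal(c.resp_h) and c.orig_h not in PROXIES:
            alerts.append(("http_bypass_proxy", str(c.orig_h), str(c.resp_h)))
    return alerts
```

Run `detect(parse_conn_log(SAMPLE_CONN_LOG))` to see one SMB alert and one proxy-bypass alert; the HTTP request to the proxy itself and the proxy's own egress stay quiet.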