SOC: Maturity Levels

So I tweeted a SOC PSA about great places to start detection. I gave a few ideas and got back many responses about things to include. The discussion focused on Level 1, but I started adding more and categorized things. The levels are my own opinion and will likely change over time as I add more depth and breadth to this list.

Here is the list:

Level 1

  • full DNS logs
  • Firewall Logs from both OS network firewalls
    • Block SMB internally and alert on events
    • Block HTTP from non-proxy
  • Bro logs/Netflow
  • Admin Auth logs
  • Proxy Logs – @lmeyerov – assuming you have proxies required
  • Anti-Virus Logs – @hhf – Great indicators
  • Email Logs – @chadalt – excellent data source for watching for phishing.
  • IDS/WAF Logs
  • HTTP Headers

Level 2

  • Web Server Logs
  • Database Logs – Auth + Query
  • Application Logs
  • Powershell
  • Hashes of Binaries transmitted
  • DHCP Logs – @stielervaneeden
  • Host Logs – @hhf – Great indicators, but the log to value trade-off for host auth logs is lower than other logs mentioned here.
  • Process Execution Parent-Child Relationships – @MrBenChung
  • Application Whitelisting Logs (if App Whitelisting is deployed) – @MrBenChung

Level 3

  • SSL Certificate Metadata – @vivekrj
  • Full PCAP – @MrBenChung
  • Script Logging
  • Wifi Connection Logs – @MrBenChung
  • NAC Logs (if you have NAC deployed)

Leave a Reply

Your email address will not be published. Required fields are marked *