I tweeted a SOC PSA about good places to start building detection, gave a few ideas, and got back many suggestions of things to include. The discussion focused on Level 1, but I kept adding items and grouped them into levels. The levels are my own opinion and will likely change over time as I add depth and breadth to this list.
Here is the list:
Level 1
- Knowledge of a SIEM – pivoting through different data sources/points
- Knowledge of an IDS/IPS/WAF alert and how to research it
- Full DNS logs
- Firewall Logs from both OS & network firewalls
- Block SMB between workstations internally and alert on both the denied attempts and any allowed connections that slip through
- Block outbound HTTP/HTTPS that does not originate from the proxy and alert on attempts
- Bro/Netflow alerts
- Admin Auth logs
- Proxy Logs – @lmeyerov – assuming outbound web traffic is required to go through a proxy
- Anti-Virus Logs – @hhf – Great indicators
- Email Logs – @chadalt – excellent data source for watching for phishing.
- HTTP Headers
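The two "block and alert" items above are simple enough to write as rules over firewall logs. The following is an added example, not code from the original post, and its environment is assumed: RFC 1918 space counts as internal, 10.0.0.5 is the only host allowed to speak HTTP(S) outbound (the proxy), 10.1.1.10 is a file server that workstations may reach over SMB, and the sample log lines are constructed in a generic key=value layout rather than any vendor's format.

```python
import ipaddress
from dataclasses import dataclass

# Assumed environment for this example (not from the post).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROXY_HOSTS = {ipaddress.ip_address("10.0.0.5")}      # only host allowed outbound HTTP(S)
SMB_SERVERS = {ipaddress.ip_address("10.1.1.10")}     # file server workstations may reach
SMB_PORTS = {139, 445}
HTTP_PORTS = {80, 443}

# Constructed sample firewall lines in a generic key=value layout (not a vendor format).
SAMPLE_LOG = """\
ts=2019-02-01T10:00:01Z action=allow proto=tcp src=10.0.0.5 spt=52311 dst=93.184.216.34 dpt=443
ts=2019-02-01T10:00:02Z action=allow proto=tcp src=10.1.4.22 spt=52312 dst=93.184.216.34 dpt=80
ts=2019-02-01T10:00:03Z action=deny proto=tcp src=10.1.4.22 spt=52313 dst=10.1.4.40 dpt=445
ts=2019-02-01T10:00:04Z action=allow proto=tcp src=10.1.4.22 spt=52314 dst=10.1.1.10 dpt=445
ts=2019-02-01T10:00:05Z action=allow proto=tcp src=10.1.4.22 spt=52315 dst=10.1.4.41 dpt=445
ts=2019-02-01T10:00:06Z action=allow proto=udp src=10.1.4.22 spt=5353 dst=10.1.1.1 dpt=53
"""


@dataclass
class Alert:
    rule: str
    ts: str
    src: str
    dst: str
    dpt: int
    action: str


def parse_line(line):
    """Split one key=value firewall line into a typed dict."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "ts": fields["ts"],
        "action": fields["action"],
        "proto": fields["proto"],
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dpt": int(fields["dpt"]),
    }


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(ev):
    """Return the alerts a single firewall event triggers (possibly none)."""
    alerts = []
    src, dst, dpt = ev["src"], ev["dst"], ev["dpt"]
    common = dict(ts=ev["ts"], src=str(src), dst=str(dst), dpt=dpt, action=ev["action"])
    if (ev["proto"] == "tcp" and dpt in SMB_PORTS and is_internal(src)
            and is_internal(dst) and dst not in SMB_SERVERS):
        # Workstation-to-workstation SMB. A deny means the block held but someone
        # tried; an allow means the block has a gap. Both deserve an alert.
        alerts.append(Alert(rule="internal-smb", **common))
    if (ev["proto"] == "tcp" and dpt in HTTP_PORTS and not is_internal(dst)
            and src not in PROXY_HOSTS):
        # Direct outbound web traffic that bypasses the proxy.
        alerts.append(Alert(rule="http-not-from-proxy", **common))
    return alerts


def scan(log_text):
    """Run every non-empty line of a firewall log through both rules."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(evaluate(parse_line(line)))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.rule:20} {a.src} -> {a.dst}:{a.dpt} ({a.action})")
```

Run against the constructed sample, the proxy's own HTTPS session and the allowed SMB session to the file server stay quiet; the workstation going straight to port 80, the denied workstation-to-workstation SMB attempt and the allowed one on the next line each raise an alert. The last of these is the one to chase first: an allowed internal SMB flow from a workstation means the block rule is incomplete.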
Level 2
- Web Server Logs
- Bro/Netflow Logs
- Database Logs – Auth + Query
- Application Logs
- PowerShell logs
- Hashes of binaries transmitted over the network
- DHCP Logs – @stielervaneeden
- Host Logs – @hhf – Great indicators, but the volume-to-value trade-off for host auth logs is less favourable than for the other logs mentioned here.
- Process Execution Parent-Child Relationships – @MrBenChung
- Application Whitelisting Logs (if App Whitelisting is deployed) – @MrBenChung
- False Positive Root Cause Analysis
- Identifying new data sources of value
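Parent-child process relationships and PowerShell logs are where Level 2 starts to pay off, because a handful of pairings are almost never legitimate. The following is an added example, not code from the original post: it runs three checks over constructed process-creation records (an Office application spawning a script host, PowerShell launched with an encoded command, and a core Windows process with the wrong parent or the wrong path). The column layout, the host names, the paths and the list of accepted `-EncodedCommand` abbreviations are assumptions for the example, not facts taken from the page.

```python
import csv
import io

# Constructed sample process-creation events (not real telemetry). The columns are a
# minimal subset of what a Sysmon event 1 or an EDR sensor would record.
SAMPLE_EVENTS = r"""time,host,parent,image,cmdline
2019-02-01T10:00:01Z,WS01,C:\Windows\explorer.exe,C:\Program Files\Microsoft Office\WINWORD.EXE,WINWORD.EXE /n C:\Users\bob\Desktop\invoice.docm
2019-02-01T10:00:09Z,WS01,C:\Program Files\Microsoft Office\WINWORD.EXE,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
2019-02-01T10:00:12Z,WS01,C:\Windows\System32\services.exe,C:\Windows\System32\svchost.exe,svchost.exe -k netsvcs
2019-02-01T10:00:15Z,WS01,C:\Windows\System32\cmd.exe,C:\Users\bob\AppData\Local\Temp\svchost.exe,svchost.exe
2019-02-01T10:00:20Z,WS02,C:\Windows\System32\cmd.exe,C:\Windows\System32\ipconfig.exe,ipconfig /all
2019-02-01T10:00:25Z,WS02,C:\Program Files\Microsoft Office\OUTLOOK.EXE,C:\Windows\System32\cmd.exe,cmd.exe /c whoami
"""

# Parents that should not be launching script hosts (assumed list for the example).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Core Windows processes, the only parent each should ever have, and where they live.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "lsass.exe": {"wininit.exe"},
    "csrss.exe": {"smss.exe"},
}
SYSTEM32 = "c:\\windows\\system32\\"


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_encoded_switch(tok):
    """True for -EncodedCommand and the abbreviations assumed here to be accepted:
    -e, -ec, and any prefix of -encodedcommand of three or more characters."""
    return tok in ("-e", "-ec") or (len(tok) >= 3 and "-encodedcommand".startswith(tok))


def evaluate(ev):
    """Return the rule names one process-creation event trips (possibly none)."""
    parent, image = basename(ev["parent"]), basename(ev["image"])
    tokens = ev["cmdline"].lower().split()
    hits = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if image == "powershell.exe" and any(is_encoded_switch(t) for t in tokens):
        hits.append("encoded_powershell")
    if image in EXPECTED_PARENT:
        if parent not in EXPECTED_PARENT[image]:
            hits.append("unexpected_parent")
        if not ev["image"].lower().startswith(SYSTEM32):
            hits.append("masquerading_path")
    return hits


def detect(csv_text):
    """Run every record through the rules; one result dict per rule hit."""
    results = []
    for ev in csv.DictReader(io.StringIO(csv_text)):
        for rule in evaluate(ev):
            results.append({"time": ev["time"], "host": ev["host"],
                            "image": basename(ev["image"]), "rule": rule})
    return results


if __name__ == "__main__":
    for r in detect(SAMPLE_EVENTS):
        print(f'{r["time"]} {r["host"]} {r["rule"]:26} {r["image"]}')
```

On the constructed sample, Explorer launching Word and cmd.exe running ipconfig pass silently, while Word spawning an encoded PowerShell command, a svchost.exe started by cmd.exe from a user's Temp directory, and Outlook spawning cmd.exe each produce hits. The parent allowlist is what makes the third case cheap to catch: the process name is exactly right, and only the relationship and the path give it away.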
Level 3
- SSL Certificate Metadata – @vivekrj
- Full PCAP – @MrBenChung
- Script Logging (e.g., PowerShell script block logging)
- Wifi Connection Logs – @MrBenChung
- NAC Logs (if you have NAC deployed)