SANS – Critical Log Review Checklist for Security Incidents

SANS – Critical Log Review Checklist for Security Incidents and Use Case Log Sources


A SIEM is like your organization's central nervous system. It is a very complex tool, and there are two key aspects of any SIEM that determine whether it delivers real-time visibility into your cyber security health.

1) Log sources – the data from log sources is what gives you visibility of your whole IT estate in a single pane of glass.

2) Use cases or correlation – these are the rules that identify IoCs, TTPs, APTs, etc., correlating them against various threat intelligence.

All too often, events that do make it to the SIEM don't result in a notable or correlated event because of faulty configurations, as well as problems with alerting, parsing, time stamping, routing, etc. This means the likelihood of a human seeing and responding to the event is very low. Therefore it is vital to test your use cases via Red Team and attack scenarios based on specific exploits, and to run a use case test against all of your data sources.
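
The pipeline problems named above (silent sources, timestamp drift, parse failures) can be checked continuously rather than discovered during an incident. The script below is an added example, not code from the original post or from SANS: it runs a health check over a constructed sample of normalised SIEM events. The record fields (`source`, `event_time`, `received_time`, `parsed`), the host names and the tolerances are assumptions for illustration, not any vendor's schema.

```python
"""Log-source health check for a SIEM pipeline (added example, assumed schema)."""
from datetime import datetime, timedelta, timezone

# Constructed list of sources the SIEM is expected to receive from, with the
# longest silence still acceptable for each one (a heartbeat tolerance).
EXPECTED_SOURCES = {
    "fw-edge-01": timedelta(minutes=5),
    "dc-01-security": timedelta(minutes=10),
    "proxy-web-01": timedelta(minutes=15),
    "edr-cloud": timedelta(minutes=30),
}

# Largest acceptable gap between the event's own timestamp and receive time.
MAX_CLOCK_SKEW = timedelta(minutes=2)

# Constructed sample of normalised events. parsed=False marks an event the
# parser rejected (raw line kept, no fields extracted).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"source": "fw-edge-01", "event_time": NOW - timedelta(minutes=1),
     "received_time": NOW - timedelta(minutes=1), "parsed": True},
    {"source": "fw-edge-01", "event_time": NOW - timedelta(minutes=3),
     "received_time": NOW - timedelta(minutes=2), "parsed": False},
    # Domain controller: last event 45 minutes ago, beyond its tolerance.
    {"source": "dc-01-security", "event_time": NOW - timedelta(minutes=45),
     "received_time": NOW - timedelta(minutes=45), "parsed": True},
    # Proxy: event timestamp three hours behind receive time (clock skew).
    {"source": "proxy-web-01", "event_time": NOW - timedelta(hours=3),
     "received_time": NOW - timedelta(minutes=1), "parsed": True},
    # edr-cloud sends nothing at all in this window.
]


def check_log_sources(events, expected=EXPECTED_SOURCES, now=NOW,
                      max_skew=MAX_CLOCK_SKEW):
    """Return findings keyed by source name; healthy sources are omitted.

    Each finding is a list of tags: 'silent', 'clock_skew',
    'parse_failures=<n>' or 'unexpected_source'.
    """
    last_seen, skew, parse_failures = {}, {}, {}
    for ev in events:
        src = ev["source"]
        last_seen[src] = max(last_seen.get(src, ev["received_time"]),
                             ev["received_time"])
        # Skew is the absolute gap between event time and receive time.
        delta = abs(ev["received_time"] - ev["event_time"])
        skew[src] = max(skew.get(src, timedelta(0)), delta)
        if not ev["parsed"]:
            parse_failures[src] = parse_failures.get(src, 0) + 1

    findings = {}
    for src, tolerance in expected.items():
        problems = []
        seen = last_seen.get(src)
        if seen is None or now - seen > tolerance:
            problems.append("silent")
        if skew.get(src, timedelta(0)) > max_skew:
            problems.append("clock_skew")
        if parse_failures.get(src):
            problems.append(f"parse_failures={parse_failures[src]}")
        if problems:
            findings[src] = problems
    # A feed nobody registered is worth a look too (mis-routing or shadow IT).
    for src in last_seen:
        if src not in expected:
            findings[src] = ["unexpected_source"]
    return findings


if __name__ == "__main__":
    for src, problems in sorted(check_log_sources(SAMPLE_EVENTS).items()):
        print(f"{src}: {', '.join(problems)}")
```

Run as a scheduled job against the last collection window, the findings become their own notable event: a domain controller that has gone quiet or a proxy whose clock is hours out is exactly the kind of gap a red team exercise would otherwise be the first to reveal.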


3) Attack simulation based on use cases, Red Teaming, Purple Teaming and automated pentesting (DNA – Database, Network, Applications), using tools such as the following – periodic:
  • Architecture risk analysis (ARA). About half of the software defects that create security problems are flaws in design. ARA identifies those flaws and determines the level of risk to business information assets.
  • Static application security testing (SAST). This helps teams find and fix security and quality weaknesses in proprietary code as it is being developed.
  • Dynamic application security testing (DAST). This tests applications while they are running, simulating an attack by a hacker.
  • Interactive application security testing (IAST). This also tests running applications, but unlike DAST it uses code instrumentation to observe application behavior and data flow. It is useful for CI/CD (continuous integration/continuous delivery) development environments, where the priorities are speed and automation.
  • Software composition analysis (SCA). Almost every application in existence today is built, at least in part, on open source software components. SCA finds those components, along with any associated security vulnerabilities that have been reported against them.
  • Pen testing. This is best done at the end of development and is considered an extension of DAST. The goal is to find vulnerabilities in web applications and services and then try to exploit them, so developers can fix them before a product hits the market.
CSO table: Open-source ATT&CK test tools


A customer recently asked me what the main log sources for threat detection are. Here is a good example list:

Attack surface:

  • Policy
  • Network
  • Servers
  • Workstations
  • Users
  • Credentials
  • Documents
  • Storage
  • Configuration
  • Cloud
    • Change Monitoring (RedLock)
    • Control Plane
    • Data Plane
    • Virtual Machines
    • Services
    • Applications
    • Storage

Rank potential event sources in order of recommended priority:

  • DMZ
    • External-facing websites
    • WAF
  • North-South Traffic (All external links) (Egress / Ingress)
    • Firewalls, Routers, SDNs, WANs and Switches
  • Firewalls
    • Layer 7 monitoring
  • DNS Servers
  • DHCP
  • Authentication
    • RADIUS
    • VPN
    • Identity/Directory Services
      • User Directory
      • Active Directory
      • Azure AD
    • SSO
    • PAM
    • CASB
    • IAM
    • Key management
  • Operating Systems
  • Malware defence
    • Web Gateway/Proxy
    • Email Gateway/Proxy
    • Anti-Virus
    • Anti-phishing, Social Media, Web
  • East-West Traffic
    • Routers
    • Switch CAM tables
    • Wireless
  • Device Register
    • Asset Register / Risk Profile assessment
    • CMDB
    • ITSM
    • Application Register
  • Endpoint Security
    • Anti-Virus/Anti-malware/Phishing detection
    • EDR
    • MDM
    • MAC
  • Vulnerability Scanner
    • Continuous Monitoring
    • OpenSCAP
  • Log/SIEM
  • FIM
  • NAC
  • DLP
  • Physical
  • Fraud Detection
  • Certificate Management
  • SaaS
  • Physical Access/Security
  • Physical servers/DCs
  • Storage
  • Insider
  • Shadow IT monitoring
    • EDR/Layer 7 Traffic/SaaS usage/SaaS Storage/Change Detection
      • Slack can expose information simply by someone inviting an external user into a company channel, due to Slack misconfiguration.
      • Grammarly – key logger, registers all keystrokes and was hacked recently.
      • Passwordless (unauthenticated) Elasticsearch or similar NoSQL databases are a huge exposure.
      • Continuous scanning of the database landscape.
  • Traffic Anomaly Based Detection
    • Application mapping
      • e.g. ScienceLogic
      • e.g. AppDynamics
    • Network Protocol Analysis
    • Network Traffic Mapping
      • e.g. ExtraHop
  • Security Configuration Management, Change detection, Configuration and central management consoles
    • e.g. SolarWinds Configuration Manager, AlgoSec, Tufin, Tripwire
  • Continuous Monitoring of external-facing assets/resources/IPs/external-facing IP subnet scans
    • Can your IT team expose any internal resources externally, via Cloud, SaaS or on-prem? There is no single technology that can do this; it requires the team to create their own tools and continuous scans, depending on the environment. You can have a 100% secure, monitored environment and a sysadmin could still create a new exposure that is not even monitored. This is one of the major ways data exposures have occurred in recent history, e.g. exposure of data on S3, or backups saved on an external-facing website. Pentest scans and change detection are required.
  • Ephemeral resource detection
    • Assetnote
  • Vendor Risk
    • BitSight
  • OSINT – open-source intelligence gathering
  • Dark Web Monitoring
  • Honey pots
  • DDoS
  • Threat Streams (Governments, etc.)
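
The "Continuous Monitoring of external-facing assets" item above argues for change detection over what is exposed, because a sysadmin can create a new exposure that no existing monitor covers. The following is an added example, not the post's own tooling: it diffs a reviewed baseline of approved external exposures against the latest inventory snapshot (gathered separately, for instance from a periodic external port scan or a cloud API listing of public resources) and grades anything new. Both snapshots, the addresses, the record shape (service, owner) and the risky-service list are constructed assumptions for illustration.

```python
"""Change detection over externally exposed services (added example)."""

# Constructed baseline: exposures that were reviewed and approved.
BASELINE = {
    ("203.0.113.10", 443): {"service": "https", "owner": "web-team"},
    ("203.0.113.10", 80): {"service": "http-redirect", "owner": "web-team"},
    ("203.0.113.20", 443): {"service": "vpn", "owner": "netops"},
    ("backups.example.net", 443): {"service": "https", "owner": "it-ops"},
}

# Constructed latest snapshot: an unowned database port has appeared, an
# object-storage bucket has become world-readable, and the old redirect is gone.
LATEST = {
    ("203.0.113.10", 443): {"service": "https", "owner": "web-team"},
    ("203.0.113.20", 443): {"service": "vpn", "owner": "netops"},
    ("203.0.113.30", 9200): {"service": "elasticsearch", "owner": None},
    ("backups.example.net", 443): {"service": "https", "owner": "it-ops"},
    ("backup-archive-bucket", "public-read"): {"service": "object-storage",
                                               "owner": "it-ops"},
}

# Services that should essentially never face the internet; an assumption
# for this example, tune to your own policy.
RISKY_SERVICES = {"elasticsearch", "mongodb", "redis", "rdp", "smb",
                  "object-storage"}


def diff_exposures(baseline, latest, risky=RISKY_SERVICES):
    """Compare two exposure snapshots.

    Returns {'new': [(key, record, severity)], 'removed': [(key, record)],
    'changed': [(key, old_record, new_record)]}. A new exposure is 'high'
    when its service is in the risky set or it has no owner, else 'review'.
    """
    new, removed, changed = [], [], []
    for key, rec in latest.items():
        if key not in baseline:
            high = rec["service"] in risky or rec["owner"] is None
            new.append((key, rec, "high" if high else "review"))
        elif baseline[key] != rec:
            changed.append((key, baseline[key], rec))
    for key, rec in baseline.items():
        if key not in latest:
            removed.append((key, rec))
    return {"new": new, "removed": removed, "changed": changed}


if __name__ == "__main__":
    report = diff_exposures(BASELINE, LATEST)
    for key, rec, sev in report["new"]:
        print(f"NEW [{sev}] {key[0]}:{key[1]} {rec['service']} owner={rec['owner']}")
    for key, rec in report["removed"]:
        print(f"REMOVED {key[0]}:{key[1]} {rec['service']}")
    for key, old, cur in report["changed"]:
        print(f"CHANGED {key[0]}:{key[1]} {old} -> {cur}")
```

The value is in the baseline: every approved exposure is recorded with an owner, so anything the diff reports has either never been reviewed or has drifted, and the high-severity cases (an unauthenticated datastore, a public bucket) can be routed to the SIEM as their own alert rather than waiting for a pentest to find them.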

Reference information:



