What Security Data Sources to Collect
Proxy logs = these logs are good for C2 analysis: files, domains, and downloads of DLL/EXE files
Anti-virus logs = these logs are good for analysis of malware and of vulnerabilities on hosts, laptops and servers, and for monitoring suspicious file paths
Server Operating System logs = these logs are good for analysis of server activity such as users, runaway services and security logs
Firewall logs = for network traffic of source/destination IP addresses, ports, protocols
Mail logs = for inbound/outbound mail for malicious links, targeted recipients, unauthorized files outbound, data loss, bad attachments
Custom application logs = can be analyzed for possible buffer overflow, code injection and SQL injection
File Access System logs = what Personally Identifiable Information (PII) is stored where and who has access to it, plus the full lifecycle of all PII including proof of deletion. (Get rid of all data on minors if possible.) GDPR and other privacy regulations are making this more important.
Intrusion Detection / Prevention System (IDS/IPS) logs = capture logs to alert on signatures firing, custom signatures and bad network packets
Database logs = capture these logs for authorized access to critical data tables, authorized logons, open ports, admin accounts
Virtual Private Network (VPN) logs = capture logs to analyze users coming into the network for situational awareness, monitored foreign IP subnets, and compliance monitoring of browsers/apps on connected hosts
Authentication logs = monitor authorized/unauthorized users, time of day of connection, how often, logons/logoffs, BIOS analysis
Vulnerability Scan Data = import data about assets, vulnerabilities, patch data, etc.
Web Application logs = external-facing logs to monitor for suspicious SQL keywords, text patterns and regex matches for threats coming in through the browser
DNS logs = to correlate which IPs go to which domain at the client level
DHCP logs = monitor which systems are assigned which IP address, for how long and how often
Active Directory/Domain Controller logs = monitor user accounts for AD admins, privileged accounts, remote access, multiple admins across the domain, new account creation, event IDs
Domain logs (with auditing turned on) = these give good post-mortem information and can also be used to trigger automatic responses and alerts.
Badge Access logs = capture to correlate insider threat activity and for situational awareness; correlate this data with authentication logs
Router/Switch access and change logs = an excellent audit trail for troubleshooting and for tracking authorized and unauthorized changes.
Router/Switch flow data (NetFlow) = capture this critical data source for APT monitoring, network monitoring, data exfiltration detection and flow analysis; this is a very important data source
Packet Capture (PCAP) logs = capture this very critical data source for APT and data exfiltration awareness, packet analysis, deep packet inspection, malware analysis, etc.
Network Access Control (NAC) logs = capture this data source for remote host information such as application monitoring, compliance, patch awareness, user sign-on/off of the network, remote access awareness, etc.
VoIP / phone logs = changes, access and packet captures are also useful.
CCTV/Camera system = access logs and audit trails
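The VPN and badge access entries above both call for correlating sources. As an added example that is not part of the original list, the script below joins constructed badge logs with constructed VPN authentication logs: it flags a successful VPN logon that happens shortly after the same user badged in on-site, and any VPN logon from a monitored subnet. The key=value log format, the 4-hour window and the subnet list are assumptions for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample records in an assumed "timestamp key=value ..." format (not from any real system)
BADGE_LOGS = [
    "2024-05-01T08:02:11Z user=alice door=HQ-Lobby result=GRANTED",
    "2024-05-01T08:05:30Z user=bob door=HQ-Lobby result=GRANTED",
]
VPN_LOGS = [
    "2024-05-01T08:40:02Z user=alice src=203.0.113.7 result=SUCCESS",  # badged on-site AND monitored subnet
    "2024-05-01T09:10:45Z user=bob src=198.51.100.9 result=SUCCESS",   # badged on-site, unmonitored subnet
    "2024-05-01T22:15:00Z user=carol src=192.0.2.44 result=SUCCESS",   # not on-site, monitored subnet
    "2024-05-01T22:16:00Z user=dave src=10.20.30.40 result=FAILURE",   # failed logon, ignored here
]
# Hypothetical "monitored foreign IP subnets" (documentation ranges used as placeholders)
MONITORED_SUBNETS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("192.0.2.0/24")]

LINE = re.compile(r"^(\S+)\s+(.*)$")

def parse(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp is parsed under 'ts'."""
    ts, rest = LINE.match(line).groups()
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def correlate(badge_lines, vpn_lines, monitored, window=timedelta(hours=4)):
    """Return (user, timestamp, reason) tuples for successful VPN logons that either
    fall within `window` after the user's on-site badge-in or come from a monitored subnet."""
    badged = {}
    for rec in map(parse, badge_lines):
        if rec["result"] == "GRANTED":
            badged.setdefault(rec["user"], []).append(rec["ts"])
    alerts = []
    for rec in map(parse, vpn_lines):
        if rec["result"] != "SUCCESS":
            continue
        src = ipaddress.ip_address(rec["src"])
        if any(timedelta(0) <= rec["ts"] - t <= window for t in badged.get(rec["user"], [])):
            alerts.append((rec["user"], rec["ts"], "vpn logon while badged on-site"))
        if any(src in net for net in monitored):
            alerts.append((rec["user"], rec["ts"], "vpn logon from monitored subnet"))
    return alerts

if __name__ == "__main__":
    for user, ts, reason in correlate(BADGE_LOGS, VPN_LOGS, MONITORED_SUBNETS):
        print(f"{ts:%Y-%m-%d %H:%M} {user:<6} {reason}")
```

A user who is badged into the building yet logs on over VPN is worth a look as possible credential sharing or account compromise; the same join works against any authentication source listed above.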