Top 7 Essential Log Reports

Top Log Report Candidate

If you like this, go directly to the source page:
http://chuvakin.blogspot.com/2010/07/sans-top-5-essential-log-reports-update.html

1. Authentication and Authorization Reports

  • a. Login Failures and Successes
  • b. Attempts to gain unauthorized access through existing accounts
  • c. Privileged account access (success, failure)
  • d. VPN Authentication and other remote access (success, failure)

2. Change Reports

  • a. Addition/Changes/Deletions to Users, Groups and Services
  • b. Change to configurations
  • c. Application installs and Updates
  • d. Please add more reports you find useful!

3. Network Activity Reports

  • a. Top Internal Systems Connecting Through Firewall // Summary of Outbound Connections
  • b. Network Services Transiting A Firewall
  • c. Top Largest File Transfers Through the Firewall
  • d. Internal Systems Using Many Different Protocols/Ports
  • e. Top Internal Systems With NIDS Alerts
  • f. Proxy Report on File Uploads

4. Resource Access Reports

  • a. File
    • i. Failed File or Resource Access Attempts
  • b. Database
    • i. Top Database Users
    • ii. Summary of Query Types
    • iii. SELECT Data Volume
    • iv. All Users Executing INSERT/DELETE Commands
    • v. Database Backups
  • c. Email
    • i. Top Internal Email Addresses by Volume of Messages
    • ii. Top Attachment Types with Sizes
    • iii. Top Internal Systems Sending Spam // Top Internal Systems Sending Email NOT Through Mail Server

5. Malware Activity Reports

  • a. Top systems with anti-malware events
  • b. Detect-only events from anti-malware tools (“leave-alones”)
  • c. Anti-virus protection failures by type
  • d. Internal malware connections (all sources)

6. “Various FAIL”

  • a. Critical Errors
  • b. Backup failures
  • c. Capacity / Limit Exhaustion
  • d. System and Application Starts, Shutdowns and Restarts

7. Analytic Reports

Mostly Using “Never Before Seen” (NBS) aka “NEW Type/Object” Analysis

  • a. NEW (NBS) IDS/IPS Alert Types
  • b. NEW (NBS) Log Entry Types
  • c. NEW (NBS) Users Authentication Success
  • d. NEW (NBS) Internal Systems Connecting Through Firewall
  • e. NEW (NBS) Ports Accessed
  • f. NEW (NBS) HTTP Request Types
  • g. NEW (NBS) Query Types on Database
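The “Never Before Seen” analysis behind these reports comes down to keeping a per-report set of objects already observed and flagging anything outside it. The following is an added Python example, not code from the original post or from the SANS list; its key=value log format, the three report definitions and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample logs (not real data): a known-good history and today's batch.
BASELINE_LOGS = [
    "auth user=alice result=success src=10.0.1.5",
    "auth user=bob result=success src=10.0.1.7",
    "fw action=allow src=10.0.1.5 dst=203.0.113.10 dport=443",
    "fw action=allow src=10.0.1.7 dst=203.0.113.22 dport=80",
]
TODAY_LOGS = [
    "auth user=alice result=success src=10.0.1.5",
    "auth user=svc_backup result=success src=10.0.2.9",         # new successful user
    "auth user=mallory result=failure src=10.0.1.5",            # failure: not a new *success*
    "fw action=allow src=10.0.1.7 dst=203.0.113.22 dport=80",
    "fw action=allow src=10.0.3.44 dst=198.51.100.5 dport=22",  # new source host, new port
]

# Each NBS report names an event type, a filter on its fields and the field to track.
REPORTS = {
    "NBS users authentication success": ("auth", lambda f: f.get("result") == "success", "user"),
    "NBS internal systems through firewall": ("fw", lambda f: f.get("action") == "allow", "src"),
    "NBS ports accessed": ("fw", lambda f: f.get("action") == "allow", "dport"),
}
KV = re.compile(r"(\w+)=(\S+)")  # hypothetical key=value log syntax

def tracked_objects(lines):
    """Yield (report_name, value) for every log line a report cares about."""
    for line in lines:
        kind, _, rest = line.partition(" ")
        fields = dict(KV.findall(rest))
        for name, (etype, keep, key) in REPORTS.items():
            if kind == etype and keep(fields) and key in fields:
                yield name, fields[key]

def build_baseline(lines):
    """Record every value seen during the baseline period, per report."""
    seen = defaultdict(set)
    for name, value in tracked_objects(lines):
        seen[name].add(value)
    return seen

def nbs_report(baseline, lines):
    """Return {report: sorted never-before-seen values}; new values join the baseline so each alerts once."""
    new = defaultdict(set)
    for name, value in tracked_objects(lines):
        if value not in baseline[name]:
            new[name].add(value)
            baseline[name].add(value)
    return {name: sorted(values) for name, values in new.items()}
```

Building the baseline from BASELINE_LOGS and then running nbs_report over TODAY_LOGS flags svc_backup, 10.0.3.44 and port 22; a second pass over the same batch returns nothing, because the baseline has absorbed them.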

You can also complement this list with: http://www.metanet.cc/blog/entry/siem-report-recommendations.html
