4.3 Data Sources to Support Investigation
SIEM Dashboards
Security Information and Event Management (SIEM) - central collection of security events and log data from across the environment - real-time security alerts - log aggregation, data correlation across sources, forensic analysis - input comes from sensors and log files - dashboards show trends and let you spot changes over time, which is often the first sign of an incident
Log Files
Network log files - from switches and routers: network changes, authentication issues, network security issues, routing updates
System log files - OS information, file system information, application monitoring, brute-force attempts, file changes
Application log files - application-specific logs; on Windows viewed in Event Viewer, on Linux typically found under /var/log
Security log files - from firewalls, IPS and proxies: blocked/allowed traffic flows, exploit attempts, blocked URL categories, DNS sinkhole traffic
Firewall logs - traffic flows allowed or blocked (source, destination, port, action), server access denied
Web log files - web server access: client IP address and requested URL, status codes and access errors; injection attempts often show up in the requested URL
DNS log files - view lookup requests, identify queries for known-malicious domains (DNS logs record domain names, not full URLs)
Authentication log files - know who logged in and from where, identify failed logins and patterns such as brute force or a success right after many failures
Dump files - a snapshot of memory contents written to a diagnostic file; memory and crash dumps can hold credentials and malware artifacts
VoIP and call manager logs - view inbound and outbound call information, endpoint details
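As an added example that is not part of the original notes: a small Python script that parses constructed sshd entries in the /var/log/auth.log format, flags a source address that fails the login threshold within the window (brute force), and flags an accepted login from a source that had just been failing. The log lines, hostname and IP addresses are constructed from documentation ranges; the threshold of 5 failures in 5 minutes is an illustrative assumption.

```python
"""Brute-force triage over authentication log entries (sshd lines in /var/log/auth.log format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; hostname and addresses are documentation/example ranges, not real data.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:00:03 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 51024 ssh2
Mar  3 10:00:04 web01 sshd[2215]: Failed password for root from 203.0.113.5 port 51026 ssh2
Mar  3 10:00:06 web01 sshd[2217]: Failed password for root from 203.0.113.5 port 51028 ssh2
Mar  3 10:00:07 web01 sshd[2219]: Failed password for invalid user oracle from 203.0.113.5 port 51030 ssh2
Mar  3 10:00:09 web01 sshd[2221]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
Mar  3 10:00:11 web01 sshd[2223]: Accepted password for root from 203.0.113.5 port 51034 ssh2
Mar  3 10:04:30 web01 sshd[2250]: Failed password for alice from 198.51.100.9 port 40200 ssh2
Mar  3 10:15:30 web01 sshd[2290]: Failed password for alice from 198.51.100.9 port 40210 ssh2
"""

# Matches the two sshd outcomes we care about; other sshd/PAM messages are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Turn raw lines into event dicts. Classic syslog lines carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({
            "ts": ts,
            "host": m["host"],
            "user": m["user"],
            "src": m["src"],
            "failed": m["result"].startswith("Failed"),
        })
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Source addresses with >= threshold failed logins inside any sliding window.

    Returns {src: max_failures_seen_in_one_window}.
    """
    failures = defaultdict(list)
    for e in events:
        if e["failed"]:
            failures[e["src"]].append(e["ts"])
    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


def success_after_failures(events, threshold=5, window=timedelta(minutes=5)):
    """Accepted logins from a source that had >= threshold failures in the preceding window.

    A success right after a burst of failures is the classic sign the guessing worked.
    Returns a list of (src, user, iso_timestamp).
    """
    failures = defaultdict(list)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["failed"]:
            failures[e["src"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            hits.append((e["src"], e["user"], e["ts"].isoformat()))
    return hits


EVENTS = parse_auth_log(SAMPLE_AUTH_LOG)

if __name__ == "__main__":
    print("brute force sources:", find_brute_force(EVENTS))
    print("success after failures:", success_after_failures(EVENTS))
```

The two alice failures eleven minutes apart stay below the window and are not flagged, which is the point of using a window rather than a lifetime counter: a user mistyping a password twice should not page anyone.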
Log Management
syslog - standard protocol that systems use to send event logs to a central collector for storage - each entry is labeled with a facility (the source, e.g. auth, kern, mail) and a severity (0 emergency through 7 debug); the two are carried together in the PRI value as facility * 8 + severity, so an auth.info message has PRI 38 - the collector or SIEM reads this label to filter and route entries
journalctl - the systemd journal holds Linux logs for the OS, daemons and applications - entries are stored in binary format rather than plain text - they are read and filtered with the journalctl command (e.g. journalctl -u sshd --since "1 hour ago")
NetFlow - gathers traffic statistics per flow (source/destination IP, source/destination port, protocol, plus byte and packet counts) - exporters on routers and switches send flow records to a collector - shows who talked to whom and how much, not packet contents
IPFIX - IP Flow Information Export - the IETF standard derived from NetFlow version 9, with flexible record templates
sFlow - sampled flow - the device forwards only 1 in N packets to the collector instead of accounting for every flow, so volumes are statistical estimates that must be scaled back up, at much lower cost on the device
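As an added example (not from the original notes) of what flow data gives an investigator: a Python script over constructed NetFlow/IPFIX-style records that aggregates bytes per source/destination pair, lists top talkers, flags large internal-to-external transfers, and scales sFlow packet samples back to estimated volumes. The addresses, byte counts, the 10.0.0.0/8 internal range, the 1-in-1000 sampling rate and the 100 MB threshold are all assumptions for illustration.

```python
"""Flow-record analysis: full-flow export (NetFlow/IPFIX) versus sampled sFlow."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed NetFlow/IPFIX-style records as exported by an edge router (not real traffic).
# Each record is one unidirectional flow: who talked to whom, on which port, and how much.
FLOW_RECORDS = [
    {"src": "10.0.0.15", "dst": "93.184.216.34", "sport": 51234, "dport": 443, "proto": "tcp", "bytes": 18_500, "packets": 42},
    {"src": "10.0.0.15", "dst": "93.184.216.34", "sport": 51240, "dport": 443, "proto": "tcp", "bytes": 22_000, "packets": 51},
    {"src": "10.0.0.23", "dst": "203.0.113.77", "sport": 49200, "dport": 22, "proto": "tcp", "bytes": 850_000_000, "packets": 610_000},
    {"src": "10.0.0.42", "dst": "10.0.0.5", "sport": 53120, "dport": 53, "proto": "udp", "bytes": 1_200, "packets": 8},
    {"src": "198.51.100.9", "dst": "10.0.0.80", "sport": 40000, "dport": 80, "proto": "tcp", "bytes": 4_400, "packets": 12},
]

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal range for this example


def aggregate_bytes(records, key=("src", "dst")):
    """Sum bytes over the chosen record fields, e.g. per (src, dst) conversation."""
    totals = defaultdict(int)
    for r in records:
        totals[tuple(r[k] for k in key)] += r["bytes"]
    return dict(totals)


def top_talkers(records, n=3):
    """Sources ranked by total bytes sent: the usual first view on a SIEM flow dashboard."""
    per_src = aggregate_bytes(records, key=("src",))
    ranked = sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)
    return [(src, total) for (src,), total in ranked[:n]]


def large_egress(records, threshold=100_000_000):
    """Internal-to-external flows at or above a byte threshold: a starting point for exfil triage.

    Flow records cannot show what was sent, only that a lot of it went out and to where.
    """
    hits = []
    for r in records:
        outbound = ip_address(r["src"]) in INTERNAL and ip_address(r["dst"]) not in INTERNAL
        if outbound and r["bytes"] >= threshold:
            hits.append((r["src"], r["dst"], r["dport"], r["bytes"]))
    return hits


# sFlow: the switch forwards 1 in N packet headers rather than accounting for every flow,
# so counts seen at the collector must be multiplied back up by the sampling rate.
SFLOW_RATE = 1000  # assumed 1-in-1000 sampling
SFLOW_SAMPLES = [  # constructed packet samples, each carrying the sampled packet's length
    {"src": "10.0.0.23", "dst": "203.0.113.77", "dport": 22, "length": 1400},
    {"src": "10.0.0.23", "dst": "203.0.113.77", "dport": 22, "length": 1400},
    {"src": "10.0.0.15", "dst": "93.184.216.34", "dport": 443, "length": 900},
]


def estimate_from_sflow(samples, rate=SFLOW_RATE):
    """Scale sampled packets into estimated per-conversation packet and byte totals."""
    est = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for s in samples:
        k = (s["src"], s["dst"])
        est[k]["packets"] += rate
        est[k]["bytes"] += s["length"] * rate
    return dict(est)


if __name__ == "__main__":
    print("top talkers:", top_talkers(FLOW_RECORDS))
    print("large egress:", large_egress(FLOW_RECORDS))
    print("sFlow estimates:", estimate_from_sflow(SFLOW_SAMPLES))
```

Note how coarse the sFlow estimate is: two samples of the SSH transfer become an estimate of 2.8 MB, against the 850 MB the full-flow record reports for the same conversation. Sampling is fine for capacity trends and spotting top talkers, but an investigator who needs exact counts for a specific host should pull NetFlow/IPFIX records or packet captures.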