One of the universal hurdles organizations face in cybersecurity is visibility into their own environment. Pair that with the often non-technical restrictions on how and what teams can ingest from endpoints, routers, servers, and other network devices, and it is evident that gaps will exist. This doesn't just weaken the security posture of an organization; it also hinders the analysts defending it. If you don't have the appropriate logs to detect and respond to threats, security analysis is going to suffer.
In this series I share my experience with logs that I have used in my past lives as a SOC analyst and threat hunter. Half the battle is knowing what information the logs contain and why they are relevant to an investigation. The other half is building a business use case to get those logs ingested into your tools. While this series will not be a magic bullet that gets you the logs you want, it will at least tell you how to use them in hunts and what they are telling you.