Wednesday, July 14, 2010

NEW PROPOSED Top 7 Essential Log Reports

Top Log Report Candidate 1. Authentication and Authorization Reports
a. Login Failures and Successes
b. Attempts to gain unauthorized access through existing accounts
c. Privileged account access (success, failure)
d. VPN Authentication and other remote access (success, failure)
e. Please add more reports you find useful!

Top Log Report Candidate 2. Change Reports
a. Addition/Changes/Deletions to Users, Groups and Services
b. Change to configurations
c. Application installs and Updates
d. Please add more reports you find useful!

Top Log Report Candidate 3. Network Activity Reports [used to be called “Suspicious or Unauthorized Network Traffic Patterns” in the old Top 5 list]
a. Top Internal Systems Connecting Through Firewall // Summary of Outbound Connections
b. Network Services Transiting A Firewall
c. Top Largest File Transfers Through the Firewall
d. Internal Systems Using Many Different Protocols/Ports
e. Top Internal Systems With NIDS Alerts
f. Proxy Report on File Uploads
g. Please add more reports you find useful!

Top Log Report Candidate 4. Resource Access Reports
a. File
i. Failed File or Resource Access Attempts
b. Database
i. Top Database Users
ii. Summary of Query Types
iii. SELECT Data Volume
iv. All Users Executing INSERT/DELETE Commands
v. Database Backups
c. Email
i. Top Internal Email Addresses by Volume of Messages
ii. Top Attachment Types with Sizes
iii. Top Internal Systems Sending Spam // Top Internal Systems Sending Email NOT Through Mail Server
c. Please add more reports you find useful!

Top Log Report Candidate 5. Malware Activity Reports
a. Top systems with anti-malware events
b. Detect-only events from anti-malware tools (“leave-alones”)
c. Anti-virus protection failures by type
d. Internal malware connections (all sources)
e. Please add more reports you find useful!

Top Log Report Candidate 6. “Various FAIL”
a. Critical Errors
b. Backup failures
c. Capacity / Limit Exhaustion
d. System and Application Starts, Shutdowns and Restarts
e. Please add more reports you find useful!

Top Log Report Candidate 7. Analytic Reports  [Mostly Using “Never Before Seen” (NBS) aka “NEW Type/Object” Analysis]
a. NEW (NBS) IDS/IPS Alert Types
b. NEW (NBS) Log Entry Types
c. NEW (NBS) Users Authentication Success
d. NEW (NBS) Internal Systems Connecting Through Firewall
e. NEW (NBS) Ports Accessed
f. NEW (NBS) HTTP Request Types
g. NEW (NBS) Query Types on Database
h. Please add more NBS or other analytic reports you find useful!

So, please help this project by commenting via whatever means!!!
BTW, I think I perused all the previous effor5ts to distill log reports (such as this one), but feel free to point me to such things as well.
Finally, if you are a SIEM or log management vendor, please consider supporting the resulting reports in your products – after they are finalized by the community and released by SANS.

No comments:

Post a Comment