This document and its associated checklist are intended to be used as a high-level self-assessment to determine the coverage quality of an operational SIEM environment for a typical organisation.
Most organisations are strategically migrating services not unique to their specific business to shared common service models as below (diagram from CISA Cloud Security Technical Reference Architecture). This typically results in the observables relevant to Identity, Credential and Access Management and to Data having the greatest value.
The above diagram should be used as a reference to determine which systems/services are relevant for capturing security logs (i.e. if utilising IaaS, the service provider should facilitate the collection of security logs in bulk, while On-Premise infrastructure would require additional resources to capture security logs from hypervisors, physical servers, storage and physical security).
Referencing the STIX 2.1 Cyber Observable Objects library, the below observables are intended to represent an organisation's detection scope of potential threat indicators. The observable objects are ordered based on the feasibility of ingesting all relevant activities external to an organisation.
- IPv4Address, IPv6Address
- UserAccount, EmailAddress
- DomainName, URL
- EmailMessage (date, subject, from, to most relevant)
- File (SHA256 hash most relevant)
- HTTPRequestExt (Inbound HTTP requests through e.g. Web Application Firewalls)
Further information on the purpose of STIX 2.1 and the observable objects can be found here.
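The checklist below repeatedly asks whether a given observable (an address, domain, URL, hash or email address) can be queried across a log source. As an added example, not part of the original document, the following Python maps a raw indicator string onto the STIX 2.1 observable type it represents and then searches a handful of constructed log records for it, using the asset names from this page as log sources. The record field names (`src_ip`, `file_sha256`, `urls` and so on) are assumptions for the example, not any particular SIEM schema; matching is restricted to the fields that make sense for each observable type so that a SHA256 hash is never compared against a URL field and an IPv6 address is compared in canonical form.

```python
import ipaddress
import re

# Constructed sample records from several of the log sources the checklist names.
# Field names are assumptions for this example, not a specific SIEM schema.
EVENTS = [
    {"source": "Firewalls", "src_ip": "198.51.100.23", "dst_ip": "10.0.1.4", "action": "deny"},
    {"source": "Endpoints", "src_ip": "10.0.4.21", "dst_ip": "2001:db8::10", "domain": "updates.example.net"},
    {"source": "Endpoints", "file_name": "installer.exe",
     "file_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"source": "Mailboxes", "from": "billing@mail.example.org", "subject": "Invoice",
     "urls": ["http://example.org/invoice"]},
    {"source": "WAFs", "src_ip": "198.51.100.23", "url": "https://app.example.com/login", "user_agent": "curl/8.0"},
]

# Which record fields each STIX 2.1 observable type is matched against.
# ('file' is matched on its SHA-256 hash, the hash the page calls out as most relevant.)
FIELDS_BY_TYPE = {
    "ipv4-addr": ("src_ip", "dst_ip"),
    "ipv6-addr": ("src_ip", "dst_ip"),
    "domain-name": ("domain",),
    "url": ("url", "urls"),
    "email-addr": ("from", "to"),
    "file": ("file_sha256",),
}

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-zA-Z0-9-]{1,63}\.)+[a-zA-Z]{2,63}$")


def classify(indicator: str) -> str:
    """Map a raw indicator string to the STIX 2.1 observable type it represents."""
    value = indicator.strip()
    try:
        return "ipv4-addr" if ipaddress.ip_address(value).version == 4 else "ipv6-addr"
    except ValueError:
        pass
    if SHA256_RE.match(value):
        return "file"
    if "://" in value:
        return "url"
    if "@" in value:
        return "email-addr"
    if DOMAIN_RE.match(value):
        return "domain-name"
    raise ValueError(f"unrecognised indicator: {indicator!r}")


def normalise(stix_type: str, value: str) -> str:
    """Canonicalise a value so that equivalent spellings compare equal."""
    if stix_type in ("ipv4-addr", "ipv6-addr"):
        try:
            return str(ipaddress.ip_address(value))  # collapses IPv6 zero runs, strips case
        except ValueError:
            return value  # field holds something that is not an address; leave as-is
    if stix_type in ("file", "domain-name", "email-addr"):
        return value.lower()
    return value


def search(indicator: str, events=EVENTS) -> list:
    """Return the events in which the indicator appears in a field appropriate to its type."""
    stix_type = classify(indicator)
    needle = normalise(stix_type, indicator.strip())
    hits = []
    for event in events:
        for field in FIELDS_BY_TYPE[stix_type]:
            raw = event.get(field)
            if raw is None:
                continue
            values = raw if isinstance(raw, list) else [raw]
            if any(normalise(stix_type, v) == needle for v in values):
                hits.append(event)
                break  # one hit per event is enough
    return hits


if __name__ == "__main__":
    for ioc in ("198.51.100.23", "2001:DB8:0:0:0:0:0:10", "updates.example.net"):
        print(ioc, classify(ioc), [e["source"] for e in search(ioc)])
```

The same address appearing in both the Firewalls and WAFs records is the point of the exercise: a single indicator query should return hits from every asset class in the checklist that is actually being collected, and an asset class that never returns hits for any indicator type is a coverage gap.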
The below is a high level summary of assets and services from where security logs should typically be collected. Subsequent detection queries will refer to these assets.
- Users - Identity Services (On Premise and SaaS), Application access
- Mailboxes - Email mailboxes and associated inbound/outbound flows
- Endpoints - Devices that users access organisational resources from
- Servers - Hypervisors, Servers, Container Platforms
- Network Firewalls (Firewalls) - Network egress and internal network control points
- Web Application Firewalls (WAFs) - Network ingress control points
The below checklist should be undertaken by the organisation's security team to calculate the percentage coverage of assets (e.g. 8 / 10 Endpoints == 80% coverage) for a given log retention window (normally 12 months). This data is heavily used for threat hunting activities.
These are available as out of the box integrations on fully SaaS platforms such as Microsoft Sentinel connected to Microsoft 365 Defender. On-Prem sign-ins depend on Defender for Identity, which requires sensor deployment on all Domain Controllers (minimum version Windows Server 2012).
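The coverage figure is only meaningful when it is computed against an authoritative inventory and bounded by the retention window: an asset whose last event is older than the window cannot be hunted over, and an asset that is logging but is not in the inventory is an unmanaged device. As an added example, not part of the original document, the Python below computes the per-class percentage the checklist asks for from a constructed inventory and a constructed "last event seen per asset" list of the kind a SIEM query would return. Asset and class names are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed asset inventory (assumed names), keyed by the asset classes this page uses.
INVENTORY = {
    "Users": {"alice", "bob", "carol", "dave"},
    "Endpoints": {"wks-01", "wks-02", "wks-03", "wks-04", "wks-05"},
    "Servers": {"srv-web-01", "srv-db-01"},
}

# Constructed "last event seen" records as a SIEM summary query would return them:
# (asset class, asset id, ISO-8601 timestamp of the most recent event for that asset).
LAST_SEEN = [
    ("Users", "alice", "2024-05-30T08:12:00"),
    ("Users", "bob", "2024-05-29T17:45:00"),
    ("Users", "carol", "2023-01-15T09:00:00"),      # outside a 12-month window
    ("Endpoints", "wks-01", "2024-05-30T07:00:00"),
    ("Endpoints", "wks-02", "2024-05-28T12:30:00"),
    ("Endpoints", "wks-03", "2024-05-30T06:10:00"),
    ("Endpoints", "wks-04", "2024-05-27T19:20:00"),
    ("Endpoints", "wks-99", "2024-05-30T10:00:00"),  # logging, but not in the inventory
    ("Servers", "srv-web-01", "2024-05-30T09:55:00"),
]


@dataclass
class Coverage:
    covered: int
    total: int
    missing: set = field(default_factory=set)   # inventory assets with no event in the window
    unknown: set = field(default_factory=set)   # logging assets absent from the inventory

    @property
    def percent(self) -> float:
        # The checklist's "8 / 10 Endpoints == 80%" figure, rounded to one decimal.
        return 0.0 if self.total == 0 else round(100.0 * self.covered / self.total, 1)


def coverage(inventory, last_seen, now, retention_days=365):
    """Per asset class: how many inventory assets have at least one event inside the window."""
    cutoff = now - timedelta(days=retention_days)
    seen = {cls: set() for cls in inventory}
    unknown = {cls: set() for cls in inventory}
    for cls, asset, ts in last_seen:
        if cls not in inventory or datetime.fromisoformat(ts) < cutoff:
            continue  # unknown class, or no events inside the retention window
        if asset in inventory[cls]:
            seen[cls].add(asset)
        else:
            unknown[cls].add(asset)
    return {
        cls: Coverage(len(seen[cls]), len(assets), assets - seen[cls], unknown[cls])
        for cls, assets in inventory.items()
    }


def example_report():
    """Run the calculation over the constructed data with a fixed 'now' so results are stable."""
    return coverage(INVENTORY, LAST_SEEN, datetime(2024, 5, 31), retention_days=365)


if __name__ == "__main__":
    for cls, c in example_report().items():
        print(f"{cls}: {c.covered}/{c.total} = {c.percent}% "
              f"missing={sorted(c.missing)} unknown={sorted(c.unknown)}")
```

The `missing` and `unknown` sets are what the security team acts on: the first is the onboarding backlog, the second is a list of devices that need to be either added to the inventory or investigated.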
- Users - Query an IPv4Address, IPv6Address, Protocol or User-Agent (HTTPRequestExt) across all Network Traffic for HTTPS sign-ins.
- Users - Query an IPv4Address, IPv6Address or Protocol across all Network Traffic for On-Prem sign-ins. E.g. Defender for Identity.
- Mailboxes - Email events and URL / attachment analysis using mail server Application Logs. E.g. Defender for Office 365.
  - Query a DomainName or EmailAddress across all emails.
  - Query a Subject (EmailMessage) across all emails.
  - Query a DomainName or URL across all links inside emails.
  - Query a SHA256 Hash (File) across all attachments inside emails.
These are available as integrations with some deployment requirements on Windows, macOS and Linux endpoints using Microsoft Defender for Endpoint.
- Endpoints - Query an IPv4Address, IPv6Address, DomainName or URL across all outbound Network Traffic.
- Endpoints - Query a SHA256 Hash (File), Name (File) or FileOriginUrl (File) across all Files and Processes.
Agent-based network protection is relatively straightforward to ingest from application servers. High-volume network traffic should be reviewed prior to ingestion to understand the volume of events and to avoid loading large quantities of low-value events (such as Content Delivery Network / File Sharing / Media Streaming logs).
- Servers and Firewalls - Query an IPv4Address, IPv6Address or DomainName across all inbound/outbound Network Traffic.
  - Servers - e.g. Defender Network Protection
  - Firewalls - e.g. Sentinel 3rd party connectors
- WAFs - Query an IPv4Address, IPv6Address, URL or User-Agent (HTTPRequestExt) across all inbound Network Traffic.
Once the above checklist is validated, an organisation should schedule regular security exercises to detect suspicious behaviour based on indicators collected from threat intelligence sources and to detect deviations from known behaviour baselines. A simple example would be to determine the subset of users that are allowed to use legacy authentication protocols (NTLM, LDAP, HTTP Basic Auth), and to alert security analysts whenever a user outside of that list attempts to sign in with a legacy authentication protocol.
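The legacy-authentication exercise just described, as an added example that is not part of the original document: a constructed allow-list of accounts permitted to use legacy protocols, a constructed batch of sign-in records in a simplified newline-delimited JSON shape (the field names `user`, `src_ip`, `protocol` and `result` are assumptions, not a specific product's schema), and the detection logic that raises one alert per sign-in by a non-allow-listed user over NTLM, LDAP or HTTP Basic Auth. Failed attempts are kept at a lower severity rather than dropped, since a burst of failures from one source is itself worth an analyst's attention.

```python
import json
from collections import Counter

# The protocols the page's example treats as legacy authentication.
LEGACY_PROTOCOLS = {"NTLM", "LDAP", "HTTP Basic Auth"}

# Constructed allow-list: the approved subset of accounts (assumed names), typically
# service accounts bound to applications that cannot use modern authentication.
LEGACY_ALLOWED = {"svc-legacy-app", "svc-scanner"}

# Constructed sign-in records, one JSON object per line. Field names are assumptions.
SIGNIN_LOG = """
{"ts": "2024-05-30T08:01:12Z", "user": "alice", "src_ip": "10.0.4.21", "protocol": "OAuth2", "result": "success"}
{"ts": "2024-05-30T08:03:40Z", "user": "svc-legacy-app", "src_ip": "10.0.9.5", "protocol": "NTLM", "result": "success"}
{"ts": "2024-05-30T08:05:02Z", "user": "bob", "src_ip": "203.0.113.17", "protocol": "HTTP Basic Auth", "result": "failure"}
{"ts": "2024-05-30T08:05:09Z", "user": "bob", "src_ip": "203.0.113.17", "protocol": "HTTP Basic Auth", "result": "success"}
{"ts": "2024-05-30T08:07:55Z", "user": "carol", "src_ip": "10.0.4.30", "protocol": "LDAP", "result": "success"}
{"ts": "2024-05-30T08:09:00Z", "user": "svc-scanner", "src_ip": "10.0.9.6", "protocol": "LDAP", "result": "success"}
"""


def parse_signins(text: str):
    """Yield one dict per non-empty line of newline-delimited JSON."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def legacy_auth_alerts(records, allowed=LEGACY_ALLOWED, legacy=LEGACY_PROTOCOLS):
    """One alert per sign-in where a user outside the allow-list used a legacy protocol."""
    alerts = []
    for r in records:
        if r["protocol"] in legacy and r["user"] not in allowed:
            alerts.append({
                "ts": r["ts"],
                "user": r["user"],
                "src_ip": r["src_ip"],
                "protocol": r["protocol"],
                "result": r["result"],
                # A successful legacy sign-in is the deviation the page describes;
                # failures are still surfaced, at lower severity, for context.
                "severity": "high" if r["result"] == "success" else "medium",
            })
    return alerts


def summarise(alerts):
    """Collapse alerts to one count per (user, protocol) so analysts see offenders, not attempts."""
    return dict(Counter((a["user"], a["protocol"]) for a in alerts))


if __name__ == "__main__":
    found = legacy_auth_alerts(parse_signins(SIGNIN_LOG))
    for a in found:
        print(f"{a['ts']} {a['severity']:6} {a['user']} from {a['src_ip']} via {a['protocol']} ({a['result']})")
    print(summarise(found))
```

Keeping the allow-list as data rather than hard-coding it into the query is deliberate: the exercise is repeated on a schedule, and the list is what changes between runs as applications are migrated off legacy protocols.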