Cybersecurity agencies have released comprehensive technical guidance designed to help security practitioners optimize their Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platforms.
The new publication provides detailed recommendations on priority logs that should be ingested by SIEM platforms, offering practitioners a strategic approach to building effective security monitoring capabilities.
The guidance establishes a structured approach to log collection and analysis, emphasizing that logging decisions should be based on an organization’s specific environment and risk profile.
The document presents prioritized logging recommendations across 14 major categories, including Endpoint Detection and Response (EDR) logs, network device logs, Microsoft Domain Controller events, and cloud platform logging.
According to the guidance, EDR logs receive top priority due to their comprehensive coverage of endpoint activities.
These logs encompass AmCache registry data, antivirus detections, network connections, loaded Dynamic-Link Libraries (DLLs), scheduled tasks, and file events.
The framework also prioritizes network device logs, particularly firewall ingress and egress data flows, authentication events, and configuration modifications.
The authoring agencies strongly discourage organizations from attempting to ingest all available logs simultaneously, instead recommending a gradual approach to building SIEM capabilities.
This methodology allows security teams to develop expertise with each data source while avoiding overwhelming their analytical capabilities with excessive log volumes.
Cyber Security Practitioners
The technical guidance addresses the complexity of modern enterprise environments by providing specific recommendations for various platforms and technologies.
For Microsoft environments, the document details critical Active Directory and Domain Controller events, including account logon validation, Kerberos authentication services, and security group management.
Cloud platform logging receives significant attention, with dedicated sections covering Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
The guidance emphasizes that cloud services often require specific configuration to enable security logging, noting that “cloud services may not be enabled by default” and that “every application may have its own logging format, or no logging at all”.
The document also addresses emerging technologies including containerized environments, operational technology systems, and mobile device management platforms.
For container logs, the guidance covers user authentication, service logs, API audit logs, and management access logs.
Operational technology integration is acknowledged as particularly challenging due to the specialized nature of OT systems and their typical segmentation from traditional IT environments.
Implementation Guidance
The publication forms part of a three-document series providing comprehensive SIEM/SOAR implementation guidance.
The series includes executive guidance for decision-makers, practitioner guidance for technical implementation, and this priority logs document for operational teams.
The agencies emphasize that organizations should model their threats and risks before selecting data sources, assessing each source’s purpose, prioritization level, log volume, and analytical value.
The guidance warns against “logging for the sake of logging” and recommends that organizations evaluate the potential performance impacts and maintenance costs associated with each data source.
For architecture planning, the document recommends a two-stage logging process involving log creation and collection to a centralization point, followed by selective ingestion into the SIEM platform.
The agencies strongly discourage using SIEM platforms as central repositories for all organizational logs, instead advocating for focused security log centralization based on risk profiles.
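The two-stage model described above (centralise everything, then forward only what a risk-based policy selects) and the staged onboarding of sources can be shown in a few dozen lines. The following Python is an added illustration, not code from the guidance or the authoring agencies: the log records are constructed samples, the per-source priorities and filters are hypothetical choices an organisation would make from its own threat model, and the Windows Security Event IDs (4776 credential validation, 4768 Kerberos TGT request, 4728 member added to a global security group, 4662 object access) are well-known identifiers chosen by me to represent the Domain Controller categories the text names; the guidance itself lists categories, not IDs.

```python
"""Two-stage logging: all records land on a central collection point (stage 1); only
sources onboarded by a risk-based policy, filtered to their high-value events, are
forwarded into the SIEM (stage 2). Added example, not code from the guidance."""
import json
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable

# Stage 1: constructed sample records as they might sit on the collection point.
# Event IDs are an assumption for illustration: 4776 credential validation,
# 4768 Kerberos TGT request, 4728 member added to a security group, 4662 object access.
CENTRAL_STORE = [
    '{"logsource":"dc","EventID":4776,"TargetUserName":"svc_backup","Status":"0xC000006A"}',
    '{"logsource":"dc","EventID":4768,"TargetUserName":"alice","IpAddress":"10.0.5.23"}',
    '{"logsource":"dc","EventID":4728,"TargetUserName":"Domain Admins","SubjectUserName":"bob"}',
    '{"logsource":"dc","EventID":4662,"ObjectName":"CN=Printers,DC=corp,DC=example"}',
    'fw01 action=deny src=10.0.5.23 dst=203.0.113.9 dport=4444 proto=tcp',
    'fw01 action=allow src=10.0.5.40 dst=10.0.1.2 dport=443 proto=tcp',
    'fw01 config-change user=admin cmd="set policy id 12 action permit"',
    '{"logsource":"edr","event":"process_create","image":"x.exe","parent":"winword.exe"}',
    '{"logsource":"edr","event":"file_read","path":"notes.txt"}',
    'app01 GET /healthz 200 3ms',
]

@dataclass
class Event:
    source: str    # data source the policy is keyed on
    category: str  # normalised event type used by the per-source filter
    fields: dict

FW_RE = re.compile(r"^(?P<host>fw\d+)\s+(?P<body>.*)$")
JSON_SOURCES = {"dc": "domain_controller", "edr": "edr"}

def parse(line: str) -> Event:
    """Normalise one raw record; anything unrecognised is kept but marked unclassified."""
    if line.startswith("{"):
        rec = json.loads(line)
        source = JSON_SOURCES.get(rec.get("logsource"), "other")
        category = rec["event"] if source == "edr" else f"eid_{rec.get('EventID')}"
        return Event(source, category, rec)
    m = FW_RE.match(line)
    if m:
        host, body = m.group("host"), m.group("body")
        if body.startswith("config-change"):
            return Event("firewall", "config_change", {"host": host, "body": body})
        kv = dict(tok.split("=", 1) for tok in body.split())
        return Event("firewall", "flow_" + kv["action"], {"host": host, **kv})
    return Event("other", "unclassified", {"raw": line})

@dataclass
class SourcePolicy:
    priority: int                     # 1 = onboard first
    purpose: str                      # why the source is worth its volume
    forward: Callable[[Event], bool]  # which of its events actually reach the SIEM

# Hypothetical policy: which DC events are worth ingesting, per the organisation's risk model.
DC_PRIORITY_IDS = {4776, 4768, 4769, 4771, 4728, 4732, 4756}

POLICY = {
    "edr": SourcePolicy(1, "process, network and file activity on endpoints",
                        lambda e: e.category != "file_read"),  # file reads treated as noise here
    "firewall": SourcePolicy(1, "ingress/egress flows, config changes",
                             lambda e: e.category in ("flow_deny", "config_change")),
    "domain_controller": SourcePolicy(2, "credential validation, Kerberos, group management",
                                      lambda e: e.fields.get("EventID") in DC_PRIORITY_IDS),
}

def stage2_ingest(lines, max_priority: int):
    """Forward only events from onboarded sources (priority <= max_priority) that pass
    that source's filter. Returns (forwarded events, Counter of why the rest were held back)."""
    forwarded, held_back = [], Counter()
    for line in lines:
        ev = parse(line)
        pol = POLICY.get(ev.source)
        if pol is None or pol.priority > max_priority:
            held_back[(ev.source, "not onboarded")] += 1
        elif not pol.forward(ev):
            held_back[(ev.source, "filtered")] += 1
        else:
            forwarded.append(ev)
    return forwarded, held_back

def volume_report(lines, max_priority: int) -> dict:
    """Per source: (records collected at stage 1, records sent to the SIEM at stage 2),
    so a source's cost can be assessed before it is onboarded."""
    collected = Counter(parse(l).source for l in lines)
    forwarded, _ = stage2_ingest(lines, max_priority)
    sent = Counter(e.source for e in forwarded)
    return {src: (collected[src], sent[src]) for src in collected}

if __name__ == "__main__":
    for level in (1, 2):
        fwd, held = stage2_ingest(CENTRAL_STORE, level)
        print(f"onboard priority <= {level}: {len(fwd)} to SIEM, held back {dict(held)}")
        print(volume_report(CENTRAL_STORE, level))
```

Raising `max_priority` from 1 to 2 is the gradual onboarding the agencies recommend: EDR and firewall data are tuned first, and Domain Controller events only start flowing once the team is ready for them. The `volume_report` output is the kind of collected-versus-ingested figure that answers the "logging for the sake of logging" question for each source before it is added.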