Good afternoon,
I am currently developing my company's list of auditable network security events - things that are monitored and caught through logs that warrant an administrator's attention. For example, the creation of a new privileged account, a server restart, excessive volume of file transfer. Some of these happen in real time - for example, the moment a new privileged account is created, the alert happens, and another administrator verifies the validity of the new account. Some happen on a recurring basis - same example, I could say that every quarter we review all of the privileged accounts to ensure they are still accurate.
I spent some time searching the internet and surprisingly didn't find anything overly useful. So I come to you - do any of you know of a good repository of the most common events to monitor, so I can bounce my own list off of it?
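As an added illustration (not part of the original post or any vendor tool), the two monitoring modes described above, a real-time alert on a newly created privileged account and a recurring review list of privileged group members, implemented over constructed sample log lines in a hypothetical key=value format; the privileged group names and the ten-minute window are assumptions.

```python
"""Added example: correlates constructed log lines to raise a real-time alert
when a newly created account is granted privileged group membership, and
builds the recurring (e.g. quarterly) review list of privileged accounts."""
from datetime import datetime, timedelta

# Constructed sample logs in a hypothetical "ts key=value ..." format.
SAMPLE_LOGS = """\
2024-03-04T09:12:00 event=account_created actor=admin1 target=svc_backup
2024-03-04T09:12:40 event=group_member_added actor=admin1 target=svc_backup group=Domain_Admins
2024-03-04T10:00:00 event=account_created actor=hr_sync target=jdoe
2024-03-04T10:00:05 event=group_member_added actor=hr_sync target=jdoe group=Staff
2024-03-04T11:30:00 event=group_member_added actor=admin2 target=ops_user group=Administrators
2024-03-04T12:00:00 event=group_member_removed actor=admin2 target=svc_backup group=Domain_Admins
"""
PRIVILEGED_GROUPS = {"Domain_Admins", "Administrators"}  # assumed policy list
CREATION_WINDOW = timedelta(minutes=10)                   # assumed correlation window

def parse(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def realtime_alerts(lines):
    """Real-time mode: alert on every addition to a privileged group, and
    label it NEW_PRIVILEGED_ACCOUNT when the account was created shortly
    before (so a second administrator can verify the new account)."""
    created, alerts = {}, []
    for rec in map(parse, lines.splitlines()):
        if rec["event"] == "account_created":
            created[rec["target"]] = rec["ts"]
        elif rec["event"] == "group_member_added" and rec["group"] in PRIVILEGED_GROUPS:
            age = rec["ts"] - created.get(rec["target"], datetime.min)
            kind = "NEW_PRIVILEGED_ACCOUNT" if age <= CREATION_WINDOW else "PRIVILEGE_GRANT"
            alerts.append((kind, rec["target"], rec["group"], rec["actor"]))
    return alerts

def privileged_review(lines):
    """Recurring mode: replay add/remove events to list who currently holds
    privileged group membership, for the periodic accuracy review."""
    members = {}
    for rec in map(parse, lines.splitlines()):
        if rec.get("group") not in PRIVILEGED_GROUPS:
            continue
        if rec["event"] == "group_member_added":
            members.setdefault(rec["group"], set()).add(rec["target"])
        elif rec["event"] == "group_member_removed":
            members.get(rec["group"], set()).discard(rec["target"])
    return {group: sorted(names) for group, names in members.items()}

if __name__ == "__main__":
    for alert in realtime_alerts(SAMPLE_LOGS):
        print("ALERT", *alert)
    print("review list:", privileged_review(SAMPLE_LOGS))
```

Running it flags svc_backup as a newly created privileged account and ops_user as a privilege grant to an existing account, while the review list shows only ops_user still holding privileged membership.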
Have you tried looking for something like "top SIEM alerts", since it seems like all these things would be SIEM triggers... just a thought.
John-
@N_Bakewell Here is a link to a SANS GIAC paper, which you may find useful: https://www.giac.org/paper/gcia/7008/logging-monitoring-detect-network-intrusions-compliance-violati...
Look at the check list at the end of the piece.
Regards
Caute_cautim
Thank you Caute_cautim. I had the same question too and did not find a practical answer. I will use the paper as a starting point.