Friday, August 06, 2010

Updated With Community Feedback SANS Top 7 Essential Log Reports DRAFT2

Thanks for the overwhelming community response (here, here, here, and separate blog posts here and here, and I might have missed a few places too). The list has grown and is on the verge of becoming unwieldy and no longer “top” and “essential”, so I am about to close the comment period, write up the doc and send it to SANS to update the legacy SANS Top 5 Log Reports [PDF].

Any last-second thoughts before I document this baby? Any smokin’ hot log reports to add?! Also, anything I should take OFF the list for not being “top” and “essential”?


1. Authentication and Authorization Reports

a. All login failures and successes by user, system, business unit – must have login success logs, not just failure!

b. Login attempts (successes, failures) to disabled/service/non-existing/default/suspended accounts

c. All logins after office hours / “off” hours

d. Users failing to authenticate, by count of unique systems they tried

e. VPN authentication and other remote access logins (success, failure)

f. Privileged account access: logins, su use, Run As use, etc (success, failure)

g. Multiple login failures followed by success by same account – needs to have correlation for that
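Report 1g is the one item in this section that needs correlation rather than a plain filter, so here is an added example (not from the original post, nor from SANS) of what that correlation looks like over a handful of constructed sshd-style auth lines. The log format, the 3-failures-in-10-minutes threshold and the 08:00–18:00 office-hours window are all assumptions for illustration; a real report would read the collector's normalized auth events instead of regex-parsing syslog.

```python
"""Correlate repeated login failures followed by a success by the same account.

Added example, not part of the original post.  The log format is a
constructed, simplified sshd-style syslog line; thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).  Each line is:
# "<timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>"
SAMPLE_LOG = """\
2010-08-06 02:11:01 srv1 sshd: Failed password for alice from 10.0.0.5
2010-08-06 02:11:04 srv1 sshd: Failed password for alice from 10.0.0.5
2010-08-06 02:11:07 srv1 sshd: Failed password for alice from 10.0.0.5
2010-08-06 02:11:09 srv1 sshd: Failed password for alice from 10.0.0.5
2010-08-06 02:11:15 srv1 sshd: Accepted password for alice from 10.0.0.5
2010-08-06 09:30:00 srv2 sshd: Failed password for bob from 10.0.0.9
2010-08-06 09:30:20 srv2 sshd: Accepted password for bob from 10.0.0.9
2010-08-06 11:00:00 srv3 sshd: Failed password for carol from 10.0.0.7
2010-08-06 11:00:05 srv3 sshd: Failed password for carol from 10.0.0.7
2010-08-06 11:00:10 srv3 sshd: Failed password for carol from 10.0.0.7
2010-08-06 11:00:12 srv3 sshd: Failed password for carol from 10.0.0.7
2010-08-06 11:00:15 srv3 sshd: Failed password for carol from 10.0.0.7
2010-08-06 12:30:00 srv1 sshd: Failed password for dave from 10.0.0.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(lines):
    """Parse matching lines into dicts, sorted by timestamp; skip the rest."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other log formats are ignored in this toy parser
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(d)
    events.sort(key=lambda e: e["ts"])
    return events


def failures_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """One finding per account where >= min_failures failures within
    `window` are followed by a successful login for the same account.
    Failure runs with no success (carol above) belong in report 1a/1d,
    not here, so they produce no finding."""
    recent = defaultdict(list)  # user -> timestamps of failures not yet resolved
    findings = []
    for e in events:
        user = e["user"]
        if e["result"] == "Failed":
            recent[user].append(e["ts"])
            continue
        # Success: count only the failures inside the look-back window
        cutoff = e["ts"] - window
        fails = [t for t in recent[user] if t >= cutoff]
        if len(fails) >= min_failures:
            findings.append({
                "user": user,
                "host": e["host"],
                "src_ip": e["ip"],
                "failures": len(fails),
                "success_at": e["ts"].isoformat(sep=" "),
                # assumed office hours 08:00-18:00; ties this to report 1c
                "off_hours": not (8 <= e["ts"].hour < 18),
            })
        recent[user].clear()  # a success closes the failure run either way
    return findings


if __name__ == "__main__":
    for f in failures_then_success(parse(SAMPLE_LOG.splitlines())):
        print(f)
```

On the sample data only alice is reported (four failures, then success at 02:11, flagged as off-hours); bob's single failure is below threshold and carol's five failures never end in a success. The window and threshold are what you tune per environment, and the `off_hours` flag is there because the 1c and 1g reports are far more interesting when read together.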

2. Change Reports

a. Additions/changes/deletions to users, groups – even a trend on user additions across systems would be useful

b. Additions of accounts to administrator / privileged groups

c. Password changes and resets – by users and by admins to users

d. Additions/changes/deletions to network services

e. Changes to system files – binaries, configurations – likely needs a list to run

f. Changes in file access permissions

g. Application installs and updates (success, failure) by system, application, user


3. Network Activity Reports

a. Log volume trend over days – watch for both drops and increases in logging levels on systems

b. All outbound connections from internal and DMZ systems by system, connection count, user, bandwidth, count of unique destinations, hour of access (focus on “off hours”)

c. Top largest file transfers (inbound, outbound) OR Top largest sessions by bytes transferred

d. Web file uploads to external sites - based on proxy logs

e. All file downloads by content type (exe, dll, scr, upx, etc) and protocol (HTTP, IM, etc)

f. Internal systems using many different protocols/ports

g. Top internal systems as sources of multiple types of NIDS, NIPS or WAF Alerts

h. VPN network activity by user name, total session bytes, count of sessions, usage of internal resources

i. P2P use by internal systems

j. Wireless network activity

i. Rogue AP detection

ii. Wireless network access by user

iii. WIDS/WIPS alert activity
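Report 3a (log volume trend, watching for drops as well as increases) is easy to describe and easy to get wrong, because a source that goes silent usually does not log a zero, it simply stops appearing. The added example below (mine, not from the original post or from SANS) trends constructed per-source daily counts against a trailing median and treats a missing day as zero events so that a silent source shows up as a drop. The 5-day baseline and the 0.5x / 2x thresholds are illustrative assumptions.

```python
"""Daily log-volume trend per source, flagging drops and spikes.

Added example, not part of the original post.  Input is a constructed
list of (day, host, event_count) rows such as a log collector's per-source
statistics would provide.  Thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed daily event counts per log source (not real data).
# Note fw1 has NO row for 2010-08-06: the collector received nothing.
SAMPLE_COUNTS = [
    ("2010-08-01", "fw1", 120000),
    ("2010-08-02", "fw1", 118500),
    ("2010-08-03", "fw1", 121200),
    ("2010-08-04", "fw1", 119800),
    ("2010-08-05", "fw1", 122300),
    ("2010-08-01", "web1", 8000),
    ("2010-08-02", "web1", 8200),
    ("2010-08-03", "web1", 7900),
    ("2010-08-04", "web1", 8100),
    ("2010-08-05", "web1", 8050),
    ("2010-08-06", "web1", 31000),  # ~4x normal: debug logging or something worse
    ("2010-08-01", "db1", 3000),
    ("2010-08-02", "db1", 3100),
    ("2010-08-03", "db1", 2950),
    ("2010-08-04", "db1", 3050),
    ("2010-08-05", "db1", 3000),
    ("2010-08-06", "db1", 3120),  # within normal variation
]


def volume_anomalies(counts, baseline_days=5, drop_ratio=0.5, spike_ratio=2.0):
    """Compare each host's latest-day count with the median of the preceding
    `baseline_days` days.  Days on which a host has no row count as 0 events,
    so a source that stopped logging is reported as a drop."""
    all_days = sorted({day for day, _, _ in counts})
    by_host = defaultdict(dict)
    for day, host, n in counts:
        by_host[host][day] = n

    findings = []
    for host, per_day in sorted(by_host.items()):
        series = [per_day.get(d, 0) for d in all_days]  # absent day -> 0
        if len(series) < baseline_days + 1:
            continue  # not enough history to judge this source yet
        history = series[-(baseline_days + 1):-1]
        latest = series[-1]
        base = median(history)
        if base == 0:
            continue  # a source that never logged cannot be trended
        ratio = latest / base
        if ratio <= drop_ratio:
            kind = "drop"
        elif ratio >= spike_ratio:
            kind = "spike"
        else:
            continue
        findings.append({
            "host": host,
            "day": all_days[-1],
            "kind": kind,
            "events": latest,
            "baseline": base,
            "ratio": round(ratio, 2),
        })
    return findings


if __name__ == "__main__":
    for f in volume_anomalies(SAMPLE_COUNTS):
        print(f)
```

Expect two findings: fw1 as a drop (no events at all on the last day against a median of 120000) and web1 as a spike at roughly 3.85x its baseline; db1 stays quiet. A median rather than a mean keeps one earlier freak day from distorting the baseline, and the "absent day is zero" join is the piece most home-grown versions of this report leave out.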

4. Resource Access Reports

a. General

i. Access to resources on critical systems after office hours / “off” hours

b. Web

i. Top internal users blocked by proxy from accessing prohibited sites (malware sources, pornography, etc)

c. File

i. File, network share or resource access (success, failure) - for specific audited resources

d. Database

i. Top database users - excluding known application access

ii. Summary of query types - excluding known application queries

iii. All privileged user access

iv. All users executing INSERT, DELETE commands - excluding known application queries

v. All users executing CREATE, GRANT, schema changes, etc

vi. Database backups

e. Email

i. Top internal email addresses by count of messages, byte volume

ii. Top internal email addresses sending attachments to public/hosted addresses

iii. All emailed attachment content types, sizes

iv. All internal systems sending mail – excluding known mail servers

5. Malware Activity Reports

a. All systems with AV events by user, system name, time trend

b. Detect-only events from anti-virus tools (leave-alones)

c. All anti-virus protection failures (crashes, unloads, update failures, etc)

d. Internal connections to known malware IP addresses – a public blacklist needed

6. Failures and Critical Errors

a. Critical errors by system, application, business unit

b. System and application crashes, shutdowns, restarts

c. Backup failures

d. Capacity / limit exhaustion - memory, disk, CPU, etc

7. Analytic Reports – Mostly Using “Never Before Seen” (NBS) aka “NEW Type/Object” Analysis; also add “rarely seen” / OSO / “bottom X by …”

a. NEW (NBS) Log message types / event types

b. NEW (NBS) Users authenticating successfully

c. NEW (NBS) Sources that connected to systems using privileged accounts

d. NEW (NBS) Internal system connecting to external systems

e. NEW (NBS) External IPs connecting to NEW Entry Points – not sure how to collect this

f. NEW (NBS) Ports accessed on internal systems

g. NEW (NBS) HTTP request types

h. NEW (NBS) Downloaded/uploaded content types

i. NEW (NBS) Query types on databases
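Every item in section 7 is the same algorithm applied to a different field (or pair of fields): build the set of values seen over a history period, then report anything in the current period that is not in that set, plus the "bottom X by count" variant for things that are seen but rarely. The added example below (mine, not from the original post or from SANS) runs that over constructed parsed events for event type (7a), user (7b), user+source (7c) and destination+port (7f); the field names and the sample data are assumptions, and any other item in the list is just another field tuple.

```python
"""Never-Before-Seen (NBS) and rarely-seen analysis over log fields.

Added example, not part of the original post.  A baseline of values per
field is built from a history period; the current period is then checked
for values that are new, or that sit at the bottom of the count ranking.
Events are constructed dicts of already-parsed fields.
"""
from collections import Counter

# Constructed history (not real logs), repeated so it looks like a busy period.
HISTORY = [
    {"event_type": "login_ok", "user": "alice", "src": "10.0.0.5", "dst": "srv1", "dport": 22},
    {"event_type": "login_ok", "user": "bob", "src": "10.0.0.9", "dst": "srv2", "dport": 22},
    {"event_type": "login_ok", "user": "alice", "src": "10.0.0.5", "dst": "srv1", "dport": 22},
    {"event_type": "http_get", "user": "alice", "src": "10.0.0.5", "dst": "web1", "dport": 80},
    {"event_type": "http_get", "user": "bob", "src": "10.0.0.9", "dst": "web1", "dport": 80},
    {"event_type": "http_post", "user": "bob", "src": "10.0.0.9", "dst": "web1", "dport": 80},
] * 10

# Constructed current-period events; the comments mark what should surface.
TODAY = [
    {"event_type": "login_ok", "user": "alice", "src": "10.0.0.5", "dst": "srv1", "dport": 22},
    {"event_type": "login_ok", "user": "mallory", "src": "10.0.0.77", "dst": "srv1", "dport": 22},  # new user, new user+src
    {"event_type": "http_get", "user": "bob", "src": "10.0.0.9", "dst": "web1", "dport": 80},
    {"event_type": "http_get", "user": "alice", "src": "10.0.0.5", "dst": "web1", "dport": 80},
    {"event_type": "login_ok", "user": "bob", "src": "10.0.0.9", "dst": "srv1", "dport": 3389},  # new port on srv1
    {"event_type": "http_put", "user": "alice", "src": "10.0.0.5", "dst": "web1", "dport": 80},  # new HTTP request type
]

# Each "field" is a tuple of column names; a pair gives you the 7c / 7f style reports.
FIELDS = [("event_type",), ("user",), ("user", "src"), ("dst", "dport")]


def key_of(event, field):
    """The value of a composite field is the tuple of its column values."""
    return tuple(event.get(col) for col in field)


def values_by_field(events, fields):
    """field -> Counter of how often each value (tuple) occurred."""
    return {f: Counter(key_of(e, f) for e in events) for f in fields}


def never_before_seen(history, today, fields):
    """For each field, the sorted list of values present today but absent
    from the whole history: the NBS / 'NEW Type/Object' report."""
    base = values_by_field(history, fields)
    cur = values_by_field(today, fields)
    return {f: sorted(set(cur[f]) - set(base[f])) for f in fields}


def rarely_seen(history, today, field, bottom=3):
    """The 'bottom X by count' variant: values of one field ranked by how
    rarely they occur across history and today combined."""
    counts = values_by_field(history + today, [field])[field]
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:bottom]


if __name__ == "__main__":
    for field, new in never_before_seen(HISTORY, TODAY, FIELDS).items():
        print("+".join(field), "NEW:", new)
    print("rarely seen event types:", rarely_seen(HISTORY, TODAY, ("event_type",)))
```

On this data the NBS pass surfaces `http_put` as a new event type, `mallory` as a new user and new user+source pair, and port 3389 as new on srv1, while the rarely-seen pass puts `http_put` (1) and `http_post` (10) at the bottom of the event-type ranking. Two practical points the list items gloss over: the very first run reports everything as NEW, so the baseline needs to cover enough days before the report means anything; and "rarely seen" needs a count floor or you will spend your mornings reading about one-off typos in usernames.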


More last-second comments? If not, I will be adding documentation for all report examples and submitting it to SANS for distribution.

Also, if you commented, please let me know if you do NOT want your name in the credits. Default: you will be mentioned as a valuable contributor as long as your contribution was, you know, valuable :-)


Dr Anton Chuvakin