Chapter 8. Queries and Reports

“Truth, like gold, is to be obtained not by its growth, but by washing away from it all that is not gold.”

Leo Tolstoy

If this  book were about gold mining, you’d have your mining plan all laid out at this point. You’d have your tools, a sluice box, a scale, and everything else you need to begin. You’d even have an idea of what to do with the gold once you’ve found it. Even though gold is everywhere, how are you going to separate it from the rest of the dirt? A random shovelful of dirt does contain gold, but obviously digging at random isn’t a very efficient or cost-effective strategy—you need a better plan. Just like finding gold, identifying actionable security events requires good queries to sort through a mountain of data to yield those incident and monitoring nuggets.

This chapter will help to equip you with basic ideas for creating valuable reports and the queries that power them. Keep in mind that the key to success is knowing how to ask the right questions about your log data. Explicitly define the problem you are trying to solve and then use the data to arrive at an answer. Like anything, developing effective queries becomes easier the more you practice and familiarize yourself with the data. Specifically, you need to know:

• What makes a good report

• Cost-benefit analysis of running a report

• What makes up a good high-fidelity report, and how to decide when to make a report investigative or high fidelity

• How to avoid great-but-impossible ...