4 Log and Event Analysis

The Role of Log and Event Analysis in SOCs

Log and event analysis forms a crucial pillar of modern security operations center (SOC) functions. Through the centralized collection and monitoring of log data from endpoints, networks, and applications, SOCs gain visibility into potential security issues across the enterprise infrastructure.

Security information and event management (SIEM) platforms ingest logs from disparate sources and use correlation to identify anomalies and suspicious patterns indicative of a security incident, like an emerging malware infection or a brute force login attack (Kidd 2023).

For example, an SIEM could correlate failed login events from virtual private network (VPN) servers with suspicious internet traffic from endpoint agents to detect potential intrusions.
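The correlation described above, as an added illustration that is not code from the book: a small rule that flags a user whose burst of VPN login failures is followed by a successful login and then a suspicious outbound connection reported by an endpoint agent. The log lines, field layout (`timestamp|source|user|detail`), thresholds and window are constructed for this example.

```python
"""Toy SIEM-style correlation: VPN brute-force pattern + endpoint network alert."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs); fields: timestamp|source|user|detail
VPN_LOG = """\
2024-05-01T08:00:01|vpn|alice|LOGIN_FAIL src=203.0.113.7
2024-05-01T08:00:05|vpn|alice|LOGIN_FAIL src=203.0.113.7
2024-05-01T08:00:09|vpn|alice|LOGIN_FAIL src=203.0.113.7
2024-05-01T08:00:14|vpn|alice|LOGIN_FAIL src=203.0.113.7
2024-05-01T08:00:20|vpn|alice|LOGIN_FAIL src=203.0.113.7
2024-05-01T08:00:31|vpn|alice|LOGIN_OK src=203.0.113.7
2024-05-01T09:15:00|vpn|bob|LOGIN_FAIL src=198.51.100.9
2024-05-01T09:15:40|vpn|bob|LOGIN_OK src=198.51.100.9
"""
EDR_LOG = """\
2024-05-01T08:03:10|edr|alice|OUTBOUND dst=192.0.2.50 verdict=suspicious
2024-05-01T09:20:00|edr|bob|OUTBOUND dst=198.51.100.200 verdict=clean
"""

def parse(text):
    """Split pipe-delimited lines into (timestamp, source, user, detail) tuples."""
    events = []
    for line in text.splitlines():
        ts, source, user, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), source, user, detail))
    return events

def correlate(vpn_events, edr_events, fail_threshold=5, window=timedelta(minutes=10)):
    """Alert when >= fail_threshold VPN failures precede a success within `window`
    and the same user's endpoint then reports a suspicious outbound connection."""
    fails = defaultdict(list)
    for ts, _, user, detail in vpn_events:
        if detail.startswith("LOGIN_FAIL"):
            fails[user].append(ts)
    alerts = []
    for ts, _, user, detail in vpn_events:
        if not detail.startswith("LOGIN_OK"):
            continue
        recent = [t for t in fails[user] if ts - window <= t <= ts]
        if len(recent) < fail_threshold:
            continue  # isolated typos, not a brute-force pattern
        for ets, _, euser, edetail in edr_events:
            if euser == user and ts <= ets <= ts + window and "verdict=suspicious" in edetail:
                alerts.append({"user": user, "login_at": ts, "fails": len(recent), "endpoint_at": ets})
    return alerts

if __name__ == "__main__":
    for alert in correlate(parse(VPN_LOG), parse(EDR_LOG)):
        print(alert)
```

Only alice is flagged: bob's single failure stays below the threshold and his endpoint event is marked clean, which is the point of correlating across sources rather than alerting on either log alone.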

Some key event sources monitored by SOCs through logging include:

  • Firewalls and proxy servers for signs of reconnaissance and unauthorized access.
  • VPN concentrators and remote access solutions to identify compromised credentials.
  • Domain controllers and authentication systems like Active Directory for credential misuse and policy violations.
  • Email servers and gateways to detect phishing campaigns or spam.
  • Endpoints across desktops, servers, and mobile devices for indicators like the execution of malware, malicious processes, and file system changes.
  • Cloud platforms and applications for misconfigurations, unauthorized activity, and excessive permissions.

Use cases enabled by collecting ...
