
Reporting Up: Recommendations for Log Analysis

March 24, 2019

What kind of log information should be reported up the chain?

At a certain point during log examination analysts start to ask, “What information is important enough to share with my supervisor?” This post covers useful categories of information to monitor and report that indicate potential security issues. And remember: reporting up doesn’t mean going directly to senior management. Most issues can be reported directly to an immediate supervisor.

Policy Violations

This type of information indicates someone is doing something they’re not supposed to. To identify policy violation issues, monitor:

·    Non-service accounts where, for example, a user or admin account is being used for services instead of a service account

·    Account sharing indicating multiple staff members using a single account (e.g., logins from different locations or networks at a similar time)
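The two policy-violation checks above can be turned into simple detectors. The following Python is an added example written for this post, not Graylog code; it assumes a naming convention in which service accounts start with "svc_", treats 10.0.0.0/8 as the internal network, and runs over a handful of constructed log records embedded in the script.

```python
# Added example (not from the Graylog post): detectors for the two policy
# violations described above, run over constructed sample log records.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events: (timestamp, account, source IP, logon kind).
SAMPLE_EVENTS = [
    ("2019-03-24T08:02:10", "svc_backup", "10.0.5.20", "service_logon"),
    ("2019-03-24T08:05:44", "jdoe", "10.0.5.21", "service_logon"),  # user account running a service
    ("2019-03-24T09:00:00", "asmith", "10.0.1.15", "interactive"),
    ("2019-03-24T09:04:30", "asmith", "203.0.113.7", "interactive"),  # same account, other network, 4.5 min later
    ("2019-03-24T13:00:00", "asmith", "10.0.1.15", "interactive"),
    ("2019-03-24T13:01:00", "bjones", "10.0.2.8", "interactive"),
]

# Assumptions for this example: service accounts follow a "svc_" prefix,
# and 10.0.0.0/8 is the only internal network.
SERVICE_PREFIX = "svc_"
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def parse(ev):
    ts, account, ip, kind = ev
    return datetime.fromisoformat(ts), account, ip, kind


def network_label(ip):
    """Collapse a source IP to the internal network it belongs to, or 'external'."""
    addr = ip_address(ip)
    for net in INTERNAL_NETS:
        if addr in net:
            return str(net)
    return "external"


def non_service_accounts_used_as_services(events):
    """Accounts that performed a service logon but do not follow the service naming convention."""
    return sorted({acc for _, acc, _, kind in map(parse, events)
                   if kind == "service_logon" and not acc.startswith(SERVICE_PREFIX)})


def possible_account_sharing(events, window=timedelta(minutes=10)):
    """Accounts with interactive logons from different networks within `window` of each other.

    Returns (account, first network, second network, minutes apart) tuples.
    """
    by_account = defaultdict(list)
    for ts, acc, ip, kind in map(parse, events):
        if kind == "interactive":
            by_account[acc].append((ts, network_label(ip)))
    flagged = []
    for acc, logons in by_account.items():
        logons.sort()
        for (t1, n1), (t2, n2) in zip(logons, logons[1:]):
            if n1 != n2 and t2 - t1 <= window:
                flagged.append((acc, n1, n2, int((t2 - t1).total_seconds() // 60)))
    return flagged


if __name__ == "__main__":
    print("non-service accounts used for services:", non_service_accounts_used_as_services(SAMPLE_EVENTS))
    print("possible account sharing:", possible_account_sharing(SAMPLE_EVENTS))
```

Both functions return lists rather than printing, so the same logic can feed a ticket or a daily summary for a supervisor. The ten-minute window is a starting point; tune it to how quickly a user could legitimately move between networks in your environment.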

Significant Shifts in Statistics

Monitoring a significant change in statistics means looking at volume of particular events as an indicator that something might be wrong. Examples include:

·     Failed logins to critical resources (e.g., failed attempts on the finance server)

·     Increased communication with known malware/bad actor sites, such as identifying a list of malware domains and any users communicating with them

·     Significant uptick in bytes transferred, which suggests someone may be moving a lot of data in or out of the network
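"Significant shift" needs a baseline to compare against. The Python below is an added example, not part of the post; it scores today's count for each of the three metrics above against a constructed seven-day baseline using a z-score, and lists users seen talking to a constructed list of known-bad domains. The threshold of three standard deviations is an assumption.

```python
# Added example (not from the Graylog post): flag metrics whose daily count
# has shifted significantly from a recent baseline.
import statistics

# Constructed daily counts for the previous seven days and for today.
BASELINE = {
    "failed_logins_finance_server": [12, 9, 15, 11, 10, 14, 13],
    "gb_transferred_out": [120, 131, 118, 125, 140, 122, 128],
    "connections_to_known_bad_domains": [0, 0, 1, 0, 0, 0, 0],
}
TODAY = {
    "failed_logins_finance_server": 48,
    "gb_transferred_out": 135,
    "connections_to_known_bad_domains": 6,
}

# Constructed block list and proxy log lines: (user, destination domain).
KNOWN_BAD_DOMAINS = {"bad.example", "evil.example"}
PROXY_LOG = [
    ("asmith", "intranet.example"),
    ("bjones", "bad.example"),
    ("cwhite", "evil.example"),
    ("bjones", "bad.example"),
]


def zscore(baseline, today):
    """How many sample standard deviations today's value sits above the baseline mean."""
    mean = statistics.mean(baseline)
    stdev = statistics.stdev(baseline)
    if stdev == 0:
        return float("inf") if today > mean else 0.0
    return (today - mean) / stdev


def significant_shifts(baseline=BASELINE, today=TODAY, threshold=3.0):
    """Metrics whose value today exceeds the baseline by more than `threshold` standard deviations."""
    return sorted(name for name, hist in baseline.items()
                  if zscore(hist, today[name]) > threshold)


def users_contacting_bad_domains(log=PROXY_LOG, bad=KNOWN_BAD_DOMAINS):
    """Distinct users with at least one connection to a known-bad domain."""
    return sorted({user for user, domain in log if domain in bad})


if __name__ == "__main__":
    for name, hist in BASELINE.items():
        print(f"{name}: z={zscore(hist, TODAY[name]):.1f}")
    print("report up:", significant_shifts())
    print("users talking to bad domains:", users_contacting_bad_domains())
```

A 7-day window is short; in practice a longer baseline (and separate weekday/weekend baselines) gives fewer false alarms, but the comparison stays the same.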

Overall Areas to Monitor and Report

There are also plenty of areas you should monitor regularly and report up if unusual activity suggests there may be an issue, such as:

·     Account types

Monitoring usage of account types like service accounts, privileged accounts (e.g., administrators, users with access to critical resources, executive accounts), dormant accounts, and recently terminated accounts helps identify whether an account is being misused or accessed by the wrong people.

·     Physical security

Information about access control such as badge swipes or RFID data can help identify security issues at facilities and workplaces.

·     User logins by department

Report to each department where and when users are logging in to ensure personnel access assets appropriately.

·     Login monitoring

Login monitoring can include logins outside of business hours and remote logins vs. local logins to gauge after-hours or remote activity.

·     Privileged account creation

Privileged accounts are rare, so several accounts being created may indicate an issue.

·     New software installations

If there are policies in place on what can be uploaded, tracking software installations shows if employees aren’t playing by the rules.

·     New processes in an environment

If a process is identified that was not there before, it could be an early indication of a malware compromise.

·     Bandwidth usage

Tracking bandwidth usage can include examining high usage in general and/or high-bandwidth-using users or resources (which may signal an attempt to exfiltrate data).

·     Assets connecting from a new location

If assets that connect to the network from a particular (or assigned) location are connecting from a new location, it might be a warning sign.

·     Connection attempts by stolen assets

A lost laptop or mobile device that attempts to connect to your environment may suggest a security risk.

·     Unusual patterns in downloads

This type of activity could indicate an issue—especially if tied to other unusual usage.
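Several of the areas in the list above share one pattern: keep a baseline of what is normal (known processes per host, each asset's home site, business hours, the expected rate of privileged account creation) and report anything that falls outside it. The Python below is an added example written for this post, not Graylog code; every baseline and event in it is constructed, and the business hours, the one-privileged-account-per-day limit, and the event field names are assumptions.

```python
# Added example (not from the Graylog post): baseline-and-exception checks for
# several of the areas listed above, run over constructed events.
from collections import Counter
from datetime import datetime, time

# Constructed baselines (assumptions for this example).
KNOWN_PROCESSES = {
    "host-fin-01": {"sqlservr.exe", "svchost.exe"},
    "host-hr-02": {"svchost.exe", "outlook.exe"},
}
ASSET_HOME_SITE = {"laptop-0042": "hq", "laptop-0077": "branch-east"}
STOLEN_ASSETS = {"laptop-0099"}  # from the lost/stolen device list
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
MAX_PRIV_CREATIONS_PER_DAY = 1

# Constructed events with assumed field names.
EVENTS = [
    {"ts": "2019-03-24T02:15:00", "type": "logon", "user": "asmith", "remote": True},
    {"ts": "2019-03-24T10:00:00", "type": "logon", "user": "bjones", "remote": False},
    {"ts": "2019-03-24T10:05:00", "type": "process_start", "host": "host-fin-01", "process": "updhelper.exe"},
    {"ts": "2019-03-24T10:06:00", "type": "process_start", "host": "host-hr-02", "process": "outlook.exe"},
    {"ts": "2019-03-24T11:00:00", "type": "asset_connect", "asset": "laptop-0042", "site": "branch-west"},
    {"ts": "2019-03-24T11:30:00", "type": "asset_connect", "asset": "laptop-0099", "site": "hq"},
    {"ts": "2019-03-24T12:00:00", "type": "account_created", "user": "adm-temp1", "privileged": True},
    {"ts": "2019-03-24T12:20:00", "type": "account_created", "user": "adm-temp2", "privileged": True},
    {"ts": "2019-03-24T12:25:00", "type": "account_created", "user": "cwhite", "privileged": False},
]


def _when(ev):
    return datetime.fromisoformat(ev["ts"])


def after_hours_or_remote_logons(events):
    """(user, after_hours, remote) for every logon outside business hours or from a remote source."""
    out = []
    for ev in events:
        if ev["type"] != "logon":
            continue
        t = _when(ev).time()
        after_hours = not (BUSINESS_START <= t < BUSINESS_END)
        if after_hours or ev["remote"]:
            out.append((ev["user"], after_hours, ev["remote"]))
    return out


def new_processes(events, known=KNOWN_PROCESSES):
    """Processes never seen before on that host (first-seen baseline per host)."""
    return [(ev["host"], ev["process"]) for ev in events
            if ev["type"] == "process_start" and ev["process"] not in known.get(ev["host"], set())]


def assets_from_new_location(events, home=ASSET_HOME_SITE):
    """(asset, home site, observed site) for assets connecting from somewhere other than home."""
    return [(ev["asset"], home[ev["asset"]], ev["site"]) for ev in events
            if ev["type"] == "asset_connect" and ev["asset"] in home and ev["site"] != home[ev["asset"]]]


def stolen_asset_connections(events, stolen=STOLEN_ASSETS):
    """Connection attempts by devices on the lost/stolen list."""
    return [(ev["asset"], ev["site"]) for ev in events
            if ev["type"] == "asset_connect" and ev["asset"] in stolen]


def privileged_creation_bursts(events, limit=MAX_PRIV_CREATIONS_PER_DAY):
    """Days on which more privileged accounts were created than the expected limit."""
    per_day = Counter(_when(ev).date() for ev in events
                      if ev["type"] == "account_created" and ev["privileged"])
    return [(str(day), n) for day, n in sorted(per_day.items()) if n > limit]


def report(events):
    """Bundle the findings an analyst would pass to a supervisor."""
    return {
        "after_hours_or_remote_logons": after_hours_or_remote_logons(events),
        "new_processes": new_processes(events),
        "assets_from_new_location": assets_from_new_location(events),
        "stolen_asset_connections": stolen_asset_connections(events),
        "privileged_creation_bursts": privileged_creation_bursts(events),
    }


if __name__ == "__main__":
    for area, findings in report(EVENTS).items():
        print(f"{area}: {findings}")
```

Each check is deliberately a one-line comparison against a baseline; the work in a real deployment is keeping those baselines current (refreshing the known-process set after approved software rollouts, updating home sites when staff move) so that the exceptions stay worth reporting.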

Conclusion

With the volume of log data available, monitoring data related to policy violations, significant shifts in statistics, and general network activity is a good place to start reporting up. Knowing what to share with supervisors increases both the value of log data and your value to the organization.
