What's your SOC monitoring (mind map, flattened; the node labels below are grouped by the branch labels visible on the map)

Logs
• HTTP proxy logs
• DNS, DHCP and FTP logs
• Web and SQL server logs
• Appflow logs
• System activity logs (eg. Administrator), including storage appliances or tools
• Endpoint (and agent-based) logs
• Logs from standard (eg. SAP) and customised applications
• Authentication (eg. Windows) logs
• Physical security logs
• Email, firewall, VPN and Netflow logs
• Malware protection (eg. anti-virus) logs
• Server Access Logs

Cybersecurity Tools
• Network intrusion detection systems (NIDS)
• Network intrusion prevention systems (NIPS)
• File Integrity Monitoring
• Data loss protection (DLP)
• Tools that employ potential malware isolation and investigation techniques (eg. sandboxing or virtual execution engines)
• Other relevant security management appliances or tools
• EDR, Anti-Malware, IDS, IPS, IDS/IPS, Firewall, Proxy, Wi-Fi, SIEM, CASB, SSO
• IAM and IAM SaaS (Starters, Movers, Leavers)

Technical
• Malwares
• Spams
• Phishing Emails
• Server Access Activities
• Application Server (Website)
• Logon Activities

Malicious/Suspicious Activities
• Suspicious Network Activities
• Regarding Suspicious Processes
• Malicious EXEs using Bulk Hash Search
• Phishing Activities
• Unauthorised Changes on System, Registry, Server, Application
• Outdated Everything
• Number of Attacks
• Attack stages (MITRE ATT&CK tactic names): Execution, Persistence, Privilege Escalation, Credential Access, Defense Evasion, Discovery, Lateral Movement, Exfiltration

Accounts
• User Accounts
• Domain Accounts
• Local Admin Accounts
• Dormant Accounts
• Accounts Pertaining to Left Users
• Password Policy: Expired Passwords; Passwords not set in last 3 months

Devices
• Company Provided Devices
• Mobiles
• Tablets
• BYOD
• USB

Data Security
• Encryption at Rest
• Encryption in Motion

Incidents Monitoring
• Via Third-Party Informing
• Via Employee Informing
• Via Help Desk Team

Application Management
• Non-Approved Software Installation
• Usage of Remote Administration Tools
• Usage of Virtual Devices
• Usage of Proxy/VPN Tools
• Non-Approved Desktop Based Cloud Apps
• Non-Approved Cloud URLs
• File-Sharing Tools
• Third-party software

Threat Intelligence Feeds
• Feeds - IPs, Hashes, Filenames, Threat Actors, URLs, Domains
• Custom Feeds
• Commercial Feeds
• Open Source Feeds

Configuration Changes
• Windows
• All Unix and Mac OS
• Active Directory
• Networking Devices
• Servers
• Clients
• Workstations
• Firewall
• IDS/IPS
• Operating Systems
• Applications
• Change Requests

Vulnerabilities and Alerts
• Scanners
• Pentest Services
• Compliance Team
• VM team

Other branches on the map
• Configuration and Compliance
• Vulnerabilities
• Patches
• Backup Monitoring