Most Useful Reports Based On Log Data?

By Anton Chuvakin
July 14, 2010

Some of you remember the project started at SANS Log Management Summit 2006 called "SANS Top 5 Essential Log Reports." You can still grab the old document here [PDF]. 

Recently, I volunteered to create a 2010 version of SANS Top 5 Log Reports and have collected the report types and specific examples below as candidates for a new Top 7 Essential Log Reports list - and now I need your help with refining and expanding the list of reports below!


NEW PROPOSED Top 7 Essential Log Reports

Top Log Report Candidate 1. Authentication and Authorization Reports

a. Login Failures and Successes

b. Attempts to gain unauthorized access through existing accounts

c. Privileged account access (success, failure)

d. VPN Authentication and other remote access (success, failure)

e. Please add more reports you find useful!
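As an added illustration of reports 1a to 1c (this is example code written for this page, not something from the original post or from SANS): the script below builds them from sshd-style syslog lines. The log lines are constructed for the demo, and the privileged-account set and the failure threshold are assumptions to tune per site.

```python
"""Authentication report (Candidate 1a-1c) over sshd-style syslog lines.

Added example: the log lines below are constructed for this demo, and the
privileged-account list and failure threshold are assumptions to tune per site.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of sshd authentication outcomes (not from a real host).
SAMPLE_AUTH_LOG = """\
Jul 14 08:01:12 bastion sshd[4011]: Accepted publickey for alice from 10.0.5.21 port 51022 ssh2
Jul 14 08:02:40 bastion sshd[4019]: Failed password for bob from 198.51.100.7 port 40122 ssh2
Jul 14 08:02:43 bastion sshd[4019]: Failed password for bob from 198.51.100.7 port 40122 ssh2
Jul 14 08:02:47 bastion sshd[4019]: Failed password for bob from 198.51.100.7 port 40122 ssh2
Jul 14 08:02:51 bastion sshd[4019]: Failed password for bob from 198.51.100.7 port 40122 ssh2
Jul 14 08:02:55 bastion sshd[4023]: Accepted password for bob from 198.51.100.7 port 40130 ssh2
Jul 14 08:10:03 bastion sshd[4050]: Failed password for invalid user admin from 203.0.113.9 port 3333 ssh2
Jul 14 08:11:30 bastion sshd[4061]: Accepted publickey for root from 10.0.5.21 port 51100 ssh2
Jul 14 08:12:01 bastion sshd[4070]: Failed password for root from 203.0.113.9 port 3340 ssh2
"""

# Matches the outcome lines sshd writes; other sshd lines are ignored.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

PRIVILEGED = {"root", "admin"}   # assumption: site-specific privileged accounts
FAIL_THRESHOLD = 3               # assumption: failures before a later success is flagged


def parse_events(text):
    """Turn raw lines into dicts: ok (bool), user, src, invalid (unknown account)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"ok": m["result"] == "Accepted", "user": m["user"],
                           "src": m["src"], "invalid": "invalid user" in line})
    return events


def login_report(events):
    """1a: successes and failures per account, and which sources fail most."""
    return {
        "success": Counter(e["user"] for e in events if e["ok"]),
        "failure": Counter(e["user"] for e in events if not e["ok"]),
        "failing_sources": Counter(e["src"] for e in events if not e["ok"]),
    }


def privileged_access(events, privileged=PRIVILEGED):
    """1c: every success and failure against a privileged account, in log order."""
    return [(e["user"], e["src"], "success" if e["ok"] else "failure")
            for e in events if e["user"] in privileged]


def suspicious_successes(events, threshold=FAIL_THRESHOLD):
    """1b: a success on an existing account right after >= threshold failures
    for that account from the same source, i.e. guessing that eventually worked."""
    fails = defaultdict(int)
    flagged = []
    for e in events:
        key = (e["user"], e["src"])
        if e["ok"]:
            if fails[key] >= threshold:
                flagged.append((e["user"], e["src"], fails[key]))
            fails[key] = 0          # a success resets the run for this pair
        else:
            fails[key] += 1
    return flagged


if __name__ == "__main__":
    ev = parse_events(SAMPLE_AUTH_LOG)
    rep = login_report(ev)
    print("Failures per account:", rep["failure"].most_common())
    print("Top failing sources:", rep["failing_sources"].most_common(3))
    print("Privileged account access:", privileged_access(ev))
    print("Success after repeated failures:", suspicious_successes(ev))
```

The 1b report is the one that needs ordering, not just counting: a success on its own is normal, a burst of failures on its own is noise, but failures followed by a success for the same account and source is the pattern worth a ticket.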

Top Log Report Candidate 2. Change Reports

a. Addition/Changes/Deletions to Users, Groups and Services

b. Change to configurations

c. Application installs and Updates

d. Please add more reports you find useful!

Top Log Report Candidate 3. Network Activity Reports [used to be called "Suspicious or Unauthorized Network Traffic Patterns" in the old Top 5 list]

a. Top Internal Systems Connecting Through Firewall // Summary of Outbound Connections

b. Network Services Transiting A Firewall

c. Top Largest File Transfers Through the Firewall

d. Internal Systems Using Many Different Protocols/Ports

e. Top Internal Systems With NIDS Alerts

f. Proxy Report on File Uploads

g. Please add more reports you find useful!
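As an added example for reports 3a to 3d (written for this page, not code from the original post or from any firewall vendor): the script below derives them from firewall connection logs. The key=value line format, the sample lines and the internal address range are all assumptions made for the demo.

```python
"""Network activity reports (Candidate 3a-3d) over firewall connection logs.

Added example: the key=value line format, the sample lines and the internal
address range are assumptions made for this demo, not any vendor's format.
"""
import ipaddress
import re
from collections import Counter, defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the site's internal range

# Constructed sample: "<time> <device> <action> key=value ..." (not a real capture).
SAMPLE_FW_LOG = """\
2010-07-14T08:00:01 fw allow src=10.0.5.21 dst=93.184.216.34 proto=tcp dport=443 bytes=48210
2010-07-14T08:00:05 fw allow src=10.0.5.21 dst=93.184.216.34 proto=tcp dport=443 bytes=1320
2010-07-14T08:00:09 fw allow src=10.0.7.88 dst=198.51.100.40 proto=tcp dport=80 bytes=9300
2010-07-14T08:00:12 fw allow src=10.0.7.88 dst=198.51.100.40 proto=tcp dport=8080 bytes=210
2010-07-14T08:00:15 fw allow src=10.0.7.88 dst=198.51.100.41 proto=tcp dport=6667 bytes=5400
2010-07-14T08:00:18 fw allow src=10.0.7.88 dst=198.51.100.42 proto=udp dport=53 bytes=120
2010-07-14T08:00:20 fw allow src=10.0.7.88 dst=198.51.100.43 proto=tcp dport=25 bytes=800
2010-07-14T08:00:25 fw allow src=10.0.9.5 dst=203.0.113.77 proto=tcp dport=443 bytes=734000000
2010-07-14T08:00:30 fw allow src=203.0.113.9 dst=10.0.9.5 proto=tcp dport=22 bytes=500
2010-07-14T08:00:33 fw deny src=10.0.5.21 dst=203.0.113.9 proto=tcp dport=445 bytes=0
"""
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_fw(text):
    """Parse each line into a dict with action, src, dst, proto, dport, bytes."""
    events = []
    for line in text.splitlines():
        head = line.split(maxsplit=3)          # time, device, action, key=value tail
        if len(head) < 4:
            continue
        fields = dict(KV_RE.findall(head[3]))
        events.append({
            "action": head[2],
            "src": fields["src"], "dst": fields["dst"], "proto": fields["proto"],
            "dport": int(fields["dport"]), "bytes": int(fields["bytes"]),
        })
    return events


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def outbound(events):
    """Only connections from an internal source to an external destination."""
    return [e for e in events if is_internal(e["src"]) and not is_internal(e["dst"])]


def top_internal_talkers(events, n=5):
    """3a: internal systems with the most outbound connections (allowed or denied)."""
    return Counter(e["src"] for e in outbound(events)).most_common(n)


def services_transiting(events):
    """3b: which (proto, port) services were actually allowed out."""
    return Counter((e["proto"], e["dport"]) for e in outbound(events) if e["action"] == "allow")


def largest_transfers(events, n=3):
    """3c: biggest allowed outbound transfers by bytes, a starting point for exfiltration review."""
    allowed = [e for e in outbound(events) if e["action"] == "allow"]
    allowed.sort(key=lambda e: e["bytes"], reverse=True)
    return [(e["src"], e["dst"], e["dport"], e["bytes"]) for e in allowed[:n]]


def port_fanout(events, min_ports=4):
    """3d: internal systems talking outbound on many distinct protocol/port pairs."""
    ports = defaultdict(set)
    for e in outbound(events):
        ports[e["src"]].add((e["proto"], e["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    ev = parse_fw(SAMPLE_FW_LOG)
    print("Top outbound talkers:", top_internal_talkers(ev))
    print("Services allowed out:", services_transiting(ev).most_common())
    print("Largest transfers:", largest_transfers(ev))
    print("Hosts using many ports:", port_fanout(ev))
```

Direction matters for every one of these: deciding "outbound" by source and destination range rather than by interface name keeps the report meaningful when the same log line format comes from several firewalls.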

Top Log Report Candidate 4. Resource Access Reports

a. File

i. Failed File or Resource Access Attempts

b. Database

i. Top Database Users

ii. Summary of Query Types

iii. SELECT Data Volume

iv. All Users Executing INSERT/DELETE Commands

v. Database Backups

c. Email

i. Top Internal Email Addresses by Volume of Messages

ii. Top Attachment Types with Sizes

iii. Top Internal Systems Sending Spam // Top Internal Systems Sending Email NOT Through Mail Server

d. Please add more reports you find useful!

Top Log Report Candidate 5. Malware Activity Reports

a. Top systems with anti-malware events

b. Detect-only events from anti-malware tools ("leave-alones")

c. Anti-virus protection failures by type

d. Internal malware connections (all sources)

e. Please add more reports you find useful!

Top Log Report Candidate 6. "Various FAIL"

a. Critical Errors

b. Backup failures

c. Capacity / Limit Exhaustion

d. System and Application Starts, Shutdowns and Restarts

e. Please add more reports you find useful!

Top Log Report Candidate 7. Analytic Reports [Mostly Using "Never Before Seen" (NBS) aka "NEW Type/Object" Analysis]

a. NEW (NBS) IDS/IPS Alert Types

b. NEW (NBS) Log Entry Types

c. NEW (NBS) Users Authentication Success

d. NEW (NBS) Internal Systems Connecting Through Firewall

e. NEW (NBS) Ports Accessed

f. NEW (NBS) HTTP Request Types

g. NEW (NBS) Query Types on Database

h. Please add more NBS or other analytic reports you find useful!
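As an added example of the NBS analysis behind reports 7a to 7g (example code for this page, not from the original post): the script keeps, per category, the set of every value seen over a history window and reports values in the current window that are absent from it. The normalized event shape and all sample data are assumptions constructed for the demo; in practice one parser per log type would produce these dicts.

```python
"""Never-Before-Seen (NBS) analysis for Candidate 7 reports.

Added example: events are normalized dicts of a shape assumed for this demo
(one parser per log type would feed them in practice); all sample data is constructed.
"""
from collections import defaultdict

# Constructed "last 30 days" baseline window (not real data).
HISTORY = [
    {"source": "ids", "type": "alert", "signature": "GENERIC Port Scan"},
    {"source": "auth", "type": "login", "user": "alice", "ok": True},
    {"source": "fw", "type": "conn", "src": "10.0.5.21", "proto": "tcp", "dport": 443},
    {"source": "fw", "type": "conn", "src": "10.0.5.21", "proto": "udp", "dport": 53},
    {"source": "http", "type": "request", "method": "GET"},
    {"source": "http", "type": "request", "method": "POST"},
    {"source": "db", "type": "query", "query": "SELECT name FROM users WHERE id=1"},
]

# Constructed "today" window to compare against the baseline.
TODAY = [
    {"source": "ids", "type": "alert", "signature": "GENERIC Port Scan"},
    {"source": "ids", "type": "alert", "signature": "GENERIC Outbound IRC"},
    {"source": "auth", "type": "login", "user": "alice", "ok": True},
    {"source": "auth", "type": "login", "user": "svc_backup", "ok": True},
    {"source": "auth", "type": "login", "user": "mallory", "ok": False},
    {"source": "fw", "type": "conn", "src": "10.0.5.21", "proto": "tcp", "dport": 443},
    {"source": "fw", "type": "conn", "src": "10.0.7.88", "proto": "tcp", "dport": 6667},
    {"source": "http", "type": "request", "method": "GET"},
    {"source": "http", "type": "request", "method": "PROPFIND"},
    {"source": "db", "type": "query", "query": "DELETE FROM users WHERE id=7"},
    {"source": "db", "type": "audit", "query": "SELECT 1"},
]


def nbs_keys(event):
    """Yield the (category, value) pairs the NBS reports track for one event:
    7a IDS alert types, 7c users with successful logins, 7d internal sources
    through the firewall, 7e ports, 7f HTTP request types, 7g DB query types,
    and 7b log entry types for every event regardless of source."""
    src = event["source"]
    if src == "ids":
        yield "ids_alert_type", event["signature"]
    elif src == "auth" and event.get("ok"):
        yield "auth_success_user", event["user"]
    elif src == "fw":
        yield "fw_internal_src", event["src"]
        yield "port", f"{event['proto']}/{event['dport']}"
    elif src == "http":
        yield "http_request_type", event["method"]
    elif src == "db":
        yield "db_query_type", event["query"].split()[0].upper()
    yield "log_entry_type", f"{src}:{event.get('type', '-')}"


def update_baseline(baseline, events):
    """Fold a window into the baseline once its new values have been reviewed."""
    for e in events:
        for cat, val in nbs_keys(e):
            baseline.setdefault(cat, set()).add(val)


def build_baseline(events):
    """Set of every value seen per category over the history window."""
    baseline = defaultdict(set)
    update_baseline(baseline, events)
    return baseline


def never_before_seen(baseline, events):
    """{category: sorted values} that appear in this window but never in the baseline."""
    new = defaultdict(set)
    for e in events:
        for cat, val in nbs_keys(e):
            if val not in baseline.get(cat, set()):   # unknown category: everything is new
                new[cat].add(val)
    return {cat: sorted(vals) for cat, vals in new.items()}


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for cat, vals in never_before_seen(baseline, TODAY).items():
        print(f"NEW {cat}: {', '.join(vals)}")
    update_baseline(baseline, TODAY)   # only after an analyst has looked at the new values
```

Two practical points follow from the structure. The value of the report depends entirely on the baseline window: too short and every day is full of "new" entries, and a baseline built over a period that already contained an intrusion teaches the system to treat that activity as normal. For that reason the window is folded into the baseline only after its new values have been reviewed, not automatically.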

So, please help this project by commenting via whatever means - blog, twitter, email, etc.

BTW, I think I perused all the previous efforts to distill the best log reports (such as this one), but feel free to point me to such things as well.
