SANS 6 Categories of Critical Log Information

by Josef Weiss
January 16, 2014

The focus of the SANS Top 6 Categories of Critical Log Information is log management and reporting. This dashboard parses log events utilizing Tenable’s Log Correlation Engine and Passive Vulnerability Scanner. Events are presented to the analyst across a series of customizable indicator matrices, tables and trending components for each category. Components should be customized to fit your organizational needs.

The SANS 6 categories are:

1. Authentication and Authorization Reports 2. Systems and Data Change Reports 3. Network Activity Reports 4. Resource Access Reports 5. Malware Activity Reports 6. Failure and Critical Error Reports

SANS 6 - Category 1 - Authentication and Authorization

This indicator matrix identifies failed attempts at logins and authentication failures, as well as authentication guessing or guessed events.

SANS 6 - Category 2 - System and Data Changes

This indicator matrix alerts on various system and critical security changes to devices and networked assets.

SANS 6 - Category 3 - Network Activity

This component displays a 7-day trend analysis of network events. Observed application logs from the Passive Vulnerability Scanner as well as logs from the Tenable NetFlow Monitor (TFM) and the Tenable Network Monitor (TNM) are logged to this LCE event type. Event names are used to designate the collection type (PVS, TNM, or TFM) as well as session length and amount of bandwidth transferred.

Real-time logs from the Passive Vulnerability Scanner, Sourcefire’s RNA, ArpWatch, and some other sources that indicate network changes are also logged. The PVS will log application sessions based on protocols such as SSH, SSL, VNC, RDP, and other applications.

SANS 6 - Category 4 - Resource Access

This component displays login and logout failures. It also provides a representation of login/logout activity over a defined time period.

SANS 6 - Category 5 - Malware Detection - Malware Indicator (Component 1)

This component takes many of the various detection technologies for botnets, malicious file hashes, anomalous network traffic, spikes in system logs and continuous scanning activity, and places them into one spot.

SANS 6 - Category 5 - Malware Detection - Malware Events (Component 2)

This component displays a summary of events of type 'virus' that have occurred in the last 7 days. These events were reported by various applications and collected by the LCE. For each event, a count of occurrences is shown.

SANS 6 - Category 6 - Failures and Errors

Displays a total for the number of Normalized Events seen over the past 48 hours. Also displays a matrix of log items that may be of importance, such as DoS events, DNS failures, error spikes, system crashes, and firewall spikes.

The dashboard and its components are available in the SecurityCenter 4.7 Dashboard app feed, an app store of dashboards, reports, and assets. The dashboard requirements are:

  • SecurityCenter 4.7.1
  • Nessus 5.2.4
  • LCE 4.2.1