Logging, Monitoring & Incident Response (expanded): 25 items
Telemetry/IR → Centralized Logging & Correlation
Question: Are auth/admin/data-access/network logs centralized with correlation/trace IDs?
Applicable Requirements:
- NIST 800-53: AU-6, AU-12
- ISO 27001: A.12.4
- SOC 2: CC7.3
Applicability: All systems
Expected Result: Immutable logs; parsed; linked by IDs; alerts tuned.
Why It Matters: Accelerates detection and forensics.
Technical Breakdown:
- Adopt OpenTelemetry; WORM storage; PII filtering.
Telemetry/IR → Detection Engineering
Question: Are detections mapped to MITRE ATT&CK and unit-tested?
Applicable Requirements:
- NIST 800-53: SI-4
Applicability: SIEM/EDR/NDR
Expected Result: Detections in source control; test data; CI validation.
Why It Matters: Avoids gaps and false positives.
Technical Breakdown:
- Tag TTPs; coverage dashboard; suppress benign noise.
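The following is an added example (not code from the page's checklist or any vendor product) of what "detections in source control, test data, CI validation" looks like in practice: a small rule registry where every rule is tagged with its ATT&CK technique, a suppression list for known benign noise, and a coverage function that a dashboard could read. The auth log lines, the rule id `R001`, the suppressed scanner address and the `parse`/`run_all` helpers are all constructed for this example; the `<test>` assertions are the kind of unit checks that would run in CI.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed auth log lines in a syslog-like key=value format (not from a real system).
# alice: five failures in eight seconds, then success -> should alert.
# bob:   two failures an hour apart -> should not alert at the default window.
# scanner: many failures, but from an allowlisted vulnerability scanner -> suppressed.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z host=web1 user=alice src=10.0.0.5 result=FAIL
2024-03-01T10:00:03Z host=web1 user=alice src=10.0.0.5 result=FAIL
2024-03-01T10:00:05Z host=web1 user=alice src=10.0.0.5 result=FAIL
2024-03-01T10:00:07Z host=web1 user=alice src=10.0.0.5 result=FAIL
2024-03-01T10:00:09Z host=web1 user=alice src=10.0.0.5 result=FAIL
2024-03-01T10:00:11Z host=web1 user=alice src=10.0.0.5 result=OK
2024-03-01T10:30:00Z host=web1 user=bob src=10.0.0.9 result=FAIL
2024-03-01T11:30:00Z host=web1 user=bob src=10.0.0.9 result=FAIL
2024-03-01T12:00:00Z host=web1 user=scanner src=10.0.0.250 result=FAIL
2024-03-01T12:00:01Z host=web1 user=scanner src=10.0.0.250 result=FAIL
2024-03-01T12:00:02Z host=web1 user=scanner src=10.0.0.250 result=FAIL
2024-03-01T12:00:03Z host=web1 user=scanner src=10.0.0.250 result=FAIL
2024-03-01T12:00:04Z host=web1 user=scanner src=10.0.0.250 result=FAIL
2024-03-01T12:00:05Z host=web1 user=scanner src=10.0.0.250 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed allowlist: sources whose failures are known benign noise (e.g. an authorised scanner).
SUPPRESSED_SOURCES = {"10.0.0.250"}


def parse(log_text):
    """Parse log lines into event dicts with a timezone-aware timestamp; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def rule_bruteforce(events, threshold=5, window_s=60):
    """ATT&CK T1110 (Brute Force): >= threshold failed logins for one (user, src) inside a sliding window."""
    alerts = []
    recent_fails = defaultdict(list)
    fired = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] in SUPPRESSED_SOURCES:
            continue  # benign noise suppression, tracked in source control like the rule itself
        if ev["result"] != "FAIL":
            continue
        key = (ev["user"], ev["src"])
        # Keep only the failures that still fall inside the window ending at this event.
        recent_fails[key] = [t for t in recent_fails[key] + [ev["ts"]]
                             if (ev["ts"] - t).total_seconds() <= window_s]
        if len(recent_fails[key]) >= threshold and key not in fired:
            fired.add(key)  # one alert per (user, src), not one per additional failure
            alerts.append({"rule": "R001", "attack": ["T1110"], "user": ev["user"],
                           "src": ev["src"], "count": len(recent_fails[key])})
    return alerts


# Rule registry: each detection carries its ATT&CK technique ids so coverage can be computed.
RULES = [
    {"id": "R001", "attack": ["T1110"], "fn": rule_bruteforce},
]


def run_all(log_text, **kwargs):
    """Run every registered rule over the parsed log and return the combined alert list."""
    events = parse(log_text)
    alerts = []
    for rule in RULES:
        alerts.extend(rule["fn"](events, **kwargs))
    return alerts


def coverage():
    """Map ATT&CK technique id -> list of rule ids, the data behind a coverage dashboard."""
    cov = defaultdict(list)
    for rule in RULES:
        for technique in rule["attack"]:
            cov[technique].append(rule["id"])
    return dict(cov)


if __name__ == "__main__":
    for alert in run_all(SAMPLE_LOG):
        print(alert)
    print(coverage())
```

The point of the shape, rather than the particular rule, is that the rule, its suppression list and its test data live together in the repository, so a change to any of them is reviewed and re-tested before it reaches the SIEM.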
Telemetry/IR → IR Playbooks
Question: Are playbooks defined/tested for phishing, token theft, ransomware, data exfiltration?
Applicable Requirements:
- NIST 800-53: IR-4, IR-8
Applicability: All orgs
Expected Result: Documented steps; comms; legal/PR; quarterly tabletops.
Why It Matters: Reduces MTTR.
Technical Breakdown:
- Automate token revoke; session kills; contact trees.
Telemetry/IR → Threat Intel Integration
Question: Is curated TI integrated for blocking/hunting with expiry and confidence?
Applicable Requirements:
- NIST 800-53: AU-6, SI-4, IR-4
- SOC 2: CC7.2, CC7.3
Applicability: Monitoring and response programs.
Expected Result: Documented, measured, and continuously improved controls.
Why It Matters: Improves time-to-detect/respond and evidentiary quality.
Technical Breakdown:
- Define KPIs; automate wherever feasible; review quarterly.
Telemetry/IR → Log Integrity
Question: Are logs tamper-evident (hash-chained/signed) and stored immutably?
Applicable Requirements:
- NIST 800-53: AU-6, SI-4, IR-4
- SOC 2: CC7.2, CC7.3
Applicability: Monitoring and response programs.
Expected Result: Documented, measured, and continuously improved controls.
Why It Matters: Improves time-to-detect/respond and evidentiary quality.
Technical Breakdown:
- Define KPIs; automate wherever feasible; review quarterly.
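As an added illustration of the hash-chained, signed log the question above asks for (this is example code written for this page, not a product's implementation), the block below chains each record to the previous one by SHA-256 and authenticates each link with an HMAC. The HMAC stands in for a signature: in production the key would live in a KMS or the link would be signed asymmetrically so the writer cannot later forge it. The events and the key are constructed; `verify_chain` reports the index of the first entry that fails, which is what an investigator needs to know how far back the record can be trusted.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample audit events (not from any real system).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T00:00:00Z", "actor": "alice", "action": "login", "result": "ok"},
    {"ts": "2024-01-01T00:05:00Z", "actor": "alice", "action": "read", "object": "/finance/q4.xlsx"},
    {"ts": "2024-01-01T00:07:00Z", "actor": "bob", "action": "role_change", "target": "alice", "role": "admin"},
]

GENESIS = "0" * 64  # prev_hash of the first entry


def canonical(event):
    """Deterministic serialization so the same record always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_chain(events, key):
    """Build chained entries: each carries prev_hash, its own hash and an HMAC tag over that hash."""
    chain = []
    prev = GENESIS
    for ev in events:
        entry_hash = hashlib.sha256(prev.encode() + canonical(ev)).hexdigest()
        tag = hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()
        chain.append({"event": ev, "prev_hash": prev, "hash": entry_hash, "tag": tag})
        prev = entry_hash
    return chain


def verify_chain(chain, key):
    """Return (True, None) if intact, else (False, index of the first entry that fails)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev:
            return False, i  # a link was removed, reordered or inserted
        expected = hashlib.sha256(prev.encode() + canonical(entry["event"])).hexdigest()
        if expected != entry["hash"]:
            return False, i  # the record content was edited after the fact
        expected_tag = hmac.new(key, expected.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, entry["tag"]):
            return False, i  # hash and content agree but were not produced with our key
        prev = entry["hash"]
    return True, None


def demo():
    """Show the three outcomes: intact chain, edited record, deleted record."""
    key = b"constructed-demo-key-use-a-KMS-in-production"
    chain = append_chain(SAMPLE_EVENTS, key)
    ok_intact, _ = verify_chain(chain, key)

    # Edit: quietly rewrite the privilege change as a harmless read.
    edited = copy.deepcopy(chain)
    edited[2]["event"]["action"] = "read"
    ok_edited, edited_index = verify_chain(edited, key)

    # Delete: drop the middle entry; the third entry's prev_hash no longer matches.
    deleted = chain[:1] + chain[2:]
    ok_deleted, deleted_index = verify_chain(deleted, key)

    return ok_intact, ok_edited, edited_index, ok_deleted, deleted_index


if __name__ == "__main__":
    print(demo())
```

Hash chaining alone only detects edits and deletions by someone without the key; an attacker who can rewrite the tail of the chain and recompute the tags holds the key, which is why the page pairs tamper evidence with immutable (WORM) storage and a key the log writer cannot read back.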
Telemetry/IR → Retention & Privacy
Question: Are retention schedules enforced with privacy-by-design redaction?
Applicable Requirements:
- NIST 800-53: AU-6, SI-4, IR-4
- SOC 2: CC7.2, CC7.3
Applicability: Monitoring and response programs.
Expected Result: Documented, measured, and continuously improved controls.
Why It Matters: Improves time-to-detect/respond and evidentiary quality.
Technical Breakdown:
- Define KPIs; automate wherever feasible; review quarterly.
Telemetry/IR → Alert Triage SLAs
Question: Are triage and escalation SLAs defined and met with metrics?
Applicable Requirements:
- NIST 800-53: AU-6, SI-4, IR-4
- SOC 2: CC7.2, CC7.3
Applicability: Monitoring and response programs.
Expected Result: Documented, measured, and continuously improved controls.
Why It Matters: Improves time-to-detect/respond and evidentiary quality.
Technical Breakdown:
- Define KPIs; automate wherever feasible; review quarterly.
Telemetry/IR → Hunt Program
Question: Do you run periodic threat hunts with outcomes feeding detections?
Applicable Requirements:
- NIST 800-53: AU-6, SI-4, IR-4
- SOC 2: CC7.2, CC7.3
Applicability: Monitoring and response programs.
Expected Result: Documented, measured, and continuously improved controls.
Why It Matters: Improves time-to-detect/respond and evidentiary quality.
Technical Breakdown:
- Define KPIs; automate wherever feasible; review quarterly.
Telemetry/IR → Forensic Readiness
Question: Do you have pre-provisioned tooling and isolated evidence storage?
Applicable Requirements:
- NIST 800-53: AU-6, SI-4, IR-4
- SOC 2: CC7.2, CC7.3
Applicability: Monitoring and response programs.
Expected Result: Documented, measured, and continuously improved controls.
Why It Matters: Improves time-to-detect/respond and evidentiary quality.
Technical Breakdown:
- Define KPIs; automate wherever feasible; review quarterly.
Telemetry/IR → Deception Tech
Question: Are honey tokens/decoys deployed to detect lateral movement?
Applicable Requirements:
- NIST 800-53: AU-6, SI-4, IR-4
- SOC 2: CC7.2, CC7.3
Applicability: Monitoring and response programs.
Expected Result: Documented, measured, and continuously improved controls.
Why It Matters: Improves time-to-detect/respond and evidentiary quality.
Technical Breakdown:
- Define KPIs; automate wherever feasible; review quarterly.
Telemetry/IR → Third-Party IR
Question: Is there an on-retainer IR vendor with runbooks integrated?
Applicable Requirements:
- NIST 800-53: AU-6, SI-4, IR-4
- SOC 2: CC7.2, CC7.3
Applicability: Monitoring and response programs.
Expected Result: Documented, measured, and continuously improved controls.
Why It Matters: Improves time-to-detect/respond and evidentiary quality.
Technical Breakdown:
- Define KPIs; automate wherever feasible; review quarterly.
Telemetry/IR → Central Export (AWS CloudTrail)
Question: Are audit logs exported centrally with immutable retention and access controls?
Applicable Requirements:
- NIST 800-53: AU-6, AU-9
- SOC 2: CC7.3
Applicability: All cloud accounts/projects/tenancies.
Expected Result: Organization-level exports; retention ≥ 1 year; WORM; restricted readers.
Why It Matters: Prevents tampering and enables forensics.
Technical Breakdown:
- Central bucket/log analytics; alert on export config changes; periodic restore of logs.
Deep Dive
- AWS CLI: `aws s3api put-public-access-block --bucket <name> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`
- NIST SP 800-63B (Digital Identity Guidelines)
- AWS IAM Identity Center (SSO)
- Azure Entra Conditional Access
- Google Cloud IAM best practices
- SCIM Protocol
- MITRE ATT&CK
- NIST SP 800-61r2: Computer Security Incident Handling
- OpenTelemetry
- AWS CloudTrail Lake
- Azure Sentinel/Microsoft Sentinel
Telemetry/IR → Central Export (Azure Activity/Entra Logs)
Question: Are audit logs exported centrally with immutable retention and access controls?
Applicable Requirements:
- NIST 800-53: AU-6, AU-9
- SOC 2: CC7.3
Applicability: All cloud accounts/projects/tenancies.
Expected Result: Organization-level exports; retention ≥ 1 year; WORM; restricted readers.
Why It Matters: Prevents tampering and enables forensics.
Technical Breakdown:
- Central bucket/log analytics; alert on export config changes; periodic restore of logs.
Deep Dive
- Azure CLI: `az storage account update --name <acct> --allow-blob-public-access false` or APIM `validate-jwt` policy in inbound pipeline.
Telemetry/IR → Central Export (GCP Audit Logs)
Question: Are audit logs exported centrally with immutable retention and access controls?
Applicable Requirements:
- NIST 800-53: AU-6, AU-9
- SOC 2: CC7.3
Applicability: All cloud accounts/projects/tenancies.
Expected Result: Organization-level exports; retention ≥ 1 year; WORM; restricted readers.
Why It Matters: Prevents tampering and enables forensics.
Technical Breakdown:
- Central bucket/log analytics; alert on export config changes; periodic restore of logs.
Telemetry/IR → Central Export (OCI Audit)
Question: Are audit logs exported centrally with immutable retention and access controls?
Applicable Requirements:
- NIST 800-53: AU-6, AU-9
- SOC 2: CC7.3
Applicability: All cloud accounts/projects/tenancies.
Expected Result: Organization-level exports; retention ≥ 1 year; WORM; restricted readers.
Why It Matters: Prevents tampering and enables forensics.
Technical Breakdown:
- Central bucket/log analytics; alert on export config changes; periodic restore of logs.
Deep Dive
- OCI CLI: `oci os bucket update --namespace <ns> --bucket-name <name> --public-access-type NoPublicAccess`
Telemetry/IR → Operational Enhancements: SOAR Automation
Question: Is the following control enforced: SOAR Automation?
Applicable Requirements:
- NIST 800-53: IR-4, AU-6
- SOC 2: CC7.2, CC7.3
Applicability: Common incidents
Expected Result: Automated enrichment/containment for frequent cases
Why It Matters: Improves speed, consistency, and evidence quality.
Technical Breakdown:
- Playbook KPIs; continuous tuning; feedback loops.
Telemetry/IR → Operational Enhancements: UEBA
Question: Is the following control enforced: UEBA?
Applicable Requirements:
- NIST 800-53: IR-4, AU-6
- SOC 2: CC7.2, CC7.3
Applicability: User/entity analytics
Expected Result: Behavioral baselines; anomalous access alerts
Why It Matters: Improves speed, consistency, and evidence quality.
Technical Breakdown:
- Playbook KPIs; continuous tuning; feedback loops.
Telemetry/IR → Operational Enhancements: Mailbox Malware Scanning
Question: Is the following control enforced: Mailbox Malware Scanning?
Applicable Requirements:
- NIST 800-53: IR-4, AU-6
- SOC 2: CC7.2, CC7.3
Applicability: Email ingress
Expected Result: Advanced phishing/malware filters and detonation sandbox
Why It Matters: Improves speed, consistency, and evidence quality.
Technical Breakdown:
- Playbook KPIs; continuous tuning; feedback loops.
Telemetry/IR → Operational Enhancements: IR Evidence Handling
Question: Is the following control enforced: IR Evidence Handling?
Applicable Requirements:
- NIST 800-53: IR-4, AU-6
- SOC 2: CC7.2, CC7.3
Applicability: Chain of custody
Expected Result: Immutable evidence storage; documented handling
Why It Matters: Improves speed, consistency, and evidence quality.
Technical Breakdown:
- Playbook KPIs; continuous tuning; feedback loops.
Telemetry/IR → Operational Enhancements: Tabletop Metrics
Question: Is the following control enforced: Tabletop Metrics?
Applicable Requirements:
- NIST 800-53: IR-4, AU-6
- SOC 2: CC7.2, CC7.3
Applicability: Program maturity
Expected Result: Track MTTA/MTTR and tabletop outcomes
Why It Matters: Improves speed, consistency, and evidence quality.
Technical Breakdown:
- Playbook KPIs; continuous tuning; feedback loops.
Telemetry/IR → Advanced Program Controls: Shadow IT Log Discovery
Question: Is the following control enforced: Shadow IT Log Discovery?
Applicable Requirements:
- NIST 800-53: IR-4, AU-6
- SOC 2: CC7.3
Applicability: CASB/SASE
Expected Result: Detect unapproved SaaS usage and capture logs
Why It Matters: Matures the program and improves prevention/detection loops.
Technical Breakdown:
- Govern shadow IT; tune EDR; use PIRs to drive improvements.
Telemetry/IR → Advanced Program Controls: Privileged Audit Trails
Question: Is the following control enforced: Privileged Audit Trails?
Applicable Requirements:
- NIST 800-53: IR-4, AU-6
- SOC 2: CC7.3
Applicability: Admin actions
Expected Result: Immutable trails with fine-grained details
Why It Matters: Matures the program and improves prevention/detection loops.
Technical Breakdown:
- Govern shadow IT; tune EDR; use PIRs to drive improvements.
Telemetry/IR → Advanced Program Controls: Malware Early Warning
Question: Is the following control enforced: Malware Early Warning?
Applicable Requirements:
- NIST 800-53: IR-4, AU-6
- SOC 2: CC7.3
Applicability: EDR/AV
Expected Result: Heuristic and behavior-based pre-exec blocking
Why It Matters: Matures the program and improves prevention/detection loops.
Technical Breakdown:
- Govern shadow IT; tune EDR; use PIRs to drive improvements.
Telemetry/IR → Advanced Program Controls: Data Exfil Alerts
Question: Is the following control enforced: Data Exfil Alerts?
Applicable Requirements:
- NIST 800-53: IR-4, AU-6
- SOC 2: CC7.3
Applicability: Egress/Cloud
Expected Result: Volume/geo/tenant anomalies alert
Why It Matters: Matures the program and improves prevention/detection loops.
Technical Breakdown:
- Govern shadow IT; tune EDR; use PIRs to drive improvements.
Telemetry/IR → Advanced Program Controls: Post-Incident Reviews
Question: Is the following control enforced: Post-Incident Reviews?
Applicable Requirements:
- NIST 800-53: IR-4, AU-6
- SOC 2: CC7.3
Applicability: Program
Expected Result: Blameless PIRs feeding backlog and control updates
Why It Matters: Matures the program and improves prevention/detection loops.
Technical Breakdown:
- Govern shadow IT; tune EDR; use PIRs to drive improvements.