ECS Premium Log Source Pack
Description:

ECS Premium Log Source Pack provides essential log telemetry across all 12 Tactics of MITRE ATT&CK. Events are normalized to Elastic Common Schema (ECS) to provide structured, high-quality data usable for threat hunting, real-time cross-device correlation and detection of 149 ATT&CK Techniques. The pack covers 52 complex data sources, cloud and on-premises, among those most commonly used worldwide in enterprises and smaller companies. With an average of 2.5 days of development effort per log source, this package directly saves from 52 to 260 man/days of data integration and parser development when deploying the Elastic stack for your company. The package contains Logstash config files and Python API modules to enable smooth and quick integration of the listed log sources with the Elastic stack. This package is a premium add-on and can be purchased separately with any TDM subscription.

For individual log source support, please contact Support or schedule a session with SOC Prime sales.

Official reference to ECS by Elastic: https://www.elastic.co/guide/en/ecs/current/index.html

| Product | Description | MITRE Data Sources |
|---|---|---|
| Akamai | Used to deliver multimedia and software, as well as cloud security solutions. | |
| Apache | Apache web server. | Web logs |
| AWS Classic ELB | Load-balancing service. Automatically distributes incoming application traffic and scales resources to meet traffic demands. | Web logs |
| AWS CloudFront | Provides a globally distributed network of proxies that cache content closer to consumers, thereby increasing download speeds. | Web logs |
| AWS CloudTrail | A service that allows you to keep logs, carry out continuous monitoring and save account history information. | Third-party application logs, Authentication logs |
| AWS VPC Flow Logs | Captures information about the IP traffic going to and from network interfaces in your VPC. | Netflow/Enclave netflow |
| Box | Cloud content management and file sharing service for businesses. | File monitoring, Authentication logs, Third-party application logs |
| CA Privileged Access Manager (PAM) | Solution that helps secure, control, manage and monitor privileged access to critical assets. | Authentication logs, Application logs |
| Check Point | Security device that combines firewall, antivirus, intrusion prevention and virtual private network (VPN) capabilities. | Network device logs, Network intrusion detection system |
| Cisco ASA | Security device that combines firewall, antivirus, intrusion prevention and virtual private network (VPN) capabilities. | Network device logs |
| Cisco ISE | Network administration product that enables the creation and enforcement of security and access policies for endpoint devices connected to the company's routers and switches. | Authentication logs, Application logs |
| Citrix Director | Management console that allows administrators to control and monitor virtual desktops and applications. | Third-party application logs, Authentication logs |
| CrowdStrike alerts | Endpoint Detection and Response. | Process monitoring, Process command-line parameters, Loaded DLLs, DLL monitoring, Windows Registry, API monitoring, File monitoring |
| Cylance | Endpoint security solution that detects, prevents and blocks threats. | Anti-virus |
| DDI Guard | DNS servers (NCC Group). | DNS records |
| F5 BIG-IP ASM | On-premises load balancer that distributes load between a pool of application servers. | Network device logs |
| G Suite | Monitoring of the product that groups all of Google's cloud-based productivity and collaboration tools. Covers Google Drive, Google Calendar and authentication. | Third-party application logs, Authentication logs, File monitoring |
| Imperva WAF | Imperva SecureSphere Web Application Firewall. | Web application firewall logs |
| MS Internet Information Server (IIS) | Microsoft web server. | Web logs |
| Linux (CloudWatch log files) | Tracks security-relevant events, records them in a log file, and detects misuse or unauthorized activities by inspecting the audit log files. | Authentication logs |
| Linux Audit | Tracks security-relevant events, records them in a log file, and detects misuse or unauthorized activities by inspecting the audit log files. | Authentication logs |
| McAfee MVISION | Delivers unified management and automated workflow control for Windows. | Anti-virus |
| McAfee NSM | Manager that gives real-time visibility and control over all McAfee intrusion prevention systems deployed across the network. | Network intrusion detection system |
| Microsoft Cloud App Security | Microsoft Cloud Access Security Broker that operates across multiple clouds. It provides visibility, control over data travel, and analytics to identify and combat cyber threats across cloud services. | Third-party application logs |
| Microsoft Exchange Server | Email, calendaring, contact, scheduling and collaboration platform for use within an enterprise. | Mail server, Authentication logs |
| MS SCCM | Platform that provides remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory. | Asset management, Sensor health and status |
| MS SQL Server | Microsoft relational database management system. | Services, Authentication logs |
| MySQL | Open-source relational database management system. | Services, Authentication logs |
| Netflow | NetFlow protocol versions 5 and 9. | Netflow/Enclave netflow |
| NetScaler | Application delivery controller with remote access functionality (Citrix Systems). | Third-party application logs, Authentication logs |
| Nextron Systems ASGARD | Central management platform that manages distributed THOR/SPARK scans. | Binary file metadata, Process command-line parameters, Loaded DLLs, DLL monitoring, Windows Registry |
| Office 365 | Provides a set of software tools and services that facilitate office documentation, communication and management tasks. Integration covers OneDrive, SharePoint Online, Exchange Online and Azure Active Directory logs. | Third-party application logs, Authentication logs, File monitoring |
| Okta | Okta Identity Cloud provides secure identity management with Single Sign-On and Multi-factor Authentication. | Authentication logs, Third-party application logs |
| OpenVPN | OpenVPN is open-source commercial software that implements virtual private network techniques to create secure point-to-point or site-to-site connections. | Authentication logs |
| Oracle Audit | Oracle relational database management system; auditing via syslog. | Services, Authentication logs |
| Oracle DB | Oracle relational database management system; auditing via DB link. | Services, Authentication logs |
| Oracle XML file | Oracle relational database management system; auditing via XML files. | Services, Authentication logs |
| PingFederate | Provides identity management, web single sign-on and API security. | Application logs, Authentication logs |
| Pipedrive | CRM cloud application. | Third-party application logs, Authentication logs |
| Proofpoint POD | Cloud-based solution to control inbound and outbound email traffic. | Email gateway, Third-party application logs |
| Qualys | Vulnerability scanner engine (VM module). | Asset management, Browser extensions, Binary file metadata |
| SailPointIQ | Provides a unified approach to password management, compliance and provisioning actions for applications running on-premises or in the cloud. | Application logs |
| SAP | ERP software (SAP AG) to manage business operations. | Application logs, Authentication logs |
| SMTP | Linux standard mail server. | Mail server |
| Sourcefire IPS | Intrusion prevention system with network visibility into hosts, operating systems, applications, services, protocols, users, content, network behavior, network attacks and malware. | Network intrusion detection system |
| Symantec Advanced Threat Protection (ATP) | Email protection and filtering gateway. | Email gateway |
| Symantec Endpoint Protection | Combines virus protection with advanced threat protection to proactively secure client computers. | Anti-virus |
| Tenable Nessus | Vulnerability scanner engine. | Asset management, Browser extensions, Binary file metadata |
| Windows (CloudWatch log files) | Windows Active Directory service log (Microsoft-Windows-ActiveDirectory_DomainService) delivered over the AWS CloudWatch platform. | Windows event logs |
| Windows (CloudWatch log files) (Server 2008-2016, 7-10) | Windows Security log, Application log and System log delivered over the AWS CloudWatch platform. | Windows event logs |
| ZeroFOX | Cloud platform for eliminating complex targeted security threats and business risks across all social media and digital platforms. | Third-party application logs |
| Zscaler Nanolog Streaming Service (NSS) | Zscaler Internet Access proxy logs streamed over an NSS device with the default field configuration. | Web proxy, SSL/TLS inspection |
| Zscaler Private Access (ZPA) | ZPA service enables organizations to provide access to internal applications and services. | Authentication logs |
| Zoom | Remote conferencing cloud service with remote access capabilities. | Third-party application logs, Authentication logs |