The ECS Premium Log Source Pack provides essential log telemetry across all 12 tactics of MITRE ATT&CK. Events are normalized to the Elastic Common Schema (ECS), producing structured, high-quality data usable for threat hunting, real-time cross-device correlation and the detection of 149 ATT&CK techniques. The pack covers 52 complex cloud and on-premises data sources that are among those most commonly used worldwide by enterprises and smaller companies. With an average of 2.5 days of development effort per log source, the package saves between 52 and 260 person-days of data integration and parser development when deploying the Elastic Stack for your company. It contains Logstash configuration files and Python API modules that enable smooth and quick integration of the listed log sources with the Elastic Stack. This package is a premium add-on and can be purchased separately with any TDM subscription.
For individual log source support, please contact Support or schedule a session with SOC Prime sales.
Official ECS reference by Elastic: https://www.elastic.co/guide/en/ecs/current/index.html
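To make concrete what "normalized to ECS" buys you, the following is an added Python example (not SOC Prime's Logstash configurations or Python API modules). It maps two constructed log lines, an Apache access entry and a Linux auditd login record, onto ECS field names taken from the reference above, then correlates them on the shared source.ip field. The ECS version string, the dataset names and both sample lines are assumptions made for this illustration.

```python
"""Normalize two constructed log lines to ECS and correlate them by source.ip.

Added illustration, not SOC Prime's Logstash configs or Python API modules.
Field names follow the Elastic ECS reference; ECS_VERSION, the dataset names
and the two sample lines are assumptions made for this example.
"""
import re
from datetime import datetime, timezone

ECS_VERSION = "1.12.0"  # assumption: any ECS 1.x release defines the fields used here

# Apache "combined" log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
APACHE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?$'
)
# auditd key=value pairs; values may be bare, "double-quoted" or 'single-quoted'
AUDIT_KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")
AUDIT_TS_RE = re.compile(r"audit\((?P<secs>\d+\.\d+):(?P<serial>\d+)\)")

# Constructed sample lines: one client IP fails an SSH login and probes a web server.
SAMPLE_APACHE = ('203.0.113.9 - - [10/Oct/2020:13:55:36 +0000] '
                 '"GET /wp-login.php HTTP/1.1" 403 489 "-" "Mozilla/5.0"')
SAMPLE_AUDITD = ("type=USER_LOGIN msg=audit(1602338140.512:901): pid=2217 uid=0 "
                 "auid=4294967295 ses=4294967295 msg='op=login acct=\"alice\" "
                 "exe=\"/usr/sbin/sshd\" hostname=? addr=203.0.113.9 terminal=ssh res=failed'")


def apache_to_ecs(line: str) -> dict:
    """Map one Apache combined-format line to an ECS web access event."""
    m = APACHE_RE.match(line)
    if m is None:
        raise ValueError(f"not an Apache combined-format line: {line!r}")
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    status = int(m["status"])
    doc = {
        "@timestamp": ts.isoformat(),
        "ecs": {"version": ECS_VERSION},
        "event": {"kind": "event", "category": ["web"], "type": ["access"],
                  "dataset": "apache.access",  # assumed dataset name
                  # design choice: a 4xx/5xx response is recorded as a failed request
                  "outcome": "failure" if status >= 400 else "success"},
        "source": {"ip": m["client"]},
        "http": {"request": {"method": m["method"]},
                 "response": {"status_code": status},
                 "version": m["version"]},
        "url": {"original": m["path"]},
    }
    if m["bytes"] != "-":
        doc["http"]["response"]["bytes"] = int(m["bytes"])
    if m["user"] != "-":
        doc["user"] = {"name": m["user"]}
    if m["referrer"] and m["referrer"] != "-":
        doc["http"]["request"]["referrer"] = m["referrer"]
    if m["agent"]:
        doc["user_agent"] = {"original": m["agent"]}
    return doc


def _audit_fields(text: str) -> dict:
    """Parse auditd key=value pairs, stripping the quotes around quoted values."""
    return {k: v.strip("'\"") for k, v in AUDIT_KV_RE.findall(text)}


def auditd_to_ecs(line: str) -> dict:
    """Map an auditd USER_LOGIN/USER_AUTH record to an ECS authentication event."""
    outer = _audit_fields(line)      # the last msg= wins: the quoted inner record
    if outer.get("type") not in ("USER_LOGIN", "USER_AUTH"):
        raise ValueError(f"unsupported audit record type: {outer.get('type')!r}")
    ts_m = AUDIT_TS_RE.search(line)  # audit(EPOCH.MILLIS:SERIAL) carries the timestamp
    if ts_m is None:
        raise ValueError("audit record without an audit(...) timestamp")
    inner = _audit_fields(outer["msg"])
    ts = datetime.fromtimestamp(float(ts_m["secs"]), tz=timezone.utc)
    doc = {
        "@timestamp": ts.isoformat(),
        "ecs": {"version": ECS_VERSION},
        "event": {"kind": "event", "category": ["authentication"], "type": ["start"],
                  "dataset": "auditd.log",  # assumed dataset name
                  "action": inner.get("op"),
                  "sequence": int(ts_m["serial"]),
                  "outcome": "success" if inner.get("res") == "success" else "failure"},
        "user": {"name": inner.get("acct")},
        "process": {"pid": int(outer["pid"]), "executable": inner.get("exe")},
    }
    if inner.get("addr") not in (None, "?"):
        doc["source"] = {"ip": inner["addr"]}  # same ECS field the web event populates
    return doc


def correlate_by_source_ip(docs: list) -> dict:
    """Group events from any source by source.ip; returns ip -> sorted dataset names."""
    by_ip = {}
    for doc in docs:
        ip = doc.get("source", {}).get("ip")
        if ip:
            by_ip.setdefault(ip, set()).add(doc["event"]["dataset"])
    return {ip: sorted(names) for ip, names in by_ip.items()}


if __name__ == "__main__":
    events = [apache_to_ecs(SAMPLE_APACHE), auditd_to_ecs(SAMPLE_AUDITD)]
    print(correlate_by_source_ip(events))  # {'203.0.113.9': ['apache.access', 'auditd.log']}
```

In the product this mapping lives in Logstash filter configurations rather than Python, but the point is the same: once a web server and an authentication source both populate source.ip, event.category and event.outcome, a failed SSH login and a blocked request to /wp-login.php from the same address can be joined by one query without knowing either product's native field names.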
Product | Description | MITRE Data Sources |
--- | --- | --- |
Akamai | Content delivery network used to deliver multimedia and software, as well as cloud security solutions. | |
Apache | Apache HTTP web server. | Web logs |
AWS Classic ELB | Load-balancing service that automatically distributes incoming application traffic and scales resources to meet traffic demands. | Web logs |
AWS CloudFront | Globally distributed network of caching proxies that serve content closer to consumers, increasing download speeds. | Web logs |
AWS CloudTrail | Records API calls and account activity in an AWS account for logging, continuous monitoring and account history. | Third-party application logs, Authentication logs |
AWS VPC Flow Logs | Captures information about the IP traffic going to and from network interfaces in a VPC. | Netflow/Enclave netflow |
Box | Cloud content management and file sharing service for businesses. | File monitoring, Authentication logs, Third-party application logs |
CA Privileged Access Manager (PAM) | Secures, controls, manages and monitors privileged access to critical assets. | Authentication logs, Application logs |
Check Point | Security appliance combining firewall, antivirus, intrusion prevention and virtual private network (VPN) capabilities. | Network device logs, Network intrusion detection system |
Cisco ASA | Adaptive Security Appliance: security device combining firewall, intrusion prevention and VPN capabilities. | Network device logs |
Cisco ISE | Identity Services Engine: creates and enforces security and access policies for endpoint devices connected to the company's routers and switches. | Authentication logs, Application logs |
Citrix Director | Management console for controlling and monitoring virtual desktops and applications. | Third-party application logs, Authentication logs |
CrowdStrike alerts | Endpoint Detection and Response (EDR) alerts. | Process monitoring, Process command-line parameters, Loaded DLLs, DLL monitoring, Windows Registry, API monitoring, File monitoring |
Cylance | Endpoint security solution that detects, prevents and blocks threats. | Anti-virus |
DDI Guard | DNS servers (NCC Group). | DNS records |
F5 BIG-IP ASM | Application Security Manager, the web application firewall module of the F5 BIG-IP, an on-premises load balancer that distributes load across a pool of application servers. | Network device logs |
G Suite | Google's cloud-based productivity and collaboration suite. Integration covers Google Drive, Google Calendar and authentication events. | Third-party application logs, Authentication logs, File monitoring |
Imperva WAF | Imperva SecureSphere web application firewall. | Web application firewall logs |
MS Internet Information Server (IIS) | Microsoft web server. | Web logs |
Linux (CloudWatch log files) | Linux log files delivered over the AWS CloudWatch platform; records security-relevant events so that misuse or unauthorized activity can be detected by inspecting them. | Authentication logs |
Linux Audit | Tracks security-relevant events, records them in the audit log, and supports detection of misuse or unauthorized activity by inspecting the audit log files. | Authentication logs |
McAfee MVISION | Delivers unified management and automated workflow control for Windows endpoints. | Anti-virus |
McAfee NSM | Network Security Manager gives real-time visibility and control over all McAfee intrusion prevention systems deployed across the network. | Network intrusion detection system |
Microsoft Cloud App Security | Microsoft's Cloud Access Security Broker (CASB), operating across multiple clouds. Provides visibility, control over data travel, and analytics to identify and combat cyber threats across cloud services. | Third-party application logs |
Microsoft Exchange Server | Email, calendaring, contact, scheduling and collaboration platform for use within an enterprise. | Mail server, Authentication logs |
MS SCCM | System Center Configuration Manager: remote control, patch management, software distribution, operating system deployment, network access protection, and hardware and software inventory. | Asset management, Sensor health and status |
MS SQL Server | Microsoft relational database management system. | Services, Authentication logs |
MySQL | Open-source relational database management system. | Services, Authentication logs |
NetFlow | NetFlow protocol versions 5 and 9. | Netflow/Enclave netflow |
NetScaler | Application delivery controller with remote access functionality (Citrix Systems). | Third-party application logs, Authentication logs |
Nextron Systems ASGARD | Central management platform for distributed THOR/SPARK scans. | Binary file metadata, Process command-line parameters, Loaded DLLs, DLL monitoring, Windows Registry |
Office 365 | Software tools and services for office documentation, communication and management tasks. Integration covers OneDrive, SharePoint Online, Exchange Online and Azure Active Directory logs. | Third-party application logs, Authentication logs, File monitoring |
Okta | Okta Identity Cloud provides secure identity management with Single Sign-On and Multi-factor Authentication. | Authentication logs, Third-party application logs |
OpenVPN | Open-source VPN software (also offered in commercial editions) that creates secure point-to-point or site-to-site connections. | Authentication logs |
Oracle Audit | Oracle relational database management system; auditing via syslog. | Services, Authentication logs |
Oracle DB | Oracle relational database management system; auditing via DB link. | Services, Authentication logs |
Oracle XML file | Oracle relational database management system; auditing via XML files. | Services, Authentication logs |
PingFederate | Identity management, web single sign-on and API security. | Application logs, Authentication logs |
Pipedrive | CRM cloud application. | Third-party application logs, Authentication logs |
Proofpoint POD | Cloud-based solution that controls inbound and outbound email traffic. | Email gateway, Third-party application logs |
Qualys | Vulnerability scanner engine (VM module). | Asset management, Browser extensions, Binary file metadata |
SailPointIQ | Unified approach to password management, compliance and provisioning for applications running on-premises or in the cloud. | Application logs |
SAP | ERP software (SAP AG) for managing business operations. | Application logs, Authentication logs |
SMTP | Standard Linux mail server (SMTP) logs. | Mail server |
Sourcefire IPS | Intrusion prevention system with network visibility into hosts, operating systems, applications, services, protocols, users, content, network behavior, network attacks and malware. | Network intrusion detection system |
Symantec Advanced Threat Protection (ATP) | Email protection and filtering gateway. | Email gateway |
Symantec Endpoint Protection | Combines virus protection with advanced threat protection to proactively secure client computers. | Anti-virus |
Tenable Nessus | Vulnerability scanner engine. | Asset management, Browser extensions, Binary file metadata |
Windows (CloudWatch log files) | Windows Active Directory Domain Services log (Microsoft-Windows-ActiveDirectory_DomainService) delivered over the AWS CloudWatch platform. | Windows event logs |
Windows (CloudWatch log files) (Server 2008-2016, 7-10) | Windows Security, Application and System logs delivered over the AWS CloudWatch platform. | Windows event logs |
ZeroFOX | Cloud platform for identifying and eliminating complex targeted security threats and business risks across social media and digital platforms. | Third-party application logs |
Zscaler Nanolog Streaming Service (NSS) | Zscaler Internet Access proxy logs streamed from an NSS device with the default field configuration. | Web proxy, SSL/TLS inspection |
Zscaler Private Access (ZPA) | Service that lets organizations provide access to internal applications and services. | Authentication logs |
Zoom | Remote conferencing cloud service with remote access capabilities. | Third-party application logs, Authentication logs |