The purpose of this post is to provide guidance for SOC teams to develop a logging strategy that can be used to evaluate and document relevant log sources and their importance. Use this as a template to design your own SOC logging strategy.
1. Purpose
This policy establishes guidelines for the collection, filtering, storage, and analysis of security logs within the organization. Its goal is to ensure that log data is effectively used to support threat detection, incident response, compliance, and forensic investigations, while minimizing operational overhead and cost.
2. Objectives
- Ensure the collection of high-value security logs.
- Reduce ingestion of low-value/noisy logs.
- Prioritize logs that support detection use cases, incident response investigations, and audit/compliance requirements.
- Maintain scalability and cost-efficiency of the SIEM platform.
3. Log Source Prioritization
| Log Source Type | Priority | Reason |
|---|---|---|
| Domain Controllers | Very High | Authentication, privilege changes, GPOs |
| Windows Servers | High | Endpoint telemetry |
| Windows Workstations | High | Endpoint telemetry |
| Linux Servers | High | Endpoint telemetry |
| Linux Workstations | High | Endpoint telemetry |
| Firewalls | High | Network traffic visibility, block/allow |
| VPN Servers | High | Authentication, network traffic visibility |
| Critical Applications | Medium-High | Access control, authentication, errors |
| File Servers | Medium | Sensitive data access |
| Database Servers | Medium | Sensitive data access |
| Web Servers | Medium | Network traffic visibility |
4. Collection Principles
- Use Case Driven: Only collect logs that map to a defined use case or alert including audit and incident response use cases.
- Minimal Viable Logging: Capture the least amount of data needed to be effective.
- Source-side Filtering: Drop or suppress verbose, duplicate or noisy logs before SIEM ingestion.
- Tiered Logging: Route logs to SIEM, cold storage, or discard based on criticality.
5. Event Filtering Guidelines
| Log Type | Action |
|---|---|
| Successful Authentications | Sample or suppress (except on critical systems and domain controllers) |
| Failed Authentications | Ingest |
| Process Creation | Ingest from high-risk systems |
| Firewall Allows | Sample or drop |
| Firewall Denies | Ingest |
| Applications Logs | Ingest only auth/errors |
6. Retention & Storage
- SIEM Hot Storage: 30-90 days for active hunting and detection.
- Cold/Archive Storage: 1-2 years for compliance/forensics.
- Compression & Deduplication: Enable to reduce size.
7. Review & Maintenance
- Quarterly Log Review: Assess value and adjust ingestion.
- Use Case Audit: Validate that logs support detection logic.
- Volume Reporting: Track top log sources and high-traffic event types.
8. Log Access and Security
- Access to logs is restricted to authorized personnel based on role.
- Logs must be protected from unauthorized alteration or deletion in-transit and at-rest.
- All access to log management systems must be logged and monitored.
9. Governance
- Document ownership for each log source.
- Maintain logging requirements for onboarding new systems.
- Align with regulatory and compliance obligations (e.g., ISO 27001, PCI-DSS, etc.).