In this chapter, we discussed using the NIST 800-92 Guide to Computer Security Log Management to define the logging policy. We also explored the key components of a security monitoring framework, such as the log collector, SIEM, and threat intelligence. A security monitoring framework needs sources of log information, so we also discussed those sources and what to look for in each type of log. Application logs, host security logs, database logs, vulnerability scanning results, network security logs, and web and email security logs are typically the source logs for security monitoring.
We also introduced the toolset that you need to build your own in-house threat intelligence framework. We apply the threat intelligence framework to identify known and unknown threats. Some of the open source tools that are used to build a threat intelligence framework...
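To make the pipeline described above concrete, here is an added example (not code from the book or from any tool it covers) that sketches the three components named in this summary: a log collector that normalizes lines from several of the listed sources (application, host, and web logs) into one event schema, a threat-intelligence lookup against an indicator list, and a SIEM-style correlation step that raises a finding per source IP. The log lines, the indicator list, the field names, and the failure threshold are all constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines, one per log source type named in the chapter summary.
SAMPLE_LOGS: List[Tuple[str, str]] = [
    ("app",  '2024-05-01T10:00:01Z level=WARN user=alice src=203.0.113.7 msg="login failed"'),
    ("host", 'May  1 10:00:02 host1 sshd[1234]: Failed password for root from 198.51.100.9 port 4022 ssh2'),
    ("web",  '203.0.113.7 - - [01/May/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 403 512'),
    ("web",  '192.0.2.5 - - [01/May/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024'),
]

# Constructed threat-intelligence indicator list (addresses flagged as known-bad).
KNOWN_BAD_IPS: Set[str] = {"203.0.113.7"}


@dataclass
class Event:
    """Common schema the collector emits regardless of source format."""
    source: str
    src_ip: Optional[str]
    action: str
    outcome: str  # "failure", "success", or "unknown"
    raw: str


# Hypothetical per-source parsers; real collectors ship many more of these.
APP_RE = re.compile(r'level=(?P<level>\w+) user=(?P<user>\S+) src=(?P<ip>\S+) msg="(?P<msg>[^"]*)"')
HOST_RE = re.compile(r'sshd\[\d+\]: (?P<msg>Failed password|Accepted password) for (?P<user>\S+) from (?P<ip>\S+)')
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def normalize(source: str, line: str) -> Optional[Event]:
    """Log-collector step: map a raw line from a known source into an Event."""
    if source == "app":
        m = APP_RE.search(line)
        if not m:
            return None
        failed = m["level"] in ("WARN", "ERROR") and "fail" in m["msg"].lower()
        return Event(source, m["ip"], m["msg"], "failure" if failed else "success", line)
    if source == "host":
        m = HOST_RE.search(line)
        if not m:
            return None
        outcome = "failure" if m["msg"].startswith("Failed") else "success"
        return Event(source, m["ip"], f"ssh {m['msg'].lower()} ({m['user']})", outcome, line)
    if source == "web":
        m = WEB_RE.search(line)
        if not m:
            return None
        outcome = "failure" if int(m["status"]) >= 400 else "success"
        return Event(source, m["ip"], f"{m['method']} {m['path']}", outcome, line)
    return Event(source, None, "unparsed", "unknown", line)


def correlate(events: List[Event], known_bad_ips: Set[str],
              failure_threshold: int = 2) -> Dict[str, List[str]]:
    """SIEM step: combine threat-intel matches with cross-source failure counts.

    Returns {src_ip: [reasons]} for every address that either appears on the
    indicator list or accumulated at least `failure_threshold` failed actions.
    """
    failures = Counter(e.src_ip for e in events if e.outcome == "failure" and e.src_ip)
    findings: Dict[str, List[str]] = {}
    for ip in {e.src_ip for e in events if e.src_ip}:
        reasons = []
        if ip in known_bad_ips:
            reasons.append("known-bad indicator")
        if failures[ip] >= failure_threshold:
            reasons.append(f"{failures[ip]} failed actions across sources")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    evts = [e for e in (normalize(s, l) for s, l in SAMPLE_LOGS) if e]
    for ip, why in correlate(evts, KNOWN_BAD_IPS).items():
        print(ip, "->", "; ".join(why))
```

The value of the normalization step is that the correlation rule never has to know whether a failure came from an application, an SSH daemon, or a web server; adding a new source means adding a parser, not a new rule.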