Log Management
What is Log Management?
Log Management is a system that gives you access to all the different types of logs in your environment from a single place. This includes logs from web servers, operating systems (OS), firewalls, proxy servers, Endpoint Detection and Response (EDR) tools, and more. Having all logs in one location makes managing them more efficient and saves time.
Without a centralized Log Management system, if you needed to find specific information (like identifying all users on "letsdefend.io"), you would have to make the same request to many different devices. This approach would take more time and increase the chances of making mistakes.
For example, on a platform like LetsDefend, the "Log Management" page shows various log sources (like Proxy, Exchange, Firewall) categorized by "Type". This means you can view logs from all these different sources with a single query.
Purpose of Log Management
Security Operations Center (SOC) analysts often use Log Management to check for any communication with a specific address and to see the details of that communication.
Here are a couple of scenarios illustrating its use:
Investigating Malware Communication: If you discover malware that is communicating with a command and control (C&C) center (e.g., "letsdefend.io"), you can use Log Management to search across your entire company's logs. This helps determine if any devices in your network have tried to communicate with that C&C center.
Responding to Security Alerts: Imagine you receive a Security Information and Event Management (SIEM) alert that a device (e.g., LetsDefendHost) is leaking data to a suspicious IP address (e.g., 122[.]194[.]229[.]59). After isolating the device and taking necessary actions, you still need to find out if other devices are also sending data to that same suspicious IP address. Even if the alert only mentioned one device, you should search the suspicious address in Log Management to uncover any other potential connections that the system might not have initially detected.
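Both scenarios come down to the same action: take one indicator (a C&C domain or the suspicious IP from the alert) and ask every log source at once which hosts have talked to it. The script below is an added example, not part of the original page or of the LetsDefend platform: it normalizes three constructed log formats (proxy key=value lines, firewall connection lines, EDR JSON events) into one schema and then runs a single search over all of them. The log lines, host names and field layouts are constructed for this illustration; the only values taken from the text are the indicators "letsdefend.io" and "122[.]194[.]229[.]59" and the host "LetsDefendHost". Note that the indicator is accepted in the defanged form it usually has in an alert.

```python
import json
import re
from collections import defaultdict

# Constructed sample log lines from three sources (not real traffic).
# Each source has its own format, which is why a centralised search helps.
PROXY_LOGS = [
    "2024-05-01T10:00:01Z host=WS-0042 user=alice dst=letsdefend.io dst_ip=122.194.229.59 method=GET status=200",
    "2024-05-01T10:00:05Z host=WS-0107 user=bob dst=updates.example.org dst_ip=203.0.113.10 method=GET status=200",
]
FIREWALL_LOGS = [
    "2024-05-01 10:00:02 ALLOW TCP 10.0.0.42:51234 -> 122.194.229.59:443 src_host=WS-0042",
    "2024-05-01 10:00:07 ALLOW TCP 10.0.0.77:51890 -> 122.194.229.59:443 src_host=LetsDefendHost",
    "2024-05-01 10:00:09 DENY  TCP 10.0.0.91:51001 -> 198.51.100.5:25 src_host=WS-0091",
]
EDR_LOGS = [
    '{"ts":"2024-05-01T10:00:03Z","host":"WS-0042","process":"svchost.exe","remote_ip":"122.194.229.59","remote_port":443}',
    '{"ts":"2024-05-01T10:00:11Z","host":"WS-0200","process":"chrome.exe","remote_ip":"203.0.113.10","remote_port":443}',
]


def refang(indicator: str) -> str:
    """Undo common defanging so an IOC copied from an alert matches raw log text."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_proxy(line: str) -> dict:
    # Hypothetical format: timestamp followed by key=value pairs.
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return {"source": "proxy", "host": fields["host"],
            "destinations": {fields["dst"], fields["dst_ip"]}}


FW_RE = re.compile(
    r"(?P<action>ALLOW|DENY)\s+\w+\s+\S+ -> (?P<dst_ip>[\d.]+):\d+ src_host=(?P<host>\S+)"
)


def parse_firewall(line: str) -> dict:
    # Hypothetical format: DENY lines still count as an attempt to communicate.
    m = FW_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised firewall line: {line}")
    return {"source": "firewall", "host": m["host"], "destinations": {m["dst_ip"]}}


def parse_edr(line: str) -> dict:
    # Hypothetical format: one JSON object per network event.
    rec = json.loads(line)
    return {"source": "edr", "host": rec["host"], "destinations": {rec["remote_ip"]}}


def load_all() -> list:
    """Normalise every source into the shared {source, host, destinations} schema."""
    records = [parse_proxy(l) for l in PROXY_LOGS]
    records += [parse_firewall(l) for l in FIREWALL_LOGS]
    records += [parse_edr(l) for l in EDR_LOGS]
    return records


def hosts_contacting(indicator: str, records: list) -> dict:
    """Return {source: sorted hosts} for every record whose destination matches the indicator."""
    needle = refang(indicator).lower()
    hits = defaultdict(set)
    for r in records:
        if needle in {d.lower() for d in r["destinations"]}:
            hits[r["source"]].add(r["host"])
    return {src: sorted(hosts) for src, hosts in sorted(hits.items())}


def all_hosts(indicator: str, records: list) -> list:
    """Flatten the per-source view into the full list of hosts that contacted the indicator."""
    return sorted(set().union(*hosts_contacting(indicator, records).values()))


if __name__ == "__main__":
    records = load_all()
    # Scenario 1: which hosts reached the C&C domain?
    print("letsdefend.io:", hosts_contacting("letsdefend.io", records))
    # Scenario 2: the alert named LetsDefendHost; who else talked to the same IP?
    alerted_ip = "122[.]194[.]229[.]59"
    others = [h for h in all_hosts(alerted_ip, records) if h != "LetsDefendHost"]
    print(f"{alerted_ip}: per source {hosts_contacting(alerted_ip, records)}")
    print("additional hosts not in the alert:", others)
```

Run stand-alone, the second scenario shows that the alert's single host is not the whole picture: WS-0042 also reached the suspicious IP, and it shows up in proxy, firewall and EDR logs, which is exactly the pivot the text describes.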