
Recommended Logs

Securonix is a powerful platform that enables our analysts to detect and triage incidents. It can collect data from a host of technologies to enable our SOC to:

  • Provide additional context for a primary indicator
  • Enable unique detection of threats

We’re solely focused on providing better security, so we recommend only sending us logs that provide high security value. If you have logs that you want to set up specific alerts for, that works as well. Here’s what we recommend sending over and why.

Identity Directory #

Identity has become one of the primary attack vectors and user behavioral analytics is one of the few ways to identify credential abuse. Sending IDP logs is critical to enabling visibility.

  • Securonix will analyze a wide range of behaviors for each user - not just login time and location, but also which resources and applications they access
  • Examples: Active Directory, Entra ID (formerly Azure Active Directory), Google Workspace, Okta
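The following is an added illustration of the kind of per-user baselining described above; it is a constructed toy, not Securonix code, and the event format, user names and 4-hour bucketing are assumptions. It learns, for each user, the countries, hours and applications seen in a baseline window, then scores later sign-ins by how many of those dimensions they fall outside, so that a single new country or a single new app is noise while a sign-in that is new on every axis (or from a user with no history at all) is flagged.

```python
"""Toy user-behaviour baseline over IdP sign-in events.

Added, constructed example; not Securonix or SolCyber code. Events are
simplified (user, ISO timestamp, country, application) tuples standing in for
Okta/Entra sign-in records. The baseline is the set of countries, 4-hour
login buckets and applications seen per user; later events are scored by the
number of dimensions that fall outside that baseline.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real users or sign-ins).
BASELINE_EVENTS = [
    ("alice", "2024-03-04T08:12:00", "US", "salesforce"),
    ("alice", "2024-03-05T09:30:00", "US", "salesforce"),
    ("alice", "2024-03-06T17:45:00", "US", "box"),
    ("bob",   "2024-03-04T22:10:00", "GB", "gitlab"),
    ("bob",   "2024-03-05T23:05:00", "GB", "gitlab"),
]

NEW_EVENTS = [
    ("alice", "2024-03-11T09:05:00", "US", "salesforce"),  # entirely normal
    ("alice", "2024-03-11T03:20:00", "RU", "okta-admin"),  # new country, hour and app
    ("bob",   "2024-03-11T22:40:00", "GB", "box"),         # new app only
    ("carol", "2024-03-11T10:00:00", "DE", "salesforce"),  # user with no baseline
]


def _hour_bucket(ts):
    """4-hour buckets (assumption) so 08:12 and 09:30 count as the same habit."""
    return datetime.fromisoformat(ts).hour // 4


def build_baseline(events):
    """Learn, per user, the countries, hour buckets and apps observed."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set(), "apps": set()})
    for user, ts, country, app in events:
        p = profile[user]
        p["countries"].add(country)
        p["hours"].add(_hour_bucket(ts))
        p["apps"].add(app)
    return profile


def score_event(profile, event):
    """Return (score, reasons); score is the number of dimensions outside the
    baseline. An unknown user gets the maximum score since nothing was learned."""
    user, ts, country, app = event
    if user not in profile:
        return 3, ["no baseline for user"]
    p = profile[user]
    reasons = []
    if country not in p["countries"]:
        reasons.append(f"new country {country}")
    if _hour_bucket(ts) not in p["hours"]:
        reasons.append("unusual hour")
    if app not in p["apps"]:
        reasons.append(f"new app {app}")
    return len(reasons), reasons


def find_anomalies(baseline_events, new_events, threshold=2):
    """Score every new event and return those at or above the threshold."""
    profile = build_baseline(baseline_events)
    flagged = []
    for ev in new_events:
        score, reasons = score_event(profile, ev)
        if score >= threshold:
            flagged.append((ev[0], score, reasons))
    return flagged


if __name__ == "__main__":
    for user, score, reasons in find_anomalies(BASELINE_EVENTS, NEW_EVENTS):
        print(f"{user}: score={score} {reasons}")
```

Bob's first use of Box scores 1 and stays below the threshold; Alice's 03:20 sign-in from a new country into an admin console scores 3, as does Carol, whose first-ever sign-in has nothing to be compared against. A real platform weights dimensions, decays old baselines and peer-compares users, but the shape is the same.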

Other Identity Logs #

Any logs that contain user information are correlated together to build a user’s profile. Additional identity logs on top of the IDP expand our identity visibility.

  • Examples: SaaS applications such as SFDC, Box, password managers

Network Security Logs #

All of our bundled technologies provide great visibility at the endpoint, whether a user is inside or outside the office. Network telemetry provides additional context for our analysts. In particular, it can help detect potential threats on hosts where an agent has not been deployed or is malfunctioning.

  • Securonix will correlate the traffic against known bad destinations and also perform behavioral analytics to identify network anomalies
  • The more modules enabled on these devices, the higher the value. This can include proxy services, network IPS and sandboxes.
  • Note that these devices generate very high EPS (events per second) and generally require additional licenses
  • Examples: firewalls, network IPS, NTAs (network traffic analysis), proxies, etc.

OS Logs #

While the bundled EDR provides great visibility into the endpoint, it is not exhaustive. It focuses on malicious actions rather than tracking all security-related activity. Operating system logs can fill that gap.

  • Generally not a primary indicator, but can detect misuse of local accounts that IDP monitoring doesn’t reveal
  • Particularly useful if you were already logging these centrally prior to SolCyber
  • Examples: Windows and Linux logs
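To make the local-account point concrete, here is an added, constructed example (not Securonix or SolCyber code) that scans Windows Security event 4624 records. A local account is authenticated by the machine's own SAM, so the directory and the IdP never see the logon; in 4624 the TargetDomainName field carries the computer name for such accounts and the AD domain for directory accounts, and that mismatch is the signal. The JSON layout, host names and the CORP domain are assumptions.

```python
"""Flag logons with local (non-directory) accounts in Windows Security logs.

Added, constructed example; not Securonix or SolCyber code. Records are 4624
events flattened to JSON; field names follow the Windows Security event
schema, values are made up. DIRECTORY_DOMAINS is an assumed AD NetBIOS name.
"""
import json

SAMPLE_EVENTS = [
    '{"EventID": 4624, "Computer": "WKS-042.corp.example", "TargetUserName": "alice", '
    '"TargetDomainName": "CORP", "LogonType": 2, "IpAddress": "-"}',
    '{"EventID": 4624, "Computer": "WKS-042.corp.example", "TargetUserName": "helpdesk", '
    '"TargetDomainName": "WKS-042", "LogonType": 10, "IpAddress": "10.9.8.7"}',
    '{"EventID": 4624, "Computer": "FS01.corp.example", "TargetUserName": "FS01$", '
    '"TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.1.1.5"}',
    '{"EventID": 4624, "Computer": "FS01.corp.example", "TargetUserName": "SYSTEM", '
    '"TargetDomainName": "NT AUTHORITY", "LogonType": 5, "IpAddress": "-"}',
    '{"EventID": 4624, "Computer": "FS01.corp.example", "TargetUserName": "backup", '
    '"TargetDomainName": "FS01", "LogonType": 3, "IpAddress": "10.1.1.9"}',
    '{"EventID": 4625, "Computer": "FS01.corp.example", "TargetUserName": "backup", '
    '"TargetDomainName": "FS01", "LogonType": 3, "IpAddress": "10.1.1.9"}',
]

DIRECTORY_DOMAINS = {"CORP"}  # assumption: the organisation's AD NetBIOS domain(s)
# Well-known pseudo-domains Windows uses for built-in principals; never local users.
BUILTIN_DOMAINS = {"NT AUTHORITY", "NT SERVICE", "WINDOW MANAGER", "FONT DRIVER HOST"}
# 2 = interactive, 3 = network (SMB/WMI/WinRM), 10 = RemoteInteractive (RDP).
INTERESTING_LOGON_TYPES = {2, 3, 10}


def is_local_account_logon(event):
    """True for a successful logon whose account belongs to the host itself."""
    if event.get("EventID") != 4624:
        return False
    domain = event.get("TargetDomainName", "")
    if domain in DIRECTORY_DOMAINS or domain in BUILTIN_DOMAINS:
        return False
    host_short = event.get("Computer", "").split(".")[0]
    return (domain.upper() == host_short.upper()
            and event.get("LogonType") in INTERESTING_LOGON_TYPES)


def find_local_logons(lines):
    """Parse JSON event lines and return (host, user, logon_type, source_ip) hits."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_local_account_logon(ev):
            hits.append((ev["Computer"], ev["TargetUserName"],
                         ev["LogonType"], ev["IpAddress"]))
    return hits


if __name__ == "__main__":
    for hit in find_local_logons(SAMPLE_EVENTS):
        print("local account logon:", hit)
```

The directory user alice, the machine account FS01$ and the SYSTEM service logon are all ignored; the RDP session as the local helpdesk account on WKS-042 and the network logon as the local backup account on FS01 are reported, and none of them would ever appear in Okta or Entra sign-in logs. In practice you would also key 4720 (account created) and 4732 (added to a local group) off the same domain test.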

Cloud Logs #

Access to cloud logs such as AWS CloudTrail can extend our capabilities beyond normal IT. However, it’s important to note that this isn’t an exhaustive cloud security solution.

  • Highlights common threats such as account misuse and privilege escalation
  • We recommend leveraging a dedicated cloud security tool such as Wiz or Lacework if application security is a priority
  • Examples: Azure and AWS logs

Other Logs #

If you’ve made investments into any other security technologies, do let us know. We’ll evaluate them and let you know if there’s security value. You can see a full list of our supported products here: https://documentation.securonix.com/bundle/securonix-cloud-user-guide/page/content/active-deployment-guides/activity-import-connectors.htm