Audit logs, at their core, are records that document the sequence of activities or events that affect an organization’s IT environment. They are akin to a digital ledger, meticulously chronicling every action, from user logins to system errors. The primary purpose of these logs is to provide a transparent and traceable account of all operations, crucial for detecting anomalies and preventing security breaches.
Audit logs can help protect a company's intellectual property, investigate phishing attacks, prevent brute-force login attempts and much more. In recent years we've seen big FAANG (tech) companies that didn't use any logs, SIEM or SOAR tools to protect their IP, documents, files, code base or anything else, which resulted in long, multi-year lawsuits and court battles. A famous case study is Google vs. Uber, in which both companies confirmed they reached a settlement valued at $245 million! In many cases it may be easier and safer to apply a simple audit log and audit trail to prevent anything like that.
What Logs Contain
Logs may contain a variety of data that helps a security leader, researcher or analyst determine what occurred during an ongoing incident such as a data breach, leak or brute-force login. Each company may add different data that helps its security team understand the sequence of events that led to an incident. For instance, a company with various authentication levels or different roles (owner, admin, engineer, etc.) might require logs to contain data that records whether the user may access specific data or a particular position within the company's products and services (a company might want to restrict access to sensitive customer data to owners and admins only).
| Type of Data | Why It's Important |
|---|---|
| Timestamp | Records the exact date and time of an event, essential for establishing the sequence and duration of activities. |
| User Activity | Details what actions users have performed, such as logins, file accesses, or changes made, crucial for tracking user behavior and identifying unauthorized actions. |
| Description | Provides context to the event or action, like the nature of a system error or the specifics of a configuration change, useful for understanding the impact and intent. |
| Source and Destination IP | Identifies where requests or actions originated and their target, important for pinpointing the source of potential attacks or unauthorized access. |
| Resource Accessed | Indicates which files, systems, or data were accessed or modified, key for detecting unauthorized or unusual access to sensitive resources. |
| System Warnings/Errors | Logs system-generated warnings or error messages, essential for identifying potential system failures, security flaws, or attempted breaches. |
| Command Executed | Records specific commands or actions executed within a system, crucial for auditing changes and identifying potentially malicious activities. |
| Access Level/Permissions | Details the level of access or permissions involved in an event, helping to determine if the correct authorization was used for a particular action. |
| Network Traffic Data | Includes information on network flow, such as volume, protocols used, and ports, important for identifying abnormal network activity that could indicate a breach. |
| Authentication Details | Records information related to user authentication processes, like login attempts and password changes, vital for spotting unauthorized access attempts. |
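The following is an added example (not code from the original article) showing what a record carrying the fields from the table above can look like when written as structured JSON, and how chaining each record to the SHA-256 hash of the previous one makes the log tamper-evident: editing, deleting or reordering a line breaks the chain on verification. The field names, the `GENESIS` seed constant and the three sample events are assumptions made for this example.

```python
"""Structured, tamper-evident audit log records (added example)."""
import hashlib
import json

# Value placed in the first record's prev_hash slot (arbitrary constant assumed here)
GENESIS = "0" * 64

# Fields every record must carry; one per row of the table above (names are assumed)
REQUIRED_FIELDS = ("timestamp", "user", "action", "description", "src_ip",
                   "dst_ip", "resource", "access_level", "outcome")


def _digest(record):
    """SHA-256 over a canonical JSON form so key order cannot change the hash."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def make_record(prev_hash, **fields):
    """Validate the fields and chain the record to the previous record's hash."""
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"audit record missing fields: {missing}")
    record = dict(fields, prev_hash=prev_hash)
    record["hash"] = _digest(record)
    return record


def append(log, **fields):
    """Append a record whose prev_hash is the hash of the current last record."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append(make_record(prev, **fields))
    return log


def verify_chain(log):
    """Walk the chain; return (True, None) or (False, index of first bad record).

    Catches an edited record (stored hash no longer matches its body), a
    deleted or inserted record and reordering (prev_hash no longer lines up).
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("prev_hash") != prev:
            return False, i
        unhashed = {k: v for k, v in rec.items() if k != "hash"}
        if _digest(unhashed) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    return True, None


def to_jsonl(log):
    """Serialize for storage or shipping to a SIEM: one JSON object per line."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in log)


def from_jsonl(text):
    """Parse JSON-lines text back into a list of records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_sample_log():
    """Three constructed events (sample data, not from any real system)."""
    log = []
    append(log, timestamp="2024-03-01T09:00:01Z", user="alice", action="login",
           description="interactive login", src_ip="10.0.0.5", dst_ip="10.0.1.20",
           resource="-", access_level="admin", outcome="success")
    append(log, timestamp="2024-03-01T09:03:10Z", user="alice", action="file_read",
           description="downloaded customer export", src_ip="10.0.0.5",
           dst_ip="10.0.1.20", resource="/exports/customers.csv",
           access_level="admin", outcome="success")
    append(log, timestamp="2024-03-01T09:05:00Z", user="alice", action="config_change",
           description="disabled MFA requirement", src_ip="10.0.0.5",
           dst_ip="10.0.1.20", resource="/settings/auth", access_level="admin",
           outcome="success")
    return log


def tampered_copy(log):
    """Simulate someone rewriting the second record to hide what was downloaded."""
    copy = json.loads(json.dumps(log))
    copy[1]["resource"] = "/exports/nothing.csv"
    return copy


if __name__ == "__main__":
    log = build_sample_log()
    print("original chain valid:", verify_chain(log))
    print("edited chain valid:  ", verify_chain(tampered_copy(log)))
```

A hash chain only proves that the log has not changed since the chain was built; if an attacker controls the host writing the log they can rebuild the chain. In practice the latest hash is periodically signed or copied to a separate, append-only store so the chain can be checked against a value the logging host cannot rewrite.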
Log Services
There are a few companies and tech startups that provide log services. In some cases a company might decide to write its own log service to collect its own data and to comply with the security requirements of certifications such as ISO 27001 and SOC 2. Below is a list of companies that provide such log services.
| Tool/Service | Description |
|---|---|
| Logz.io | A cloud-based log analysis service that uses Elasticsearch, Logstash, and Kibana for log aggregation and visualization. It's designed for scalable and efficient log monitoring and analysis. |
| JFrog | Offers solutions like Artifactory for managing binaries and artifacts through the software development process. It includes logging capabilities for audit trails and compliance. |
| Atera | A remote monitoring and management software primarily for IT service providers, featuring logging for tracking system health, performance, and security incidents. |
| Datadog | A monitoring and analytics platform that aggregates and analyzes logs from various sources for performance monitoring, security analytics, and operational troubleshooting. |
| SolarWinds Log & Event Manager | A comprehensive SIEM solution that provides real-time log collection, monitoring, and analysis, specifically designed to make identifying and responding to IT threats simple. |
Cyber Forensics Analyst and Audit Logs
A cyber security forensic analyst might read through audit logs to detect an incident and respond correctly to an ongoing or previously occurring issue. Below we'll go over the sequence of steps a security forensic analyst follows when using audit logs to detect and investigate incidents:
1. Initial Detection of Anomalies:
- Alerts: Audit logs often trigger alerts for unusual activities like repeated failed login attempts, unusual data access patterns, or unexpected changes in system configurations.
- Anomaly Detection: Cyber forensics teams analyze these logs to identify anomalies that deviate from normal behavior, which could indicate a security incident.
2. Timeline Reconstruction:
- Event Sequencing: By examining timestamped entries in audit logs, investigators can reconstruct the sequence of events leading up to and following an incident.
- Contextual Analysis: Understanding the context around each log entry helps in piecing together how the incident occurred.
3. Identifying the Source:
- IP Addresses and User Accounts: Logs provide information like source IP addresses and user account details, which are used to trace back the origin of an incident. Having the entire sequence of events, logs and data without knowing who is behind the incident won't help us respond correctly (is it an internal or an external threat?).
- Access Patterns: Investigators look at access logs to determine if there was unauthorized access to sensitive data or systems.
4. Understanding the Scope:
- Extent of Compromise: Audit logs help in determining the extent of a security breach, such as which systems were compromised and what data was accessed or exfiltrated. Scoping the incident with the audit logs helps the forensic analyst pinpoint the incident and reduce the amount of research that needs to be done around the issue.
- Damage Assessment: By analyzing the logs, the team assesses the impact of the incident on the organization's assets. Scoping the incident also improves the speed of the company's response.
5. Evidence Collection:
- Legal Admissibility: Logs serve as a form of digital evidence that can be used in legal proceedings. The integrity of the data can make a huge difference between court cases that succeed to ones that fail.
- Integrity Verification: Ensuring the integrity of audit logs is crucial so they can be relied upon during an investigation.
6. Incident Response:
- Immediate Actions: Based on findings from log analysis, immediate actions such as isolating affected systems or revoking compromised credentials are taken.
- Remediation Strategies: Audit logs guide the development of remediation strategies to prevent similar incidents in the future.
7. Compliance and Reporting:
- Regulatory Requirements: Logs are often reviewed to ensure compliance with regulatory standards that mandate breach investigations and reporting.
- Incident Reporting: Detailed reports based on log analysis are prepared for internal review and, if necessary, for reporting to authorities.
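The following added example (not code from the original article) works through steps 1 to 4 above on a constructed audit log: it flags repeated failed logins from one source within a short window (detection), orders the events by timestamp even though the lines arrive out of order (timeline reconstruction), names the account and source IP involved (identifying the source), and lists what that account touched after its first successful login (scope). The JSON field names, the threshold of five failures per minute and all sample lines are assumptions made for this example.

```python
"""Forensic triage over audit log lines (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from a real system). Lines are deliberately not in
# time order, as happens when several hosts ship logs to one collector.
SAMPLE_LOG = """\
{"timestamp":"2024-03-01T09:00:01Z","user":"alice","action":"login","outcome":"success","src_ip":"10.0.0.5","resource":"-"}
{"timestamp":"2024-03-01T09:00:05Z","user":"bob","action":"login","outcome":"failure","src_ip":"203.0.113.7","resource":"-"}
{"timestamp":"2024-03-01T09:00:12Z","user":"bob","action":"login","outcome":"failure","src_ip":"203.0.113.7","resource":"-"}
{"timestamp":"2024-03-01T09:01:30Z","user":"bob","action":"file_read","outcome":"success","src_ip":"203.0.113.7","resource":"/hr/payroll.csv"}
{"timestamp":"2024-03-01T09:00:20Z","user":"bob","action":"login","outcome":"failure","src_ip":"203.0.113.7","resource":"-"}
{"timestamp":"2024-03-01T09:00:28Z","user":"bob","action":"login","outcome":"failure","src_ip":"203.0.113.7","resource":"-"}
{"timestamp":"2024-03-01T09:00:35Z","user":"bob","action":"login","outcome":"failure","src_ip":"203.0.113.7","resource":"-"}
{"timestamp":"2024-03-01T09:00:50Z","user":"bob","action":"login","outcome":"success","src_ip":"203.0.113.7","resource":"-"}
{"timestamp":"2024-03-01T09:01:10Z","user":"bob","action":"file_read","outcome":"success","src_ip":"203.0.113.7","resource":"/finance/q1.xlsx"}
{"timestamp":"2024-03-01T09:02:00Z","user":"alice","action":"file_read","outcome":"success","src_ip":"10.0.0.5","resource":"/docs/readme.md"}
{"timestamp":"2024-03-01T08:59:40Z","user":"carol","action":"login","outcome":"failure","src_ip":"10.0.0.9","resource":"-"}
"""


def parse_log(text):
    """Parse JSON lines; attach a timezone-aware datetime under 'ts'."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ") \
            .replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def timeline(events):
    """Step 2: put events in chronological order regardless of arrival order."""
    return sorted(events, key=lambda e: e["ts"])


def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Step 1: one alert per (src_ip, user) with >= threshold failures inside window."""
    failures = defaultdict(list)
    for e in timeline(events):
        if e["action"] == "login" and e["outcome"] == "failure":
            failures[(e["src_ip"], e["user"])].append(e["ts"])
    alerts = []
    for (ip, user), stamps in failures.items():
        for i in range(len(stamps)):
            j = i  # extend the window forward from failure i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({"src_ip": ip, "user": user, "count": j - i + 1,
                               "first": stamps[i], "last": stamps[j]})
                break
    return alerts


def first_success_after(events, user, src_ip, after):
    """Step 3: did the same account and source go on to log in successfully?"""
    for e in timeline(events):
        if (e["user"] == user and e["src_ip"] == src_ip and e["action"] == "login"
                and e["outcome"] == "success" and e["ts"] >= after):
            return e
    return None


def scope(events, user, src_ip, start):
    """Step 4: everything the suspect account did from that source after 'start'."""
    return [(e["timestamp"], e["action"], e["resource"]) for e in timeline(events)
            if e["user"] == user and e["src_ip"] == src_ip
            and e["ts"] >= start and e["action"] != "login"]


def triage(text):
    """Run detection, then source and scope analysis for each alert."""
    events = parse_log(text)
    findings = []
    for a in detect_failed_login_bursts(events):
        login = first_success_after(events, a["user"], a["src_ip"], a["last"])
        touched = scope(events, a["user"], a["src_ip"], login["ts"]) if login else []
        findings.append({
            "user": a["user"], "src_ip": a["src_ip"],
            "failed_attempts": a["count"],
            "window": (a["first"].isoformat(), a["last"].isoformat()),
            "login_succeeded": login is not None,
            "resources_touched": [r for _, _, r in touched],
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(json.dumps(f, indent=2))
```

The single failed login from `carol` stays below the threshold and produces no alert, which is the point of counting failures per source and account within a window rather than alerting on every failure; the timeline sort is what makes the "first success after the burst" question answerable when lines arrive out of order.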
A talented security forensic analyst can make a huge difference in the ability to scope the incident, determine which assets were compromised and respond quickly, all of which may reduce the pain, the problems and the money lost to legal issues or to shutting down company services.
To summarize, having audit logs can make a difference, but having the right people to read and analyze the data makes a huge difference.
I am a software engineer with 20 years of experience writing code in various software languages, building large-scale web applications, and working on security and data protection of online digital assets in various software systems and services. I've decided to write and share my interest in cyber security and information security online to help improve white-hat security, safety and privacy of our online digital assets, as companies, as individuals or as experts providing services. Here you'll be able to read freely about cyber security threats, detections, common problems, services, news and everything related to information security and cyber security. Enjoy, and feel free to contact me via the contact page with any question.