discuss the specific technical log event data required. Information on how to configure this logging can be found in multiple publications.32,33
Table 10. Example Incident Response Plays for IR Playbooks

Play Category: Reconnaissance
Play: Vulnerability scanning sweep of DMZ
Description: Large numbers of vulnerabilities are scanned across the DMZ spectrum. Could involve scanning a single server over multiple ports or scanning multiple servers on a single port.
Source Data: Server list in DMZ; intrusion detection system (IDS) or intrusion prevention system (IPS) logs configured to detect vulnerability scanning; firewall logs; Netflow data

Play Category: Reconnaissance
Play: Vulnerability scan from known malicious IPs
Description: Vulnerability scans of the DMZ or other servers/endpoints exposed to the internet over channels that are shared and known to be malicious (IOC).
Source Data: IOC list from threat-sharing sources (e.g., ISACs); IDS/IPS logs; firewall logs; Netflow data

Play Category: Reconnaissance
Play: Successful access from known malicious IPs
Description: Successful authentications from known malicious IP addresses. Authentications through standard remote access channels, such as VPNs, virtual terminals, jump boxes, or other mechanisms.
Source Data: Authentication logs; firewall logs; IOC list from threat-sharing sources (e.g., ISACs)
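The three reconnaissance plays in Table 10 each reduce to a simple join between a source-data feed and a reference set (the DMZ server list or the IOC list). The following is an added example, not code from the original document or from any playbook it describes, showing how each play can be expressed as detection logic over the source data the table names. All records, IP addresses and thresholds below are constructed for illustration; a real deployment would read firewall/Netflow exports, authentication logs and an ISAC-provided IOC feed instead of the inline lists.

```python
"""Detection logic for the three reconnaissance plays in Table 10.

Added example (not from the original document). Every record, address and
threshold here is constructed; swap in real Netflow/firewall exports,
authentication logs and an IOC feed from a threat-sharing source.
"""
from collections import defaultdict

# Constructed DMZ server list (play 1 source data): RFC 5737 documentation range.
DMZ_SERVERS = {"203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"}

# Constructed stand-in for an IOC list from a threat-sharing source (plays 2 and 3).
IOC_IPS = {"198.51.100.7"}

# Constructed, simplified firewall/Netflow records: (src_ip, dst_ip, dst_port, action).
FLOWS = (
    # One source probing 25 different ports on a single DMZ server.
    [("192.0.2.50", "203.0.113.10", port, "deny") for port in range(1, 26)]
    # One source probing the same port on three DMZ servers.
    + [("192.0.2.51", dst, 443, "allow")
       for dst in ("203.0.113.10", "203.0.113.11", "203.0.113.12")]
    # A known-malicious (IOC) source touching two DMZ servers on SSH.
    + [("198.51.100.7", "203.0.113.11", 22, "deny"),
       ("198.51.100.7", "203.0.113.12", 22, "deny")]
    # Ordinary traffic and a non-DMZ destination, which should not alert.
    + [("192.0.2.99", "203.0.113.10", 443, "allow"),
       ("192.0.2.50", "10.0.0.5", 445, "allow")]
)

# Constructed authentication log records: (src_ip, user, result, channel).
AUTH_EVENTS = [
    ("198.51.100.7", "jsmith", "success", "vpn"),
    ("198.51.100.7", "admin", "failure", "jumpbox"),
    ("192.0.2.99", "asmith", "success", "vpn"),
]


def detect_dmz_sweep(flows, dmz_servers, port_threshold=20, host_threshold=3):
    """Play 1: vulnerability scanning sweep of the DMZ.

    Flags a source that touches many ports on one DMZ server, or the same port
    on many DMZ servers. Thresholds are illustrative and should be tuned to the
    environment's normal traffic.
    """
    ports_per_target = defaultdict(set)   # (src, dst) -> ports seen
    hosts_per_port = defaultdict(set)     # (src, port) -> DMZ hosts seen
    for src, dst, port, _action in flows:
        if dst not in dmz_servers:        # only the internet-exposed servers matter
            continue
        ports_per_target[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)

    alerts = set()
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= port_threshold:
            alerts.add((src, f"many ports on {dst}"))
    for (src, port), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            alerts.add((src, f"port {port} on {len(hosts)} hosts"))
    return sorted(alerts)


def detect_ioc_scans(flows, dmz_servers, ioc_ips):
    """Play 2: any traffic from an IOC-listed source toward DMZ servers.

    Denied connections count too: a blocked probe from a known-malicious
    address is still reconnaissance worth recording.
    """
    hits = {(src, dst) for src, dst, _port, _action in flows
            if src in ioc_ips and dst in dmz_servers}
    return sorted(hits)


def detect_ioc_logins(auth_events, ioc_ips):
    """Play 3: successful authentications from IOC-listed addresses.

    Failures are not returned here; only a successful login from a known
    malicious address is the condition this play responds to.
    """
    return [event for event in auth_events
            if event[0] in ioc_ips and event[2] == "success"]


if __name__ == "__main__":
    print("Play 1:", detect_dmz_sweep(FLOWS, DMZ_SERVERS))
    print("Play 2:", detect_ioc_scans(FLOWS, DMZ_SERVERS, IOC_IPS))
    print("Play 3:", detect_ioc_logins(AUTH_EVENTS, IOC_IPS))
```

Each function returns the matches rather than printing them so the output can be handed to a ticketing or SIEM alerting step; the two thresholds in `detect_dmz_sweep` are the part most likely to need tuning against a site's baseline before the play is trusted.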
32. David Swift, Successful SIEM and Log Management Strategies for Audit and Compliance, The SANS Institute, 2010, https://www.sans.org/reading-room/whitepapers/auditing/successful-siem-logmanagement-strategies-audit-compliance-33528.
33. Peter zanik and ala it, "The 6 Categories of Critical Log Information," SANS Technology Security Laboratory, last modified 2013, accessed February 4, 2018, https://www.sans.edu/cyberresearch/security-laboratory/article/sixtoplogcategories.