Hey Biasnarrative,
Great questions. I'm not sure if I understand exactly what you mean but i'll give it a go. LIDS- having a Log based Intrusion Detection system set up for your IDS/IPS strategy can help filter specific logs to your SIEM for more efficient monitoring. This will also cut down the number of logs files sent to your SIEM (Splunk, sumo, etc) which would lower your bill.
As for activities that can be overlooked when logging cloud infrastructure, warning signs of compromise can be overlooked, user attribution. If your coworker Marissa spun up an EC2 instance without your orgs proper security policy applied, your log files might only tell you what they see on the surface. The fact that someone named "Marissa" or someone with the email "[email protected]" would be what's over looked. Log Files lack that ability to attribute which user did what. Having the ability of user attribution allows you to ask "Marissa" about this issues your self. If Marissa denies working with an EC2 instance that day, it could be a sign of her account being compromised.
I just work in a SOC and I am always looking for information on logs cause that a main part of our automated rule firing.
Never know when the business might go crazy with cloud! Haha
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit