Endpoint Logs
Endpoint logs record security-related events generated by host-based malware and intrusion detection agents.
- include
  - host-based firewalls and intrusion detection
  - vulnerability scanners
  - antivirus/antimalware protection suites
- security tools can be directly integrated with a SIEM using agent-based software
- Summarizing events from endpoint protection logs can show overall threat levels
  - e.g.,
    - amount of malware detected
    - number of host intrusion detection events
    - number of hosts with missing patches
- Close analysis of detection events can assist with:
  - attributing intrusion events to a specific actor
  - developing threat intelligence of tactics, techniques, and procedures
- Vulnerability scans can be configured to log each vulnerability detected to a SIEM
  - can include
    - missing patches
    - noncompliance with a baseline security configuration
  - SIEM can retrieve a list of these logs for each host
    - provides useful information about whether a host is properly configured
  - can include
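The two SIEM uses described in these notes, an overall threat-level summary of endpoint protection events and a per-host list of vulnerability-scan findings, as one added worked example (not code from the notes or from any SIEM product). The syslog-style `key=value` line format, the host names, the event types and the patch identifiers are all constructed for the example and are assumptions, not any vendor's real schema.

```python
"""Summarize endpoint-protection and vulnerability-scan events the way a SIEM
dashboard would: overall threat-level counters plus a per-host findings view.

Added example. The log format (timestamp, source tag, then key=value fields)
is a constructed assumption, not a real vendor or SIEM format.
"""
import re
from collections import defaultdict

# Constructed sample lines: an AV agent, a HIDS agent and a vulnerability
# scanner all forwarding into the same SIEM. Patch ids are placeholders.
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z av host=ws-101 event=malware_detected name=Trojan.Generic action=quarantined
2024-05-01T08:03:12Z hids host=srv-db01 event=intrusion_alert rule=ssh_bruteforce severity=high
2024-05-01T08:05:40Z vulnscan host=ws-101 event=missing_patch id=PATCH-EXAMPLE-1 severity=critical
2024-05-01T08:05:41Z vulnscan host=ws-101 event=config_noncompliance check=password_policy
2024-05-01T08:06:02Z vulnscan host=srv-db01 event=missing_patch id=PATCH-EXAMPLE-2 severity=high
2024-05-01T08:07:15Z av host=ws-102 event=malware_detected name=Adware.Bundle action=cleaned
2024-05-01T08:09:30Z hids host=ws-102 event=intrusion_alert rule=suspicious_powershell severity=medium
malformed line that should be skipped, not crash the summary
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\w+)\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict for one log line, or None if it is not a usable record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "source": m.group("source")}
    rec.update(KV_RE.findall(m.group("fields")))
    # Every useful record names a host and an event type; drop anything else
    # so a malformed line degrades the summary instead of crashing it.
    if "host" not in rec or "event" not in rec:
        return None
    return rec


def parse_logs(text):
    """Parse all lines, silently skipping the ones that do not fit the format."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def threat_summary(records):
    """Overall threat-level counters: the figures a SIEM summary panel shows."""
    malware = sum(1 for r in records if r["event"] == "malware_detected")
    hids = sum(1 for r in records if r["event"] == "intrusion_alert")
    # Hosts are counted once each, however many findings they have.
    hosts_missing_patches = {r["host"] for r in records if r["event"] == "missing_patch"}
    hosts_noncompliant = {r["host"] for r in records if r["event"] == "config_noncompliance"}
    return {
        "malware_detected": malware,
        "hids_events": hids,
        "hosts_missing_patches": len(hosts_missing_patches),
        "hosts_noncompliant": len(hosts_noncompliant),
    }


def per_host_findings(records):
    """Per-host list of scan findings: is this host patched and properly configured?"""
    findings = defaultdict(list)
    for r in records:
        if r["event"] == "missing_patch":
            findings[r["host"]].append(
                f"missing patch {r.get('id', '?')} ({r.get('severity', 'unknown')})"
            )
        elif r["event"] == "config_noncompliance":
            findings[r["host"]].append(f"baseline noncompliance: {r.get('check', '?')}")
    return dict(findings)


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    print(threat_summary(recs))
    for host, items in sorted(per_host_findings(recs).items()):
        print(host, "->", "; ".join(items))
```

The summary counts hosts rather than findings for the patch and compliance figures, which is the number that actually answers "how many machines need attention"; the per-host view is what an analyst pulls up for one machine, and a host absent from it (ws-102 above) has no open scan findings even though it produced malware and HIDS events.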