Alerting and Monitoring Activities

(OBJ .)

Alerting/Monitoring range of activities

Alerting and monitoring utilizes a wide range of activities

• Log Aggregation
  • Collects and consolidates log data from various sources into a central location
  • Aids in troubleshooting, performance monitoring, security analysis, and compliance
  • Provides a holistic view of system events for identifying issues and correlations
  • Vital for maintaining system health and analyzing performance trends
  • Used for
    • Detecting security incidents
    • Investigating breaches
    • Gathering evidence
• Alerting
  • Involves setting up notifications for specific events or conditions
  • Alerts can be triggered based on thresholds or anomalies
  • Critical for proactive issue resolution, incident detection, and regulatory compliance
  • Delivered through various channels, such as email, SMS, or push notifications
• Scanning
  • Regularly examines systems, networks, or applications to identify vulnerabilities, misconfigurations, and issues
  • Includes the following
    • Vulnerability scanning
      • Checks for vulnerabilities in systems, networks, or applications
      • Compares system’s state against a database of known vulnerabilities
    • Configuration scanning
      • Checks for misconfigurations that could impact system performance or security
      • Deviations are flagged for administrative review
    • Code scanning
      • Checks the source code of an application for potential issues, such as security vulnerabilities or coding errors
  • Utilizes tools like Nessus, OpenVAS, and Qualys
  • Helps maintain system health, security, and optimal performance
• Reporting
  • Generates summaries or detailed reports based on collected and analyzed data
  • Provides insights into system performance, security incidents, compliance status, and more
  • Essential for compliance reporting and continuous improvement
• Archiving
  • Involves long-term storage of data, including
    • Log data
    • Performance data
    • Incident data
  • Ensures data is retained for future reference, analysis, auditing, or compliance
  • Important for legal and regulatory requirements
  • Can be achieved using cloud storage solutions like Amazon S3 or Google Cloud Storage
• Alert Response and Remediation/Validation
  • Managing and resolving identified issues based on alerts or scans
  • Begin by taking appropriate actions such as
    • Investigating
    • Escalating
    • Initiating
  • Initial response may include investigation, escalation, or predefined procedures
  • Remediation
    • involves taking steps to address vulnerabilities or issues, such as patching or reconfiguration
  • Validation
    • verifies that remediation efforts were successful in addressing the identified problems

Quarantining

• Isolates a system, network, or application suspected of being compromised
• Prevents the spread of threats and limits potential impact
• Commonly used when dealing with malware infections

Alert Tuning

• Adjusts alert parameters to reduce errors, false positives, and improve alert relevance
• Can involve changing alert thresholds, conditions, or delivery methods
• Helps minimize excessive alerts and noise, making alerts more actionable