Not all logs are created equal. Common logs from servers and firewalls are fairly easy to ingest and parse, while DNS or physical security logs are much tougher to manage at scale, and leaving them out creates blind spots in the security environment. The challenging logs are the ones most likely to be skipped: according to a 451 Research survey of 150 large enterprises, security information and event management (SIEM) platforms ingest logs from only about 45% of their organizations' log-producing systems.
But whether logs are a slam dunk to ingest or demand more time and attention, security teams should consider logging the often-overlooked sources that are valuable for threat hunting exercises. Here are five log sources that deserve a second look, along with suggestions for working around the challenges each presents.