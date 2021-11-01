
2. List what needs to be logged and how it needs to be monitored

Based on your goals, determine what metadata needs to be captured and what events need to be logged. Some examples of metadata and events to be logged and why include:

PII/PHI transactions to be HIPAA compliant

Financial transactions to be PCI DSS compliant

Authentication attempts to a server (successful and failed logins, password changes)

Commands executed on a server

Queries (especially DML queries) executed on a database
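The authentication-attempt item above is the one most often turned into a threshold alert (multiple failed logins from one source). The following is an added example, not code from the original article: it parses constructed sshd-style log lines (the format, sample addresses and timestamps are assumptions made for illustration), keeps a sliding window of failed logins per source address, and raises an alert when a source crosses a configurable threshold inside the window. The threshold of 5 failures in 5 minutes is an example setting, not a recommendation from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified sshd-like format (not from a real system).
SAMPLE_LOG = """\
2021-11-01T10:00:01 sshd[2001]: Failed password for invalid user admin from 203.0.113.10 port 5100
2021-11-01T10:00:03 sshd[2002]: Failed password for root from 203.0.113.10 port 5101
2021-11-01T10:00:04 sshd[2003]: Accepted password for alice from 198.51.100.7 port 6000
2021-11-01T10:00:05 sshd[2004]: Failed password for root from 203.0.113.10 port 5102
2021-11-01T10:00:06 sshd[2005]: Failed password for root from 203.0.113.10 port 5103
2021-11-01T10:00:07 sshd[2006]: Failed password for root from 203.0.113.10 port 5104
2021-11-01T10:00:09 sshd[2007]: Failed password for bob from 198.51.100.7 port 6001
2021-11-01T10:20:00 sshd[2008]: Failed password for bob from 198.51.100.7 port 6002
"""

# Assumed line layout: ISO timestamp, process, outcome, optional "invalid user", user, source, port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_line(line):
    """Extract the attributes a security team needs from one line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert when a single source accumulates `threshold` failed logins within `window`.

    A per-source deque holds the timestamps of recent failures; entries older than the
    window are dropped before the count is checked. When an alert fires the window is
    reset, so a continuing burst yields one alert per `threshold` failures rather than
    one alert per log line (keeps alert volume bounded).
    Returns a list of (source, failure_count, trigger_timestamp) tuples.
    """
    recent = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["outcome"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["src"], len(q), ev["ts"]))
            q.clear()
    return alerts


if __name__ == "__main__":
    for src, count, ts in detect_failed_login_bursts(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {src}: {count} failed logins within window")
```

With the sample data, 203.0.113.10 reaches five failures at 10:00:07 and triggers one alert; 198.51.100.7 has two failures twenty minutes apart, so the first has aged out of the window by the time the second arrives and no alert fires. The same window-and-threshold pattern applies to the other items in the list (for example, a burst of DML queries from one account), with the parser and the key field changed.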

Infrastructure administrators and security teams should collaborate to build an effective logging and monitoring program that collects traditional operational metrics and can analyze them to mitigate attacks. Alerts on certain events, such as multiple failed login attempts, or weekly notifications on commands executed on a server, can be set up to monitor these events. It is also important to work with application teams to understand what the different attributes of a log entry mean. Once you have a baseline for normal operations, you can configure correlation rules, aggregations, thresholds, and alerts to be triggered for any anomaly, based on the security risk profile of the application. For example, every log entry should have at least the following: