You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This lab applies Governance, Risk, and Compliance (GRC) principles to the SOC lab environment built across Labs 01–14. Log sources generated throughout the lab series are mapped to NIST SP 800-53 controls, retention gaps are identified, and policy improvements are proposed. This lab bridges technical SOC work with compliance frameworks used in enterprise security programs.
Incident Ticket (ServiceNow Simulation)
Field
Details
Incident ID
INC-0015
Date/Time Detected
2026-04-26
Detected By
Eric Ellison — SOC Analyst
Severity
Low
Category
Governance, Risk & Compliance
Subcategory
Log Retention Policy Review
Short Description
Log retention gaps identified across SOC lab environment
Detailed Description
A review of log sources collected during Labs 01–14 revealed that SSH authentication logs generated on the Kali Linux VM are not ingested into the Elastic SIEM data stream (logs-system.auth-*). This gap was first identified in Lab 13 and confirmed in Lab 14. Additional retention gaps exist across network traffic captures stored locally in Wireshark without centralized archival.
IOCs
None — compliance review
Impact Assessment
Detection capability is reduced. SSH brute force attempts (Lab 13) generated no alerts due to missing log ingestion. Forensic investigation would be hindered without retained logs.
Ingest SSH auth logs into Elastic. Establish minimum 90-day retention for all log sources.
Status
Closed — Policy Proposed
Lab Objectives
Identify all log sources generated across Labs 01–14
Map each log source to relevant NIST SP 800-53 controls
Identify retention gaps
Propose a log retention policy
Environment Overview
Component
Details
Host OS
Windows
VM 1
Kali Linux
VM 2
Ubuntu 64-bit
Virtualization
VMware Workstation
SIEM
Elastic Cloud Serverless (GCP Iowa)
Packet Capture
Wireshark
Log Source Inventory
Log Source
Tool
Location
Retained?
Network packet captures (HTTP, DNS, TLS)
Wireshark
Local .pcap files
No — local only
SSH authentication logs
Linux systemd journal
/var/log/auth.log
No — not ingested into Elastic
Elastic Agent system logs
Elastic SIEM
logs-system.*
Yes
Port scan activity
Wireshark / Nmap
Local .pcap files
No — local only
Elastic detection rule alerts
Elastic SIEM
.alerts-*
Yes
NIST SP 800-53 Control Mapping
Log Source
NIST Control
Control Name
Gap Identified
SSH authentication logs
AU-2
Event Logging
Not ingested into SIEM
SSH authentication logs
AU-9
Protection of Audit Information
No centralized retention
Network packet captures
AU-2
Event Logging
Local only, no archival
Network packet captures
AU-11
Audit Record Retention
No defined retention period
Elastic SIEM alerts
AU-6
Audit Record Review
Partial — gaps in alert coverage
Elastic Agent system logs
AU-3
Content of Audit Records
Meets control
All log sources
AU-12
Audit Record Generation
SSH auth gap breaks this control
Detection Gap Analysis
The detection gap first documented in Lab 13 is a direct compliance finding:
Gap: SSH authentication logs from the Kali Linux systemd journal are not forwarded to the Elastic SIEM logs-system.auth-* data stream
Impact: NIST AU-2, AU-9, and AU-12 are not fully satisfied
Evidence: 10 consecutive SSH brute force attempts generated zero alerts in Elastic (Lab 13). Threat hunt in Lab 14 confirmed SSH auth logs absent from logs-* data view
Proposed Log Retention Policy
Policy Element
Requirement
Minimum retention period
90 days for all log sources
SSH authentication logs
Must be ingested into SIEM within 5 minutes of generation
Network packet captures
Must be archived to centralized storage, not stored locally
SIEM alert logs
Retained for minimum 1 year
Review frequency
Policy reviewed quarterly
Owner
SOC Analyst / Security Operations
Conclusions
3 of 5 log sources reviewed have retention gaps
SSH authentication logs represent the most critical gap — directly linked to a failed detection in Lab 13
NIST SP 800-53 controls AU-2, AU-9, AU-11, and AU-12 are not fully satisfied in the current environment
A defined retention policy with centralized log ingestion would close these gaps
Next Steps
Lab 16: Map the SSH brute force incident (Lab 13) to NIST Cybersecurity Framework and ISO 27001