Skip to content

RouteToRoot/soc-lab-15-log-retention-policy

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
 
 

Repository files navigation

SOC Lab 15 — GRC: Log Retention Policy

Executive Summary

This lab applies Governance, Risk, and Compliance (GRC) principles to the SOC lab environment built across Labs 01–14. Log sources generated throughout the lab series are mapped to NIST SP 800-53 controls, retention gaps are identified, and policy improvements are proposed. This lab bridges technical SOC work with compliance frameworks used in enterprise security programs.


Incident Ticket (ServiceNow Simulation)

Field Details
Incident ID INC-0015
Date/Time Detected 2026-04-26
Detected By Eric Ellison — SOC Analyst
Severity Low
Category Governance, Risk & Compliance
Subcategory Log Retention Policy Review
Short Description Log retention gaps identified across SOC lab environment
Detailed Description A review of log sources collected during Labs 01–14 revealed that SSH authentication logs generated on the Kali Linux VM are not ingested into the Elastic SIEM data stream (logs-system.auth-*). This gap was first identified in Lab 13 and confirmed in Lab 14. Additional retention gaps exist across network traffic captures stored locally in Wireshark without centralized archival.
IOCs None — compliance review
Impact Assessment Detection capability is reduced. SSH brute force attempts (Lab 13) generated no alerts due to missing log ingestion. Forensic investigation would be hindered without retained logs.
Response Actions Taken Log sources mapped to NIST SP 800-53 controls. Gaps documented. Retention policy proposed.
Recommended Actions Ingest SSH auth logs into Elastic. Establish minimum 90-day retention for all log sources.
Status Closed — Policy Proposed

Lab Objectives

  • Identify all log sources generated across Labs 01–14
  • Map each log source to relevant NIST SP 800-53 controls
  • Identify retention gaps
  • Propose a log retention policy

Environment Overview

Component Details
Host OS Windows
VM 1 Kali Linux
VM 2 Ubuntu 64-bit
Virtualization VMware Workstation
SIEM Elastic Cloud Serverless (GCP Iowa)
Packet Capture Wireshark

Log Source Inventory

Log Source Tool Location Retained?
Network packet captures (HTTP, DNS, TLS) Wireshark Local .pcap files No — local only
SSH authentication logs Linux systemd journal /var/log/auth.log No — not ingested into Elastic
Elastic Agent system logs Elastic SIEM logs-system.* Yes
Port scan activity Wireshark / Nmap Local .pcap files No — local only
Elastic detection rule alerts Elastic SIEM .alerts-* Yes

NIST SP 800-53 Control Mapping

Log Source NIST Control Control Name Gap Identified
SSH authentication logs AU-2 Event Logging Not ingested into SIEM
SSH authentication logs AU-9 Protection of Audit Information No centralized retention
Network packet captures AU-2 Event Logging Local only, no archival
Network packet captures AU-11 Audit Record Retention No defined retention period
Elastic SIEM alerts AU-6 Audit Record Review Partial — gaps in alert coverage
Elastic Agent system logs AU-3 Content of Audit Records Meets control
All log sources AU-12 Audit Record Generation SSH auth gap breaks this control

Detection Gap Analysis

The detection gap first documented in Lab 13 is a direct compliance finding:

  • Gap: SSH authentication logs from the Kali Linux systemd journal are not forwarded to the Elastic SIEM logs-system.auth-* data stream
  • Impact: NIST AU-2, AU-9, and AU-12 are not fully satisfied
  • Evidence: 10 consecutive SSH brute force attempts generated zero alerts in Elastic (Lab 13). Threat hunt in Lab 14 confirmed SSH auth logs absent from logs-* data view

Proposed Log Retention Policy

Policy Element Requirement
Minimum retention period 90 days for all log sources
SSH authentication logs Must be ingested into SIEM within 5 minutes of generation
Network packet captures Must be archived to centralized storage, not stored locally
SIEM alert logs Retained for minimum 1 year
Review frequency Policy reviewed quarterly
Owner SOC Analyst / Security Operations

Conclusions

  • 3 of 5 log sources reviewed have retention gaps
  • SSH authentication logs represent the most critical gap — directly linked to a failed detection in Lab 13
  • NIST SP 800-53 controls AU-2, AU-9, AU-11, and AU-12 are not fully satisfied in the current environment
  • A defined retention policy with centralized log ingestion would close these gaps

Next Steps

  • Lab 16: Map the SSH brute force incident (Lab 13) to NIST Cybersecurity Framework and ISO 27001
  • Remediate SSH log ingestion gap in Elastic

About

SOC Lab 15 — GRC: Log Retention Policy | Mapping SOC logs to NIST SP 800-53 controls and identifying retention gaps

Topics

Resources

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors