CAF – C1.a Sources and Tools for Logging and Monitoring

Structured Approach to Logging and Monitoring

• A structured approach to logging and monitoring should be in place to ensure security events that may impact managed services are identified promptly.
  Monitoring should be based on:

  • an understanding of client environments

  • common threat actor behaviours

  • the logs required to detect malicious or abnormal activity

• Logging and monitoring requirements should be defined in an Event Logging and System Monitoring Policy.

Monitoring Sources and Tools

• Monitoring should typically include:

  • Host-level telemetry (e.g. EDR tools such as Defender for Business, SentinelOne, Huntress)

  • Network monitoring (e.g. N-able, Datto)

  • Identity and access logs (e.g. Microsoft 365 / Azure AD)

  • Endpoint and server event logs

  • Security alerts from AV/EDR, firewalls and email security tools

• New systems or tools brought into scope should be reviewed to ensure their logs are captured appropriately.

Log Integrity and Correlation

• Log timestamps should be synchronised to a reliable time source where supported, enabling effective correlation across datasets.

• Log data should be enriched with additional context where available (e.g. identity information, device details, network metadata).

Using Monitoring Tools Effectively

• Monitoring tools should be used to identify:

  • suspicious behaviour

  • policy violations

  • deviations from normal user or system activity

• Alerts should be generated using configured rules, with thresholds reviewed periodically and after significant incidents.

Regular Review of Monitoring Strategy

The tools and data sources used for monitoring should be reviewed regularly to ensure they remain effective and aligned with:

• emerging threats

• new client systems

• changes in technology.