How can you document security incidents identified through auditing and logging?

Logs are the key to identify the traces of the incidents , it includes and not limited to audit logs, if the server is going through attacks, you may have the logs on the security audit logs, for example if the server is going through brute force attacks, you may check logs and it will be having a list of all attempts , source ip and username as per the audit log, if you see the unauthorised id successful login attempt , it is a indicator of compromise. The same trace will be found on all the logs of the perimeter and that may include firewall 🔥 System may be connecting to or connected to malicious destination IPs , which may be abusing. System performance may be affected that includes performance issues on Network , memory ,CPU and Disk.

Documenting security incidents identified through auditing and logging involves creating detailed incident reports that capture pertinent information such as the date and time of the incident, affected systems or assets, nature of the incident, actions taken in response, and any remediation steps implemented. Include relevant logs, screenshots, and forensic evidence to support the incident analysis and investigation. Utilize standardized incident reporting templates and procedures to ensure consistency and completeness of documentation. Additionally, classify incidents based on severity levels to prioritize response efforts effectively. Regularly review and update incident documentation to facilitate post-incident analysis a

If a server is identified as compromised, the system owner to be notified and all appropriate actions to be completed for quarantine and that may include isolating the server from the network. Changing VLAN and blocking all outbound and inbound traffic. All evidences must be preserved for incident and server shouldn’t b powered off or rebooted and logs should not be tampered. If any account was used, the account may be suspended. If any vulnerability was exploited to compromise the server , it needs to be fixed and server hardening is needed and it could be temporary or permanent fix. As a part of incident response , all actions to be documented including timestamps, resources involved etc.

Forensic investigation may be needed and evidences need to be preserved. Expert forensic team may be used outside the organisation who has expertise in the forensic investigation and the forensic team may preserve all original evidences for law enforcement authorities or could be used as an admissible court evidence. Server logs should not tampered and root logins should be avoided to preserve the evidences as needed for forensic investigations.

Systems may be restored from backups after analysing completely and ensure it is restored from backup timestamp before to the actual compromise. Otherwise system may have a malware, compromised or modified cron job or a script etc . A complete fix to avoid the repeated attack using the same vulnerability that includes and not limited to applying patches and hardening of systems configuration, Additional firewall rule or improving IDS or IPS rules.

This could be used an opportunity to continuously improve the incident response process and that may include and not limited to - monitoring systems - hardening standards - additional training for the system administrators in security and hardening - a root cause analysis - what went wrong - how it could be improved.