@infosec_james this calling - all that remains. The first part of it will certainly wake someone up
@itisiboller thanks for the dialogue! 🙇‍♂️
@itisiboller there’s also a disconnect I’m seeing with what the team says is “important” and what the broader org says is “important”. Team has a smaller view of “important” than the org. Misalignment. Even though incidents and ops show that they are missing critical log sources.
@itisiboller totally agree with pacing and whatnot. And even the point about pulling in logs from the things that “matter”. Struggling with the whole “we only think these 5 things matter” when there’s evidence to indicate that’s not the limit of “importance”, and why a team would refuse to pull in logs for those other things.
@itisiboller this is a totally logical thought, but isn’t that a chicken/egg problem? If you don’t have logs how will you know if there was a high fidelity event?
What I find strange about this is the response I get which is “we can get the logs from the application admin”. I’ve seen this play out in the incidents and it means you’re increasing the number of people in the know, they are slow to respond, maybe the platform doesn’t have logs going far back enough, etc.
Have any of you ever worked at a place where the SOC has said they don’t care to ingest logs for everything in the environment (including SaaS apps), but only a finite number of apps? Let’s assume cost isn’t an issue for a moment. I find this strange… looking for some additional opinions/thoughts.
@Oreoshake any update? Trying to lock in training/conference budget
@Nerdpyle Darby and Indy pix nao plz. Also any fosters too