When deciding which logs to collect and feed into Blumira for threat detection and response, the main factor is this: what are the critical components of your network, and what are the critical components of your business? These data sources MUST be given top priority. Some systems are critical to any enterprise, for instance:

- Your next-gen firewall and IPS. Collecting and analyzing your firewall and IPS logs is a proactive way to detect attempted intrusions before they materialize and to take corrective action. In cases where an attack has already succeeded, you need to know about it as quickly as possible.
- Your endpoints and advanced endpoint security solutions. These logs provide greater visibility to detect advanced attacks and insider threats through real-time endpoint monitoring.
- Your domain controller. This is important because it lets you view and analyze users' network activity. Suspicious activity can then be detected and halted.
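The example below is an added illustration and is not Blumira's code. It shows what "prioritizing critical sources" looks like in practice: events from the three source types named above (firewall/IPS, endpoint, domain controller) are processed before anything else, and a minimal detection pass runs over them. The log lines, the `host source key=value` line format, the source names, the `severity=high` endpoint field and the thresholds are all constructed assumptions for the demo; only the Windows event IDs 4625 (failed logon) and 4624 (successful logon) are real.

```python
"""Added example (not Blumira's): rank log sources by criticality and run a
small detection pass over constructed sample lines from the critical ones."""
import re
from collections import Counter, defaultdict

# Assumed priority tiers. The three source types from the text are tier 1;
# anything not listed is processed last.
SOURCE_PRIORITY = {
    "firewall": 1,
    "ips": 1,
    "endpoint": 1,
    "domain_controller": 1,
    "printer": 3,  # hypothetical low-priority source
}

# Assumed detection thresholds for the demo rules below.
PROBE_PORT_THRESHOLD = 3    # distinct ports denied from one source IP
FAILED_LOGON_THRESHOLD = 3  # failed logons (event 4625) for one account

# Constructed sample lines in an assumed "host source key=value ..." format.
# Addresses use documentation/private ranges; nothing here is real data.
SAMPLE_LOGS = [
    "fw01 firewall action=deny src=203.0.113.7 dst=10.0.0.5 dport=22",
    "fw01 firewall action=deny src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "fw01 firewall action=deny src=203.0.113.7 dst=10.0.0.5 dport=445",
    "fw01 firewall action=allow src=198.51.100.2 dst=10.0.0.8 dport=443",
    "dc01 domain_controller event_id=4625 user=jsmith src=10.0.0.42",
    "dc01 domain_controller event_id=4625 user=jsmith src=10.0.0.42",
    "dc01 domain_controller event_id=4625 user=jsmith src=10.0.0.42",
    "dc01 domain_controller event_id=4624 user=alee src=10.0.0.17",
    "ws07 endpoint severity=high detail=suspicious_process_tree",
    "print1 printer status=paper_low",
]

LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<source>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one line into a dict of host, source and key=value fields.

    Returns None for lines that do not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {"host": m.group("host"), "source": m.group("source"), **fields}


def prioritize(events):
    """Order events so tier-1 (critical) sources are analyzed first.

    sorted() is stable, so lines from the same tier keep their arrival order."""
    return sorted(events, key=lambda e: SOURCE_PRIORITY.get(e["source"], 9))


def detect(events):
    """Run three simple rules and return (rule, subject, detail) findings."""
    findings = []
    denied_ports = defaultdict(set)  # source IP -> set of denied ports
    failed_logons = Counter()        # account -> count of event 4625
    for e in events:
        kind = e["source"]
        if kind in ("firewall", "ips") and e.get("action") == "deny":
            denied_ports[e["src"]].add(e["dport"])
        elif kind == "domain_controller" and e.get("event_id") == "4625":
            failed_logons[e["user"]] += 1
        elif kind == "endpoint" and e.get("severity") == "high":
            findings.append(("endpoint_alert", e["host"], e.get("detail", "")))
    # Repeated denies against several ports from one IP: an attempted probe
    # that the firewall stopped, which the text says to surface early.
    for ip, ports in denied_ports.items():
        if len(ports) >= PROBE_PORT_THRESHOLD:
            findings.append(("probe_attempt", ip, f"{len(ports)} ports denied"))
    # Bursts of failed logons at the domain controller for one account.
    for user, n in failed_logons.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(("failed_logon_burst", user, f"{n} failures"))
    return findings


def run_triage(lines=SAMPLE_LOGS):
    """Parse, prioritize and detect in one pass; returns the findings list."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return detect(prioritize(events))


if __name__ == "__main__":
    for rule, subject, detail in run_triage():
        print(f"{rule:18} {subject:15} {detail}")
```

Running the block prints one line per finding: the endpoint alert, the three-port probe from 203.0.113.7 and the three failed logons for `jsmith`. The low-priority printer line is parsed but contributes nothing, which is the point: collection from the critical sources is what drives detection, and lower-tier sources can be added once those are in place.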