WhatsApp Call: +91 8088734237
Email: info@sherlockedsecurity.com
Sherlocked Security – AI-Powered Cybersecurity & Penetration Testing
Sherlocked Security – Log-Data MDR

May 9, 2025

Managed Detection & Response powered by log telemetry, analytics, and threat intelligence


1. Statement of Work (SOW)

Service Name: Log-Data MDR
Client Type: All verticals – Enterprise, Finance, SaaS, Healthcare, Government
Service Model: 24×7 Monitoring via Logs, Fully Managed or Co-Managed
Compliance Alignment: PCI-DSS, HIPAA, SOC 2, ISO 27001, NIST 800-53, CJIS, GDPR

Scope of Work Includes:

  • Centralized ingestion and normalization of security logs
  • Detection engineering across diverse log sources
  • Threat hunting and investigation from enriched logs
  • 24/7 SOC alerting and triage based on log telemetry
  • Correlation across identity, network, endpoint, and cloud activity
  • Threat intelligence enrichment and indicator matching
  • Response playbooks and integration with SOAR tools
  • Compliance alerting and audit-ready log storage

2. Our Approach

[Log Onboarding] → [Detection Content & Parsing] → [Alerting & Threat Intel] → [Triage & Investigation] → [Response & Remediation] → [Continuous Content Improvement]


3. Methodology

  • Log Source Inventory: Identify and validate all relevant log-producing systems
  • Parser Development: Normalize logs to a common field schema (e.g., ECS) or interchange format (e.g., CEF, LEEF) so one rule can cover the same behaviour from different products
  • Detection Rules: Write custom detections (Sigma, SPL, KQL, Lucene, etc.)
  • Enrichment: Add geo-IP, user context, asset criticality, and threat intel
  • Triage: Prioritize alerts based on severity, context, and correlation
  • Investigation: Use timelines, session stitching, and IOC backtracking
  • Response: Initiate SOAR-based or manual containment actions
  • Reporting: Monthly and on-demand dashboards, risk reports, and incident summaries
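The parser-development, detection-rule, enrichment and triage steps above, as an added example that is not Sherlocked's own tooling: three constructed log lines (a Sysmon-style process event, an sshd syslog line and a CloudTrail-style record) are normalized to ECS-style field names, matched against Sigma-style selections using Sigma's `contains`/`endswith` modifiers, and enriched with a constructed asset-criticality table so that a medium-severity hit on a production database outranks a high-severity hit on a workstation. The rules, hosts, IPs and the custom `labels.mfa_used` field are assumptions made for illustration.

```python
# Added example (not Sherlocked's tooling): normalize raw events from three
# constructed log sources to ECS-style field names, evaluate Sigma-like
# selections against them, then enrich matches with asset criticality to
# rank them for triage. 'labels.mfa_used' is a custom label chosen here.
import json
import re

# Constructed sample events: a Sysmon-style process event, a Linux sshd
# syslog line and an AWS CloudTrail-style record.
RAW_EVENTS = [
    ("sysmon", json.dumps({
        "EventID": 1, "Computer": "WKS-042", "User": "CORP\\alice",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"})),
    ("syslog", "May  9 10:16:44 db-prod-01 sshd[2231]: Failed password for root "
               "from 203.0.113.9 port 51022 ssh2"),
    ("cloudtrail", json.dumps({
        "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"userName": "deploy-svc"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"}})),
]

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def normalize(source, raw):
    """Map one raw event to a flat dict keyed by ECS-style dotted field names."""
    if source == "sysmon":
        d = json.loads(raw)
        return {"event.category": "process", "event.action": "process_start",
                "host.name": d["Computer"], "user.name": d["User"].split("\\")[-1],
                "process.executable": d["Image"], "process.command_line": d["CommandLine"]}
    if source == "syslog":
        m = SYSLOG_RE.match(raw)
        if not m:
            raise ValueError(f"unparsed syslog line: {raw!r}")
        out = {"event.category": "authentication", "host.name": m["host"]}
        f = SSH_FAIL_RE.search(m["msg"])
        if f:
            out.update({"event.outcome": "failure", "user.name": f["user"], "source.ip": f["ip"]})
        return out
    if source == "cloudtrail":
        d = json.loads(raw)
        ok = d.get("responseElements", {}).get("ConsoleLogin") == "Success"
        return {"event.category": "authentication", "event.action": d["eventName"],
                "event.outcome": "success" if ok else "failure",
                "user.name": d["userIdentity"]["userName"], "source.ip": d["sourceIPAddress"],
                "labels.mfa_used": d.get("additionalEventData", {}).get("MFAUsed", "Unknown")}
    raise ValueError(f"unknown source {source}")

# Sigma-style rules whose selection keys are already mapped to ECS names.
# The '|modifier' suffix follows Sigma syntax; a list of values means OR.
RULES = [
    {"title": "Encoded PowerShell command line", "level": "high", "tags": ["attack.t1059.001"],
     "selection": {"event.action": "process_start",
                   "process.executable|endswith": "\\powershell.exe",
                   "process.command_line|contains": ["-enc", "-encodedcommand"]}},
    {"title": "SSH root login failure", "level": "medium", "tags": ["attack.t1110"],
     "selection": {"event.category": "authentication", "event.outcome": "failure",
                   "user.name": "root"}},
    {"title": "AWS console login without MFA", "level": "high", "tags": ["attack.t1078.004"],
     "selection": {"event.action": "ConsoleLogin", "event.outcome": "success",
                   "labels.mfa_used": "No"}},
]

def _value_matches(value, modifier, patterns):
    """Case-insensitive comparison, as Sigma backends do for string fields."""
    v = str(value).lower()
    for p in (str(x).lower() for x in patterns):
        if ((modifier == "contains" and p in v) or (modifier == "endswith" and v.endswith(p))
                or (modifier == "startswith" and v.startswith(p)) or (modifier == "" and v == p)):
            return True
    return False

def selection_matches(selection, event):
    """Every key in a selection must match (AND); a missing field never matches."""
    for key, pats in selection.items():
        name, _, modifier = key.partition("|")
        if name not in event:
            return False
        if not _value_matches(event[name], modifier, pats if isinstance(pats, list) else [pats]):
            return False
    return True

# Constructed enrichment data: asset criticality per host and a scoring scheme
# that lets a medium rule on a critical asset outrank a high rule on a workstation.
ASSET_CRITICALITY = {"db-prod-01": "critical", "WKS-042": "low"}
LEVEL_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ASSET_BONUS = {"critical": 2, "high": 1, "medium": 0, "low": 0}

def run_detections(raw_events, rules=RULES):
    """Normalize, match and enrich; returns alerts sorted by triage priority."""
    alerts = []
    for source, raw in raw_events:
        ev = normalize(source, raw)
        for rule in rules:
            if selection_matches(rule["selection"], ev):
                crit = ASSET_CRITICALITY.get(ev.get("host.name"), "unknown")
                alerts.append({"rule": rule["title"], "level": rule["level"], "tags": rule["tags"],
                               "host": ev.get("host.name"), "user": ev.get("user.name"),
                               "asset_criticality": crit,
                               "priority": LEVEL_SCORE[rule["level"]] + ASSET_BONUS.get(crit, 0)})
    return sorted(alerts, key=lambda a: a["priority"], reverse=True)

if __name__ == "__main__":
    for a in run_detections(RAW_EVENTS):
        print(a["priority"], a["rule"], a["host"], a["user"])
```

Running the module prints the three alerts with the root SSH failure on `db-prod-01` first, even though its rule level is only medium. The rules are written against normalized field names rather than vendor fields, which is what lets a single rule cover the same behaviour from another product once that product's parser maps into the same schema.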

4. Deliverables

  • Log Onboarding Documentation
  • Detection Rule Inventory & Logic
  • Daily/Weekly SOC Alert Digest
  • Security Event Investigation Reports
  • Incident Reports with IOC Maps
  • Compliance Log Retention and Access Reports
  • Monthly Threat Detection and Risk Posture Dashboards

5. Client Requirements

  • Access to log-producing infrastructure (firewalls, endpoints, cloud, etc.)
  • SIEM or log forwarding capability (agent or API)
  • Whitelist of destination IPs/domains for log shipping
  • Secure credentials/API keys for log collection
  • Contact points for alert escalation and IR coordination
  • Defined retention and compliance requirements
  • Scope of detections: full coverage vs high-priority assets only

6. Tooling Stack

  • SIEMs: Splunk, Microsoft Sentinel, QRadar, Elastic, Chronicle, Sumo Logic
  • Log Pipelines: Logstash, Fluentd, Cribl, Beats, Azure Log Analytics
  • Detection Tools: Sigma Rules, KQL, SPL, YARA-L, Lucene, custom regex
  • Threat Intel: MISP, Recorded Future, AlienVault OTX, GreyNoise, VirusTotal
  • SOAR: Cortex XSOAR, Tines, Swimlane, Microsoft Sentinel Automation
  • Visualization: Kibana, Grafana, Power BI, Sigma Dashboards

7. Engagement Lifecycle

  1. Asset and Log Source Scoping
  2. Collector Deployment and Log Onboarding
  3. Parser Validation and Normalization
  4. Detection Logic Deployment
  5. Threat Intel and Contextual Alerting
  6. Alert Triage and Analyst Investigation
  7. Response and Notification
  8. Metrics, Reporting, and Continuous Rule Tuning

8. Why Sherlocked Security?

Feature                    | Sherlocked Advantage
---------------------------|---------------------------------------------------------------------------
Log-Centric Threat Focus   | Tailored detections based on actual log telemetry
Cross-Platform Coverage    | Endpoint, cloud, application, IAM, and network logs in a single view
Threat Intelligence Feeds  | Real-time IOC matching and external threat context
Parser & Detection Experts | Custom log format handling, rule writing, and enrichment logic
Compliance-Ready Setup     | Retention, access logs, and alerting aligned with audit and regulatory needs

9. Case Study

Detection of Credential Stuffing Across Federated Apps

Client: SaaS Provider (Fintech)
Event: High volume of failed logins with low-entropy usernames across federated apps
Tool Used: Chronicle SIEM + custom Sigma rule + GreyNoise correlation
Action Taken: Blocked source IPs via SOAR, enforced 2FA, informed impacted users
Result: 98% drop in brute-force attempts; detection logic added to production pipelines
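The detection in this case study, as an added example rather than the rule Sherlocked deployed: failures are counted per source IP across every federated application in a ten-minute sliding window, with a second threshold on distinct usernames so that one user mistyping a password never trips it. The same events run through a per-application variant of the rule show why the federated view matters: six failures on each app stay below a per-app threshold, while twelve across both apps cross it. The events, thresholds and the reputation table standing in for GreyNoise are constructed for this example.

```python
# Added example (not Sherlocked's production rule): detect credential stuffing
# by aggregating authentication failures per source IP across all federated
# apps in a sliding window, enrich the hit with an IP reputation lookup and
# emit SOAR-style actions. All events and the reputation table are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _auth(ts, app, user, ip, outcome):
    """Build one normalized auth event with ECS-style keys."""
    return {"@timestamp": ts, "service.name": app, "user.name": user,
            "source.ip": ip, "event.outcome": outcome}

BASE = datetime(2025, 5, 9, 10, 0, 0)
ATTACKER = "203.0.113.9"
# A legitimate user who mistypes once, then logs in.
EVENTS = [_auth(BASE, "portal", "alice", "192.0.2.10", "failure"),
          _auth(BASE + timedelta(seconds=20), "portal", "alice", "192.0.2.10", "success")]
# Attacker tries twelve different usernames, alternating between two federated
# apps, one attempt every 30 s: six failures per app, twelve in total.
for i in range(12):
    EVENTS.append(_auth(BASE + timedelta(seconds=60 + 30 * i),
                        "portal" if i % 2 == 0 else "billing",
                        f"user{i:03d}", ATTACKER, "failure"))

WINDOW = timedelta(minutes=10)
MIN_FAILURES = 10
MIN_DISTINCT_USERS = 8

def detect_stuffing(events, window=WINDOW, min_failures=MIN_FAILURES,
                    min_users=MIN_DISTINCT_USERS, per_app=False):
    """Sliding-window count of failures keyed by source IP (or by (IP, app)
    when per_app=True, which mimics a rule deployed separately for each app).
    Returns the first trigger per key."""
    windows = defaultdict(deque)
    alerts = {}
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        if e["event.outcome"] != "failure":
            continue
        key = (e["source.ip"], e["service.name"]) if per_app else e["source.ip"]
        q = windows[key]
        q.append(e)
        while e["@timestamp"] - q[0]["@timestamp"] > window:   # expire old entries
            q.popleft()
        users = {x["user.name"] for x in q}
        if key not in alerts and len(q) >= min_failures and len(users) >= min_users:
            alerts[key] = {"triggered_at": e["@timestamp"], "failures": len(q),
                           "distinct_users": len(users), "targeted_users": sorted(users),
                           "apps": sorted({x["service.name"] for x in q})}
    return alerts

# Constructed stand-in for an IP reputation service (GreyNoise-style verdict);
# a real deployment would query the vendor API here.
REPUTATION = {ATTACKER: {"classification": "malicious", "tags": ["credential-stuffing"]}}

def build_response(alerts, reputation=REPUTATION):
    """Map alerts to SOAR-style actions. Reputation only raises confidence;
    an unknown IP is still blocked because the behavioural threshold fired."""
    actions = []
    for ip, a in alerts.items():
        rep = reputation.get(ip, {"classification": "unknown", "tags": []})
        confidence = "high" if rep["classification"] == "malicious" else "medium"
        actions.append({"action": "block_ip", "target": ip, "confidence": confidence,
                        "ttl_hours": 24,
                        "reason": f"{a['failures']} failures across {len(a['targeted_users'])} "
                                  f"accounts on {'/'.join(a['apps'])} within {WINDOW}"})
        actions.append({"action": "require_mfa_and_notify", "users": a["targeted_users"]})
    return actions

if __name__ == "__main__":
    hits = detect_stuffing(EVENTS)
    print("federated view:", {k: (v["failures"], v["distinct_users"]) for k, v in hits.items()})
    print("per-app view:", detect_stuffing(EVENTS, per_app=True))
    for act in build_response(hits):
        print(act)
```

The federated view fires on the tenth failure from the attacker address, the per-app view never fires, and `alice` is never counted because the distinct-user threshold is not met. Keying on the source IP across applications is the step that turns per-app noise into one high-confidence alert.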


10. Standard Operating Procedure (SOP)

  1. Identify all log-producing assets by class (network, cloud, identity, endpoint)
  2. Deploy collectors or configure native logging exports (e.g., AWS CloudTrail, Sysmon)
  3. Normalize logs to standard format (ECS, CEF, LEEF, JSON)
  4. Map log fields to the detection rule schema (e.g., Sigma field names) and tag each detection with its MITRE ATT&CK technique
  5. Apply alert thresholds, exclusions, and detection logic
  6. Review alerts daily, triage, enrich with context
  7. Notify client with response recommendations
  8. Store logs in compliant, tamper-evident storage (immutable or WORM retention with integrity verification)
  9. Test detection efficacy monthly via simulations
  10. Tune noisy or redundant rules continuously
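SOP step 8 calls for storage where tampering with stored logs is detectable. As an added example (not a product's implementation), the following hash-chained, append-only store commits each entry to its sequence number, its record and the previous entry's hash, so an edited, deleted, inserted or reordered entry fails verification; an anchor (latest sequence number and hash) published out of band, for instance to a separate system or an audit ticket, additionally exposes truncation of the tail, which an internal check alone cannot see. The records are constructed.

```python
# Added example (not a product's implementation): an append-only, hash-chained
# log store with an out-of-band anchor. Records below are constructed.
import hashlib
import json

GENESIS = "0" * 64

# Constructed sample records as they would arrive after normalization.
SAMPLE_RECORDS = [
    {"ts": "2025-05-09T10:15:02Z", "host": "WKS-042", "msg": "process_start powershell.exe"},
    {"ts": "2025-05-09T10:16:44Z", "host": "db-prod-01", "msg": "sshd failed password root"},
    {"ts": "2025-05-09T10:17:10Z", "host": "aws", "msg": "ConsoleLogin deploy-svc MFAUsed=No"},
    {"ts": "2025-05-09T10:18:00Z", "host": "db-prod-01", "msg": "audit log cleared by admin"},
]

def _canonical(record):
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def _entry_hash(prev_hash, seq, record):
    """Hash binds the record to its position and to everything before it."""
    return hashlib.sha256(prev_hash.encode() + seq.to_bytes(8, "big") + _canonical(record)).hexdigest()

def append(chain, record):
    """Append a record to the chain and return the new entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    entry = {"seq": seq, "record": record, "prev": prev, "hash": _entry_hash(prev, seq, record)}
    chain.append(entry)
    return entry["hash"]

def verify(chain):
    """Recompute the chain from GENESIS; returns (ok, list of problems)."""
    problems = []
    prev = GENESIS
    for pos, entry in enumerate(chain):
        if entry["seq"] != pos:
            problems.append(f"sequence gap at position {pos}: found seq {entry['seq']}")
        if entry["prev"] != prev:
            problems.append(f"broken link at seq {entry['seq']}")
        if entry["hash"] != _entry_hash(prev, entry["seq"], entry["record"]):
            problems.append(f"hash mismatch at seq {entry['seq']}")
        prev = entry["hash"]
    return (not problems, problems)

def verify_against_anchor(chain, anchor):
    """anchor = {'seq': n, 'hash': h}, recorded out of band when entry n was written.
    Catches a truncated tail, which an internally consistent chain cannot reveal."""
    ok, problems = verify(chain)
    if len(chain) <= anchor["seq"]:
        problems.append(f"tail truncated: anchored seq {anchor['seq']} is missing")
    elif chain[anchor["seq"]]["hash"] != anchor["hash"]:
        problems.append(f"history diverges from anchor at seq {anchor['seq']}")
    return (not problems, problems)

def build_chain(records=SAMPLE_RECORDS):
    chain = []
    for r in records:
        append(chain, r)
    return chain

def demo():
    """Exercise the checks on an intact chain, a silently edited record, a
    deleted entry and a truncated tail. Returns the verdicts by scenario."""
    chain = build_chain()
    anchor = {"seq": chain[-1]["seq"], "hash": chain[-1]["hash"]}
    edited = [dict(e) for e in chain]
    edited[3] = dict(edited[3], record={**edited[3]["record"], "msg": "routine maintenance"})
    deleted = chain[:1] + chain[2:]      # entry 1 removed from the middle
    truncated = chain[:-1]               # newest entry dropped from the tail
    return {"intact": verify(chain)[0],
            "edited": verify(edited)[0],
            "deleted": verify(deleted)[0],
            "truncated_internal": verify(truncated)[0],
            "truncated_vs_anchor": verify_against_anchor(truncated, anchor)[0]}

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'OK' if ok else 'TAMPERED'}")
```

The truncated case is the one to note: the shortened chain verifies cleanly on its own and is only caught by the anchor, which is why the latest hash should leave the log store on a schedule and why a compliance alert on log deletion should compare against that external record rather than the store's own view.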

11. Readiness Checklist

Pre-Deployment

  • [ ] Log source inventory complete (firewalls, servers, AD, cloud, SaaS, endpoints)
  • [ ] Permissions provided to access or forward logs
  • [ ] SIEM or log pipeline destination defined
  • [ ] Collector agents or forwarding methods approved
  • [ ] API access or shared credentials established securely
  • [ ] Logging format confirmed per source (e.g., JSON, Syslog, XML, CEF)
  • [ ] Retention and compliance window defined (30d, 90d, 1yr+)
  • [ ] Contact list and escalation procedures provided
  • [ ] Log noise reduction rules (e.g., health checks, heartbeat suppression) defined

During Monitoring

  • [ ] Log events parsed correctly with field mapping validated
  • [ ] Alert thresholds and correlation rules operational
  • [ ] Detection logic documented and categorized (TTP, anomaly, IOC-based)
  • [ ] High-fidelity alerts escalated in <15 mins
  • [ ] Threat intel enrichment (domain/IP/user reputation) applied
  • [ ] Daily alert digest or ticket-based workflow operational
  • [ ] Integration with ticketing/notification platforms (Slack, Jira, PagerDuty)
  • [ ] Anomaly and trend dashboards available
  • [ ] Unauthorized access and privilege misuse alerts active
  • [ ] Compliance alerts (e.g., log deletions, failed audit checks) enabled

Post-Incident

  • [ ] Full log trail of event preserved and shared
  • [ ] Incident timeline and attacker TTP documented
  • [ ] Account, IP, domain, file hashes added to watchlists
  • [ ] Detection logic adjusted for missed indicators
  • [ ] Root cause and control gap identified
  • [ ] Postmortem shared with stakeholders
  • [ ] Compliance or breach reporting (if required) completed
  • [ ] Metrics like MTTD, MTTR updated

Continuous Improvement

  • [ ] Monthly detection rule reviews and tuning
  • [ ] Add new log sources as environment changes
  • [ ] Simulate attacks quarterly to validate detections
  • [ ] Enrich rules with updated threat intel
  • [ ] Incorporate new MITRE ATT&CK techniques and sub-techniques
  • [ ] Improve log tagging (e.g., business impact, location, asset class)
  • [ ] Validate log completeness and timestamp accuracy
  • [ ] Cross-correlate logs from multiple domains (e.g., identity + endpoint)