Broke into general log use cases + security use cases.

[adamshostack]

Brought in a few things that were more clear in the old cs, and did some refactoring. https://wiki.owasp.org/index.php?title=Error_Handling,_Auditing_and_Logging

You're A Rockstar

Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

• In case of a new Cheat Sheet, you have used the Cheat Sheet template.
• All the markdown files do not raise any validation policy violation, see the policy.
• All the markdown files follow these format rules.
• All your assets are stored in the assets folder.
• All the images used are in the PNG format.
• Any references to websites have been formatted as [TEXT](URL)
• You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
• The CI build of your PR pass, see the build status here.

If your PR is related to an issue, please finish your PR text with the following line:

This PR fixes issue #<REPLACE WITH ISSUE NUMBER>.

Thank you again for your contribution 😃

[szh]

LGTM

[kwwall]

Will leave it to you if you want to address the minor punctuation nits that I brought up, but I approve even without those being addressed.

[kwwall]

Seems like some additional punctuation would be useful here. E.g.,

Business process monitoring; e.g. - sales process abandonment, transactions, connections

[kwwall]

Ditto in this case as well.

[adamshostack]

no argument - if you go in to make the change re alert vs investigations, do you want to roll these into that change?

[kwwall]

At this moment of time, I am not that ambitious. And I think what you have is fine.

[kwwall]

After 25+ years of me working in AppSec with CIRT and/or DFIR teams, I've observed that the CIRT / DFIR teams tend to split the log messages for security use cases into 2 main camps. One are log messages that they will use to trigger alerts (often combined with thresholds), and the other type are log events that is used as forensic evidence which they generally ignore until they open an investigation into a potential breach.

This division referenced here seems to be alluding to that. I'm not saying that we ought to provide more detail here, but was just curious if anyone else had had ever made similar observations.

[adamshostack]

I haven't seen this, but I think from an advice perspective something like "Ask yourself 'is this a message someone will use to trigger an action, or as part of a larger investigation'?"

[kwwall]

This is like the forensics use that I previously mentioned.

[adamshostack]

Agreed

[kwwall]

This could take up a cheat-sheet topic just on it's own. While it is not easy to achieve, the difficulty varies depending on your specific goals. It also need not require dsigs (e.g., recording logs to a WORM drive doesn't require that.) The bigger question is whether a business would consider this of something of value. To answer that, I think you need to consider it from a cost-benefit perspective and then do a threat model to decide what level of assurance of non-repudiation are you trying to achieve in like of the surfaced threats. That seems just the type of thing that fits in @adamshostack's wheelhouse. 😄