Splunk The Essential Guide To Machine Data - Singtel

THE ESSENTIAL GUIDE TO MACHINE DATA

DIGITAL EXHAUST. TIME-SERIES DATA. BIG DATA.

Whatever you call it, machine data is one of the most underused and undervalued assets of any organization. And, unfortunately, it’s usually kept for some minimum amount of time before being tossed out and never looked at again.

But some of the most important insights you can gain—across IT and the business—are hidden in this data: where things went wrong, how to optimize the customer experience, the fingerprints of fraud. All of these insights can be found in the machine data generated by the normal operations of your organization.

Machine data is valuable because it contains a definitive record of all the activity and behavior of your customers, users, transactions, applications, servers, networks and mobile devices. It includes configurations, data from APIs, message queues, change events, the output of diagnostic commands, call detail records and sensor data from industrial systems and more.

The challenge with leveraging machine data is that it comes in a dizzying array of unpredictable formats, and traditional monitoring and analysis tools weren’t designed for the variety, velocity, volume or variability of this data. But there’s a tremendous upside for organizations that take advantage of this data—including quickly diagnosing service problems, detecting sophisticated security threats, understanding the health and performance of remote equipment and demonstrating compliance.

USING MACHINE DATA IN PRACTICE

Using machine data requires three (seemingly) simple steps:

1. INGEST
2. CORRELATE
3. ANALYZE

Figure 1: Machine data can come from any number of sources, and at first glance, can look like random text. (Sources shown: Order Processing, Middleware Error, Care IVR, Twitter.)

The organizations that get the most value from machine data are able to take disparate data types, link them together, and gain value from the result. But one of the biggest challenges is understanding what data you should ingest.

By defining the use cases you’re attempting to resolve – be it security, IT operations, business analytics or the Internet of Things – you can start to identify the data sources you should ingest and begin correlating.

Figure 2: The value of machine data is hidden in this text. (Fields highlighted: CUSTOMER ID, ORDER ID, PRODUCT ID, ON HOLD TIME, TWITTER ID, CUSTOMER TWEET, COMPANY TWITTER ID.)

So how does machine data provide value? See the example in the figures.

In this example, analyzing the machine data makes the story clear:

1. A customer’s order didn’t go through
2. The customer called Support to try to resolve the issue
3. After some time on hold, the customer sent a negative tweet about the company

By linking together the machine data, the company can see the original issue and get a full view of the customer experience.

Figure 3: By correlating different types of machine data together, you can start to gain real insight into what’s going on in your infrastructure, see security threats or even use the insights to drive better business decisions.

THE ESSENTIAL GUIDE TO MACHINE DATA

This book provides a high-level overview of the most common types of machine data that are found in organizations of nearly any size. While each organization’s needs and data sources will vary by vendor, product and infrastructure, this book details where you should look for machine data and the value it can provide to IT, security, business analytics and Internet of Things use cases.

Many of the data sources listed in this book can support multiple use cases – this is a major part of what drives machine data’s tremendous value. The use cases supported by each data source can be easily identified with the icons below.

Use case icons: SECURITY & COMPLIANCE; IT OPS, APP DELIVERY & DEVOPS; INTERNET OF THINGS; BUSINESS ANALYTICS

Table of Contents

User Data
• Authentication
• Virtual Private Networks (VPN)

Application Data
• Antivirus
• (APM) Tool Logs
• Custom Application Logs & Debug Logs
• CRM, ERP and Other Business Applications
• Code Management
• Vulnerability Scanning
• Mail Server
• Test Coverage Tools
• Automation, Configuration and Deployment Tools (Platforms)
• Build Systems (Platforms)
• Binary Repositories
• Container Logs & Metrics

Middleware Data
• Middleware
• Web Server
• Application Server
• Mobile Device Data

Network Data
• SNMP
• Deep Packet Inspection Data
• DHCP
• Endpoint
• Firewall
• FTP
• Intrusion Detection/Prevention
• Load Balancer
• DNS
• Network Access Control (NAC)
• Network Switches
• Network Routers
• Network Protocols
• Proxies
• VoIP

Operating System Data
• System Logs
• System Performance

Virtual Infrastructure Data
• Amazon Web Services (AWS)
• Microsoft Azure
• VMware Server Logs, Configuration Data and Performance Metrics

Physical Infrastructure & IoT Data
• Physical Card Readers
• Sensor Data
• Server Logs
• Backup
• Storage
• Mainframe
• Patch Logs
• Telephony
• Point of Sale Systems
• RFID/NFC/BLE
• Smart Meters
• Transportation
• Medical Devices
• Environmental Sensors
• Industrial Control Systems
• Wearables

Additional Data Sources
• Database
• Third-Party Lists
• Social Media Feeds
• Human Resources
• Business Service Transaction & Business Service Performance Data

USER DATA
AUTHENTICATION DATA

Use Cases: Security & Compliance, IT Operations, Application Delivery
Examples: Active Directory, LDAP, Identity Management, Single-Sign On

Authentication data provides insight into users and identity activity. Common authentication data sources include:

• Active Directory: a distributed directory in which organizations define user and group identities, security policies and content controls.
• LDAP: an open standard defined by the IETF that is typically used to provide user authentication (name and password). It has a flexible directory structure that can be used for a variety of information such as full name, phone numbers, email and physical addresses, organizational units, workgroup and manager.
• Identity Management: identity management is the method of linking the users of digital resources—whether people, IoT devices, systems or applications—to a verifiable online ID.
• Single Sign-On (SSO): a process of using federated identity management to provide verifiable, attestable identities from a single source to multiple systems. SSO significantly increases security by tying user credentials to a single source, allowing changes to user rights and account status to be made once, and reflected in every application or service to which the user has access. SSO is particularly important for users with elevated security rights such as system or network administrators that have access to a large number of systems.

Use Cases:

IT Ops & Application Delivery: Authentication data supports IT operations teams as they troubleshoot issues related to authentication. For example, application support can be tied to logins, enabling IT operations to see whether users are struggling to log in to applications. For IT operations teams that support Active Directory, logs can be used to troubleshoot and understand the health of Active Directory.

Security & Compliance: For security, authentication data provides a wealth of information about user activity, such as multiple login failures or successes to multiple hosts in a given time window, activities from different locations within a given amount of time, and brute force activities. Specifically:

• Active Directory domain controller logs contain information regarding user accounts, such as privileged account activity, as well as the details on remote access, new account creation and expired account activity.
• LDAP logs include a record of who, when and where users log in to a system and how information is accessed.
• Identity Management data shows access rights by user, group and job title (e.g., CEO, supervisor or regular user). This data can be used to identify access anomalies that could be potential threats—for example, the CEO accessing a low-level networking device or a network admin accessing the CEO’s account.
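As an added illustration (not part of the guide), the sketch below applies the "multiple login failures or successes to multiple hosts in a given time window" idea to a few constructed authentication events. The event layout, the five-minute window and both thresholds are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, target host, outcome).
SAMPLE_EVENTS = [
    ("2024-01-07T09:00:00", "bob", "web01", "failure"),
    ("2024-01-07T09:20:00", "bob", "web01", "failure"),
    ("2024-01-07T09:40:00", "bob", "web01", "failure"),
    ("2024-01-07T10:00:00", "bob", "web01", "failure"),
    ("2024-01-07T10:20:00", "bob", "web01", "failure"),   # slow, spread out: no burst
    ("2024-01-07T18:00:00", "alice", "web01", "failure"),
    ("2024-01-07T18:00:30", "alice", "web01", "success"), # one typo, then login
    ("2024-01-07T18:10:00", "svc_backup", "web01", "failure"),
    ("2024-01-07T18:10:20", "svc_backup", "web01", "failure"),
    ("2024-01-07T18:10:40", "svc_backup", "db01", "failure"),
    ("2024-01-07T18:11:00", "svc_backup", "db01", "failure"),
    ("2024-01-07T18:11:20", "svc_backup", "app01", "failure"),
    ("2024-01-07T18:11:40", "svc_backup", "app01", "success"),
]


def detect_auth_anomalies(events, window=timedelta(minutes=5),
                          fail_threshold=5, host_threshold=3):
    """Return (alert_kind, user, timestamp) tuples for three patterns:
    a burst of failures, failures spread over several hosts, and a
    success that follows a failure burst, all within `window`."""
    recent = defaultdict(deque)  # user -> deque of (time, host, outcome)
    alerts = []
    for ts, user, host, outcome in sorted(events):
        now = datetime.fromisoformat(ts)
        queue = recent[user]
        # Drop events that have aged out of the sliding window.
        while queue and now - queue[0][0] > window:
            queue.popleft()
        fails_before = [e for e in queue if e[2] == "failure"]
        hosts_before = {e[1] for e in fails_before}
        queue.append((now, host, outcome))
        if outcome == "failure":
            # Alert once, on the event that reaches the threshold.
            if len(fails_before) + 1 == fail_threshold:
                alerts.append(("failure_burst", user, ts))
            if host not in hosts_before and len(hosts_before) + 1 == host_threshold:
                alerts.append(("failures_on_multiple_hosts", user, ts))
        elif len(fails_before) >= fail_threshold:
            alerts.append(("success_after_failure_burst", user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_anomalies(SAMPLE_EVENTS):
        print(alert)
```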

USER DATA
VIRTUAL PRIVATE NETWORKS (VPN)

Use Cases: Security & Compliance
Examples: Citrix NetScaler Nitro, Citrix NetScaler IPFIX, Cisco

Virtual private networks (VPNs) are a way of building a secure extension of a private network over an insecure, public one. VPNs can be established either between networks, routing all traffic between two sites, or between a client device and a network. Network-to-network VPNs typically are created using strong credentials such as certificates on each end of the connection. Client-to-network VPNs rely on user authentication, which can be as simple as a username and password. VPNs use network tunneling protocols such as IPSec, OpenVPN plus SSL or L2TP with cryptographically strong algorithms to scramble information in transit and ensure end-to-end data integrity.

Use Cases:

Security & Compliance: VPN logs help in analyzing users coming onto the network. This information can be used in a number of ways, including situational awareness, monitoring foreign IP subnets, and compliance monitoring of browsers and applications of connected hosts. VPN data can also help identify:

• Activities from different locations, such as changes in location within a given amount of time
• Access from risky countries or locations
• User sessions at odd times, such as late evenings or weekends
• User land speed violations
• Abnormal frequency of sessions based on each user profile
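The "user land speed violations" check listed above can be sketched as follows; this is an added example, not code from the guide. It assumes each VPN session record already carries geo-IP coordinates for the client address, and the 900 km/h speed limit and 50 km minimum distance are assumed thresholds. The session records are constructed.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0

# Constructed sample sessions: (ISO timestamp, user, latitude, longitude).
SAMPLE_SESSIONS = [
    ("2024-01-07T08:00:00", "alice", 51.5074, -0.1278),    # London
    ("2024-01-07T09:00:00", "alice", 40.7128, -74.0060),   # New York, 1 h later
    ("2024-01-07T08:00:00", "bob", 48.8566, 2.3522),       # Paris
    ("2024-01-07T20:00:00", "bob", 52.5200, 13.4050),      # Berlin, 12 h later
    ("2024-01-07T10:00:00", "carol", 1.3521, 103.8198),    # Singapore
    ("2024-01-07T10:05:00", "carol", 1.2903, 103.8520),    # a few km away
    ("2024-01-07T12:00:00", "dave", -33.8688, 151.2093),   # Sydney
    ("2024-01-07T12:00:00", "dave", 35.6762, 139.6503),    # Tokyo, same second
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlambda = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def land_speed_violations(sessions, max_kmh=900.0, min_km=50.0):
    """Compare each session with the same user's previous one and return
    (user, previous_ts, ts, distance_km, speed_kmh) where the implied
    travel speed exceeds max_kmh. Distances under min_km are ignored
    because geo-IP locations are imprecise."""
    last_seen = {}  # user -> (datetime, timestamp string, lat, lon)
    violations = []
    for ts, user, lat, lon in sorted(sessions):
        when = datetime.fromisoformat(ts)
        if user in last_seen:
            prev_when, prev_ts, prev_lat, prev_lon = last_seen[user]
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600
            if km >= min_km:
                # Simultaneous sessions from distant places: infinite speed.
                kmh = km / hours if hours > 0 else math.inf
                if kmh > max_kmh:
                    violations.append((user, prev_ts, ts, round(km), kmh))
        last_seen[user] = (when, ts, lat, lon)
    return violations


if __name__ == "__main__":
    for violation in land_speed_violations(SAMPLE_SESSIONS):
        print(violation)
```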

APPLICATION DATA
ANTIVIRUS

Use Cases: Security & Compliance
Examples: Kaspersky, McAfee, Norton Security, F-Secure, Avira, Panda, Trend Micro

The weakest link in corporate security is an individual, and antivirus is one way to protect employees from performing inadvertently harmful actions. Whether it’s clicking on an untrustworthy web link, downloading malicious software or opening a booby-trapped document (often one sent to them by an unsuspecting colleague), antivirus can often prevent, mitigate or reverse the damage.

So-called advanced persistent threats (APTs) often enter through a single compromised machine attached to a trusted network. While not perfect, antivirus software can recognize and thwart common attack methods before they can spread.

Use Cases:

Security & Compliance: Antivirus logs support the analysis of malware and vulnerabilities of hosts, laptops and servers; and can be used to monitor for suspicious file paths. This data can help identify:

• Newly detected binaries, file hash, files in the filesystem and registries
• When binaries, hash or registries match threat intelligence
• Unpatched operating systems
• Known malware signatures

APPLICATION DATA
APM TOOL LOGS

Use Cases: IT Operations, Application Delivery, Security & Compliance
Examples: Dynatrace, New Relic, App Dynamics, MMSoft Pulseway, LogicMonitor, Stackify, Idera, Ipswitch

Application Performance Management (APM) software provides end-to-end measurement of complex, multi-tier applications to provide performance metrics from an end user’s perspective. APM logs also provide event traces and diagnostic data that can assist developers in identifying performance bottlenecks or error conditions. The data from APM software provides both a baseline of typical application performance and a record of anomalous behavior or performance degradation. Carefully monitoring APM logs can provide an early warning to application problems and allow IT and developers to remediate issues before users experience significant degradation or disruption. APM logs also are required to perform post-hoc forensic analysis of complex application problems that may involve subtle interactions between multiple machines, network devices or both.

Use Cases:

IT Ops & Application Delivery: By providing end-to-end measurement of complex, multi-tier applications, APM logs can show infrastructure problems and bottlenecks that aren’t visible when looking at each system individually, such as slow DNS resolution causing a complex web app to bog down as it tries to access content and modules on many different systems.

Security & Compliance: Security teams can use APM logs to perform post-hoc forensic analysis of incidents that span multiple systems and exploit vulnerabilities. The data can be used to correlate security indications between the system and application activities. It also helps to identify SQL/API calls/CMD made in relation to suspicious activity, or abnormal amounts of sessions or CPU load in relation to security activity.

APPLICATION DATA
CUSTOM APPLICATION & DEBUG LOGS

Use Cases: IT Operations, Application Delivery, Security & Compliance
Examples: Custom applications

Best practices for application developers require the inclusion of debugging code in applications that can be enabled to provide minute details of application state, variables and error conditions or exceptions. Debug output is typically logged for later analysis that can expose the cause of application crashes, memory leaks, performance degradation and security holes. Furthermore, since the events causing a security or performance problem may be spaced over time, logs—along with the problem software—can help correlate and trace temporally separated errors to show how they contribute to a larger problem.

Application debug logs provide a record of program behavior that is necessary to identify and fix software defects, security vulnerabilities or performance bottlenecks. While test logs record the output results of application usage, debug logs provide information about an application’s internal state, including the contents of variables, memory buffers and registers; a detailed record of API calls; and even a step-by-step trace through a particular module or subroutine. Due to the performance overhead and amount of data produced, debug logs typically are enabled only when a problem can’t be identified via test or event logs.

Use Cases:

IT Ops & Application Delivery: Debug output can expose application behavior that causes inefficient use of system resources or application failures that can be addressed by developers and operations teams. Debug output is useful for unraveling the internal state of an application that exhibits performance problems or has been shown to have security vulnerabilities, and the data can be helpful in identifying root cause.

Security & Compliance: Security breaches are often the result of improper handling of unexpected inputs, such as buffer overflow exploits or data injection used in cross-site scripting attacks. This type of low-level vulnerability is almost impossible to detect without logging the internal state of various application variables and buffers.

Similar to APM logs, custom application and debug logs can be used to correlate security indications between the system and application activities. It also helps to identify SQL/API calls/CMD made in relation to suspicious activity, or abnormal amounts of sessions or CPU load in relation to security activity.

APPLICATION DATA
CRM, ERP AND OTHER BUSINESS APPLICATIONS

Use Cases: Application Delivery, Security & Compliance, Business Analytics, IoT
Examples: SAP, SFDC, SugarCRM, Oracle, Microsoft Dynamics

Business Applications can create a wealth of data as part of normal operations. Two examples are CRM and ERP applications:

• Customer relationship management (CRM) systems have become an essential part of every organization, providing a central database of all customer contact information, communications and transaction details. CRM systems have evolved from simple contact management systems to platforms for customer support and engagement by providing personalized sales and support information. The same customer support data repository can be used to develop customized marketing messages and sales promotions. CRM systems are also useful for application support and enhancement by recording details about customer problems with a particular system or application along with their eventual solution—details that can inform future application or service updates.
• Enterprise resource planning (ERP) applications are a critical back-office IT service that provides systematic, automated collection and analysis of a variety of product, supply chain and logistics data. ERP is used in product planning, tracking purchases of components and supplies, inventory management, monitoring and regulating manufacturing processes, managing logistics, warehouse inventory and shipping and to monitor and measure the effectiveness of sales and marketing campaigns. ERP software also integrates with CRM, HR, finance/accounting/payroll and asset management systems, with bidirectional data flows that provide consistent information across back-end digital business processes. ERP systems are typically built on a relational database management system with a variety of modules and customizations for specific functions such as supplier relationship management or supply chain management. Due to their complexity, ERP systems often are installed and managed by product specialists.

Use Cases:

Application Delivery: CRM databases can provide a complete record of all information and events leading up to a customer escalation. When combined with other data sources, CRM can provide indicators of deeper issues.

Like other application records, ERP logs are necessary when debugging performance and reliability problems due to the complex interactions between many systems in an ERP implementation. Logs are also useful in capacity planning.

Security & Compliance: CRM records can help security teams unravel incidents that involve multiple customers and problem episodes over a long time span. They can also provide evidence of a breach, should records be modified outside normal business processes. In addition, the data can be used to audit access records of customer or internal user information.

Business Analytics & IoT: CRM and ERP data is a crucial source of referential and transactional data that helps drive much needed context to machine data in business use cases. For instance, when combined with point-of-sale data and mobile application data from loyalty applications, retailers can drive real-time 1:1 targeted marketing campaigns, and then use machine learning to predict customer purchasing behavior and revenue trends.

APPLICATION DATA
CODE MANAGEMENT

Use Cases: Application Delivery

For all but the most trivial implementations, application source code is comprised of dozens if not hundreds of interrelated files. The complexity and volatility of code—particularly when using agile development methodologies and changes are made daily—makes keeping track of it virtually impossible without a structured, automated source code management and revision control system.

Originally built as client-server applications where developers checked in code to a central repository, today’s systems (such as Git) are often distributed, with each developer working from a local copy of the full repository and changes synchronized across all subscribers to a particular project. Code management systems provide revision control (the ability to back out changes to an earlier version), software build automation, configuration status records and reporting, and the ability to branch or fork all or part of a source-code tree into a separate subproject with its own versioning.

Use Cases:

Application Delivery: The version records of code management can help IT operations teams identify application changes that are causing system problems, such as excessive resource consumption or interference with other applications.

APPLICATION DATA
VULNERABILITY SCANNING

Use Cases: Security & Compliance
Examples: ncircle IP360, Nessus

An effective way to find security holes is to examine infrastructure from the attacker’s point of view. Vulnerability scans probe an organization’s network for known software defects that provide entry points for external agents. These scans yield data about open ports and IP addresses that can be used by malicious agents to gain entry to a particular system or entire network.

Systems often keep network services running by default, even when they aren’t required for a particular server. These running, unmonitored services are a common means of external attack, as they may not be patched with the latest OS security updates. Broadscale vulnerability scans can reveal security holes that could be leveraged to access an entire enterprise network.

Use Cases:

Security & Compliance: Vulnerability scans yield data about open ports and IP addresses that can be used by malicious agents to gain entry to a particular system or entire network. The data can be used to identify:

• System misconfiguration causing security vulnerability
• Outdated patches
• Unnecessary network service ports
• Misconfigured filesystems, users or applications
• Changes in system configuration
• Changes in various user, app or filesystem permissions

APPLICATION DATA
MAIL SERVER

Use Cases: IT Operations, Security & Compliance
Examples: Exchange, Office 365

Email remains the primary form of formal communication in most organizations. As such, mail server databases and logs are some of the most important business records. Due to their size and tendency to grow without bounds, email data management typically requires both data retention and archival policies so that only important records are held and inactive data is moved to low-cost storage.

Use Cases:

IT Ops: Email messages and activity logs can be required to maintain compliance with an organization’s information security, retention and regulatory compliance processes. Mail server transaction and error logs also are essential debugging tools for IT problem resolution and also may be used for usage-based billing.

Security & Compliance: Mail server data can help identify malicious attachments, malicious domain links and redirects, emails from known malicious domains, and emails from unknown domains. It can also be used to identify emails with abnormal or excessive message sizes, and abnormal email activity times.

APPLICATION DATA
TEST COVERAGE TOOLS

Use Cases: Application Delivery & DevOps
Examples: Static Analysis & Unit Testing logs (SonarQube, Tox, PyTest, RubyGem MiniTest, Bacon, Go Testing), build server logs and performance metrics

Typical test coverage includes functional, statement, branch and conditional coverage. The idea is to match what percentage of code can be exercised by a test suite of one or more coverage criteria. Coverage tests are usually defined by rule or requirements. In addition to coverage testing, software delivery teams can utilize machine data to understand the line count, code density and technical debt.

Use Cases:

Application Delivery and DevOps: Test coverage data monitoring helps release managers, application owners and others understand:

• How much technical debt and issues are they resolving?
• How ready is their next release?
• From unit testing – how many tests were performed per hour and what tests are being run?

If test coverage data is combined with build data, release managers can start monitoring build and release performance and start understanding the release quality. They can understand the trends in error percentage and make decisions on if the build is ready for production. Understanding code quality can also help support teams get prepared for any additional volume of calls or any particular issues that may arise.

APPLICATION DATA
AUTOMATION, CONFIGURATION, DEPLOYMENT TOOLS (PLATFORMS)

Use Cases: Application Delivery & DevOps
Examples: Puppet Enterprise, Ansible Tower, Chef, SaltStack, Rundeck, machine data ingested through APIs, webhooks or run logs

Automated configuration and deployment tools, also known as “infrastruct
