This post walks through a practical, hands-on approach to configuring a Security Information and Event Management (SIEM) system to satisfy Essential Cybersecurity Controls (ECC – 2 : 2024) Control 2-12-2 for event logs and monitoring management — with clear steps, technical details, and small-business examples you can apply immediately.
Understand the Requirement and Key Objectives
ECC 2-12-2 expects organizations to collect, retain, and monitor security-relevant logs so that suspicious activity can be detected, investigated, and reported. Your objectives are: (1) ensure coverage of critical log sources (authentication, network devices, endpoints, cloud services), (2) guarantee integrity, timestamp accuracy, and secure transport of logs, (3) implement normalization and correlation for actionable alerts, and (4) retain and make logs available for audit/forensic review per Compliance Framework policies.
Preparation and design: inventory, retention and sizing
Start with an inventory: list servers, endpoints, network devices (firewalls, VPNs, switches), cloud services (Office365, Azure AD), and application logs (web servers, databases, HR systems). For a small business (≈50 employees) example: 50 endpoints, 1 domain controller, 1 firewall, 1 VPN, Office365, and 2 web servers. Estimate daily events: endpoints 5–200 events/day depending on agent verbosity; infrastructure devices 1k–10k/day. Use a simple sizing calc: total_events_per_day × avg_event_size (e.g., 1 KB) → daily storage; multiply by retention (e.g., 365 days) to estimate long-term storage. Also define retention by policy (e.g., 90 days hot, 1 year warm, 3+ years archived) and backup rules to meet Compliance Framework requirements.
Collector and transport: reliable, secure ingestion
Design collectors and transport before enabling high-volume logging. Use standardized transports and formats: syslog (UDP 514 for legacy, prefer TCP 514 or TLS 6514), CEF or LEEF for device normalization, and JSON for modern cloud sources. For Windows, use Winlogbeat, NXLog, or native Windows Event Forwarding (WEF) to forward to the collector; for Office365/Azure use API ingestion or dedicated collectors. Enforce time sync (NTP) across systems to ensure accurate timestamps. Example configs: configure firewall to send syslog over TCP/TLS to your SIEM collector IP, deploy Winlogbeat to domain-joined endpoints for event IDs 4624/4625/4672/4688, and enable API pulls for Office365 audit logs with a service account. Always encrypt transport in transit and restrict collector endpoints by IP and mutual TLS where supported.
Parsing, normalization and detection rules
Normalization converts vendor-specific fields to a consistent schema (timestamp, src_ip, dst_ip, username, event_type, event_id, severity). Map common fields and ensure the SIEM parses key Windows Event IDs (logon/logoff, privilege use, service creation), firewall accept/deny, VPN connect/disconnect, DNS anomalies, and EDR alerts. Create correlation rules for high-value detection: example rules for a small business — "More than 5 failed RDP logons for same account across 5 minutes" (brute force), "New local admin created on workstation" (privilege escalation), "Endpoint EDR alerts + outbound anomalous DNS" (possible ransomware). Provide example pseudocode: if (failed_logons(account) > 5 within 5 minutes AND source_ip not in allowlist) then alert severity HIGH. Tune thresholds to local baseline to reduce false positives.
Alerting, workflows and operational tuning
Define alert categories (informational, low, medium, high, critical), and map each to an action: auto-ticket for medium+, phone/SMS for critical. Integrate SIEM with your ticketing system (Jira, ServiceNow, or a small-business tool like Freshservice). For each alert create a runbook that lists immediate steps: contact owner, isolate host, collect forensic images, preserve logs. Perform weekly or bi-weekly tuning: review top alerts, adjust thresholds, disable noisy rules, whitelist known benign sources. Enrich alerts with context (asset owner, business criticality, geolocation) so responders know priority and expected impact without manual lookups.
Compliance, retention, and the risk of not implementing
Implement access controls: limit who can search or export logs, enforce role-based access, and enable audit logs of SIEM activities. Secure stored logs with encryption-at-rest and immutable storage for at least the minimum retention required by Compliance Framework; for many small organizations 1–3 years is common, but check sector-specific rules. The risk of not implementing ECC 2-12-2 is significant: missed compromise indicators (delayed breach detection), inability to perform forensic investigations, failed audits, regulatory penalty exposure, and extended business disruption. For example, if your firewall and domain controller logs are not collected you may not detect lateral movement during an intrusion until customer data is exfiltrated.
Compliance tips, real-world small-business scenarios and best practices
Practical tips: 1) Prioritize high-value logs first: AD auths, firewall, VPN, EDR, cloud audit logs — then add web and application logs. 2) Use light-weight agents like Winlogbeat to reduce network/CPU impact. 3) Implement a staging SIEM project — collect and store logs for 30 days, tune parsers, then turn on correlation. 4) For a small office using Unifi/pfSense, configure syslog export to your collector and begin with authentication and firewall deny logs. 5) Maintain runbooks and test incident playbooks quarterly. Best practices include enforcing NTP, protecting log integrity (hash and periodic verification), preventing log deletion by limiting admin roles, and documenting retention policies mapping back to the Compliance Framework.
Summary: To meet ECC 2-12-2 you must design a pragmatic SIEM deployment that inventories sources, secures transport and storage, normalizes and correlates events, and embeds alerting and response workflows — starting from a prioritized small-business scope and iterating with tuning and policy-driven retention. Implementing these steps reduces detection time, improves forensics, supports audits, and significantly lowers the risk and impact of security incidents.
