esLOG Services

Definitions

“Cloud Services” mean, collectively, cloud-based service offerings, including all services related to esLOG Services.
“Product Publisher” means the publisher of any third-party software utilized as part of the esLOG Services.
“Alert” is an event or set of events that eSentire will escalate to the Customer.

Service Description

esLOG is a service providing centralized log management with analysis, investigation and alerting based on log data (the “esLOG Services”). esLOG Services leverage a cloud-native SIEM platform from the Product Publisher combined with the eSentire Atlas XDR platform to detect, hunt, and investigate IT security threats. esLOG Services collect information from assets in the Client network and cloud resources (the “Client environment”) and monitor and analyze that data for potential threats, unusual behavior, or other indicators of compromise. Suspicious activity is reviewed by eSentire’s Security Operations Center (SOC) on a 24x7x365 basis, with investigations initiated and the Client notified as required. The esLOG Services are fully managed and available on a subscription basis.

Service Features

Log Collection

esLOG Services accept log data from a variety of sources, including syslog, Windows event log (WMI), flat files, and cloud applications and infrastructure. The set of supported log sources is under continuous improvement. Unsupported or custom log sources may be nominated for collection; adding support for them is evaluated and scheduled case by case and is included in the esLOG Services.

Logs will be transported from the Client environment to the Product Publisher’s hosted cloud SIEM platform by one of three methods as appropriate:

  • Secure transport direct to the SIEM platform via HTTPS or secure (TLS-encrypted) syslog;
  • Centralized collection in the Client environment using eSentire-provided collector software installed on Client-managed hosts;
  • Agent software installed on each monitored host.

Log Retention

Client data is retained by esLOG Services for 365 days. All collected data is stored in the Product Publisher’s cloud environment; all alerts and metadata are stored in eSentire’s cloud environment. Both are subject to administrative, physical and technical safeguards. Upon termination of the esLOG Services, all collected data is securely destroyed.

Client-controlled copies of collected log data are available by configuring the esLOG Services to forward a copy of all collected data to an AWS S3 bucket that is provisioned, managed, and controlled by the Client (“Data Forwarding”). Only data collected after Data Forwarding is enabled is copied; the feature cannot be applied retroactively to data already collected.

Data Access and Reporting

The eSentire Insight portal is the primary Client interface to access the outcomes of MDR services, including esLOG. The Insight portal provides an overview of the Client’s security posture and details on escalated alerts, ongoing investigations, service status and other information.

For more detailed interaction with collected log data, esLOG Services provide the Client with direct access to their esLOG SIEM tenant. This access includes self-service access to:

  • Ad-hoc searches
  • Scheduled searches
  • Real-time and scheduled search alerting (direct to Client)
  • Live dashboards
  • API queries

Large volumes of data are collected for a variety of esLOG Services use cases. Many use cases require continuous monitoring, while others require less frequent analysis. Logs from development, test and pre-production systems, debug/trace logs, and specific data excluded from security scope still need to be collected so that they can be reviewed in digest form and support investigations. esLOG Services will direct up to 40% of this low-touch data to alternate storage tiers within the SIEM platform as appropriate to ensure maximum service effectiveness. This data remains available to ad-hoc searches and API queries and is in scope for all investigations and threat hunts. The nomination of low-touch logs is done in collaboration with the Client, based on the specific set of log sources in scope and on eSentire’s log scoping best practices.

eSentire will support the Client through access to self-directed training and documentation, as well as direct support via email and telephone.

Alerting Escalation

Collected log data may be subject to analysis by eSentire correlation rules, a continuously updating set of logic and intelligence for the purpose of creating alerts for SOC review. The set of eSentire rules will include industry best practices, the results of internal research and intelligence, and suggestions made by Clients.

The Client may also create additional alerting from log events for direct notification to Client personnel. The esLOG Services include approximately 24 hours per year of professional services time for the execution of such Client-specific tasks. Monitoring of these alerts is the responsibility of the Client. eSentire reserves the right to limit custom alerting configuration to security use cases and to the log sources in scope of the esLOG Services.

SOC Alerting and Investigation

Alerts for potential threats are processed, enriched, and delivered to eSentire’s SOC. eSentire uses the data from esLOG Services within the broader MDR Services, including other signals, threat intelligence, and investigations to determine the nature and severity of the threat and will notify the Client according to defined escalation procedures and SLOs. Where other MDR services are in place, the SOC may execute proactive response actions.

esLOG Essentials Service Option

A selected subset of data collected for the esLOG Services may optionally be designated for a storage-only service option. Data nominated for this option is collected, stored and available for on-demand searching and threat hunting, but is not analyzed by the platform for real-time alerting. Data subject to this option is generally data deemed out of scope for security or MDR services, or data and systems collected for compliance purposes only. Eligibility and selection are defined jointly by the Client and eSentire using industry best practices and specific Client needs. Data subscribed to esLOG Essentials is not eligible for Data Forwarding.

Deployment

eSentire will provide and support one cloud-hosted esLOG instance (an “esLOG Instance” or “Tenant”). This is a hosted instance of the Product Publisher’s software used to provide log collection, storage, querying and data analytics, and is a component of the larger esLOG Service.

esLOG Collectors

  • Installing. eSentire will provide installation software, supporting documentation, guides, and support for the installation of on-premises log collectors (“esLOG Collector” or “Collector(s)”).
  • Deployment. Collectors will be installed by the Client with eSentire’s direct assistance during the onboarding period. The Client is responsible for the ongoing management of the Collectors and for ensuring that the Collectors are not prevented from communicating with the applicable esLOG Instance.

Log data is explicitly nominated for the esLOG Services by source host or application. Scoping of the service is performed prior to sale to determine the contracted ingest quota, expressed in GB per day. eSentire professional services, in collaboration with the Client, will complete an inventory of all in-scope logging and auditing devices, applications and cloud services and assist with configuring data acquisition. The log data to collect will be prioritized by the data types providing maximum service effectiveness.

The esLOG Services include approximately 24 hours of onboarding services.

Maintenance and Support

eSentire shall provide support to the Client for both security and system issues related to the esLOG Services.

Responsibilities

Function                                                                           Client   eSentire
Threat Detection - content creation, evolution and management (standard library)   I        RA
Threat Detection - deploy content                                                  I        RA
Threat Detection - content tuning                                                  A        R
Threat Detection - custom use cases                                                RA       R (limited)
Threat Detection - submit use cases to TRU                                         I        RA
Threat Detection - alert monitoring, analysis                                      I        RA
Threat Detection - notification                                                    I        RA
Threat Detection - resolution                                                      RA       RA
Threat Detection - threat intel integration                                        I        RA
System - SIEM cloud instance setup                                                 I        RA
System - Hosted Collector setup                                                    RA       RA
System - Installed Collector setup                                                 RA       C
System - usage (data quota) management                                             RA       C
System - data ingest tuning                                                        RA       C
System - end user training                                                         RA       Self service / C
System - user account management                                                   A        RA
System - operations and metrics use cases                                          RA       -
System - compliance use cases                                                      RA       -
System - observability use cases                                                   RA       -
System - ad hoc search, report and dashboards (outside standard library)           RA       R (limited)
Health - cloud instance uptime & patching                                          I        RA
Health - Hosted Collector uptime & patching                                        I        RA
Health - Installed Collector uptime                                                RA       C
Health - Installed Collector patching                                              RA       C
Health - general troubleshooting                                                   RA       C
Data - source device logging config                                                RA       C
Data - resolving collection issues                                                 RA       C
Data - monitoring collection                                                       I        RA
Data - notification of lack of collection                                          A        R
Data - Source Category definition                                                  RA       C
Data - verify data correctness (for in-scope data)                                 RA       C

R = Responsible; responsible for action and implementation. Responsibility can be shared.

A = Accountable; ultimately answerable for the activity or decision. This includes "yes" or "no" authority and veto power.

C = Consult; typically the subject matter experts, to be consulted prior to a final decision or action.

I = Inform; needs to be informed after a decision or action is taken.
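The “monitoring collection” and “notification of lack of collection” rows above, together with the GB-per-day ingest quota described under Deployment, are checks a Client can also run against their own tenant using the self-service search and API access. What follows is an added example, not eSentire’s or the Product Publisher’s code: it takes a constructed set of ingested events, flags sources whose last event is older than a multiple of their expected reporting interval, and projects the day’s ingest against the quota. The source category names, the expected intervals, the 3x tolerance, the 4-hour sampling window and the quota value are all assumptions chosen for illustration.

```python
"""Collection-health check for nominated esLOG sources (added illustration).

Flags sources that have gone silent beyond their expected reporting interval
and projects daily ingest against the contracted GB/day quota. Category
names, intervals, window and quota below are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample events: (timestamp, sourceCategory, host, bytes ingested).
SAMPLE_EVENTS = [
    (datetime(2024, 3, 1, 8, 0, tzinfo=UTC),   "firewall/syslog",  "fw02",     700),
    (datetime(2024, 3, 1, 10, 10, tzinfo=UTC), "windows/security", "dc02",     2100),
    (datetime(2024, 3, 1, 11, 30, tzinfo=UTC), "cloud/cloudtrail", "aws-prod", 5000),
    (datetime(2024, 3, 1, 11, 40, tzinfo=UTC), "windows/security", "dc01",     2000),
    (datetime(2024, 3, 1, 11, 53, tzinfo=UTC), "firewall/syslog",  "fw01",     750),
    (datetime(2024, 3, 1, 11, 58, tzinfo=UTC), "firewall/syslog",  "fw01",     800),
]

# Assumed expected reporting interval per source category.
EXPECTED_INTERVAL = {
    "firewall/syslog": timedelta(minutes=5),
    "windows/security": timedelta(minutes=15),
    "cloud/cloudtrail": timedelta(hours=1),
}
DEFAULT_INTERVAL = timedelta(hours=1)          # categories with no explicit interval
INGEST_QUOTA_GB_PER_DAY = 5.0                  # assumed contracted quota
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=UTC)  # fixed "now" so the run is reproducible
WINDOW_START = NOW - timedelta(hours=4)        # assumed sampling window for ingest


def silent_sources(events, expected, now, multiplier=3):
    """Return sources whose newest event is older than multiplier * expected interval."""
    last_seen = {}
    for ts, category, host, _ in events:
        key = (category, host)
        if key not in last_seen or ts > last_seen[key]:
            last_seen[key] = ts
    quiet = []
    for (category, host), ts in sorted(last_seen.items()):
        tolerance = expected.get(category, DEFAULT_INTERVAL) * multiplier
        gap = now - ts
        if gap > tolerance:
            quiet.append({
                "sourceCategory": category,
                "host": host,
                "lastSeen": ts.isoformat(),
                "gapMinutes": int(gap.total_seconds() // 60),
            })
    return quiet


def ingest_by_category(events, window_start, window_end):
    """Bytes ingested per source category within [window_start, window_end)."""
    totals = defaultdict(int)
    for ts, category, _, size in events:
        if window_start <= ts < window_end:
            totals[category] += size
    return dict(totals)


def projected_daily_gb(events, window_start, window_end):
    """Extrapolate the window's total ingest to a 24-hour figure in GB."""
    total = sum(ingest_by_category(events, window_start, window_end).values())
    hours = (window_end - window_start).total_seconds() / 3600
    return total / 1e9 * (24 / hours)


def collection_report(events=SAMPLE_EVENTS, now=NOW, quota_gb=INGEST_QUOTA_GB_PER_DAY):
    """Combine the silent-source check and the quota projection into one report."""
    projected = projected_daily_gb(events, now - timedelta(hours=4), now)
    return {
        "silent": silent_sources(events, EXPECTED_INTERVAL, now),
        "projectedDailyGB": projected,
        "overQuota": projected > quota_gb,
    }


if __name__ == "__main__":
    report = collection_report()
    for s in report["silent"]:
        print(f"SILENT {s['sourceCategory']} on {s['host']}: last seen "
              f"{s['lastSeen']} ({s['gapMinutes']} min ago)")
    print(f"projected ingest {report['projectedDailyGB']:.6f} GB/day; "
          f"over quota: {report['overQuota']}")
```

On the constructed sample this reports fw02 (silent for 240 minutes) and dc02 (110 minutes) while fw01, dc01 and the CloudTrail source are within tolerance. The same logic can be expressed as a scheduled search in the tenant so that a quiet source, which is the Client’s responsibility to resolve under the table above, is noticed before an investigation needs the missing data.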

The Client is responsible for:

  • Working with eSentire staff to enumerate and define in scope log sources and the required service level for each
  • Granting access to required data and systems to configure log collection for esLOG Services including necessary licenses, permissions, consents, and tokens to enable eSentire to access Client’s network, servers, and Cloud Service providers in order to provide esLOG Services
  • Ensuring changes to logging applications or their collection is communicated to eSentire
  • Designating a project coordinator to work directly with and serve as the primary Client contact with eSentire for the term of the esLOG Services
  • Installing on-premises log collectors to enable log collection for sources within the Client environment
  • Ensuring no firewall rules or other network blocking exist that would prevent communication from the log collectors to the esLOG Instance
  • Client’s choice of equipment, systems, software, Cloud Service providers, and online content
  • Providing the necessary resources, information, documentation and access to personnel, equipment and systems, as reasonably required by eSentire, to allow eSentire to perform the esLOG Services.

In the event Client fails to perform its obligations in the time and manner specified or contemplated above, or should any assumption set out herein with respect to the esLOG Services fail to be valid or accurate, then eSentire will not be responsible for any related delay or damages.

Service Level Objectives

The service levels below are only applicable to log data that has been included in the scope of esLOG services.

eSentire will monitor the esLOG service for potential threats and notify accordingly. When potentially malicious activity is identified eSentire will perform an investigation. If available through response-capable services such as esENDPOINT or esNETWORK, eSentire will respond according to the identified threat. Additional confirmation from the Client may be needed depending on the information available to the analyst at the time of the investigation.

Severity/Priority: Low (P4)
  Description: Minor activity recorded but not alerted.
  Notification/Escalation: None; accessible on demand through saved searches or the Insight Portal.

Severity/Priority: Medium (P3)
  Description: Informational alerts, delivered directly to the Client with no SOC review.
  Notification/Escalation: Alert (via email) within 20 minutes of events arriving at the log platform.

Severity/Priority: High and Critical Security Alerts (P2 & P1)
  Description: Threats identified from log events.*
  Notification/Escalation: Alert (via email) within 40 minutes of the determination of a security event, followed by a phone call to the Client per defined escalation procedures.

* Log events supporting investigations triggered from esNETWORK and esENDPOINT are tracked to the SLOs of those service lines.

Exclusions

The esLOG Services exclude the design, creation, maintenance, and enforcement of a security policy for Client.