Playbook: Bladerunner daily Log Source Collection Monitoring Report and Verification Instructions

Report Overview:
This document outlines the process for monitoring the collection status of various log sources. The report is generated daily at around 11:50 PM SGT and contains four columns: Serial number, Log source, Collection Status, and Comment. Log sources marked Green with status "OK" were received successfully, while those marked Red with status "No Data Found !" have missing logs for that day.
Log sources that can be checked in S3:
Log sources in the INVICTA AWS account 659771031586, with the path to check:
CheckPoint VPN Logs : s3://bladerunner-onprem-application-logs/bladerunner-vpn-logs/$year/$month/$day/
BeyondTrust PAM Logs : s3://bladerunner-onprem-application-logs/bladerunner-pam-logs/$year/$month/$day/
ICBS Application Logs : s3://bladerunner-onprem-sftp-collections/p_mft_sftp/bladerunner-invicta-sftp-icbs/ICBS-CSP-$year$month$day.tar.gz.pgp
SCU Application Logs : s3://bladerunner-onprem-sftp-collections/p_mft_sftp/bladerunner-invicta-sftp-ist/SCU_TXNSHCLOG_$year$month_ist_crs$yesterday_crs.TSV.GPG
Cadencie Application Logs : s3://bladerunner-onprem-sftp-collections/p_mft_sftp/bladerunner-invicta-sftp-cadencie/application-data/$year/$month/$day/
IST Node1 Application Logs : s3://bladerunner-onprem-sftp-collections/p_mft_sftp/bladerunner-invicta-sftp-ist-switch/node1/$year/$month/$day
IST Node2 Application Logs : s3://bladerunner-onprem-sftp-collections/p_mft_sftp/bladerunner-invicta-sftp-ist-switch/node2/$year/$month/$day
BDO-BOB Application Logs : s3://bladerunner-onprem-application-logs/BDO-BOB/$year/$month/$day
BDO-POB Application Logs : s3://bladerunner-onprem-application-logs/BDO-POB/$year/$month/$day/
CRS Application Logs : s3://bladerunner-onprem-application-logs/CRS/PROD/$year/$month/$day/
ONB-POB Application Logs : s3://bladerunner-onprem-application-logs/ONB-POB/$year/$month/$day/
Crowdstrike FDR Telemetry - ON-Prem : s3://bladerunner-device-fdr/logs/$year/$month/$day/
Crowdstrike FDR Telemetry - Cloud : s3://bladerunner-device-fdr/cloud-instances-telemetry/$year/$month/$day/
Akamai Web Application Logs : s3://bladerunner-application-akamai/raw-logs/$year/$month/$day/
Azure Cloud Logs : s3://bladerunner-network-azure/$year/$month/$day/
Office365 ( M365 ) Cloud Logs : s3://bladerunner-app-office365/$year/$month/$day/
Apigee Edge Application Logs : s3://bladerunner-application-data/apigee-edge/prod/$year/$month/$day/
AWS Cloud Logs : s3://bladerunner-network-aws/bladerunner-network-aws/$year/$month/$day/
Log sources in the Dama AWS account 224659033380, with the path to check:
NDB Application Logs : s3://sftp-storage-hm/bladerunner-pay-app/extracted/$year/$month/$day/

Log sources that need to be checked in Elasticsearch:
Log sources which are in with their index to check :
Active Directory Windows Logs : bladerunner-windows*
CIAM Application Logs : bladerunner-database*
T4S Instance application logs : bladerunner-database*
Log sources which are in
Wazuh EDR agents

Log Source Collection Verification Instructions:

For log sources in AWS S3 buckets:
Step 1: Access S3 Bucket
Log in to AWS Console: Access the AWS Management Console using your credentials.
Navigate to S3: Go to the S3 service dashboard.
Select the Bucket: Choose the specific bucket where the logs are anticipated to be stored.
Step 2: Verify Log Source Collection
Check Bucket Contents:
Go to the path listed above for the log source and check that log files exist for the specific day being verified, after substituting the placeholders in the path:
$year - replace with the year for which the logs are being checked
$month - replace with the month for which the logs are being checked
$day - replace with the day for which the logs are being checked
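The placeholder substitution and the per-path S3 check above can be scripted so the daily report is produced mechanically rather than by clicking through the console. The following is an added example, not part of the playbook or any Bladerunner tooling; it assumes $year/$month/$day are zero-padded (YYYY/MM/DD), that $yesterday is the previous day's DD, and that a template ending in a file name must match that exact key. It uses a constructed offline listing in place of S3 (the boto3 lister is included for real runs).

```python
import re
from datetime import date, timedelta

# Path templates copied from the playbook (a subset; add the rest the same way).
SOURCES = {
    "CheckPoint VPN Logs": "s3://bladerunner-onprem-application-logs/bladerunner-vpn-logs/$year/$month/$day/",
    "ICBS Application Logs": "s3://bladerunner-onprem-sftp-collections/p_mft_sftp/bladerunner-invicta-sftp-icbs/ICBS-CSP-$year$month$day.tar.gz.pgp",
    "SCU Application Logs": "s3://bladerunner-onprem-sftp-collections/p_mft_sftp/bladerunner-invicta-sftp-ist/SCU_TXNSHCLOG_$year$month_ist_crs$yesterday_crs.TSV.GPG",
    "CRS Application Logs": "s3://bladerunner-onprem-application-logs/CRS/PROD/$year/$month/$day/",
}
PLACEHOLDER = re.compile(r"\$(yesterday|year|month|day)")  # longest name first, so $day never eats $yesterday
REPORT_DAY = date(2024, 3, 5)  # constructed example date

def render(template, day):
    """Fill the placeholders (assumed zero-padded; $yesterday = previous day's DD) and
    split the s3:// URI into (bucket, key). The SCU template glues '$month' to '_ist_crs',
    which is why a regex with a fixed name list is used instead of string.Template."""
    prev = day - timedelta(days=1)
    values = {"year": f"{day:%Y}", "month": f"{day:%m}", "day": f"{day:%d}", "yesterday": f"{prev:%d}"}
    uri = PLACEHOLDER.sub(lambda m: values[m.group(1)], template)
    bucket, _, key = uri[len("s3://"):].partition("/")
    return bucket, key

def check_sources(day, sources, list_keys):
    """Build the report rows (serial, log source, collection status, comment).
    list_keys(bucket, prefix) returns the keys found under prefix; an exact file key counts."""
    rows = []
    for serial, (name, template) in enumerate(sources.items(), start=1):
        bucket, key = render(template, day)
        found = list_keys(bucket, key)
        status = "OK" if found else "No Data Found !"
        rows.append((serial, name, status, f"s3://{bucket}/{key}"))
    return rows

def boto3_list_keys(bucket, prefix):
    """Real lister for production runs: one object under the prefix is enough."""
    import boto3  # needs credentials for the AWS account that owns the bucket
    resp = boto3.client("s3").list_objects_v2(Bucket=bucket, Prefix=prefix, MaxKeys=1)
    return [obj["Key"] for obj in resp.get("Contents", [])]

# Constructed fake listing so the example runs offline: VPN, ICBS and SCU data for
# 5 March 2024 are present, CRS has nothing for that day.
FAKE_BUCKET_KEYS = [
    ("bladerunner-onprem-application-logs", "bladerunner-vpn-logs/2024/03/05/vpn-00.log.gz"),
    ("bladerunner-onprem-sftp-collections", "p_mft_sftp/bladerunner-invicta-sftp-icbs/ICBS-CSP-20240305.tar.gz.pgp"),
    ("bladerunner-onprem-sftp-collections", "p_mft_sftp/bladerunner-invicta-sftp-ist/SCU_TXNSHCLOG_202403_ist_crs04_crs.TSV.GPG"),
]
def fake_list_keys(bucket, prefix):
    return [k for b, k in FAKE_BUCKET_KEYS if b == bucket and k.startswith(prefix)]

if __name__ == "__main__":
    for row in check_sources(REPORT_DAY, SOURCES, fake_list_keys):
        print(*row, sep=" | ")
```

Swap fake_list_keys for boto3_list_keys to run against the real buckets; a missing row is the cue to follow the Notification Procedure below.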

For log sources in Elasticsearch:
Step 1: Login to Kibana
Access the Kibana interface.
Step 2: Select the Index
Choose the index corresponding to the log source and inspect data from the past few hours.


Notification Procedure:
In case logs are not found for any of the listed sources, notify Alex from Bladerunner & Etienne, David, Kristan & Akhtar from HM for further investigation.


This document provides a comprehensive guide for verifying log source collection in both AWS S3 buckets and Elasticsearch. If you require further assistance or encounter any issues, please reach out for support.

