SIEM Not Ingesting Relevant Log Sources
The SIEM does not ingest logs from the affected systems, applications, or network segments. Correlation, alerting, and historical search capabilities are unavailable for the evidence sources most relevant to this incident.
Signals
- SIEM data source inventory does not list the affected application or host group
- Search queries for source IP or hostname return zero indexed events in the SIEM
- The SIEM onboarding backlog includes the affected source but ingestion was never completed
Pivot Actions
1. Identify where the raw logs reside (local disk, syslog collector, cloud storage) and collect them directly
2. Stand up a temporary log forwarding pipeline (rsyslog, Winlogbeat, Filebeat) to begin capturing current activity
3. Cross-reference available SIEM sources (firewall, DNS, AD) to infer activity on the unmonitored system
4. Use EDR process/network telemetry as a compensating source if agents are present
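The following is an added example, not part of the original playbook, that walks through pivot actions 1 and 3 for the signals above: it finds affected hosts that have zero indexed SIEM events, hashes raw log files collected directly from disk so what was preserved is recorded before it is replayed into the SIEM, and cross-references a compensating firewall source for activity involving the unmonitored host. The SIEM index, host list and firewall lines are constructed sample data standing in for a real SIEM query and a real collector; the host names and addresses are assumptions.

```python
"""Triage helper for a SIEM coverage gap (added example with constructed data)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample data: stands in for a SIEM query returning event counts
# per host over the incident window, and for the incident's asset list.
SIEM_INDEX = {
    "web-01": 4120,
    "dns-01": 980,
    "app-07": 0,       # onboarding backlog entry, ingestion never completed
}
AFFECTED_HOSTS = {"web-01": "10.0.5.11", "app-07": "10.0.5.42", "db-03": "10.0.6.9"}

# Constructed firewall lines from a source that IS in the SIEM.
FIREWALL_LOG = """\
2024-03-02T10:14:03Z fw-edge ACCEPT src=10.0.5.42 dst=203.0.113.77 dport=443
2024-03-02T10:14:05Z fw-edge ACCEPT src=10.0.5.11 dst=10.0.6.9 dport=5432
2024-03-02T10:15:21Z fw-edge DENY src=10.0.5.42 dst=198.51.100.9 dport=4444
2024-03-02T10:16:00Z fw-edge ACCEPT src=10.0.6.9 dst=10.0.5.42 dport=22
""".splitlines()

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>ACCEPT|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def find_coverage_gaps(affected, siem_index):
    """Return affected hosts with no indexed SIEM events (absent or zero)."""
    return sorted(h for h in affected if siem_index.get(h, 0) == 0)


def collect_raw_logs(log_dir, patterns=("*.log", "*.json")):
    """Hash every log file under log_dir; returns {relative path: sha256}.

    Recording hashes at collection time documents exactly which files were
    preserved before they are forwarded or replayed into the SIEM.
    """
    root = Path(log_dir)
    manifest = {}
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            if path.is_file():
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
                manifest[str(path.relative_to(root))] = digest
    return manifest


def compensating_events(host_ip, lines):
    """Parse firewall lines and keep those where host_ip is source or destination."""
    hits = []
    for line in lines:
        m = FW_RE.match(line)
        if m and host_ip in (m["src"], m["dst"]):
            hits.append(m.groupdict())
    return hits


def triage(affected, siem_index, fw_lines):
    """For each coverage gap, count compensating firewall events and denies."""
    report = {}
    for host in find_coverage_gaps(affected, siem_index):
        events = compensating_events(affected[host], fw_lines)
        report[host] = {
            "firewall_events": len(events),
            "denies": sum(1 for e in events if e["action"] == "DENY"),
        }
    return report


def demo_collection():
    """Write one constructed log file into a temp directory and hash it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "app.log").write_text("hello\n")
        return collect_raw_logs(d)


if __name__ == "__main__":
    print("gaps:", find_coverage_gaps(AFFECTED_HOSTS, SIEM_INDEX))
    print("manifest:", demo_collection())
    print("triage:", triage(AFFECTED_HOSTS, SIEM_INDEX, FIREWALL_LOG))
```

In a real engagement the `SIEM_INDEX` dictionary is replaced by a count query against the SIEM for each host over the incident window, `collect_raw_logs` is pointed at the collected log directory, and the firewall lines come from a source the SIEM already indexes; the manifest is what you hand to the onboarding team together with the files so the gap can be backfilled later.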
Alternate Evidence Sources
- Raw log files on local disk or a syslog relay/collector not connected to the SIEM
- EDR telemetry acting as a proxy for endpoint events
- Cloud provider native audit dashboards (AWS CloudTrail Console, Azure Activity Log, GCP Logging)