Collection | P3 | ~120 min

Coordinate Log Collection from Third-Party Vendors

Draft formal log requests to third-party vendors and managed service providers (MSPs), specify required timeframes and log types, and coordinate secure transfer of evidence.

Actions

  1. Identify which third-party vendors hold relevant logs: ISP flow data, cloud hosting provider logs, SaaS application audit trails, MSP monitoring data, CDN/WAF provider logs.

  2. Draft a formal log preservation and production request specifying: timeframe (T-30d to present), log types needed, format requirements (CSV, JSON, syslog), and delivery method (SFTP, encrypted email).

  3. Include in the request: case reference number, legal basis for the request (contract clause, legal process), contact person, and urgency level.

  4. Verify received logs: check timeframe coverage, format compatibility with analysis tools, and data completeness.

  5. Parse and integrate third-party logs into the investigation timeline. Correlate timestamps (accounting for timezone differences).
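Steps 4 and 5 are the ones an analyst actually scripts: once a vendor delivery lands, check that it spans the requested window, flag suspicious gaps, normalize every timestamp to UTC, and merge it into the case timeline. The example below is added here as an illustration and is not part of this playbook or any vendor's tooling. It assumes two constructed deliveries: a CDN/WAF provider sending JSON lines with explicit UTC offsets, and an MSP sending CSV whose timestamps are documented (in the delivery cover note) as local time at UTC-5. The request window and the sample records are invented for the example; the 7-day gap threshold is an arbitrary tuning value.

```python
"""Verify a third-party log delivery against the request window and fold it into a UTC timeline."""
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample deliveries (not real vendor data).
# CDN/WAF provider: JSON lines, each record carries an explicit offset.
CDN_JSONL = """\
{"ts": "2024-03-01T00:05:00+00:00", "src": "198.51.100.7", "action": "block"}
{"ts": "2024-03-10T12:00:00+00:00", "src": "198.51.100.7", "action": "allow"}
{"ts": "2024-03-20T23:59:00+00:00", "src": "203.0.113.9", "action": "block"}
"""
# MSP: CSV with naive local timestamps; the cover note says "times are UTC-5".
MSP_CSV = """\
timestamp,host,event
2024-03-01 03:00:00,srv01,login_failure
2024-03-15 08:30:00,srv01,login_success
"""
MSP_LOCAL_TZ = timezone(timedelta(hours=-5))  # assumption from the cover note

# Constructed request window: "T-30d to present" as stated in the request.
WINDOW_START = datetime(2024, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 31, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    vendor: str
    ts_utc: datetime
    detail: str


def parse_cdn_jsonl(text: str, vendor: str = "cdn") -> list[Event]:
    """Parse JSON-lines records; refuse timestamps with no offset rather than guess."""
    events: list[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        if ts.tzinfo is None:
            raise ValueError(f"{vendor}: timestamp without offset: {rec['ts']}")
        events.append(Event(vendor, ts.astimezone(timezone.utc), f"{rec['src']} {rec['action']}"))
    return events


def parse_msp_csv(text: str, local_tz: timezone, vendor: str = "msp") -> list[Event]:
    """Parse CSV with naive timestamps, attaching the vendor-documented local zone, then convert to UTC."""
    events: list[Event] = []
    for row in csv.DictReader(io.StringIO(text)):
        naive = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        ts = naive.replace(tzinfo=local_tz).astimezone(timezone.utc)
        events.append(Event(vendor, ts, f"{row['host']} {row['event']}"))
    return events


def check_coverage(events: list[Event], window_start: datetime, window_end: datetime,
                   max_gap: timedelta = timedelta(days=7)) -> dict:
    """Report whether the delivery reaches both ends of the window and list gaps longer than max_gap.

    A gap is only a prompt to ask the vendor; a quiet source can legitimately be silent for days.
    """
    if not events:
        return {"count": 0, "covers_start": False, "covers_end": False, "gaps": []}
    times = sorted(e.ts_utc for e in events)
    gaps = [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]
    return {
        "count": len(times),
        "covers_start": times[0] - window_start <= max_gap,
        "covers_end": window_end - times[-1] <= max_gap,
        "gaps": gaps,
    }


def build_timeline(*event_lists: list[Event]) -> list[Event]:
    """Merge deliveries from several vendors into one UTC-ordered investigation timeline."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e.ts_utc)


def run_verification() -> dict:
    """Verify both constructed deliveries and return the findings plus the merged timeline."""
    cdn = parse_cdn_jsonl(CDN_JSONL)
    msp = parse_msp_csv(MSP_CSV, MSP_LOCAL_TZ)
    return {
        "cdn": check_coverage(cdn, WINDOW_START, WINDOW_END),
        "msp": check_coverage(msp, WINDOW_START, WINDOW_END),
        "timeline": build_timeline(cdn, msp),
    }


if __name__ == "__main__":
    result = run_verification()
    for vendor in ("cdn", "msp"):
        r = result[vendor]
        print(f"{vendor}: {r['count']} events, start covered={r['covers_start']}, "
              f"end covered={r['covers_end']}, gaps={len(r['gaps'])}")
    for e in result["timeline"]:
        print(e.ts_utc.isoformat(), e.vendor, e.detail)
```

The two parsers deliberately differ in how they treat the zone: the JSON parser fails closed on a timestamp without an offset, while the CSV parser applies the zone the vendor documented, so the assumption is written down in one place and easy to revisit if the vendor corrects it. Both deliveries above stop well short of the window end, which is exactly the finding that should go back to the vendor before the logs are relied on in the timeline.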

Queries

Review vendor contracts and SLAs for log retention periods and incident response support obligations.
index=third_party sourcetype=vendor:* earliest=-30d | stats count, min(_time) AS earliest_event, max(_time) AS latest_event by sourcetype, host | sort -count

Notes

Third-party log requests can take days or weeks. Submit requests as early as possible in the investigation.

Some vendors may require a subpoena or court order for certain log types. Coordinate with Legal.
