2/22/2021 CCSP 2019: Data Retention & Events Transcript

CCSP 2019: Data Retention & Events


Discover how to meet regulatory compliance needs by planning and implementing data retention, deletion, and archiving policies. Explore how data
events can be analyzed and used for troubleshooting problems. This course can be used in preparation for the (ISC)2 Certified Cloud Security
Professional (CCSP) exam. The key concepts in this course include: how to configure Azure cloud storage data retention policies; how to enable
Azure storage account soft deletion; how to configure Azure storage account blob archiving; and how to configure an Azure immutable blob storage
access policy. You will also learn about the standards and best practices when using eDiscovery and its purpose to find information that is stored in a
digital manner for use with legal proceedings; how to filter Azure resource management activity events; and how to create Azure log queries. Finally,
learn how to use the various capabilities of security information and event management (SIEM) such as data aggregation, correlation, alerting,
compliance, retention, and forensic analysis.

Objectives
discover the key concepts covered in this course
configure Microsoft Azure cloud storage data retention policies
enable Microsoft Azure storage account soft deletion
configure Azure storage account blob archiving
configure a Microsoft Azure immutable blob storage access policy
describe eDiscovery in the cloud
filter Microsoft Azure resource management activity events
create Microsoft Azure log queries
list the various capabilities of SIEM such as data aggregation, correlation, alerting, compliance, retention, and forensic analysis
summarize the key concepts covered in this course

Table of Contents
1. Course Overview
2. Data Retention Policies
3. Data Deletion
4. Data Archiving
5. Legal Hold
6. eDiscovery
7. Event Sources and Attributes
8. Data Events
9. SIEM
10. Course Summary

Course Overview
[Video description begins] Topic title: Course Overview [Video description ends]


Hi, I'm Dan Lachance. I've worked in various IT roles since the early 1990s, including as a technical trainer, as a programmer, a consultant, as well as
an IT tech author and editor.

[Video description begins] Your host for this session is Dan Lachance. He is an IT Trainer/ Consultant. [Video description ends]

I've held and still hold IT certifications related to Linux, Novell, Lotus, CompTIA, and Microsoft. Some of my specialties over the years have
included networking, IT security, cloud solutions, Linux management, and configuration and troubleshooting across a wide array of Microsoft
products.

CCSP, or Certified Cloud Security Professional, proves to the world that you have the cloud security skills necessary to use the best practices and
guidelines set out by (ISC)2 to properly design, manage, and secure applications, infrastructure, and data in the Cloud. In this course,
I'll explore how to meet regulatory compliance needs by planning and implementing data retention, deletion, and archiving policies. I'll also cover
data events, which can be analyzed and used for troubleshooting problems. I'll start by examining data retention policy principles and how to develop
appropriate practices, defining and managing data deletion procedures and methodologies, and outlining principles that serve to define and manage
data archiving procedures.

I'll also talk about the need for legal holds. Then I'll discuss event sources and how to interpret event attributes. Next, I'll talk about how to gather,
analyze, store, and archive events and log data. Finally, I'll explore the various capabilities of SIEM, such as correlation, alerting, and compliance.

Data Retention Policies


[Video description begins] Topic title: Data Retention Policies. Your host for this session is Dan Lachance. [Video description ends]

Data retention policies are used to determine how long data in many various forms will be kept before it's discarded. And that also includes how long
data backups get kept.

[Video description begins] The screen displays the Home page in the Microsoft Azure portal. [Video description ends]

Here in the Microsoft Azure portal, I'm going to start by going to the All resources view.

[Video description begins] A blade titled "All resources" displays in the center pane. It contains a table displaying a list of resource groups. Currently,
all the resource groups are listed in the table as the filter field Type is set to "all". [Video description ends]

And I'm going to filter the list of cloud resources shown here by clicking Type at the top.

[Video description begins] A drop-down list displays. It lists check box options such as Select all, App Configuration, App Service, and App Service
Plan. Currently, all the options are selected. [Video description ends]

I'm going to uncheck Select all. And I'm going to scroll down in the alphabetical list because I'm looking for what's called a Recovery Services vault,
of which there is only one deployed, as we can see in the parentheses here. So I'm going to turn on the check mark to filter to show that and click
outside the list. And here's a recovery vault that was already created.

[Video description begins] The table now displays a resource titled "VaultEast". [Video description ends]

Now you configure backup policies within a Microsoft Azure Recovery Services vault. I'm going to click on the vault to open it up.

[Video description begins] A blade titled "VaultEast" displays in the working pane. [Video description ends]

And then I'm going to scroll down in the Properties until under the Manage section I see Backup policies. I'm going to click there.

[Video description begins] The center pane displays a table listing two backup policies. Above is an input box containing the prompt "Filter name"
and a drop-down field to select policy. [Video description ends]

Now there are a couple of policies already in place here, but we can add another one by clicking the Add button up at the top.

[Video description begins] An Add blade displays, containing the following options underneath a heading "POLICY TYPE": Azure Virtual Machine,
SQL Server in Azure VM, and Azure File Share. [Video description ends]

The first thing we have to do is determine to what our backup policy should apply. Does it apply to Azure virtual machines? If I click on that, then we
can specify details including a name for the policy.

[Video description begins] A blade titled "Create policy" displays. It contains configuration options such as Policy name, Backup Schedule, Instant
Restore, and Retention range. Fields labeled Frequency, Time, and Timezone display in the Backup schedule section. [Video description ends]

So I'm going to call this VMPolicy1. And I can determine the backup schedule for virtual machines. Whether it be Daily or Weekly, and the Time and
the Timezone. And of course, I can specify the data retention range for the backup down below.

[Video description begins] The Retention range section contains many check box options, including "Retention of daily backup point" and "Retention
of weekly backup point." Below the first check box option are two fields, "At" and "For." Below the second option are three fields, "On," "At," and
"For." [Video description ends]

So for example, here it's set for 180 days for a daily backup point. Weekly backup points can also be retained for a different period of time. And the
same thing holds true for monthly, and finally all the way down to yearly. I'll just go ahead and create that one and we'll use that one after in a
moment.

[Video description begins] He clicks a Create button present at the bottom of the pane. [Video description ends]

But before we do that, we can also add backup policies for SQL servers that might be running within Microsoft Azure virtual machines.

[Video description begins] He clicks "SQL Server in Azure VM" in the Add blade. The center pane displays a blade titled "Backup policy." It contains
the following configuration options: Policy name, Full Backup, Differential Backup, Log Backup, and SQL Backup Compression Backup. [Video
description ends]


And here we would specify the backup, such as a daily backup, that's a Full backup, how often we want that to happen. How often we want
Differential backups. And that type of thing. We can also go to Azure File Share, which is essentially like a shared folder in the cloud with files in it,
that you can map a drive letter to, for example from a Windows station. And we can determine how long that data will be retained for when it comes
to backups.

[Video description begins] He selects "Azure File Share" in the Add blade. The center pane displays a field labeled "Policy name," and a Backup
schedule section containing drop-down fields and a Retain for field. He highlights the value 30 displaying in the Retain for field. [Video description
ends]

So let's just go to the Virtual machines view for a moment here over on the left, and we'll use our backup policy.

[Video description begins] The center pane displays a table listing many Virtual machines. [Video description ends]

So I'm going to click to open up an existing virtual machine. And in the Properties navigation bar for that virtual machine, I'm going to go down under
Operations, where I'll click on Backup. And what I do within here is select the appropriate configured policy.

[Video description begins] The center pane displays the backup information. Two fields labeled "Recovery Services vault" and "Choose backup
policy" display on the page along with other information. [Video description ends]

So I can see my vault here, VaultEast. And from the policy drop-down list, I can select VMPolicy1. And after that, I would simply click Enable
Backup to put that in place.
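The daily, weekly, monthly and yearly retention ranges above decide which recovery points survive and which expire. The following Python evaluator is an added example, not Azure's own logic: it applies a constructed policy (daily points for 180 days, Sunday points for 52 weeks, first-of-month points for 12 months, 1 January points for 3 years) to one backup point per day and reports why each point is kept.

```python
from datetime import date, timedelta

# Constructed retention policy mirroring the portal's "Retention range" fields
# (the 180-day daily value is from the demo; the other values are assumptions).
POLICY = {
    "daily_days": 180,
    "weekly_weeks": 52, "weekly_day": 6,   # 6 = Sunday in date.weekday()
    "monthly_months": 12,                   # monthly point taken on the 1st
    "yearly_years": 3,                      # yearly point taken on 1 January
}

def months_between(older, newer):
    return (newer.year - older.year) * 12 + (newer.month - older.month)

def retention_reasons(point, policy, today):
    """Return the list of retention ranges that still cover this backup point."""
    reasons = []
    age_days = (today - point).days
    if age_days <= policy["daily_days"]:
        reasons.append("daily")
    if point.weekday() == policy["weekly_day"] and age_days <= policy["weekly_weeks"] * 7:
        reasons.append("weekly")
    if point.day == 1 and months_between(point, today) <= policy["monthly_months"]:
        reasons.append("monthly")
    if point.month == 1 and point.day == 1 and today.year - point.year <= policy["yearly_years"]:
        reasons.append("yearly")
    return reasons

def evaluate_retention(points, policy, today):
    """Split backup points into those to keep (with their reasons) and those to expire."""
    kept, expired = {}, []
    for point in sorted(points):
        reasons = retention_reasons(point, policy, today)
        if reasons:
            kept[point] = reasons
        else:
            expired.append(point)
    return kept, expired

def daily_points(first, last):
    """Constructed sample: one backup point per day from first to last inclusive."""
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]

if __name__ == "__main__":
    today = date(2021, 2, 22)
    kept, expired = evaluate_retention(daily_points(date(2020, 1, 1), today), POLICY, today)
    print(f"keep {len(kept)} recovery points, expire {len(expired)}")
    for point in (date(2020, 1, 1), date(2020, 2, 1), date(2020, 3, 8), date(2020, 8, 26)):
        print(point, kept.get(point, "expired"))
```

Note that a point just outside the daily window survives only if a coarser range still covers it, which is exactly the trade-off the portal fields express.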

Data Deletion
[Video description begins] Topic title: Data Deletion. Your host for this session is Dan Lachance. [Video description ends]

Most cloud providers will provide options for soft deletion of cloud storage. Soft deletion is an option that may be needed to meet business
requirements, in other words, the ability to recover files stored in the cloud that were inadvertently deleted. But on the opposite side of
the coin, we might have regulations or laws that stipulate that after we delete data, it needs to be completely removed and inaccessible.

In which case, we would not want to enable options such as soft delete. Here in Microsoft Azure, we're going to enable soft delete within a storage
account. So here in the portal, I'm going to start on the left by clicking Storage accounts.

[Video description begins] The center pane displays a table of Storage accounts. [Video description ends]

Now, when my list of storage accounts appears, I'm going to choose one where I want to enable soft deletion. So I'm going to click to open up a
storage account to open up its properties navigation bar.

[Video description begins] He selects a storage account named "storacct64845" from the table. [Video description ends]


And I'm going to scroll down under Blob service. Blob stands for binary large object, essentially storing files in the cloud. If I actually click on Blobs,
then on the right I can actually create containers. So for example, I'll click Container, which is like a folder on a hard drive to organize files.

[Video description begins] The center pane displays two fields, "Name" and "Public access level." [Video description ends]

Maybe I'll call it projects, I'll leave it Private (no anonymous access).

[Video description begins] He clicks on the "OK" button at the bottom of the pane. [Video description ends]

And when I open up that blob container, I can then upload content into it, upload files.

[Video description begins] He selects "projects" from the list of containers. [Video description ends]

So that being said, I'm going to close out of that and let's go back to the Blob service area in the properties of our storage account. Where you'll see
that there's an option called Soft delete.

[Video description begins] A blade titled "storacct64845- Soft delete" displays in the center pane. It contains a toggle button labeled "Soft delete."
[Video description ends]

So I'm going to go into Soft delete; it's disabled by default. I'm going to go ahead and click Enabled. Here we get to specify the retention period in
days: after content, that is, files, is deleted from this storage account, how long should it remain recoverable? The default is seven days, which I'm
going to leave as is. I'm going to go ahead and click Save.

So this would apply, then, when binary large objects, or blob files, are deleted from the storage account, as well as when they are overwritten. Now, the
way that they are undeleted is by programmers calling the blob undelete operation of the storage API, the application programming interface.
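To make the retention behaviour concrete, here is an added Python model of a container with soft delete enabled (constructed for this page, not Azure's implementation): deletes and overwrites park the old content for the retention period, an undelete call restores the newest recoverable copy, and a purge removes anything older than the window for good.

```python
from datetime import datetime, timedelta

class BlobNotFound(KeyError):
    pass

class SoftDeleteContainer:
    """Constructed model of a blob container with soft delete enabled.

    Deleting or overwriting a blob keeps the previous content for `retention_days`;
    inside that window it can be undeleted, after it purge_expired() removes it permanently.
    """
    def __init__(self, retention_days=7):          # 7 days is the portal default
        self.retention = timedelta(days=retention_days)
        self.live = {}            # name -> current content
        self.soft_deleted = {}    # name -> [(content, deleted_at), ...] oldest first

    def upload(self, name, content, now):
        # An overwrite keeps the previous content recoverable, just like a delete
        if name in self.live:
            self.soft_deleted.setdefault(name, []).append((self.live[name], now))
        self.live[name] = content

    def delete(self, name, now):
        if name not in self.live:
            raise BlobNotFound(name)
        self.soft_deleted.setdefault(name, []).append((self.live.pop(name), now))

    def read(self, name):
        if name not in self.live:
            raise BlobNotFound(name)
        return self.live[name]

    def undelete(self, name, now):
        """Restore the most recent soft-deleted copy that is still inside the retention window."""
        versions = self.soft_deleted.get(name, [])
        recoverable = [i for i, (_, deleted_at) in enumerate(versions)
                       if now - deleted_at <= self.retention]
        if not recoverable:
            raise BlobNotFound(f"{name}: no copy within the retention window")
        content, _ = versions.pop(recoverable[-1])
        if name in self.live:   # restoring over a newer upload keeps that upload recoverable too
            versions.append((self.live[name], now))
        self.live[name] = content
        return content

    def purge_expired(self, now):
        """Permanently remove soft-deleted copies older than the retention period; returns how many."""
        purged = 0
        for name, versions in list(self.soft_deleted.items()):
            keep = [v for v in versions if now - v[1] <= self.retention]
            purged += len(versions) - len(keep)
            if keep:
                self.soft_deleted[name] = keep
            else:
                del self.soft_deleted[name]
        return purged

if __name__ == "__main__":
    t0 = datetime(2021, 2, 22, 9, 0)
    c = SoftDeleteContainer(retention_days=7)
    c.upload("Project_A.txt", b"v1", t0)
    c.delete("Project_A.txt", t0 + timedelta(days=1))
    print("restored:", c.undelete("Project_A.txt", t0 + timedelta(days=5)))
    c.delete("Project_A.txt", t0 + timedelta(days=6))
    print("purged after retention:", c.purge_expired(t0 + timedelta(days=20)))
```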

Data Archiving
[Video description begins] Topic title: Data Archiving. Your host for this session is Dan Lachance. [Video description ends]

Data archiving in the cloud can be applied in many different ways. For example, you might enable archiving of email messages within a cloud email
account. In this case, we're going to enable archiving at the storage account level in the Microsoft Azure cloud.

[Video description begins] The screen displays a view of the Storage accounts in the Microsoft Azure portal. The center pane displays a table of
storage accounts. [Video description ends]

So here in the Microsoft Azure portal, I've already navigated to the Storage accounts view. So I'm going to scroll down so I can select the storage
account where I want to enable archiving. So I'm going to click to open it up.

[Video description begins] He selects a storage account labeled "storacct64845" from the table. [Video description ends]


Now, the first thing to bear in mind is that we can enable archiving on a per individual file basis. Or we can configure a policy setting that will
automatically enable it after a certain amount of time.

[Video description begins] A blade titled "storacct64845" displays in the center pane. [Video description ends]

So as an example, here within the storage account, I'm going to scroll down to Blobs. Now, blobs are binary large objects, they are files. I've already
created a blob container, or folder, called projects. And if I open that up, you'll see that I've got a couple of sample project files listed within this blob
container.

[Video description begins] The center pane displays a table listing sample files. [Video description ends]

Now, each of these can have a different storage tier configured. For example, for the first simple file here, Project_A.txt, if I were to click on the
Context menu over on the far right, one of the options I would get is to change the tier. And when I choose Change tier, I can then select whether I
want this to be

[Video description begins] A pane titled "Change tier" displays. It contains a drop-down field labeled "Access tier." [Video description ends]

treated as hot storage, so on the fastest storage for frequent access. Or cool storage for less frequent access at a reduced cost, or archive storage. Now,
when I do this for archiving it says it's going to make your blob inaccessible, at least the data is. The metadata about that blob will be accessible. But
the actual data is offline until you bring it back, for example, to a cool or hot access tier, which can take time for that to occur.

That process is referred to as rehydration. So I'm going to go ahead and save the change to the tier for that first file, Project_A.txt. Now, of course, if
you want this to be automated, you can make that happen as well. So let's click the X over here in the upper right to get out of the container. So we're
back in our storage account properties list. What I want to do over here under Blob service is select Lifecycle Management.

[Video description begins] The blade changes to "storacct64845- Lifecycle Management." The center pane has a table which is currently blank.
[Video description ends]

Lifecycle Management can automate the archiving of data given criteria. So I'm going to click Add rule over on the right to set that up.

[Video description begins] A blade labeled "Add a rule" displays in the center pane. It contains the following tabs: "Action set", "Filter set", and
"Review+ add". Currently, "Action set" is selected. A list of configurations displays, including a field titled "Rule name," and various other check
boxes along with fields underneath a heading "Blobs." Three buttons labeled "Review+add", "Previous", and "Next: Filter set>" display at the
bottom of the pane. [Video description ends]

So the rule name here is going to be AutoArchive. And I'm interested here in blob archiving. So I'm going to choose the Move blob to archive storage
option, the check mark. And I'm going to specify the days after the last modification. So let's say 90 days after anything has been modified, I want it
to be archived automatically. So that part's been done. I'm going to click the Next button here to go to Filter set.

Now, with the Filter set, I can specify a subset of blobs that I want to apply this archiving option to. I want the entire storage account affected by it. So
I'm just going to go ahead and click the Next button for Review and add. It's going to check for validation of my selections, looks good. So let's
actually add this archiving policy by clicking Add. And we can now see that we've got our AutoArchive policy enabled for this cloud storage account.
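The AutoArchive rule above can also be expressed as a lifecycle management policy document. The Python below is an added example (not Azure's code): it builds the policy in the JSON shape Azure Storage accepts, with the tierToArchive action set to 90 days after last modification and no prefix filter so the whole account is covered, and then dry-runs it over constructed sample blobs to show which ones a rule would move.

```python
import json
from datetime import datetime, timedelta

def build_archive_policy(rule_name="AutoArchive", days_after_modification=90):
    """Lifecycle management policy with one rule, in the JSON shape Azure Storage expects.
    No prefixMatch filter is set, so the rule covers the whole account, as in the demo."""
    return {
        "rules": [{
            "enabled": True,
            "name": rule_name,
            "type": "Lifecycle",
            "definition": {
                "actions": {"baseBlob": {
                    "tierToArchive": {"daysAfterModificationGreaterThan": days_after_modification},
                }},
                "filters": {"blobTypes": ["blockBlob"]},
            },
        }],
    }

def evaluate_policy(policy, blobs, now):
    """Dry run: return {blob name: target tier} for the blobs the enabled rules would move.
    Honors the blob type filter, an optional prefixMatch filter, and the strict
    'greater than' comparison on days since last modification."""
    changes = {}
    for rule in policy["rules"]:
        if not rule["enabled"]:
            continue
        definition = rule["definition"]
        prefixes = definition["filters"].get("prefixMatch", [])
        actions = definition["actions"].get("baseBlob", {})
        for blob in blobs:
            if blob["type"] not in definition["filters"]["blobTypes"]:
                continue
            if prefixes and not any(blob["name"].startswith(p) for p in prefixes):
                continue
            if blob["tier"] == "Archive":
                continue  # already offline; only a rehydration request brings it back
            age_days = (now - blob["last_modified"]).days
            # Archive wins over cool when both thresholds are exceeded
            for action, tier in (("tierToArchive", "Archive"), ("tierToCool", "Cool")):
                condition = actions.get(action)
                if condition and age_days > condition["daysAfterModificationGreaterThan"] \
                        and blob["tier"] != tier:
                    changes[blob["name"]] = tier
                    break
    return changes

def sample_blobs(now):
    """Constructed sample blobs, named container/blob as prefixMatch expects."""
    def blob(name, kind, tier, age_days):
        return {"name": name, "type": kind, "tier": tier,
                "last_modified": now - timedelta(days=age_days)}
    return [
        blob("projects/Project_A.txt", "blockBlob", "Hot", 120),
        blob("projects/Project_B.txt", "blockBlob", "Hot", 30),
        blob("projects/Project_C.txt", "blockBlob", "Archive", 400),
        blob("projects/Project_D.txt", "blockBlob", "Hot", 90),   # exactly 90: not "greater than"
        blob("logs/2020-11.log", "appendBlob", "Hot", 200),     # wrong blob type for the rule
    ]

if __name__ == "__main__":
    now = datetime(2021, 2, 22)
    policy = build_archive_policy()
    # Save with json.dump and apply with:
    #   az storage account management-policy create --account-name <name> \
    #       --resource-group <rg> --policy @policy.json
    print(json.dumps(policy, indent=2))
    print("would move:", evaluate_policy(policy, sample_blobs(now), now))
```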

Legal Hold
[Video description begins] Topic title: Legal Hold. Your host for this session is Dan Lachance. [Video description ends]

Placing a legal hold on Cloud-stored data can be important when evidence needs to be maintained in its current state.

[Video description begins] A storage account labeled "storacct64845" displays in the Microsoft Azure portal. [Video description ends]

To get started here in Microsoft Azure, I've already opened up the properties of a storage account. So I'm going to go ahead and scroll down in
the properties of that account and choose Blobs, where I've already got a container, or folder, into which I've uploaded some sample files. It's called
Projects, so I'll click to open that up.

[Video description begins] A blade labeled "project" displays in the center pane. [Video description ends]

And on the right we'll see a couple of sample project files that have been uploaded. Now, let's say, for example, I want to classify or add labeling to
my Project_B.txt file here. It's important that we add metadata or tagging information to items, because often Cloud-based policies will need to match
those metadata items to determine whether a legal hold should be placed on them or not. So for Project_B here, I'm going to click on the context menu
on the far right, and I'm going to choose Blob properties.

[Video description begins] The context menu displays options such as View/edit blob, Download, Blob properties, and Generate SAS. [Video
description ends]

Now, in the properties of that blob file, what I'm going to do is scroll all the way down to the bottom, where I can add metadata. And I'm going to add a
tag. It's going to be called Project. And let's say we put a value in here of ABC. And then I'll click Save up at the top to save that metadata to that item.
So now that we've got that flagged that way, we're going to go and create an access policy related to legal holds.

Now realistically, you would use this at the command line level or the programmatic API level, meaning you would set those items in that way instead
of going to each individual item as I've done. So we're going to go ahead and click Access Policy over here on the left. Now the access policy we're
looking at here is for our Projects folder. We could also set it at the entire storage account level.

[Video description begins] The center pane displays two sections, "Stored access policies" and "Immutable blob storage." [Video description ends]

We're interested here in Immutable blob storage. Immutable here means that we don't want the data to be modified in any way. If it's going to be
preserved as evidence, then we need to make sure it's not going to be changed from its current state. So down below I'm going to click Add Policy to
do that.

[Video description begins] Two fields display underneath the heading "Immutable blob storage," "Policy type" and "TAG". At the bottom of the pane
display two buttons, OK and Cancel. [Video description ends]

And here we see that it tells us each legal hold policy needs to be associated with one or more tags. So the tag here is going to be Project. So any
blobs associated, or tagged rather, with the project metadata will be associated with this. Now, notice at the top we've got a Policy type, whether it's
Time-based Retention or Legal hold.

In this case, it's going to be Legal Hold, so I'm going to go ahead and click OK. And we can now see that we've got Legal Hold enabled for the
contents of items in the Projects folder in the Cloud that use the project tag.
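The two policy types offered in that blade behave differently once data is in place. The Python model below is an added example (not Azure's code) of a container under an immutable blob storage policy: new blobs can still be written, but an existing blob can neither be overwritten nor deleted while a legal hold is set, or, under time-based retention, until the retention period measured from its creation has elapsed. One caveat worth knowing: in Azure the hold applies to every blob in the container, and the tags label the hold itself rather than selecting blobs by their metadata.

```python
from datetime import datetime, timedelta

class ImmutabilityError(PermissionError):
    pass

class ImmutableContainer:
    """Constructed model of a container under an immutable blob storage policy.

    Legal hold: existing blobs cannot be modified or deleted until every hold tag is cleared.
    Time-based retention: existing blobs cannot be modified or deleted until
    `retention_days` after they were created.  Reads are always allowed.
    """
    def __init__(self):
        self.blobs = {}             # name -> (content, created_at)
        self.retention_days = None  # None = no time-based retention policy
        self.legal_hold_tags = set()

    def set_time_based_retention(self, days):
        self.retention_days = days

    def set_legal_hold(self, *tags):
        self.legal_hold_tags.update(tags)

    def clear_legal_hold(self, *tags):
        self.legal_hold_tags.difference_update(tags)

    def _check_writable(self, name, now):
        if name not in self.blobs:
            return  # write once: creating a new blob is always allowed
        if self.legal_hold_tags:
            tags = ", ".join(sorted(self.legal_hold_tags))
            raise ImmutabilityError(f"{name}: legal hold in effect ({tags})")
        if self.retention_days is not None:
            _, created_at = self.blobs[name]
            release = created_at + timedelta(days=self.retention_days)
            if now < release:
                raise ImmutabilityError(f"{name}: retained until {release:%Y-%m-%d}")

    def put(self, name, content, now):
        self._check_writable(name, now)
        self.blobs[name] = (content, now)

    def delete(self, name, now):
        self._check_writable(name, now)
        del self.blobs[name]

    def read(self, name):
        return self.blobs[name][0]

if __name__ == "__main__":
    t0 = datetime(2021, 2, 22)
    c = ImmutableContainer()
    c.put("Project_B.txt", b"evidence", t0)
    c.set_legal_hold("Project")
    try:
        c.delete("Project_B.txt", t0 + timedelta(days=1))
    except ImmutabilityError as err:
        print("blocked:", err)
```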

eDiscovery
[Video description begins] Topic title: eDiscovery. Your host for this session is Dan Lachance. [Video description ends]

eDiscovery stands for electronic discovery. The overarching purpose of eDiscovery is to find information that's stored in a digital manner somewhere,
such as in the cloud, for use with legal proceedings. Now, we have some standards and best practices related to how eDiscovery is conducted
available through the ISO/IEC publication 27050.

We also have the same types of things, best practices and guidelines, through the Cloud Security Alliance, or CSA. The Cloud Security Alliance is a
non-profit organization whose goal is really to provide security best practices when using cloud computing.

[Video description begins] Screen title: Digital Data and eDiscovery [Video description ends]

When you're talking about eDiscovery, the first consideration is where that data is located, such as in the cloud, on-premises, or replicated in
multiple locations in the cloud. The next is how you're going to gain access to that data, which means having the appropriate permissions to go in and
take a look at what's there.

And that might only be required from a read only perspective, depending on the nature of your eDiscovery requirements. The other thing to consider
is the vast amounts of data that you might need to sift through to find what you need. So the key here, of course, is using searching mechanisms to
search through vast data sets to determine if there's any relevant information for your eDiscovery.

Metadata plays a big part in this. Metadata is additional information that gets added to things like files, folders, or database records, whether
it's added manually or in an automated fashion. Metadata would include things like date/time stamps, which would be set in an automated fashion
and tied to things like transactions: when something was updated, read, or written to in some way.

Or even, in some cases, when things are deleted, we need to track exactly when that happened, of course. Now, it's important to make sure that we
trust the source of the metadata. In other words, do we have accurate and trustworthy date/time stamps? The other type of metadata would be
classification labels that are set by an organization. Maybe to flag certain types of documents as being related to financial sensitivity.

We might even have GPS coordinates as a type of metadata that is used as part of eDiscovery. We might want to look at the device type, what type of
device was used to partake in a certain type of transaction online? The username that was signed in to a particular device can be a very relevant piece
of metadata, as well as the network transmission path.

Where does it appear that the transmission stemmed from? Even in this day and age of proxy anonymizers, eDiscovery and network transmission
paths can still be very important to determine an origin for a type of communication over the Internet or into or out of the cloud.


Event Sources and Attributes


[Video description begins] Topic title: Event Sources and Attributes. Your host for this session is Dan Lachance. [Video description ends]

There are times when you may want to examine the activity related to a cloud-based resource, such as a virtual machine. You may want to take a look
at events and attributes of those events that are related to some aspect of working with a virtual machine. Which is what we're going to do here. So
here in the Microsoft Azure portal, I've already gone to the Virtual Machines view over here on the left. So I'm going to click on one of my existing
virtual machines to open up its properties.

[Video description begins] He clicks a virtual machine named winsrv2016-1. The navigation pane of this page contains options such as "Overview"
and "Activity log." [Video description ends]

Now, in the properties section, I'm going to click Activity log. The Activity log is a log of activity related to the cloud resource itself. So it does not
contain logged information about what was happening within the virtual machine's operating system or any applications that might be running within
it.

[Video description begins] The center pane displays a blank table with columns such as OPERATION NAME, STATUS, TIME, and SUBSCRIPTION.
Above the table, current filter settings display, along with an Add Filter button and a Search field. Some of the filters are "Management Group" which
is set to "None," and "Timespan" which is set to "Last 6 hours." At the top of the pane, options such as Edit columns, Refresh, Download as CSV, and
Logs display. [Video description ends]

So for the activity log over on the right, the timespan defaults to the last six hours. So I'm going to click right on that, and I'm going to choose Last
month, and then I'll click Apply.

[Video description begins] The other Timespan radio options include Last 1 hour, Last 24 hours, and Last week. [Video description ends]

However, I can further filter the type of activity log entries I'm looking for.

[Video description begins] The table gets populated with activity logs from last month. [Video description ends]

So I'm going to click on the Add Filter button to do that, and from the drop-down list, I'll choose Event category.

[Video description begins] Below the filters, two drop-down fields appear for setting Resource type and filter value. [Video description ends]

[Video description begins] The other options in the Resource type drop-down list are "Operation" and "Event initiated by." [Video description ends]

And from the list of categories, I get to select what it is I'm interested in when it comes to filtering by.

[Video description begins] He clicks the second drop-down field and categories such as "Administrative," "Security," and "Alert" display. [Video
description ends]


So maybe here I'm interested in taking a look at administrative tasks related to this virtual machine. So I'm going to choose Administrative and we'll
just wait for the filter to be applied. So now I can see, for example, the operation such as deallocating of the virtual machine, which means stopping it,
and then starting of the virtual machine.

So we can see the events listed here, and all of the attributes are available, such as when it happened, so we have the timestamp. We can see the
subscription it's tied to here in the Cloud, and who the event was initiated by. The other thing that's great about this is that once you've found what you
need, you can also download it as a CSV file, which you could then import into another program like Microsoft Excel, for instance, where you could
further manipulate the data.
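The same filtering (time span, event category, one resource) is easy to reproduce over exported activity-log records, which is useful when the portal's single-resource view is too narrow. The Python below is an added example, not Azure's tooling: it runs over constructed records in the shape of activity-log entries (made-up callers and timestamps, an all-zero subscription id), filters to Administrative events on one VM over the last 30 days, compares resource IDs case-insensitively as Azure does, and writes the columns shown in the portal as CSV.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of exported Azure activity-log entries
# (made-up callers, timestamps and an all-zero subscription id; not real data).
SUB = "00000000-0000-0000-0000-000000000000"
VM1 = f"/subscriptions/{SUB}/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/winsrv2016-1"
VM2 = f"/subscriptions/{SUB}/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/winsrv2016-2"

def _event(ts, category, operation, caller, resource, status="Succeeded"):
    return {"eventTimestamp": ts, "category": {"value": category},
            "operationName": {"value": operation}, "status": {"value": status},
            "caller": caller, "subscriptionId": SUB, "resourceId": resource}

SAMPLE_EVENTS = [
    _event("2021-02-20T14:02:11Z", "Administrative",
           "Microsoft.Compute/virtualMachines/deallocate/action", "dan@example.com", VM1),
    _event("2021-02-21T08:15:40Z", "Administrative",
           "Microsoft.Compute/virtualMachines/start/action", "dan@example.com", VM1),
    _event("2021-02-21T08:16:02Z", "Security",
           "Microsoft.Security/locations/alerts/activate/action", "azure-security-center", VM1),
    _event("2021-02-10T23:58:09Z", "Administrative",
           "Microsoft.Compute/virtualMachines/write", "ops-automation-sp", VM2),
    _event("2021-01-05T10:30:00Z", "Administrative",
           "Microsoft.Compute/virtualMachines/delete", "dan@example.com", VM1),
]

def parse_ts(value):
    """Activity-log timestamps are UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def operation_short(operation):
    """'Microsoft.Compute/virtualMachines/deallocate/action' -> 'deallocate', '.../write' -> 'write'."""
    parts = operation.split("/")
    return parts[-2] if parts[-1] == "action" else parts[-1]

def filter_events(events, since, category=None, resource_id=None):
    """Keep events at or after `since`, optionally in one category and on one resource.
    Resource IDs are compared case-insensitively, as Azure treats them."""
    selected = []
    for event in events:
        if parse_ts(event["eventTimestamp"]) < since:
            continue
        if category and event["category"]["value"] != category:
            continue
        if resource_id and event["resourceId"].lower() != resource_id.lower():
            continue
        selected.append(event)
    return sorted(selected, key=lambda e: e["eventTimestamp"], reverse=True)  # newest first

def operations_by_caller(events):
    """Who did what, how often: {caller: {operation: count}}."""
    summary = {}
    for event in events:
        counter = summary.setdefault(event["caller"], Counter())
        counter[operation_short(event["operationName"]["value"])] += 1
    return {caller: dict(counter) for caller, counter in summary.items()}

def to_csv(events):
    """Same columns as the portal's activity-log table and its 'Download as CSV'."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["OPERATION NAME", "STATUS", "TIME", "SUBSCRIPTION", "EVENT INITIATED BY"])
    for e in events:
        writer.writerow([e["operationName"]["value"], e["status"]["value"], e["eventTimestamp"],
                         e["subscriptionId"], e["caller"]])
    return buf.getvalue()

if __name__ == "__main__":
    now = datetime(2021, 2, 22, tzinfo=timezone.utc)
    admin = filter_events(SAMPLE_EVENTS, now - timedelta(days=30), "Administrative", VM1)
    print(to_csv(admin))
    print(operations_by_caller(admin))
```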

Data Events
[Video description begins] Topic title: Data Events. Your host for this session is Dan Lachance. [Video description ends]

Sometimes you'll want to run queries against logged activity that relates to cloud resource usage. And instead of going to each individual cloud
resource, you can go to a central analytic workspace to do the same thing. So for instance, if I'm interested in taking a look at any security events
related to a Linux virtual machine in the cloud, I could go to an individual virtual machine to do that.

But if I've got dozens of them, it might make more sense to do it in a more centralized manner. And so here in the Microsoft Azure portal, I'm going
to start by going to the All resources view, and I'm going to filter the list of resources by the word log.

[Video description begins] In the All resources page, a table of resources displays with columns such as NAME, TYPE, RESOURCE GROUP, and
LOCATION. Above, the current filter settings display, along with an input box containing the prompt "Filter by name," and an Add filter button. At
the top of the page are options such as Add, Edit columns, and Export to CSV. [Video description ends]

I'm looking for log analytic type of workspaces here in Microsoft Azure, so I'm going to choose the second one of the list here.

[Video description begins] Filtered results display in the table. The TYPE column contains "Log Analytics workspace," "Solution," or "Storage
account." [Video description ends]

Now a log analytic workspace, as the name implies, is a workspace where you analyze logs. So I'm going to go ahead and click on that workspace to
open it up. The first thing we should do is take a look at where the data is coming from.

[Video description begins] He scrolls down the navigation pane of the new page that displays. It contains a menu group called "Workspace Data
Sources" which contains options such as Virtual machines and Storage accounts logs. [Video description ends]

So if I scroll down and look at the Workspace Data Sources, I can click on Virtual machines.

[Video description begins] A table of virtual machines displays in the center pane, containing columns such as NAME, LOG ANALYTICS
CONNECTION, and SUBSCRIPTION. Above are the current filter settings and an input box containing the prompt "Filter by name." At the top of the
pane display two buttons, "Refresh" and "Help." [Video description ends]


Here I can see the virtual machines, with their names, and the fact that they are associated with this workspace for their logged information, whereas others
might be listed here and show as Not connected. And others might even be connected to other log analytic workspaces.

[Video description begins] The LOG ANALYTICS CONNECTION column contains "This workspace," "Other workspace," or "Not Connected."
[Video description ends]

We can also gather log information from Azure Storage accounts, activity logs, and so on.

[Video description begins] As he clicks the Storage accounts logs option in the navigation pane, a blank table displays in the center pane. Its columns
are titled NAME, DATA TYPE, SOURCE, and LOG ANALYTICS CONNECTION. [Video description ends]

So what I'm going to do is scroll back up and click on Logs. That's going to open up a log query editor over on the right hand side of the screen. Now,
we can explore this by taking a look at some of the categories of information that is logged.

[Video description begins] The left-hand side of the center pane contains two tabs, "Schema," which is selected, and "Filter." The Schema tab contains
many expandable categories such as "Functions" and "Security" under the heading "Active." The right-hand side of the pane has two horizontal
sections, a query editor above and a section titled "Get started with sample queries" below. A Run button and a Time range filter display in the query
editor, along with a Save button. [Video description ends]

For example, if I expand security, I can see a number of tables, each of these is actually a table. So for example, this is a SecurityAlert table. And if I
expand that, I can even see all of the columns or the fields within that table and their data type. So the small, italicized t is for text. We've got numeric,
date and time values.

[Video description begins] Numeric is denoted by a hash symbol and date and time by a clock. [Video description ends]

Now if I were to double-click on a table name, it puts it into the query editor over on the right.

[Video description begins] He double-clicks "SecurityAlert" and it appears in the query editor. [Video description ends]

And right away, I could click Run. Notice, though, that the time range is only the last 24 hours, but I could click Run, and if there are any query results,
I will see them. In this case, it says there are no results found. Now, I could type in a vertical bar, or pipe symbol, hit Space, and then run more
operations against the contents of, in this case, the SecurityAlert table.

[Video description begins] As he enters a pipe symbol and space, a list of operators displays, such as "where" and "count." [Video description
ends]

So I could count the number of entries. I could use a where operator. I could order by a certain way. I could limit the number of items and so on. So
we can scroll down and even select specific items within a table. These are columns like DisplayName.

[Video description begins] As he selects "DisplayName" from the left, it gets added after the pipe symbol in the query editor. [Video description ends]


So I can specify columns such as that. Now you can also, once you get used to it, start writing your own queries. So for instance, once I get familiar
with table names and the fields and the values that might be stored in them, I could do something like this.

[Video description begins] He enters the following code in the query editor: LinuxAuditLog | where Computer == "ubuntu-srv1". [Video description
ends]

So here I'm referring to a table called LinuxAuditLog. And I want to show items in that log table where the Computer equals, notice the operator is a
double equal sign, and in this case the name of a particular virtual machine, ubuntu-srv1. Now, the time range here is only the last 24 hours.

So I could click on that time range and choose other items including Custom, where I have the option of specifying, if I scroll over to the right, we'll do
that again, when we want it to start.

[Video description begins] As he clicks "Custom" from the Time range options, a calendar opens with the current date highlighted. Hours, minutes,
and seconds display at the bottom of the calendar. [Video description ends]

So I want to go let's say from a few months back to the current date, and then I would click the Apply button down at the bottom. So we've now got a
custom time range that our query will be run against.

[Video description begins] The Time range filter is set to "Custom." [Video description ends]

And of course, I can run it again. If there are no results found, it means there is no data related to what you are asking for. It doesn't mean there was
an error in any way. So in this way, we can start to query data events related to cloud resources from a centralized location.

SIEM
[Video description begins] Topic title: SIEM. Your host for this session is Dan Lachance. [Video description ends]

Properly managing an IT environment, whether it's on-premises or on the cloud as related to security, means knowing when security incidents occur.
And that's where security information and event management, otherwise called SIEM, comes in. SIEM is all about real-time security alerts. Time is of
the essence, in other words. It can support security events that stem from a multitude of different sources.

And it also provides services for event analysis and correlation, so that we might have a current event that maybe is tied to a past event that's
different, perhaps a security compromise that led to a current incident that relates to a data breach. SIEM can pull data from a number of different
sources, one of which would be web applications, where we can track access to a web application, changes to the code using a web application, that
type of thing.

Network infrastructure equipment like routers, switches, wireless access points, hardware security modules or HSMs to store cryptographic keys,
VPN appliances, the list goes on and on. Another SIEM data source can be events that occur related to databases, shared folders in the file system,
and even authentication servers, such as knowing when we have multiple failed authentication attempts for the same account within a short period of
time. So with SIEM, we have centralized logging and alerting.


So in our diagram, imagine that we've got web application servers in a DMZ, a demilitarized zone. So these are the front end web servers. Now,
what would then happen is we would have configured alerts on our centralized logging and monitoring host, that would be a SIEM server. Now that
host would reside on a private network. And we would have log information forwarded to a centralized logging host, which could at the same time be
the SIEM host. It doesn't have to be, but it can be.

Now when we configure alerts, this is going to be specific to what we deem as being suspicious or problematic in our specific computing
environment. And so we want to make sure that we take the time to configure alert thresholds properly to reduce the amount of false positives. Where
a false positive falsely claims that there's some kind of security incident when in fact there is not.

Now, the other thing we need to make sure we have is a backup of all of this logged and auditing information, that is, even the configuration of alerts.
Now ideally, the actual logged information should be encrypted for safekeeping, ideally on a protected network.

[Video description begins] A workflow displays containing three nodes, Web application servers, Centralized logging/monitoring host, and Encrypted
backup. Unidirectional arrows point from the first node to the next. Below the three nodes, the following text displays respectively: "DMZ," "Private
network," and "Protected network." A call-out containing the text "Configured alerts" originates from the second node. [Video description ends]

When you configure a SIEM solution, the thing to bear in mind is that you're going to have to tweak it for your specific environment. We've
mentioned that what is suspicious in one network might not be suspicious on another network. It might be considered normal. So we have to define
what normal is in our computer environment, so we can easily identify what's abnormal in the context of a security incident.

So reducing false positives, having a baseline of what's normal is important. And then of course always remaining compliant with specific laws and
regulations, such as maybe ensuring that we have encryption of a certain strength applied to data at rest. The alert thresholds we configure can be
changed over time as we evolve with the threat landscape that also evolves.

So for example, we might start off saying if we have six incorrect login attempts that's suspicious, but then we might realize over time that, well, users
in our environment normally do not forget their passwords. And so we might reduce that configuration to setting an alert notification after 3 incorrect
login attempts for the same account within a short period of time.
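The two ideas above, the `LinuxAuditLog | where Computer == "ubuntu-srv1"` filter from the Data Events topic and the "N failed logins for the same account within a short period" alert threshold from this SIEM topic, can be put together in a small Python script. This is an added example, not code from the course or from Microsoft; the table rows are constructed here, and the column names `Computer`, `Account`, `Result` and `TimeGenerated` are assumptions for this example rather than the real schema of any Log Analytics table.

```python
"""Constructed example (not part of the course): filter auth events the way the
LinuxAuditLog | where Computer == "ubuntu-srv1" query does, then apply a SIEM-style
"N failed logins for the same account within a short window" alert rule."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rows, shaped loosely like a Log Analytics auth table. The column
# names (Computer, Account, Result, TimeGenerated) and all values are assumptions.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2021-02-22T10:00:05Z", "Computer": "ubuntu-srv1", "Account": "alice", "Result": "failed"},
    {"TimeGenerated": "2021-02-22T10:00:40Z", "Computer": "ubuntu-srv1", "Account": "alice", "Result": "failed"},
    {"TimeGenerated": "2021-02-22T10:01:10Z", "Computer": "ubuntu-srv1", "Account": "alice", "Result": "failed"},
    {"TimeGenerated": "2021-02-22T10:01:30Z", "Computer": "ubuntu-srv1", "Account": "alice", "Result": "success"},
    {"TimeGenerated": "2021-02-22T10:02:00Z", "Computer": "ubuntu-srv1", "Account": "bob", "Result": "failed"},
    {"TimeGenerated": "2021-02-22T10:05:00Z", "Computer": "ubuntu-srv2", "Account": "carol", "Result": "failed"},
    {"TimeGenerated": "2021-02-22T10:05:20Z", "Computer": "ubuntu-srv2", "Account": "carol", "Result": "failed"},
    {"TimeGenerated": "2021-02-22T10:05:45Z", "Computer": "ubuntu-srv2", "Account": "carol", "Result": "failed"},
    {"TimeGenerated": "2021-02-22T10:30:00Z", "Computer": "ubuntu-srv1", "Account": "bob", "Result": "failed"},
    {"TimeGenerated": "2021-02-22T10:58:00Z", "Computer": "ubuntu-srv1", "Account": "bob", "Result": "failed"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def where(events, **conditions):
    """Equality filter, the equivalent of `| where Column == "value"` in the query editor."""
    return [e for e in events if all(e.get(col) == val for col, val in conditions.items())]


def summarize_count_by(events, column):
    """Equivalent of `| summarize count() by Column`: number of rows per distinct value."""
    counts = defaultdict(int)
    for e in events:
        counts[e[column]] += 1
    return dict(counts)


def failed_login_alerts(events, threshold=3, window_minutes=5):
    """Raise one alert per (Computer, Account) when `threshold` failed logins fall within the window.

    A sliding window of failure timestamps is kept per key. Timestamps older than the
    window are dropped before each new failure is counted, and the window is cleared
    after an alert so that one burst produces one alert rather than one per extra failure.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda r: parse_ts(r["TimeGenerated"])):
        if e["Result"] != "failed":
            continue  # successful logins do not count toward the threshold
        key = (e["Computer"], e["Account"])
        ts = parse_ts(e["TimeGenerated"])
        dq = recent[key]
        while dq and ts - dq[0] > window:
            dq.popleft()
        dq.append(ts)
        if len(dq) >= threshold:
            alerts.append({
                "Computer": key[0],
                "Account": key[1],
                "count": len(dq),
                "first_failure": dq[0].isoformat(),
                "last_failure": ts.isoformat(),
            })
            dq.clear()
    return alerts


if __name__ == "__main__":
    srv1 = where(SAMPLE_EVENTS, Computer="ubuntu-srv1")
    print("rows for ubuntu-srv1:", len(srv1))
    print("failed rows per account:", summarize_count_by(where(srv1, Result="failed"), "Account"))
    # Same threshold, two window sizes: bob's spread-out failures only trip the wider one.
    print("5-minute window:", failed_login_alerts(srv1))
    print("60-minute window:", failed_login_alerts(srv1, window_minutes=60))
```

Running the script shows the tuning point made above: with a 5-minute window only alice's burst on ubuntu-srv1 fires, while widening the window to 60 minutes also catches bob's three failures spread over an hour, and raising the threshold to 6 silences both. Those two knobs, count and window, are what get adjusted as the baseline of "normal" for the environment becomes clearer.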

Course Summary
[Video description begins] Topic title: Course Summary [Video description ends]

So in this course, we've examined how planning and implementing data retention, deletion, and archiving policies can help meet regulatory
compliance needs. And it also allows us to use data events for analyzing and troubleshooting problems. We did this by exploring data retention policy
principles and how to develop appropriate practices.

We also took a look at how to define and manage both data deletion and data archiving procedures and methodologies as well as the need for using
legal holds. We also talked about event sources and attributes, how to gather, analyze, store, and archive events and log data.

And, finally, we explored the various capabilities of SIEM. In our next course, we'll move on to explore issues related to the security of physical and
virtual supporting components of the cloud infrastructure.