# Log Integrity, Time Sync, and Retention
One-sentence definition: Ensure logs are trustworthy, time-aligned, and kept long enough to investigate and prove events.
## Key Facts
- Use an NTP hierarchy to prevent clock skew; sign and time-stamp critical logs.
- Integrity guards: append-only/WORM, hashing, secure transport (TLS).
- Separation of duties: admins cannot alter audit logs.
- Size retention and rotation according to risk and regulation; distinguish hot vs cold storage.
- Forward logs to the SIEM with metadata (host, app, tenant) for attribution.
- **Verify:** check official (ISC)² CBK and current exam outline.
## Exam Relevance
- Pick WORM and time sync to preserve admissibility.

**Mnemonic:** “**Right time, right truth**.”
## Mini Scenario
Q: Two servers show events in the opposite order. What is the cause, and what is the fix?
A: Clock skew; enforce NTP and re-ingest.
## Revision Checklist
- Two integrity controls.
- Why NTP matters.
- Retention categories.
## Related
[[Logging Strategy and SIEM Use Cases]] · [[Use Case and Detection Engineering Lifecycle]] · [[Chain of Custody for Digital Evidence]] · [[Incident Response Lifecycle (NIST-Style)]] · [[Security Operations Center (SOC) Fundamentals]] · [[Domain 7 - Index]]