# Logging Strategy and SIEM Use Cases

One-sentence definition: Plan collection, normalization, correlation, and alerting so logs produce actionable detections.

## Key Facts

- Prioritize identity, endpoint, network, cloud control-plane, and critical application logs.
- Normalize time (NTP) and fields; a common schema enables cross-source correlation.
- Build use cases from risks and ATT&CK techniques; enrich events with asset and identity context.
- Tune noise: suppress benign patterns and document the rationale for each rule.
- Retention aligns with legal/regulatory obligations and incident-response needs.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Choose risk-driven use cases over "ingest everything."

**Mnemonic:** "**Log less, learn more**."

## Mini Scenario

Q: Many false-positive alerts on a benign admin tool. Fix?

A: Add an allowlist/context, adjust thresholds, and document the exception.

## Revision Checklist

- Five priority log sources.
- Enrichment examples.
- Retention principle.

## Related

[[Log Integrity Time Sync and Retention]] · [[Use Case and Detection Engineering Lifecycle]] · [[Security Operations Center (SOC) Fundamentals]] · [[Operational Metrics and KPIs (MTTD MTTR Coverage)]] · [[Playbooks and SOAR Automation]] · [[Domain 7 - Index]]