# requirements - mirpag/SEC-350-Final-Project GitHub Wiki
## General Requirements

- You have a segmented, secure network
- You have a means to administer it securely from the outside
  - this could be SSH with port forwarding, or it could be a VPN
- Your hosts have names; you have DNS.
  - A DC is not required, but it might be helpful
  - DHCP is not required
  - seeing localhost, ubuntu, or centos in your logs is not a good move
  - Anything inside the DMZ, LAN or MGMT should be accessed by hostname, not IP address
- You have named users
  - you shouldn't be seeing champuser, Administrator or root (unless you've elevated)
- Your demonstrations are professional, rehearsed, have sound, and are captured at 1080p or better
- Your documentation allows someone of your team's expertise level to repeat your steps.
## Feed Requirements

For each of the following:

- You are generating local logs
- These logs are sent to your SIEM of choice
- These logs are displayed as information in a dashboard. This includes extraction of relevant fields.

Feeds:

- Auth Logs: You have a log source of authentication events from your chosen firewall(s) and all of your Linux hosts.
- HTTP Access Logs: This is something new, but it is a common log source with a good deal of information in it. SSL is not a requirement for this one, but it would be a nice touch.
- Firewall Events or Bro Feed: You know how to do this; this is simply reimplementing something you've done, as well as making sure you extract and display useful information.
- 1 new log feed per team member. One of these feeds should be from a Windows system.
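The "extraction of relevant fields" requirement is the part teams most often leave to the SIEM's defaults, so here is an added example (not part of the wiki or the project's code) of what a field extraction for the HTTP access log feed should produce before it reaches a dashboard. It assumes the web server writes the Apache/nginx "combined" format; the log lines below are constructed samples, not real traffic.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format (assumption: the team's web server uses it).
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (hostnames/addresses are made up for this example).
SAMPLE_LINES = [
    '10.0.5.20 - - [03/Apr/2024:14:02:11 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.5.21 - alice [03/Apr/2024:14:02:15 -0400] "POST /login HTTP/1.1" 302 0 "http://web01/login" "curl/8.4.0"',
    '10.0.5.22 - - [03/Apr/2024:14:02:19 -0400] "GET /admin HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    'this line is not an access log entry',
]


def parse_access_line(line):
    """Return the dashboard fields for one line, or None if it does not match the format."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])              # numeric so panels can filter on >= 400
    fields["bytes"] = 0 if fields["bytes"] == "-" else int(fields["bytes"])
    return fields


def summarize(lines):
    """Aggregate the parsed fields the way a dashboard panel would: per status and per client.
    Unparsed lines are counted rather than dropped silently, so a format change is visible."""
    by_status, by_client, unparsed = Counter(), Counter(), 0
    for line in lines:
        fields = parse_access_line(line)
        if fields is None:
            unparsed += 1
            continue
        by_status[fields["status"]] += 1
        by_client[fields["client"]] += 1
    return {"by_status": by_status, "by_client": by_client, "unparsed": unparsed}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_access_line(line))
    print(summarize(SAMPLE_LINES))
```

The same approach (one regex per log format, numeric types for numeric fields, a counter for lines that fail to parse) applies to the auth and firewall feeds.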