Creating Your Own Threat Intelligence

During my time in a previous role, I remember attending a vendor presentation where the salesperson listed all the reasons why I needed to invest in a third-party threat intelligence service. Most of the pitch was aimed at the attack trends happening in my industry and how to stay safe. His presentation got me thinking about what threat intelligence would be most relevant to me. Specifically, I thought about which types of users would be targeted, what I was worried about losing, and where I should look for attack indicators. I started examining different event logs within my infrastructure that I knew no one else was analyzing – many of them weren’t even security logs – and I was amazed at the wealth of data out there just waiting to be analyzed.

I believe third-party threat intelligence offerings can be an integral part of an enterprise information security program. However, I also think you can leverage existing systems to create your own intelligence. A big piece of your organization’s cyber security story can be uncovered with a minimal amount of log analysis.

Here is a pair of tips on how to do just that.

Start Logging Events That Can Be Analyzed

Turn on logging features where they are available, and write code that logs critical events in custom applications. If your servers, network devices, applications and PCs aren’t logging, there’s no way to know what’s happening. I’d recommend forwarding those logs to a centralized security information and event management (SIEM) system, but even if you don’t have the budget for that, ensure the logs are saved somewhere. The longer you can keep them without impacting system performance, the better. Two hours’ worth of logs doesn’t give you enough events to trend activity over time; 60 days’ worth of data can provide reliable trending information.

Where possible, it’s also a good idea to fine-tune what you’re logging; otherwise you’ll be stuck sifting through a host of unnecessary entries. My favorite example is an old Windows audit event stating that “A handle to an object was requested.” There were thousands of entries, but they were all useless. Newer versions of Windows Server let you make your audit policy granular so you only get what you need. This helps when trying to identify certain types of logged behavior.

Where to Find Threat Intelligence

Personally, the perimeter firewalls and DNS are my favorite place to start. If you do have computers that are talking to the bad guys, this is where you’re going to find it. For example, let’s suppose you are using Office 365 and the majority of outbound requests from your network are to Office 365 IPs. That would make perfect sense and would indicate expected behavior. If the majority of requests are to an IP address in Russia that you can’t identify, you likely have a problem. The firewall is also a good place to watch for denial of service patterns. If you total the allowed and denied requests per minute and baseline that total over time, you get a clear graph of what “normal” looks like. Then you can set up alerts for when the number of requests spikes to “abnormal” levels. If requests suddenly triple or quadruple without any business correlation, it could be an indicator of a denial of service attack.
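The per-minute baseline and spike alert described above, as an added example that is not part of the original post: it totals allowed and denied requests per minute from constructed firewall lines in a generic `timestamp action src dst` layout (the field order and the 198.51.100.10 destination are assumptions, not any vendor's format), builds a baseline from known-normal minutes, and flags minutes that reach three times that baseline.

```python
import re
from collections import defaultdict
from statistics import mean

# Generic 'timestamp action src dst' layout; adapt the pattern to your firewall's export.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>allow|deny) (?P<src>\S+) (?P<dst>\S+)$")

def build_sample():
    """Constructed log: five minutes of 20 requests each, then a minute of 85."""
    lines = []
    for minute in range(6):
        n = 20 if minute < 5 else 85
        for i in range(n):
            action = "deny" if i % 4 == 0 else "allow"
            # 198.51.100.10 (documentation range) stands in for the expected SaaS destination.
            lines.append(f"2024-03-01T09:0{minute}:{i % 60:02d} {action} 10.0.0.{i % 250 + 1} 198.51.100.10")
    return lines

def count_per_minute(lines):
    """Allowed and denied requests per minute, keyed by 'YYYY-MM-DDTHH:MM'."""
    counts = defaultdict(lambda: {"allow": 0, "deny": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            counts[m.group("ts")[:16]][m.group("action")] += 1
    return dict(counts)

def baseline_rate(counts, normal_minutes):
    """Mean total requests per minute over a set of known-normal minutes.

    In production the baseline comes from weeks of history (the 60 days the
    post recommends); here it is the first five constructed minutes.
    """
    return mean(sum(counts[m].values()) for m in normal_minutes)

def detect_spikes(counts, baseline, factor=3.0):
    """Minutes whose total reaches `factor` times the baseline (triple by default)."""
    return sorted(m for m, c in counts.items() if sum(c.values()) >= factor * baseline)

if __name__ == "__main__":
    counts = count_per_minute(build_sample())
    normal = [m for m in sorted(counts) if m < "2024-03-01T09:05"]
    base = baseline_rate(counts, normal)
    print(f"baseline {base:.1f} req/min; abnormal minutes: {detect_spikes(counts, base)}")
```

A real deployment would compute the baseline per hour of day and weekday rather than one flat mean, since "normal" at 3 a.m. differs from 10 a.m.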

From a user perspective, I like going to three distinct places – antivirus, web filtering, and device blocking. These systems will tell you who’s downloading malicious files, what bad websites users are going to, and whether they’re plugging in unauthorized USB drives or smartphones. Logs for failed installs at the PC level will tell you who’s trying to install unauthorized software. The nice part about these logs is they can be traced to a user and you can take action. This level of intelligence can indicate where future problems are likely to come from internally.

It’s also a good idea to review Active Directory group membership on a recurring basis. Think about how often someone gets added to an AD group because they need temporary access to data. How often is that group purged of temporary users? You can also look at the logs to determine who is adding, changing, and deleting group memberships, and who is doing the same to the user accounts themselves. The logs for VPN and multifactor authentication can provide a wealth of information about remote access. It’s important to know who’s working remotely, what time they are working, etc. The intelligence gained here provides insight into who’s likely to be compromised. For example, these users may not connect to the home network often enough to receive patches and antivirus definitions.
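The recurring group-membership review described above, as an added example that is not part of the original post: it replays constructed ADD/REMOVE audit lines (the line layout, group names, users and actors are all assumptions, not a real directory's log format) into current membership, reports members who have outlived a temporary-access window, and counts which accounts are making the changes.

```python
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed audit lines (not a real directory's log format); map your own
# source, e.g. forwarded Windows security events, onto this shape first.
SAMPLE_AUDIT = """\
2024-01-08 ADD group=Finance-Share user=jdoe by=helpdesk1
2024-01-08 ADD group=Finance-Share user=asmith by=helpdesk1
2024-01-20 REMOVE group=Finance-Share user=asmith by=helpdesk1
2024-02-14 ADD group=Domain-Admins user=contractor7 by=svc-deploy
2024-02-28 ADD group=Finance-Share user=mlee by=helpdesk2
"""
AUDIT_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (ADD|REMOVE) group=(\S+) user=(\S+) by=(\S+)$")

def replay_membership(text):
    """Replay ADD/REMOVE events into current membership: group -> {user: (added_on, actor)}."""
    members = defaultdict(dict)
    for line in text.splitlines():
        m = AUDIT_RE.match(line.strip())
        if not m:
            continue
        day, op, group, user, actor = m.groups()
        if op == "ADD":
            members[group][user] = (date.fromisoformat(day), actor)
        else:
            members[group].pop(user, None)
    return dict(members)

def overdue_members(members, as_of, max_days=30):
    """Members still present after a temporary-access window, oldest first.

    Returns (group, user, days_in_group, actor_who_added) tuples.
    """
    today = date.fromisoformat(as_of)
    rows = []
    for group, users in members.items():
        for user, (added, actor) in users.items():
            age = (today - added).days
            if age > max_days:
                rows.append((group, user, age, actor))
    return sorted(rows, key=lambda r: -r[2])

def changes_by_actor(text):
    """Count membership changes per actor so unexpected accounts stand out."""
    return Counter(m.group(5) for m in map(AUDIT_RE.match, text.splitlines()) if m)

if __name__ == "__main__":
    current = replay_membership(SAMPLE_AUDIT)
    for row in overdue_members(current, "2024-03-01", max_days=14):
        print("overdue: group=%s user=%s days=%d added_by=%s" % row)
    print("changes by actor:", dict(changes_by_actor(SAMPLE_AUDIT)))
```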

Event: Your cybersecurity questions answered

Want additional advice on building and maintaining more effective cyber security initiatives within your organization? Join me on April 13 at Arraya Solutions’ first-ever Security Forum. During this free, half-day event, I’ll present on a variety of topics, including the most dangerous emerging threats and the proper way to build an incident response team and plan. This event will provide today’s IT leaders with some of the knowledge and skills needed to guide their organizations to success in a business world plagued by high-tech threats.

Space is limited so reserve your spot today: arraya.rocks/events.

Feel free to send any questions you’d like to have answered prior to the event to https://www.arrayasolutions.com//contact-us/ or use social media (LinkedIn, Twitter, and Facebook) to leave me a comment on this post.
