  1. Log Lines Category
    1. Control Plane
      1. Cloud Infrastructure
        1. Network Logs
      2. Service - Control Plane Logs
        1. Container Infrastructure
        2. RDS
        3. DynamoDB
        4. Lambda
        5. ALB
        6. CloudFront
    2. Operational Plane
      1. Pipelines
      2. Identity Usage
    3. Data Plane
      1. Application Logs
      2. Service - Data Plane Logs
      4. High Fidelity Events
  2. GenAI
    1. Canonical Model (e.g. OCSF) -> Log Correlation, Pattern and Anomaly Detection
    2. Writing Queries based on the underlying Log Line Data Model
    3. Analyzing and summarising the impact of an Event
  3. Use-Case
    1. Identified based on Threat Models and the appropriate log lines being ingested
    2. Standard Operational Hygiene related to a Known Good Security Posture
  4. Threat Domain Coverage
    1. Cloud Platform
      1. Log Lines
        1. CloudTrail
          1. Management Event
          2. Data Event
          3. Insights
        2. VPC Flow Logs
        3. DNS Query Logs
        4. CloudWatch Logs
        5. S3 - Access Logs
        6. ALB Access Logs
        7. WAF
        8. Network Firewall
        9. Personalized Health Dashboard
      2. Cloud Security Posture Management - AWS Security Hub
        1. Threat Intelligence - Amazon GuardDuty
          1. Threat Intelligence (IP & Domains)
          2. AWS Security
          3. Third Party Threat Feed Providers
          4. Proofpoint
          5. CrowdStrike
          6. Custom Threat List
          7. Anomaly Detection & Machine Learning
          8. EC2 Findings
          9. IAM Findings
          10. S3 Findings
          11. Kubernetes Findings
          12. Pivot to Amazon Detective
          13. Automated Response & Remediation
          14. Integration with AWS Security Hub
          15. EventBridge (Enrichment, Actions, Notifications)
          16. Amazon GuardDuty Partners
        2. Continuous Compliance - AWS Config
          1. Configuration Item
          2. Metadata
          3. Attributes
          4. Relationships
          5. Current Configuration
          6. Resource Inventory
          7. Resource Relationship
          8. Configuration Management
          9. Configuration Drift
          10. Continuous Compliance
          11. Compliance Dashboard
          12. Security Analysis
          13. Native SQL like Query
          14. Compliance Rules
          15. Managed Rules
          16. Custom Rules
          17. Remediation
        3. Vulnerability Scanner - Amazon Inspector
          1. EC2 Scanning
          2. ECR Scanning
          3. Network Reachability
          4. Configuration Analyzed
          5. Scoring
          6. Service
          7. TCP Ports
          8. UDP ports
          9. Internet Path Rating
          10. Open path Rating
        4. Managed Threat Hunting - Amazon Detective
          1. Features
          2. Automatic Data collection
          3. Consolidate events in graph model
          4. Interactive visualization
          5. Use Cases
          6. Incident Investigation
          7. Threat Hunting
          8. Root cause analysis
          9. Behaviour Graph
          10. Entities Relationship
          11. Finding Overview
          12. Summary of findings
        5. Data Protection - Amazon Macie
          1. Data Discovery
          2. Data Classification
          3. Data Security Posture
          4. Remediation with Security Hub
        6. Access Analyzer
          1. Identify resources shared with external entities
        7. Firewall Manager
          1. Manage Security Groups
          2. Manage WAF ACLs
    2. Identity
      1. Directory Service
      2. Single Sign On
      3. PIM/PAM
      4. UBA - User Behavioural Analytics
    3. Operating System
      1. Memory Analysis
      2. Disk Analysis
      3. Patch Management
    4. Endpoints
      1. Anti-Virus
      2. Anti-Malware
      3. Anti Phishing
      4. WAF
    5. Application
      1. Web Application Vulnerabilities - OWASP
      2. Static Code Analysis
  5. SIEM Sizing & Log Ingestion Strategy
    1. How many log lines are considered - EPS?
      1. Frequency & volume of logs
      2. Log Structure - Data Formats
      3. Log data sources inventory
    2. Log Ingestion Latency
      1. Log ingestion mechanism
        1. Batch or Stream
        2. Parsing and Normalization
        3. Agent or API integration
    3. Data Retention in SIEM
      1. Is SIEM your data lake?
  6. Threat Management - 5 Execution Domains
    1. Identify
      1. Inventory of Assets and Vulnerabilities
    2. Detect
      1. Logging Maturity
      2. Know whether any Vulnerabilities are being exploited
      3. Look for IoCs
        1. Threat Intel
        2. Deviation from Baseline
        3. Use-Case specific Anomaly Detection
      4. Event Identification and Alerting
      5. MTTD - MTTR
      6. Query and Log - Correlation
    3. Investigate
      1. Root cause
      2. Lateral movement
    4. Response
      1. Containment
      2. Isolation
      3. Runbook and Automation
      4. Restore
        1. RTO
        2. RPO
    5. Forensics