Observation pipeline
To provide 24/7 security monitoring, the Arctic Wolf® observation pipeline ingests logs from all systems that send log data to Arctic Wolf. The pipeline then processes the raw log data to generate analyzed logs. There are two types of analyzed logs:
- Observations — Generated when raw log data is parsed, normalized, enriched, and analyzed.
- Events — One or several correlated observations, generated through machine analysis using detection logic.
All analyzed logs are treated as security-relevant. However, not all analyzed logs indicate a possible threat. Log data that is not considered security-relevant is filtered out of the observation pipeline; examples include DHCP logs, wireless access point connection information, and firewall logs that are not parsed and enriched.
Arctic Wolf ingests log files as part of our Managed Detection and Response (MDR) and Managed Risk products and services. We add header information to every log line when writing raw logs into our secure S3 buckets. This header information contains key metadata about the log source. For example, we inject the date and time of log generation to enable event timeline tracking and log correlation. These processes are necessary functions of cybersecurity threat hunting services. We have no defined processes that modify raw logs after they are written into an S3 bucket. While logs could in principle be modified at rest, we limit access to these S3 buckets to the roles that need it to complete their job. We routinely audit log access to monitor the security of our S3 buckets.
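The stages described above (header injection at ingest, parse/normalize/enrich into observations, filtering of non-security-relevant lines, and correlation of observations into events), modelled in a small runnable pipeline. This is an added example and not Arctic Wolf's code: the tab-separated header layout, the VPN authentication log format and the failed-login correlation rule are all assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample raw lines as (source name, line); not real customer data.
RAW_LOGS = [
    ("dhcp-01", "DHCPACK on 10.0.0.5 to aa:bb:cc:dd:ee:ff"),
    ("vpn-01", "2024-05-01T12:00:01+00:00 auth failure user=alice src=203.0.113.9"),
    ("vpn-01", "2024-05-01T12:00:07+00:00 auth failure user=alice src=203.0.113.9"),
    ("vpn-01", "2024-05-01T12:00:12+00:00 auth failure user=alice src=203.0.113.9"),
    ("vpn-01", "2024-05-01T12:05:00+00:00 auth success user=bob src=198.51.100.4"),
]
AUTH_RE = re.compile(r"(?P<ts>\S+) auth (?P<result>failure|success) user=(?P<user>\S+) src=(?P<src>\S+)")

def add_header(source, line, received_at):
    """Prefix a raw line with source metadata; this tab-separated header layout is an assumption."""
    return f"{source}\t{received_at}\t{line}"

def to_observation(stored_line):
    """Parse, normalize and enrich one stored line; None means it was filtered out."""
    source, received_at, raw = stored_line.split("\t", 2)
    if source.startswith("dhcp"):
        return None  # DHCP logs are not treated as security-relevant
    m = AUTH_RE.match(raw)
    if m is None:
        return None  # line could not be parsed and enriched
    obs = dict(m.groupdict(), source=source, received_at=received_at)  # normalized fields + header metadata
    obs["ts"] = datetime.fromisoformat(obs["ts"])
    obs["tags"] = ["failed_login"] if obs["result"] == "failure" else []  # enrichment
    return obs

def correlate(observations, threshold=3, window_s=60):
    """Detection logic: threshold failed logins per (user, src) within window_s seconds -> one event."""
    groups = {}
    for o in observations:
        if "failed_login" in o["tags"]:
            groups.setdefault((o["user"], o["src"]), []).append(o)
    events = []
    for (user, src), obs in groups.items():
        obs.sort(key=lambda o: o["ts"])
        for i in range(len(obs) - threshold + 1):
            if (obs[i + threshold - 1]["ts"] - obs[i]["ts"]).total_seconds() <= window_s:
                events.append({"type": "brute_force", "user": user, "src": src, "observations": obs[i:i + threshold]})
                break  # one event per (user, src); later hits are already covered
    return events

def run_pipeline(raw_logs, received_at="2024-05-01T12:10:00+00:00"):
    stored = [add_header(src, line, received_at) for src, line in raw_logs]  # what lands in storage
    observations = [o for o in map(to_observation, stored) if o is not None]  # analyzed logs, filtered
    return observations, correlate(observations)
```

Running `run_pipeline(RAW_LOGS)` yields four observations (the DHCP line is filtered out) and one event correlating alice's three failures; bob's successful login stays a security-relevant observation without indicating a threat.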