A-006 - Monitoring & Detection

Purpose

Provide visibility over system activity, security-relevant events and potential malicious behavior across the Scheol environment.

This capability supports detection of incidents, validation of controls and overall situational awareness.

Asset Type

Business Capability

Description

Monitoring & Detection covers the mechanisms used to observe infrastructure, collect logs and identify abnormal or suspicious activity.

At the current stage, monitoring is limited and mostly decentralized:

system and application logs are stored locally on individual hosts
no centralized log aggregation or correlation is in place
detection capabilities are minimal and largely manual

A centralized monitoring and detection stack (e.g. SIEM with log forwarding and correlation) is planned but not yet implemented.

Criticality

High

Monitoring is essential for:

detecting security incidents
validating control effectiveness
supporting investigation and response

Current limitations reduce the ability to detect and respond to threats in a timely manner.

Sensitivity

Sensitive

This asset involves:

log data (system, application, authentication)
operational and security events
potentially sensitive traces of user or system activity

Exposure Level

Internal only

Monitoring data is not exposed externally and remains local to each system.

However, lack of centralization reduces control over access and integrity of logs.

Trust Zone

Hybrid

Monitoring concerns:

Heaven (VPS logs, exposed services)
Hell (internal infrastructure, future SOC components)

Dependencies

All infrastructure and platform assets (log sources)
System logging mechanisms (syslog, application logs)
Future SIEM / monitoring stack (planned)
Network connectivity for log forwarding (planned)

Relationships

Identity & Access Management (authentication logs)
Administrative Access (privileged activity tracking)
All application and infrastructure assets
Future SOC components (Wazuh, TheHive, Cortex)

Security Position (Architecture Context)

Detection layer of the security model
Provides visibility across trust boundaries
Critical for validating controls and identifying compromise

Current structural weaknesses:

absence of centralized logging
no correlation or alerting capability
limited detection coverage
high dependency on manual review

Existing Protective Measures

Local system and application logs
Basic logging enabled on services (SSH, web, databases)

Limitations:

no log centralization
no integrity guarantees on logs
no automated detection or alerting
no unified visibility across assets

Owner / Responsibility

Security Role (Sec)

Notes

Monitoring & Detection is currently in an early and fragmented state.

Planned improvements include:

deployment of centralized logging and SIEM capabilities (e.g. Wazuh)
implementation of log forwarding from all systems
introduction of detection rules and alerting mechanisms
improved visibility across administrative and exposed components

This asset is critical for progressing toward a more mature and defensible security posture.

Purpose​

Asset Type​

Description​

Criticality​

Sensitivity​

Exposure Level​

Trust Zone​

Dependencies​

Relationships​

Security Position (Architecture Context)​

Existing Protective Measures​

Owner / Responsibility​

Notes​