Step 2, Detection: Review access logs and data egress records for integrations connected to the affected service provider or any provider handling similar data; look for anomalous bulk data access or export events (reference T1530, T1078).
Detection & Analysis
NIST 800-61r3 §3.2.2 (log analysis and data analysis); §3.2.4 (data exfiltration indicators)
NIST 800-53 AU-12 (audit and accountability)
NIST 800-53 CA-7 (continuous monitoring)
CIS 8.2 (audit log monitoring)
CIS 8.5 (alert on unusual activity)
Compensating Control
Without a SIEM, proceed as follows: (1) manually parse application logs and firewall logs using grep and awk on Unix/Linux or findstr and PowerShell on Windows; (2) query database access logs (if available) for SELECT queries against tables containing PII (run: 'SELECT * FROM database_audit_log WHERE table_name IN ("users", "customers", "employees") AND event_type = "SELECT" ORDER BY row_count DESC LIMIT 100'); (3) for file share access, export SMB logs from domain controllers (Event ID 5140 = network share access) and filter by vendor service account names and timestamps around the breach discovery date ± 90 days; (4) use free tools (Splunk Free, Graylog Open Source, or ELK Stack) to ingest logs and run queries for data volume anomalies (e.g., 'bytes_transferred > 1GB in 1 hour' per service account); (5) document baseline data access patterns for each vendor integration over the past 12 months before executing analysis, so that anomalies are judged against each account's normal volume rather than a single fixed threshold.
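The volume-anomaly check above, written out as an added Python example (not part of this playbook or any vendor tool): it buckets a constructed proxy/firewall export into per-hour byte totals per service account, flags any bucket that exceeds either the fixed 1 GB/hour limit or the account's own 12-month baseline (mean + 3 standard deviations, constructed here), and separately filters constructed Event ID 5140 records to vendor service accounts within ± 90 days of the discovery date. Column names, account names, IPs and share names are assumptions for illustration.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

ONE_GB = 1024 ** 3

# Constructed proxy/firewall export; column names are assumed, not from any real product.
SAMPLE_PROXY_LOG = """timestamp,service_account,dst_ip,bytes_out
2024-03-01T09:05:00,svc_vendor_crm,203.0.113.10,52428800
2024-03-01T09:20:00,svc_vendor_crm,203.0.113.10,73400320
2024-03-01T09:45:00,svc_vendor_crm,203.0.113.10,1258291200
2024-03-01T10:10:00,svc_vendor_hr,203.0.113.22,10485760
2024-03-01T11:00:00,svc_vendor_hr,203.0.113.22,8388608
"""

# Constructed 12-month baseline: hourly bytes_out samples per account (assumed values).
BASELINE = {
    "svc_vendor_crm": [50_000_000, 60_000_000, 70_000_000, 80_000_000],
    "svc_vendor_hr": [8_000_000, 9_000_000, 10_000_000, 11_000_000],
}

# Constructed Event ID 5140 records, as exported from a domain controller (assumed field names).
SAMPLE_5140_EVENTS = [
    {"TimeCreated": "2024-03-01T09:30:00", "SubjectUserName": "svc_vendor_crm",
     "ShareName": r"\\FS01\HRData", "IpAddress": "10.0.5.20"},
    {"TimeCreated": "2023-10-01T14:00:00", "SubjectUserName": "svc_vendor_crm",
     "ShareName": r"\\FS01\HRData", "IpAddress": "10.0.5.20"},   # outside the 90-day window
    {"TimeCreated": "2024-03-02T08:15:00", "SubjectUserName": "jdoe",
     "ShareName": r"\\FS01\Public", "IpAddress": "10.0.7.44"},   # not a vendor account
]


def hourly_bytes_per_account(log_text):
    """Sum bytes_out per (service_account, hour bucket); bucket key is an ISO hour string."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        bucket = ts.strftime("%Y-%m-%dT%H:00:00")
        totals[(row["service_account"], bucket)] += int(row["bytes_out"])
    return dict(totals)


def flag_volume_anomalies(hourly, baseline, hard_limit=ONE_GB, sigma=3.0):
    """Flag buckets above the fixed limit OR above the account's baseline mean + sigma*stdev.

    Accounts with fewer than two baseline samples fall back to the fixed limit only."""
    flagged = []
    for (account, bucket), total in sorted(hourly.items()):
        hist = baseline.get(account, [])
        threshold = hard_limit
        if len(hist) >= 2:
            adaptive = statistics.mean(hist) + sigma * statistics.pstdev(hist)
            threshold = min(hard_limit, adaptive)   # the stricter of the two applies
        if total > threshold:
            flagged.append({"account": account, "hour": bucket,
                            "bytes_out": total, "threshold": int(threshold)})
    return flagged


def filter_share_access(events, vendor_accounts, discovery_date_iso, window_days=90):
    """Return 5140 records for vendor accounts within ± window_days of the discovery date."""
    discovered = datetime.fromisoformat(discovery_date_iso)
    lo, hi = discovered - timedelta(days=window_days), discovered + timedelta(days=window_days)
    hits = []
    for ev in events:
        when = datetime.fromisoformat(ev["TimeCreated"])
        if ev["SubjectUserName"] in vendor_accounts and lo <= when <= hi:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    hourly = hourly_bytes_per_account(SAMPLE_PROXY_LOG)
    for hit in flag_volume_anomalies(hourly, BASELINE):
        print("VOLUME ANOMALY", hit)
    for ev in filter_share_access(SAMPLE_5140_EVENTS, {"svc_vendor_crm", "svc_vendor_hr"}, "2024-03-15T00:00:00"):
        print("SHARE ACCESS", ev)
```

On the constructed data, only svc_vendor_crm in the 09:00 hour is flagged (its 1.29 GB total exceeds both the fixed limit and its baseline), while svc_vendor_hr stays within its baseline; the 5140 filter keeps one record and discards the one outside the window and the non-vendor account. Replace the constructed inputs with a real CSV export and a baseline computed from 12 months of the same feed before relying on the thresholds.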
Preserve Evidence
Preserve before analysis: (1) Complete Windows Event Log 4656 (file/object access attempt), 4663 (file system object access), and 5140 (network share object accessed) for the 90-day window around breach discovery; (2) application-level audit logs from database management systems (e.g., PostgreSQL pg_log, MySQL general_query_log, MSSQL error log) showing source IP, user, query type, row count, and timestamp; (3) firewall/proxy logs with source IP, destination IP, destination port, bytes in/out, and protocol for all connections to vendor infrastructure; (4) API gateway or web application firewall logs showing authentication (user/service account), endpoint, HTTP method, request size, and response size; (5) network traffic captures (PCAP files) from network taps or IDS/IPS systems for data exfiltration time windows, focusing on protocols like HTTPS POST, FTP, SFTP, or SMB to external IPs.
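A minimal preservation routine for the log sources listed above, added here as an example rather than taken from the playbook: it copies each source file into an evidence directory, hashes source and copy with SHA-256, refuses to continue on a mismatch, writes a JSON manifest (collector, UTC timestamp, path, size, hash), and can later re-verify the copies. The demo creates two constructed log files in a temporary directory; file names, contents and the collector name are assumptions.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large PCAPs or logs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def preserve_logs(sources, dest_dir, collector):
    """Copy each source into dest_dir, verify the copy's hash, and write MANIFEST.json."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "items": [],
    }
    for src in map(Path, sources):
        copy = dest / src.name
        shutil.copy2(src, copy)                 # copy2 keeps the source's mtime metadata
        src_hash, copy_hash = sha256_file(src), sha256_file(copy)
        if src_hash != copy_hash:
            raise RuntimeError(f"hash mismatch while preserving {src}")
        manifest["items"].append({
            "source": str(src), "copy": str(copy),
            "size": src.stat().st_size, "sha256": src_hash,
        })
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(dest_dir):
    """Re-hash every preserved copy; return the paths whose hash no longer matches."""
    manifest = json.loads((Path(dest_dir) / "MANIFEST.json").read_text())
    return [item["copy"] for item in manifest["items"]
            if sha256_file(item["copy"]) != item["sha256"]]


def _make_constructed_logs():
    """Write two constructed sample log files (not real evidence) into a temp directory."""
    work = Path(tempfile.mkdtemp())
    (work / "pg_log_sample.log").write_text(
        "2024-03-01 09:45:01 UTC svc_vendor_crm LOG: statement: SELECT * FROM customers\n")
    (work / "proxy_sample.log").write_text(
        "2024-03-01T09:45:00 svc_vendor_crm 203.0.113.10 bytes_out=1258291200\n")
    return work


def demo():
    """Preserve the constructed logs and verify; returns (items preserved, mismatched copies)."""
    work = _make_constructed_logs()
    manifest = preserve_logs(sorted(work.glob("*.log")), work / "evidence", "analyst-placeholder")
    return len(manifest["items"]), verify_manifest(work / "evidence")


def demo_tamper():
    """Show that a modified copy is detected: returns the number of mismatched copies."""
    work = _make_constructed_logs()
    preserve_logs(sorted(work.glob("*.log")), work / "evidence", "analyst-placeholder")
    with open(work / "evidence" / "proxy_sample.log", "a") as fh:
        fh.write("tampered line\n")
    return len(verify_manifest(work / "evidence"))


if __name__ == "__main__":
    print("preserved, mismatches:", demo())
    print("mismatches after tampering:", demo_tamper())
```

In practice the evidence directory should be on write-once or access-controlled storage, and the manifest hash values recorded in the chain-of-custody record before analysis starts; running `verify_manifest` again at hand-off shows whether any copy changed in between.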