A complete checklist for ensuring your organisation can see, detect, and understand what is happening across its systems, networks, identities, and cloud environments.
[ ] Visibility and monitoring strategy documented and approved
[ ] Clear ownership for monitoring (SOC, IT, SecOps)
[ ] Monitoring aligned with risk register and threat model
[ ] MITRE ATT&CK used to map detection coverage
[ ] KPIs defined (MTTD, MTTR, alert volume, false positives)
[ ] Regular reporting to leadership
[ ] Centralised logging platform in place (SIEM or security data lake) with a defined owner in the SOC
[ ] Logs collected from:
    - Endpoints
    - Servers
    - Firewalls
    - Cloud platforms
    - Identity providers
    - Applications
    - Databases
    - Network devices
[ ] Log retention meets regulatory requirements
[ ] Logs protected from tampering (forwarded off-host promptly, write-once or immutable storage, restricted access, integrity checks)
[ ] Time synchronisation (NTP) enforced across systems
[ ] EDR/XDR deployed on all endpoints
[ ] Behaviour‑based detection enabled
[ ] Visibility into:
    - Process execution
    - Script activity (PowerShell, Bash, Python)
    - File modifications
    - Registry changes
    - USB usage
[ ] Automated isolation capability enabled
[ ] Endpoint alerts integrated with SIEM
[ ] IDS/IPS deployed and tuned
[ ] Network traffic analysis (NetFlow/NTA) enabled
[ ] DNS logging and filtering enabled
[ ] Visibility into:
    - East‑west traffic
    - North‑south traffic
    - Encrypted traffic patterns (flow metadata, SNI and TLS fingerprints such as JA3/JA4; payload decryption is not required)
[ ] Alerts for:
    - Port scanning
    - Beaconing
    - Lateral movement
    - Data exfiltration
[ ] Network segmentation monitored
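The beaconing alert in the list above is the one most teams implement badly, so here is an added example of the underlying logic (not code from the original checklist): group flow records by source, destination and port, then flag channels whose inter-flow gaps and byte counts are near-constant, which is the signature of a timer-driven callback. The flow records are constructed for the example, the thresholds are assumptions to be tuned per environment, and a real deployment would read NetFlow or Zeek `conn.log` instead of an inline list.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records for this example (invented, not captured traffic):
# (timestamp_seconds, src_ip, dst_ip, dst_port, bytes_sent_by_src).
BEACON_TIMES = [0, 61, 119, 180, 242, 299, 360, 421, 479, 540, 602, 659]  # ~60 s period, small jitter
SAMPLE_FLOWS = [(t, "10.0.0.5", "203.0.113.10", 443, 512 + i) for i, t in enumerate(BEACON_TIMES)]
SAMPLE_FLOWS += [  # an ordinary host: irregular timing, widely varying sizes
    (5, "10.0.0.7", "198.51.100.20", 443, 2048),
    (40, "10.0.0.7", "198.51.100.20", 443, 9120),
    (300, "10.0.0.7", "198.51.100.20", 443, 3300),
    (310, "10.0.0.7", "198.51.100.20", 443, 77000),
    (900, "10.0.0.7", "198.51.100.20", 443, 1500),
    (12, "10.0.0.7", "192.0.2.9", 80, 700),
]


def find_beacons(flows, min_flows=8, max_interval_cv=0.15, max_size_cv=0.25):
    """Return channels (src, dst, port) whose inter-flow gaps and sizes are near-constant.

    A low coefficient of variation (pstdev / mean) of the gaps is the signature of a
    timer-driven callback; uniform sizes add confidence that no human is behind it.
    Thresholds are assumptions for the example and need tuning against real baselines.
    """
    by_channel = defaultdict(list)
    for ts, src, dst, port, size in flows:
        by_channel[(src, dst, port)].append((ts, size))

    hits = []
    for (src, dst, port), events in by_channel.items():
        if len(events) < min_flows:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [size for _, size in events]
        mean_gap, mean_size = mean(gaps), mean(sizes)
        if mean_gap <= 0 or mean_size <= 0:
            continue
        gap_cv = pstdev(gaps) / mean_gap
        size_cv = pstdev(sizes) / mean_size
        if gap_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits.append({"src": src, "dst": dst, "port": port, "flows": len(events),
                         "period_s": round(mean_gap, 1), "gap_cv": round(gap_cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(f"beacon candidate: {hit}")
```

Two caveats a practitioner should keep in mind: malware that adds large random jitter will push the gap CV above the threshold, so run the same check over longer windows with a looser `max_interval_cv` as a second tier, and legitimate software (update checks, monitoring agents) beacons too, so the output is a hunting lead to be enriched with destination reputation and process context, not an alert on its own.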
[ ] Identity logs collected (Azure AD / Entra ID, Okta, on‑premises AD, cloud IAM)
[ ] Alerts for:
    - Impossible travel
    - MFA fatigue attacks
    - Privilege escalation
    - New admin accounts
    - Multiple failed logins
[ ] Conditional Access logs monitored
[ ] Privileged Access Management (PAM) monitored
[ ] Service account activity tracked
[ ] Cloud audit logs enabled (AWS CloudTrail, Azure Activity Logs, GCP Audit Logs)
[ ] CSPM (Cloud Security Posture Management) enabled
[ ] Alerts for:
    - Public bucket exposure
    - Suspicious API calls
    - Key misuse
    - Region anomalies
    - Logging disabled or narrowed (e.g. trail stopped or deleted, event selectors changed)
[ ] Cloud workload protection (CWPP) deployed
[ ] Cloud identity activity monitored
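As an added example for the cloud alerts above (not code from the original checklist or from any cloud provider), the following rules walk CloudTrail-shaped records and raise on logging being disabled, on a bucket ACL or bucket policy being made public, and on a principal acting in a region it has never used. The records and the per-principal region baseline are constructed; in practice the baseline is learned from the trail's own history, and the rules would run in the SIEM against the real trail rather than over an inline list.

```python
import json

PUBLIC_GRANTEE = "http://acs.amazonaws.com/groups/global/AllUsers"
# Control-plane calls that stop or narrow audit logging; from a non-break-glass principal each is an alert.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors", "DeleteFlowLogs"}

DEPLOY_ARN = "arn:aws:iam::123456789012:user/deploy"
# Constructed baseline: regions each principal has used historically (assumed for the example).
BASELINE_REGIONS = {DEPLOY_ARN: {"eu-west-1", "eu-west-2"}}

# Constructed CloudTrail-shaped records (invented; trimmed to the fields the rules read).
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": DEPLOY_ARN}, "requestParameters": {"bucketName": "app-assets", "key": "index.html"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": DEPLOY_ARN}, "requestParameters": {"name": "org-trail"}},
    {"eventName": "PutBucketAcl", "eventSource": "s3.amazonaws.com", "awsRegion": "eu-west-2",
     "userIdentity": {"arn": DEPLOY_ARN},
     "requestParameters": {"bucketName": "app-assets", "AccessControlPolicy": {"AccessControlList": {
         "Grant": {"Grantee": {"xsi:type": "Group", "URI": PUBLIC_GRANTEE}, "Permission": "READ"}}}}},
    {"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": DEPLOY_ARN},
     "requestParameters": {"bucketName": "backups", "bucketPolicy": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::backups/*"}]}}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com", "awsRegion": "ap-southeast-1",
     "userIdentity": {"arn": DEPLOY_ARN}, "requestParameters": {"instanceType": "c5.large"}},
]


def _as_list(x):
    # CloudTrail's XML-to-JSON conversion emits a single element as an object, not a one-item list.
    return x if isinstance(x, list) else [x]


def is_public_acl(params):
    """True if the ACL being set grants anything to the AllUsers group."""
    acl = params.get("AccessControlPolicy", {}).get("AccessControlList", {})
    return any(g.get("Grantee", {}).get("URI") == PUBLIC_GRANTEE for g in _as_list(acl.get("Grant", [])))


def is_public_policy(params):
    """True if the bucket policy has an unconditional Allow to Principal "*" (or AWS: "*").
    Statements carrying a Condition are not treated as public here; review them separately."""
    policy = params.get("bucketPolicy")
    if isinstance(policy, str):  # some records carry the policy document as a JSON string
        policy = json.loads(policy)
    for stmt in _as_list((policy or {}).get("Statement", [])):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            return True
    return False


def evaluate(events, baseline=BASELINE_REGIONS):
    """Return (rule, detail, principal, region) tuples for every rule an event trips."""
    alerts = []
    for e in events:
        name, params = e["eventName"], e.get("requestParameters") or {}
        principal, region = e["userIdentity"]["arn"], e["awsRegion"]
        if name in LOGGING_TAMPER:
            alerts.append(("logging_disabled", name, principal, region))
        if name == "PutBucketAcl" and is_public_acl(params):
            alerts.append(("public_bucket_acl", params.get("bucketName"), principal, region))
        if name == "PutBucketPolicy" and is_public_policy(params):
            alerts.append(("public_bucket_policy", params.get("bucketName"), principal, region))
        if principal in baseline and region not in baseline[principal]:
            alerts.append(("region_anomaly", name, principal, region))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The `_as_list` helper is the detail most home-grown rules miss: a bucket with exactly one grant arrives as an object rather than a list, and a rule that only iterates lists silently passes it. The region-anomaly rule should also be gated on the trail being multi-region, otherwise activity in an unmonitored region never reaches the rule at all, which is exactly the gap the "logging disabled" alert exists to catch.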
[ ] Application logs centralised
[ ] API gateway logging enabled
[ ] WAF logs monitored
[ ] Alerts for:
    - SQL injection attempts
    - XSS attempts
    - Authentication bypass
    - High‑volume API calls
    - Token misuse
[ ] Runtime Application Self‑Protection (RASP) considered
[ ] Advanced email threat protection enabled
[ ] Alerts for:
    - Phishing
    - Spoofing
    - Malicious attachments
    - Business Email Compromise (BEC)
[ ] SPF and DKIM configured for all sending domains; DMARC published with an enforcing policy (quarantine or reject) and its aggregate reports monitored
[ ] User‑reported phishing integrated into SOC workflow
[ ] External threat feeds integrated
[ ] IOCs automatically ingested into SIEM
[ ] Threat intel used to tune detection rules
[ ] Dark‑web monitoring enabled (if applicable)
[ ] Regular threat‑hunting exercises conducted
[ ] Intelligence mapped to MITRE ATT&CK
[ ] Alerts triaged using defined severity levels
[ ] Automated response actions configured where safe
[ ] Escalation paths documented
[ ] SOC playbooks in place for:
    - Malware
    - Ransomware
    - Identity compromise
    - Cloud compromise
    - Data exfiltration
[ ] Incident response integrated with monitoring
[ ] Post‑incident reviews conducted
[ ] Detection rules reviewed monthly
[ ] False positives analysed and reduced
[ ] New threats added to detection coverage
[ ] SOC maturity assessed annually
[ ] Staff trained on new threat trends
[ ] Monitoring gaps documented and addressed