Episode 22 — Data Source Assessment and Collection: decide what to collect and prioritize
This episode teaches how to assess and prioritize data sources so your SOC collects the minimum set that enables strong detection and investigation outcomes. This is a core GSOM competency because many exam questions assume you must make tradeoffs under cost, bandwidth, and staffing constraints. You will define what “high-value telemetry” means by linking events to the questions the SOC must answer during triage: who did what, from where, with what privilege, and what changed as a result. We will examine common collection categories, including identity, endpoint, network, cloud control-plane, and application logs, and explain how each category supports different detection and response tasks. Troubleshooting scenarios include over-collection that creates noise and storage pain, under-collection that makes incident scope unprovable, and gaps created by inconsistent log retention or time skew, along with best practices for prioritizing coverage based on business risk and attacker behavior.

Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use and a daily podcast you can commute with.