
Unlocking Deeper Insights: 10 Critical Data Sources for Security Detection Beyond the Endpoint

Last updated: 2026-05-05 12:48:49 · Cybersecurity

In today's sprawling digital landscape, relying solely on endpoint detection is like guarding only one door while leaving the rest of the building wide open. As Unit 42 emphasizes, a robust security posture demands visibility across every IT zone—cloud, network, identity, and beyond. To truly catch sophisticated threats, you must tap into diverse data sources that reveal hidden movements and anomalies. This listicle explores ten essential data sources that extend detection capabilities far beyond the endpoint, helping you uncover attacks in progress and strengthen your overall defense strategy.

1. Network Flow Logs (NetFlow & IPFIX)

Network flow records (NetFlow, IPFIX, and cloud equivalents such as VPC Flow Logs) summarize every conversation that crosses an observation point: source and destination IPs, ports, protocol, byte and packet counts, and start and end times, but no payload. Because a record is a few dozen bytes per conversation rather than the traffic itself, flow collection scales to the whole estate and is well suited to building baselines and spotting deviations from them. Typical detections include unusually large outbound transfers, small periodic connections from one host to one external address (an implant beaconing to command-and-control), and connections between segments that should never talk to each other (lateral movement). Why it matters: where no endpoint agent can run (IoT devices, network appliances, short-lived cloud instances), flow data is often the only per-host view you have. Send the records to your SIEM and correlate flow anomalies with identity and endpoint signals; Unit 42 recommends combining flow data with endpoint telemetry for a complete picture. One caveat: sampled export (common on high-speed routers) drops short conversations, so check the sampling rate before tuning thresholds.
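To make the beaconing and bulk-transfer checks concrete, here is an added example (not code from the Unit 42 page) that runs two detections over constructed flow records: a regularity test on the intervals between flows to the same destination, and a per-pair outbound byte total. The record layout, IP addresses and thresholds are assumptions.

```python
"""Beacon and bulk-transfer detection over NetFlow/IPFIX-style records.

Added example (not from the Unit 42 page). Records are constructed in-line:
one internal host contacts an external IP every ~60 s with small jitter, which
is what an HTTP(S) C2 implant checking in looks like in flow data; the other
host browses normally and sends far more data overall."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (start_epoch, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = []
for i in range(20):  # 10.0.0.5 -> 203.0.113.9:443, one small flow every 60 s +/- 1-2 s
    FLOWS.append((1_700_000_000 + 60 * i + (i % 3) - 1, "10.0.0.5", "203.0.113.9", 443, 512 + i))
for i, t in enumerate([3, 17, 18, 95, 400, 401, 999, 1300, 1301, 1302, 2000]):  # normal browsing
    FLOWS.append((1_700_000_000 + t, "10.0.0.7", "198.51.100.20", 443, 40_000 + 1_000 * i))


def beacon_candidates(flows, min_flows=8, max_cv=0.10):
    """Return (src, dst, port, mean_interval_s) for pairs whose inter-flow
    intervals are suspiciously regular.

    Regularity is measured with the coefficient of variation (stddev / mean)
    of the gaps between consecutive flow start times: human-driven traffic is
    bursty (high CV), while a sleep()-driven implant is not (low CV)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        by_pair[(src, dst, port)].append(ts)

    hits = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_flows:          # too few samples to judge
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m < max_cv:
            hits.append((src, dst, port, round(m, 1)))
    return hits


def outbound_volume(flows, threshold_bytes):
    """Total bytes sent per (src, dst) at or above threshold_bytes: a cheap
    first pass for bulk exfiltration, which flow data sees without any DPI."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total >= threshold_bytes}


if __name__ == "__main__":
    for hit in beacon_candidates(FLOWS):
        print("beacon candidate:", hit)      # -> ('10.0.0.5', '203.0.113.9', 443, 60.1)
    print("bulk senders:", outbound_volume(FLOWS, 400_000))
```

The coefficient-of-variation threshold is deliberately tight; real implants add jitter, so production detectors also look at the distribution of flow sizes and at how many hosts share the same destination. Sampled flow export inflates the apparent interval and should be corrected for first.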

Source: unit42.paloaltonetworks.com

2. Cloud Audit Logs

Cloud providers record control-plane activity: AWS CloudTrail, the Azure Activity Log (collected through Azure Monitor), and GCP Cloud Audit Logs capture API calls, configuration changes, and resource creation, together with who made each call and from where. Note that default coverage is usually management-plane only; data-plane events (for example S3 object reads, or GCP Data Access logs) must be enabled separately and cost more. These logs are goldmines for detecting unauthorized access, misconfigurations, and privilege escalation: a sudden burst of role assumptions by one principal, a security-group rule opened to 0.0.0.0/0, or a trail being stopped or deleted are all signs that someone is manipulating the infrastructure rather than a host. Use them to catch activity that never touches an endpoint agent, such as a new VM launched from an unknown image or access keys created for a dormant user. Enable logging in every account and region, centralize it in an account the workloads cannot write to, and automate alerts on the small set of API calls that change security posture.
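As an added example (not the page's or AWS's code), the following triage over constructed CloudTrail-style records flags the situations named above: an ingress rule opened to the world, a trail being stopped, a console login without MFA, and a burst of role assumptions by one principal. The field names follow CloudTrail's real schema; the records, account id and thresholds are constructed.

```python
"""Triage of CloudTrail-style records for posture-changing API calls.

Added example, not the page's or AWS's code. The records below are constructed
and trimmed to the fields the rules read; real CloudTrail events carry many
more fields but use these same names and shapes."""
import json
from collections import Counter

ACCOUNT = "123456789012"  # constructed account id
RAW_EVENTS = [
    json.dumps({"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
                "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
                "sourceIPAddress": "203.0.113.50",
                "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
                    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}),
    json.dumps({"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
                "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
                "requestParameters": {"name": "org-trail"}}),
    json.dumps({"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
                "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
                "additionalEventData": {"MFAUsed": "No"},
                "responseElements": {"ConsoleLogin": "Success"}}),
    json.dumps({"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
                "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/bob"}}),
] + [
    json.dumps({"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
                "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
                "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/r{i}"}})
    for i in range(6)
]

# API calls that blind the logging pipeline itself; legitimate only during planned changes.
LOG_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def open_to_world(ev):
    """True if a security-group ingress change permits any-source traffic (v4 or v6)."""
    perms = ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        v4 = perm.get("ipRanges", {}).get("items", [])
        v6 = perm.get("ipv6Ranges", {}).get("items", [])
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in v4) or any(r.get("cidrIpv6") == "::/0" for r in v6):
            return True
    return False


def triage(raw_lines, assume_role_threshold=5):
    """Return (severity, eventName, actor, reason) findings for one batch of events."""
    findings, assume_counts = [], Counter()
    for line in raw_lines:
        ev = json.loads(line)
        name = ev.get("eventName")
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        if name == "AuthorizeSecurityGroupIngress" and open_to_world(ev):
            findings.append(("high", name, actor, "ingress rule opened to the internet"))
        elif name in LOG_TAMPERING:
            findings.append(("critical", name, actor, "CloudTrail configuration changed"))
        elif name == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("medium", name, actor, "console login without MFA"))
        elif name == "AssumeRole":
            assume_counts[actor] += 1      # counted here, judged once the batch is complete
    for actor, n in assume_counts.items():
        if n >= assume_role_threshold:
            findings.append(("medium", "AssumeRole", actor, f"{n} role assumptions in one batch"))
    return findings
```

In a real pipeline the batch is a time window (CloudTrail delivers files every few minutes), and the AssumeRole rule should baseline per principal rather than use one global threshold, since CI systems legitimately assume dozens of roles an hour.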

3. Identity and Authentication Logs (AD, Azure AD, Okta)

Identity is the new perimeter. Logs from Active Directory, Azure AD (now Microsoft Entra ID), or third-party IdPs such as Okta record authentication attempts, account changes, MFA events, and group membership changes. Attackers routinely use stolen credentials to move laterally, so an impossible-travel login (a successful sign-in from New York followed by one from London five minutes later) is a classic indicator. Focus on: failed-login bursts (password spraying shows up as a few attempts against many accounts rather than many against one), additions to privileged groups, new or modified service principals and their credentials, and MFA being disabled or re-enrolled. Correlate identity logs with network data to spot pass-the-hash (NTLM logons where Kerberos would be expected) and Kerberoasting (a burst of service-ticket requests, Windows Event ID 4769, for SPN-bearing accounts using RC4 encryption). These signals matter because they appear at the identity provider or domain controller regardless of whether the endpoint involved has a sensor.
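An added example (not the page's or any IdP's code) of the impossible-travel check over constructed sign-in records. The haversine distance and a 900 km/h ceiling are the usual approach; the field names are a simplified version of what Okta System Log or Entra ID sign-in records carry, and the coordinates, IPs and users are constructed.

```python
"""Impossible-travel detection over IdP sign-in events.

Added example, not the page's or any IdP's code. Records are constructed but
mirror what Okta's System Log or Entra ID sign-in logs expose: user, time,
source IP, geolocation of that IP, and outcome."""
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed sign-ins: alice "moves" New York -> London in five minutes;
# bob flies San Francisco -> New York in about eight hours, which is plausible;
# carol has one failure abroad and one success, which is not a pair to judge.
SIGNINS = [
    {"user": "alice", "ts": 1_700_000_000, "ip": "203.0.113.10", "lat": 40.71, "lon": -74.01, "outcome": "SUCCESS"},
    {"user": "alice", "ts": 1_700_000_300, "ip": "198.51.100.7", "lat": 51.51, "lon": -0.13, "outcome": "SUCCESS"},
    {"user": "bob", "ts": 1_700_000_000, "ip": "203.0.113.77", "lat": 37.77, "lon": -122.42, "outcome": "SUCCESS"},
    {"user": "bob", "ts": 1_700_030_000, "ip": "203.0.113.10", "lat": 40.71, "lon": -74.01, "outcome": "SUCCESS"},
    {"user": "carol", "ts": 1_700_000_100, "ip": "198.51.100.9", "lat": 48.86, "lon": 2.35, "outcome": "FAILURE"},
    {"user": "carol", "ts": 1_700_000_200, "ip": "192.0.2.44", "lat": 35.68, "lon": 139.69, "outcome": "SUCCESS"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS-84 points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0, min_km=100.0):
    """Flag consecutive successful sign-ins by one user that would require
    travelling faster than max_kmh (roughly airliner speed).

    min_km suppresses noise from geolocation jitter between nearby IPs;
    failed attempts are ignored because they prove nothing about where the
    user is, only where the attacker is."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "SUCCESS":
            by_user[ev["user"]].append(ev)

    flags = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue
            hours = (cur["ts"] - prev["ts"]) / 3600
            speed = km / hours if hours > 0 else float("inf")   # same-second logins far apart
            if speed > max_kmh:
                flags.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                              "km": round(km), "minutes": round(hours * 60), "kmh": round(speed)})
    return flags
```

Corporate VPN egress and mobile-carrier NAT are the two main sources of false positives: a user whose laptop tunnels through a data centre on another continent will trip this rule every morning. Keep an allow-list of known egress IPs and treat a flag as a prompt to check device and MFA context rather than as proof of compromise.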

4. DNS Query Logs

DNS logs are a powerful source for detecting malicious domains, data exfiltration via DNS tunneling, and command-and-control (C2) communication. Because DNS is almost always allowed outbound and rarely inspected at scale, attackers abuse it. By logging queries at your recursive resolvers (and, ideally, blocking clients from using any other resolver, including DNS over HTTPS to third parties), you get a per-client record of every name looked up, which you can match against threat intelligence and use to block known-bad domains. Actionable steps: sinkhole suspicious domains so that infected hosts identify themselves, and look for statistical anomalies such as high-entropy or unusually long labels, many unique subdomains under one parent domain (a tunneling signature), unusually low TTLs (fast flux), and NXDOMAIN bursts from a single client (a domain generation algorithm cycling through candidates). Unit 42 research has shown that DNS logs often catch threats that evade endpoint detection, especially malware that uses DGAs.
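The entropy and unique-subdomain heuristics described above, as an added example (not Unit 42's code) over a constructed query list. The registrable-domain split is a two-label shortcut, and the thresholds are starting points rather than tuned values.

```python
"""DGA and DNS-tunnelling heuristics over resolver query logs.

Added example, not the page's or Unit 42's code. The query list is
constructed: normal names, two random-looking DGA-style domains, and one host
sending dozens of unique hex-encoded subdomains to a single parent domain,
which is what tunnelling tools produce. The registered-domain split here is a
two-label heuristic; production code should use the Public Suffix List."""
import hashlib
import math
from collections import defaultdict

QUERIES = [  # constructed: (client_ip, qname)
    ("10.0.0.5", "www.example.com"), ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "login.microsoftonline.com"), ("10.0.0.5", "xk3j9qz7lm2pfwv.com"),
    ("10.0.0.6", "q8h2zpl4mv1nrt9.net"), ("10.0.0.6", "www.example.com"),
] + [("10.0.0.9", hashlib.md5(str(i).encode()).hexdigest() + ".t.example.net") for i in range(40)]


def registered_domain(qname):
    """Two-label approximation of the registrable domain (see module docstring)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character; random labels approach log2(alphabet size)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def analyze(queries, dga_entropy=3.5, dga_min_len=12, tunnel_min_unique=30, tunnel_min_len=20):
    """Return {'dga': [domains], 'tunnel': [(client, domain)]}.

    DGA rule: the second-level label is long and high-entropy (brand names
    stay below ~3.4 bits even when long, e.g. 'microsoftonline').
    Tunnel rule: one client queries many distinct, long subdomains under one
    registered domain, i.e. data is being encoded into the labels."""
    dga = set()
    subs = defaultdict(set)                      # (client, domain) -> distinct subdomain prefixes
    for client, qname in queries:
        qname = qname.rstrip(".").lower()
        domain = registered_domain(qname)
        sld = domain.split(".")[0]
        if len(sld) >= dga_min_len and shannon_entropy(sld) >= dga_entropy:
            dga.add(domain)
        prefix = qname[: -len(domain) - 1] if qname.endswith("." + domain) else ""
        if prefix:
            subs[(client, domain)].add(prefix)

    tunnel = []
    for key, prefixes in subs.items():
        if len(prefixes) >= tunnel_min_unique:
            avg_len = sum(map(len, prefixes)) / len(prefixes)
            if avg_len >= tunnel_min_len:
                tunnel.append(key)
    return {"dga": sorted(dga), "tunnel": sorted(tunnel)}
```

Expect benign hits from services that deliberately encode data in DNS (some anti-malware lookups and CDN health checks do), so pair this with a reputation lookup and an allow-list, and watch NXDOMAIN rates per client alongside it for DGA activity that never resolves.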

5. Email Security Logs (SMTP, Exchange, O365)

Phishing remains one of the most common initial access vectors. Email logs (SMTP gateway, Exchange, or Microsoft 365 audit logs) record sender, recipient, subject, headers, and attachment metadata. Analyzing traffic patterns, such as a compromised account suddenly mailing the whole company or an inbox rule that forwards mail to an external address and deletes the original, lets you detect account takeovers. Key signals: spam and phishing scores, authentication results (SPF, DKIM, DMARC) from the Authentication-Results header, newly created inbox rules and mailbox forwarding settings, and URL click telemetry. Integrate email logs with your SOAR so that a confirmed compromise automatically revokes sessions and removes the malicious rule. Remember, the endpoint may be healthy while the attacker controls the inbox.
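An added example (not the page's or Microsoft's code) of two checks from the paragraph above: auditing inbox-rule and mailbox-forwarding changes for external destinations, and extracting SPF/DKIM/DMARC verdicts from an Authentication-Results header. The audit records and the header are constructed; the Operation and Parameter names are the ones the Exchange cmdlets log, but the overall record shape is simplified.

```python
"""Detecting mailbox-forwarding persistence and failed sender authentication.

Added example, not the page's or Microsoft's code. The audit records are
constructed but follow the Exchange/Microsoft 365 audit shape (an Operation
name plus a list of Name/Value Parameters); the Authentication-Results header
is a constructed sample in the RFC 8601 format."""
import json
import re

INTERNAL_DOMAINS = {"corp.example"}          # constructed: the organisation's own mail domains
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

AUDIT_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@corp.example", "ClientIP": "203.0.113.50",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "smtp:drop@mail.attacker.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@corp.example", "ClientIP": "10.0.0.7",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "ForwardTo", "Value": "smtp:finance@corp.example"},
                               {"Name": "MoveToFolder", "Value": "Invoices"}]}),
    json.dumps({"Operation": "Set-Mailbox", "UserId": "carol@corp.example", "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "Identity", "Value": "carol"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.c@webmail.example"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"Operation": "MailItemsAccessed", "UserId": "bob@corp.example", "ClientIP": "10.0.0.7"}),
]


def mail_domain(address):
    """Extract the domain from 'smtp:user@host', 'Name <user@host>' or 'user@host'."""
    addr = address.split(":", 1)[-1].strip("<> ")
    return addr.rsplit("@", 1)[-1].lower()


def suspicious_forwarding(raw_lines):
    """Flag rule or mailbox changes that send mail outside the organisation.

    A rule named '.' (or similar) that forwards AND deletes is the classic
    business-email-compromise pattern: the victim never sees the replies."""
    findings = []
    for line in raw_lines:
        rec = json.loads(line)
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        external = [params[k] for k in FORWARD_PARAMS
                    if k in params and mail_domain(params[k]) not in INTERNAL_DOMAINS]
        if not external:
            continue
        hides = params.get("DeleteMessage", "").lower() == "true"
        findings.append({"user": rec["UserId"], "op": rec["Operation"], "ip": rec.get("ClientIP"),
                         "targets": external, "severity": "high" if hides else "medium"})
    return findings


AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def auth_results(header_value):
    """Parse the spf/dkim/dmarc verdicts out of an Authentication-Results header value."""
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header_value)}


# Constructed header value: a spoofed "CEO" message that failed every check.
SAMPLE_AUTH = ("mx.corp.example; spf=fail (sender IP is 192.0.2.9) smtp.mailfrom=ceo@corp.example; "
               "dkim=none (message not signed); dmarc=fail action=quarantine header.from=corp.example")
```

The forwarding check is worth running retroactively as well as in real time: attackers create these rules early and the rule outlives the password reset, so a takeover response that does not enumerate existing rules leaves the exfiltration channel in place.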

6. Proxy and Web Gateway Logs

Proxy and secure web gateway logs provide visibility into outbound web requests: URLs, user agents, response codes, and bytes sent and received. Security teams can identify rogue software phoning home, malware downloads, large uploads to unsanctioned services, and policy violations such as shadow IT. Use cases: block known-malicious URLs in real time, monitor uncategorized or newly registered domains, and flag user agents that no browser in the estate would send. Inspecting TLS traffic for hidden threats requires the proxy to terminate and re-sign connections with a CA your devices trust; that breaks certificate-pinned applications and raises privacy questions, so many teams inspect selectively and rely on the unencrypted metadata (SNI, certificate details, JA3-style client fingerprints) for the rest. Proxy data fills the gap when endpoint agents aren't present (for example on BYOD devices) or when encrypted traffic bypasses endpoint inspection.


7. Threat Intelligence Feeds (OSINT & Commercial)

While not a raw log source, threat intelligence feeds (for example AlienVault OTX, VirusTotal, or a MISP instance) enrich detection beyond endpoints. Feeds provide indicators (IPs, domains, URLs, file hashes) that can be matched against your logs, and the better ones carry context: the campaign, a confidence level, and the date the indicator was last seen. Be strategic: prioritize feeds relevant to your industry, automate ingestion into your SIEM or TIP, and expire stale indicators, since IPs and domains get reassigned. Raw matches are noisy; a hit on a connection the proxy blocked is not the same as a hit on a successful request that uploaded a large file, so combine feed matches with local telemetry before paging anyone. Unit 42 often stresses that quality beats quantity for threat intel.
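Serving both the proxy-log item and the threat-intelligence item above, this added example (not the page's code or any vendor's) matches constructed gateway log lines against a constructed MISP-style indicator set and then uses the local context the paragraph calls for (response status, bytes uploaded, user-agent rarity) to rank the hits. The log format, hosts and thresholds are assumptions.

```python
"""Matching proxy logs against threat-intel indicators, with local context.

Added example serving both the proxy-log and threat-intel items; it is not
the page's code nor any vendor's. The log lines and indicator set are
constructed: the log format is a simplified space-separated gateway export
(timestamp, client, method, URL, status, bytes received, bytes sent, quoted
user agent) and the indicators mimic MISP attribute types."""
import shlex
from collections import defaultdict
from urllib.parse import urlsplit

PROXY_LOG = """\
1700000000 10.0.0.5 GET https://www.example.com/ 200 15000 300 "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
1700000010 10.0.0.7 GET https://www.example.com/news 200 22000 310 "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
1700000020 10.0.0.5 POST https://cdn.bad.example/upload 200 120 2500000 "python-requests/2.31"
1700000030 10.0.0.8 GET http://203.0.113.66/a.bin 200 400000 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
1700000040 10.0.0.9 GET https://bad.example/ 403 0 150 "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
"""

# Constructed indicator set keyed by MISP-style attribute type.
IOCS = {"domain": {"bad.example"}, "ip-dst": {"203.0.113.66"}}


def parse_line(line):
    ts, client, method, url, status, b_in, b_out, ua = shlex.split(line)
    return {"ts": int(ts), "client": client, "method": method, "url": url,
            "host": urlsplit(url).hostname or "", "status": int(status),
            "bytes_in": int(b_in), "bytes_out": int(b_out), "ua": ua}


def matches_ioc(host):
    """Exact IP match, or the host equals / is a subdomain of an indicator domain."""
    if host in IOCS["ip-dst"]:
        return True
    labels = host.split(".")
    return any(".".join(labels[i:]) in IOCS["domain"] for i in range(len(labels) - 1))


def analyze(log_text, upload_bytes=1_000_000):
    """Return findings that pair each indicator hit with what actually happened.

    A request the proxy refused (4xx) is a low-severity 'someone was pointed
    at a bad host'; a successful request is high; a successful request that
    pushed a lot of data out is the one to page on."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for rec in records:
        if not matches_ioc(rec["host"]):
            continue
        ok = 200 <= rec["status"] < 300
        uploaded = rec["bytes_out"] >= upload_bytes
        severity = "critical" if ok and uploaded else "high" if ok else "low"
        findings.append({"client": rec["client"], "host": rec["host"], "status": rec["status"],
                         "severity": severity, "uploaded_bytes": rec["bytes_out"] if uploaded else 0})

    # Rare user agents: a string that only one client in the estate ever sends
    # is usually a script, admin tooling, or malware rather than a browser.
    ua_clients = defaultdict(set)
    for rec in records:
        ua_clients[rec["ua"]].add(rec["client"])
    for ua, clients in ua_clients.items():
        if len(clients) == 1:
            findings.append({"client": next(iter(clients)), "rare_user_agent": ua, "severity": "info"})
    return findings
```

The subdomain match matters in practice: feeds usually list the registrable domain while the actual traffic goes to a host under it. The rare-user-agent rule needs a fleet-sized window (days, thousands of clients) before its single-client test means anything; on five lines it is only illustrative.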

8. API and Microservices Logs

Modern applications rely heavily on APIs, which sit outside traditional endpoint coverage. API gateways and service meshes generate logs detailing each request and response: caller identity, method, path, status code, latency, and payload sizes. Attackers exploit API flaws such as broken object-level authorization (BOLA) to read other users' data without ever touching an endpoint, and the only evidence is in these logs. Watch for: one caller walking through many object identifiers in sequence, elevated 401/403/404 rates from a single token (authorization probing), unusual request bodies, and spikes in the volume of data returned to one caller. Latency anomalies are a weaker signal; they more often indicate load or abuse than exfiltration, and bytes returned per caller is the better exfiltration metric. Since APIs are the glue of digital business, their logs are essential for detection.
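The enumeration and authorization-probing signals above, as an added example (not the page's or any gateway's code) over constructed API gateway entries. The route templating, identifier pattern and thresholds are assumptions.

```python
"""Spotting object enumeration (BOLA probing) in API gateway logs.

Added example, not the page's or any gateway's code. The log entries are
constructed: a mobile backend token fetching its own record repeatedly, and a
second token walking /users/{id} sequentially and collecting 403s along the
way, which is what an attacker testing object-level authorization looks like."""
import re
from collections import defaultdict

# Numeric or UUID path segments are object identifiers; everything else is route structure.
ID_SEGMENT = re.compile(r"/(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?=/|$)")

# Constructed entries: (ts, caller, method, path, status, response_bytes)
API_LOG = [(1_700_000_000 + i, "tok-mobile-31", "GET", "/api/v1/users/1001/profile", 200, 900)
           for i in range(5)]
API_LOG += [(1_700_000_100 + i, "tok-7f", "GET", f"/api/v1/users/{1000 + i}/profile",
             200 if i % 4 == 0 else 403, 900 if i % 4 == 0 else 80) for i in range(50)]
API_LOG += [(1_700_000_200, "tok-mobile-31", "POST", "/api/v1/orders", 201, 120)]


def route_template(path):
    """Collapse identifiers to {id} and return them separately:
    '/a/12/b' -> ('/a/{id}/b', ['12'])."""
    return ID_SEGMENT.sub("/{id}", path), ID_SEGMENT.findall(path)


def enumeration_findings(entries, min_distinct=20, min_denied_ratio=0.3):
    """One finding per (caller, method, route) that touched many distinct objects
    and was refused for a large share of them. Bytes returned is reported so a
    caller that *succeeded* in bulk ranks above one that was mostly blocked."""
    stats = defaultdict(lambda: {"ids": set(), "total": 0, "denied": 0, "bytes": 0})
    for _, caller, method, path, status, size in entries:
        template, ids = route_template(path)
        if not ids:
            continue                       # collection routes carry no object id to enumerate
        s = stats[(caller, method, template)]
        s["ids"].update(ids)
        s["total"] += 1
        s["denied"] += status in (401, 403, 404)
        s["bytes"] += size

    findings = []
    for (caller, method, template), s in stats.items():
        ratio = s["denied"] / s["total"]
        if len(s["ids"]) >= min_distinct and ratio >= min_denied_ratio:
            findings.append({"caller": caller, "route": f"{method} {template}",
                             "distinct_ids": len(s["ids"]), "denied_ratio": round(ratio, 2),
                             "bytes_returned": s["bytes"]})
    return findings
```

A caller that enumerates with a low denied ratio is the worse case, because it means the authorization check is missing rather than holding; in production, drop the denied-ratio condition for routes that return personal data and alert on distinct-object count alone.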

9. Physical Security and IoT Logs

Beyond IT, physical security systems (badge readers, CCTV) and IoT devices (sensors, printers, smart locks) generate logs that can reveal insider threats or physical breaches. For example, a badge swipe at an odd hour combined with a network anomaly from the same person's workstation may signal a malicious insider, and a badge used on site while that user's account is active from another country is its own impossible-travel check. Integration: feed these logs into your security operations platform with consistent user and asset identifiers so physical and digital events can be correlated. While not traditional, these sources extend detection to the physical realm, especially for critical infrastructure or office environments. Treat the devices themselves as part of the attack surface too: printers and cameras are often unpatched and make convenient footholds.

10. Network Packet Capture (PCAP) & Zeek Logs

When deeper investigation is needed, full packet capture or Zeek (formerly Bro) logs provide granular details about network conversations: payloads (where traffic is unencrypted), file transfers, and TLS handshakes. Unlike flow records, PCAP allows forensic reconstruction of an attack. Use it selectively because of storage cost: keep a short rolling buffer and have detection tools trigger retention of the packets around a suspicious flow. Zeek logs (conn, dns, ssl, http, files, and so on) offer structured per-connection metadata without storing full packets; the ssl log in particular records server names and certificate details even though the payload is encrypted, and the widely used JA3 package adds client fingerprints. This data source is invaluable for incident response and for hunting advanced persistent threats that evade endpoint sensors.
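An added example (not the page's or the Zeek project's code) that parses a constructed conn.log using Zeek's actual TSV header format and default column set, then applies two selection rules of the kind that would trigger packet retention for a connection. The records, thresholds and the RFC 1918 notion of "internal" are assumptions.

```python
"""Parsing a Zeek conn.log and picking the connections worth pulling PCAP for.

Added example, not the page's or the Zeek project's code. The log below is a
constructed conn.log in Zeek's TSV format (the #fields line is the real
default column set); the two selection rules are illustrative."""
import ipaddress

CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
1700000000.1\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t198.51.100.20\t443\ttcp\tssl\t2.5\t1200\t48000\tSF\tT\tF\t0\tShADadFf\t12\t1800\t40\t50000\t-
1700000001.2\tCmES5u32sYpV7JYN\t10.0.0.5\t51240\t203.0.113.9\t4444\ttcp\t-\t7300.0\t900\t1500\tS1\tT\tF\t0\tShAdDa\t120\t7000\t118\t8000\t-
1700000002.3\tC4J4Th3PJpwUYZZ6gc\t10.0.0.8\t51300\t203.0.113.40\t443\ttcp\tssl\t40.0\t52000000\t3000\tSF\tT\tF\t0\tShADadFf\t40000\t55000000\t1500\t100000\t-
1700000003.4\tCtPZjS20MLrsMUOJi2\t10.0.0.7\t53022\t10.0.0.2\t53\tudp\tdns\t0.01\t60\t140\tSF\tT\tT\t0\tDd\t1\t88\t1\t168\t-
"""

# Assumption: RFC 1918 space is "internal"; anything else is a remote peer.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_conn_log(text):
    """Return one dict per record, keyed by the #fields names; Zeek's unset
    marker '-' and '(empty)' become None so callers can test for absence."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue                       # other header lines, or trailing blank
        else:
            values = line.split("\t")
            records.append({k: (None if v in ("-", "(empty)") else v) for k, v in zip(fields, values)})
    return records


def _num(value, default=0.0):
    return float(value) if value is not None else default


def is_internal(host):
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in INTERNAL_NETS)


def pcap_triggers(records, long_seconds=3600, bulk_out_bytes=10_000_000):
    """Select connections for retroactive packet retention.

    Rule 1: a long-lived session to an external host on a non-web port that
            Zeek could not identify a service for (interactive C2, reverse shell).
    Rule 2: a large outbound transfer to an external host (exfiltration)."""
    triggers = []
    for r in records:
        if is_internal(r["id.resp_h"]):
            continue
        port = int(r["id.resp_p"])
        duration, out_bytes = _num(r["duration"]), _num(r["orig_bytes"])
        if r["service"] is None and port not in (80, 443) and duration >= long_seconds:
            triggers.append((r["uid"], "long unidentified session", r["id.orig_h"], r["id.resp_h"], port))
        elif out_bytes >= bulk_out_bytes:
            triggers.append((r["uid"], "bulk outbound transfer", r["id.orig_h"], r["id.resp_h"], port))
    return triggers
```

Zeek's conn.log holds per-connection metadata only; join the ssl and dns logs on the same uid and host (TLS server name, certificate chain, the name that resolved to the peer) before deciding whether a trigger deserves full capture, and hand the uid to the capture system so the retained packets can be tied back to the log record.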

Conclusion

Endpoint detection remains crucial, but it's no longer enough. The modern threat landscape demands visibility across all IT zones—network, cloud, identity, email, and beyond. By leveraging these ten data sources, security teams can detect attacks earlier, reduce blind spots, and mount a cohesive defense. As Unit 42 highlights, a comprehensive strategy that spans every IT zone is not optional—it's essential. Start by inventorying which logs you're already collecting and where gaps exist. Then systematically integrate these sources into your detection pipeline. Remember: every blind spot is an opportunity for an attacker. Broaden your view and stay ahead.