Publication Peer Review

Analyzing Log Data with AI Models
Open Until: 06/20/2025
In a Zero Trust environment, logs play a critical role in the visibility and analytics cross-cutting capability. Architecturally, logs aggregate raw data from diverse sources, such as operating systems, APIs, Identity Providers, cloud providers and databases. While rich in data, logs alone do not provide actionable insights. However, when analyzed and correlated, they can reveal threats, vulnerabilities, and anomalous behavior.
Zero Trust recommends logging everything, with every pillar generating log events from its own perspective. A single business process touches all five Zero Trust pillars, and each pillar has one or many components, so this model generates a significant volume of log data. Analyzing such volumes manually is challenging and inefficient.
This paper explores integrating Artificial Intelligence (AI) and Machine Learning (ML) techniques to enhance log analysis and event correlation. Traditional methods rely on analysts writing rules that detect the patterns of actions indicating a compromise, which becomes increasingly difficult in large organizations generating vast volumes of logs. By leveraging AI/ML models, it is possible to automate pattern recognition, perform correlations, and reduce the cognitive load on Security Operations Center (SOC) teams.
While Security Information and Event Management (SIEM) tools provide comprehensive logging and analysis features, this paper argues for a more customizable approach that enables SOC teams to train and adapt models tailored to their specific environments. The discussion includes strategies to minimize false positives, optimize event correlation, and improve detection capabilities, providing practical insights for modern security operations.