# Persona: Cloud-first SaaS startup
# ------------------------------------------------------------------
# A 200-person SaaS company that runs almost entirely in AWS + GCP,
# with a small footprint in a separate Azure tenant (hence the Azure AD /
# M365 rows below). No on-prem Active Directory; Okta as IdP, GSuite +
# Slack, all infra is Kubernetes. Strong cloud control-plane logging,
# decent identity logging, almost no endpoint telemetry (Mac laptops run
# Jamf Protect, but that feed is not listed as a log source below; the
# only endpoint row is Sysmon for Linux on a few staging boxes).
# Use this to see coverage skewed heavily toward cloud / identity
# techniques and almost nothing for traditional Windows persistence.
# ------------------------------------------------------------------
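---
version: 1.3
file_type: data-source-administration
name: Cloud-first SaaS startup
systems:
  - applicable_to: all
    description: AWS + GCP + Kubernetes, Okta IdP, GSuite, MacOS laptops

# Only the rows are parsed; the '#' lines between them are reviewer notes
# on how far each score can be trusted for this persona.
log_sources:
  # ---- Cloud control plane (the core of this stack) ----
  # NOTE(review): GCP is half of this stack (CloudTrail is even shipped to
  # BigQuery) yet there is no row for GCP Cloud Audit Logs (Admin Activity /
  # Data Access). Add one if they are ingested; otherwise GCP control-plane
  # coverage is overstated by this section header.
  - { name: aws-cloudtrail,   channel: management,      score: 5, comment: "Org Trail -> BigQuery; full IAM / config events" }
  # Data events are enabled only on "sensitive resources", so S3 / Lambda
  # activity elsewhere is unobserved - do not read score 4 as account-wide.
  - { name: aws-cloudtrail,   channel: data,            score: 4, comment: "S3 + Lambda data events on sensitive resources" }
  # Azure is a secondary tenant ("some workloads"); keep the persona header
  # honest about it rather than describing the estate as AWS + GCP only.
  - { name: azure-activity,   channel: activity,        score: 3, comment: "Subscription activity logs (some workloads on Azure)" }

  # ---- Identity (Okta + cloud IdPs) ----
  # Okta is the primary IdP for this persona; its System Log is what should
  # drive identity-technique coverage, not the secondary Azure tenant.
  - { name: okta,             channel: system,          score: 5, comment: "Universal directory audit + SSO events" }
  - { name: azure-signinlogs, channel: SignInLogs,      score: 4, comment: "Azure AD sign-ins for the Azure tenant" }
  # NOTE(review): the two Azure AD audit rows are scored 5 (max) while the
  # same tenant's sign-ins are 4 and the tenant itself hosts only "some
  # workloads". Confirm these operation-level feeds are complete, or a
  # secondary IdP ends up inflating identity coverage for the whole persona.
  - { name: azure-auditlogs,  channel: "Add user",      score: 5, comment: "Azure AD user create" }
  - { name: azure-auditlogs,  channel: "Update user",   score: 5, comment: "Azure AD user update" }
  - { name: m365,             channel: unifiedauditlog, score: 3, comment: "Sparse - mostly using GSuite" }
  # Four audit feeds of very different fidelity (Workspace login / admin /
  # drive / token, Slack, GitHub, Jira) share one generic score. Split them
  # per source if the scoring tool can tell them apart; as written, 4 can
  # only be trusted to the level of the weakest feed in the bundle.
  - { name: application-log,  channel: generic,         score: 4, comment: "GSuite + Slack + GitHub + Jira audit -> SIEM" }

  # ---- Kubernetes (EKS + GKE audit logs) ----
  # NOTE(review): "creates / modifies / deletes" says nothing about the
  # exec / attach / portforward subresources or reads of secrets. Score 5
  # on pods only holds if the audit policy records those too - confirm.
  # With no node or runtime telemetry of note below, nothing else in this
  # file sees in-container execution.
  - { name: k8s-audit, channel: pods,    score: 5, comment: "Audit policy logs creates / modifies / deletes" }
  - { name: k8s-audit, channel: cluster, score: 4, comment: "Cluster-scope events" }
  # "bare nodes" presumably means self-managed worker nodes; managed EKS /
  # GKE node pools run containerd rather than dockerd, so confirm this
  # source still produces events where it is expected to - TODO.
  - { name: docker,    channel: events,  score: 3, comment: "Container runtime events on bare nodes" }

  # ---- Endpoint (near zero; staging boxes only, no servers or laptops) ----
  # Jamf Protect on the Mac laptops is mentioned in the persona header but
  # has no row here - either it is not shipped to the SIEM or the row is
  # missing; add it if ingested. The only endpoint feed is Sysmon for Linux
  # on a few staging boxes (channel "1" is presumably Sysmon event ID 1,
  # process create; it is quoted so it stays a string).
  - { name: sysmon, channel: "1",  score: 1, comment: "Sysmon For Linux on a few staging boxes" }

  # ---- Network (VPC flow logs on prod accounts; one experimental Zeek tap) ----
  # Zeek: a single tap of unknown placement; score 1 is right, do not count
  # it toward any technique until the monitored segment is known.
  - { name: zeek,    channel: conn, score: 1, comment: "Single Zeek tap; experimental" }
  # VPC flow logs are not NetFlow v9: they are 5-tuple + bytes / packets /
  # action records with no payload, so "netflow / v9" is an approximation.
  # Non-prod accounts have no flow logs at all, so lateral movement or
  # exfiltration outside prod is unobserved at the network layer.
  - { name: netflow, channel: v9,   score: 1, comment: "VPC flow logs only on prod accounts" }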
