Threat Detection Bad Trips: Log Everything!
Alright, this is a public service for SIEM engineers. How many times you've heard that answer when someone asks 'What should be logged?' and how hard is it today to predict the outcome of over-logging?
Disclaimer: all opinions here are applicable to enterprise, corporate environments only. That's where most of my experience comes from. It doesn't apply to SMBs or military environments, for instance.