All About Logs
Cybersecurity
Vaishali Shishodia
Introduction to Logs
Logs are detailed records of events that occur within an organization’s IT infrastructure. These
records contain information about activities performed by users, systems, applications, and
networks. They are crucial for monitoring security events, troubleshooting issues, and conducting
forensic investigations. Logs serve as digital footprints that help security teams identify suspicious
activities, track system performance, and maintain compliance with industry regulations.
Types of Logs
Logs can be categorized into different types based on their sources and functions:
a) System Logs
• Include information about system events, errors, security changes, and user activities.
• Common events: User logins/logouts, application crashes, system updates, and kernel
warnings.
b) Application Logs
• Contain details about application performance, errors, user activities, and security incidents.
• Help in tracking bugs, monitoring user interactions, and identifying malicious activities.
• Examples: Web server logs (Apache, Nginx), database logs (MySQL, PostgreSQL), application
error logs.
• Common events: HTTP requests, database queries, authentication attempts, and API calls.
c) Network Logs
• Contain details about traffic patterns, source/destination IP addresses, ports, and blocked
connections.
• Help in identifying anomalies, tracking unauthorized access, and detecting network threats.
• Common events: Network traffic flow, bandwidth usage, dropped packets, denied
connections, and intrusion alerts.
d) Security Logs
• Common events: Failed authentication attempts, firewall rule violations, system lockdown
events, and encryption key access.
e) Audit Logs
• Capture all system and user activity for compliance and governance purposes.
• Provide a historical record of changes made to systems, user permissions, and data access.
• Examples: Database audit logs, Active Directory audit logs, compliance audit logs.
• Common events: File modifications, privilege escalations, account creations, and security
policy changes.
f) Cloud Logs
• Logs generated by cloud services such as AWS, Azure, and Google Cloud.
• Help in monitoring cloud resource usage, detecting unauthorized API calls, and securing
cloud workloads.
• Examples: AWS CloudTrail, Azure Security Center (now Microsoft Defender for Cloud) logs, Google Cloud Audit Logs.
• Common events: Cloud resource provisioning, API key usage, failed login attempts, and
serverless function execution.
• Logs from different sources are collected using SIEM (Security Information and Event
Management) tools.
• SOC analysts use correlation rules to detect suspicious patterns across multiple logs.
• Example: Many failed login attempts against one account from different IPs in a short window could indicate a distributed brute-force attack, which a per-IP threshold alone would miss.
• SOC teams use threat intelligence feeds to compare logs against known attack patterns and
indicators of compromise (IOCs).
• Example: Matching an IP address from logs with a known malicious IP from a threat
intelligence database.
d) Anomaly Detection
• Machine learning and behavioral analysis techniques help identify deviations from normal
user or system behavior.
• Analysts investigate flagged security events to determine if they are genuine threats or false
positives.
a) Brute-Force Attacks
c) Malware Infections
d) Insider Threats
b) Incident Response
c) Regulatory Compliance
d) Performance Monitoring
e) Risk Management
Q: You are reviewing authentication logs and notice multiple failed login attempts from the same IP
address followed by a successful login. How would you analyze and respond to this?
A:
• First, examine the source IP, the targeted account, and the timestamps: many failures in a short window followed by a success from the same IP is the signature of a brute-force attack that worked, whereas a handful of failures spread over hours is usually a user mistyping a password.
• Cross-check the IP against threat intelligence to see if it is associated with known attacks.
• Verify user behavior (e.g., is the login from an unusual location, device, or time?).
• Review what the account did after the successful login (new sessions, privilege changes, data access), since that determines the scope of the incident.
• If confirmed as an attack, block the source IP at the firewall, reset the account's credentials and invalidate its active sessions, enforce multi-factor authentication (MFA), and consider account lockout or rate limiting on the authentication endpoint.
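The correlation rule described in this answer, written out as an added example (this is not code from the original page): it parses constructed sshd-style auth.log lines and raises one alert per successful login that was preceded by a burst of failures for the same account. The log lines, the thresholds (5 failures within 300 seconds) and the `per_ip` switch are assumptions for illustration.

```python
"""Added example (not from the original page): correlation rule for the
"many failures then a success" pattern, run over constructed sshd-style
auth.log lines.  Thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (sshd/auth.log format); not real traffic.
SAMPLE_AUTH_LOG = """\
2024-03-04T10:00:01 sshd[1201]: Failed password for alice from 203.0.113.7 port 51000 ssh2
2024-03-04T10:00:03 sshd[1201]: Failed password for alice from 203.0.113.7 port 51001 ssh2
2024-03-04T10:00:05 sshd[1201]: Failed password for alice from 203.0.113.7 port 51002 ssh2
2024-03-04T10:00:07 sshd[1201]: Failed password for alice from 203.0.113.7 port 51003 ssh2
2024-03-04T10:00:09 sshd[1201]: Failed password for alice from 203.0.113.7 port 51004 ssh2
2024-03-04T10:00:11 sshd[1201]: Accepted password for alice from 203.0.113.7 port 51005 ssh2
2024-03-04T10:05:00 sshd[1210]: Failed password for bob from 198.51.100.9 port 40000 ssh2
2024-03-04T10:30:00 sshd[1211]: Accepted publickey for bob from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Turn auth.log lines into events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "ok": m["result"] == "Accepted",
                           "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce_success(events, min_failures=5, window_s=300, per_ip=True):
    """Return one hit per successful login preceded by >= min_failures failures
    for the same account (and the same source IP when per_ip is True) within
    window_s seconds.  per_ip=False keys on the account only, which catches
    distributed attempts where the failures come from many addresses."""
    failures = defaultdict(list)          # key -> timestamps of recent failures
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["ip"] if per_ip else None, e["user"])
        # Forget failures that fall outside the sliding window.
        failures[key] = [t for t in failures[key]
                         if (e["ts"] - t).total_seconds() <= window_s]
        if not e["ok"]:
            failures[key].append(e["ts"])
        elif len(failures[key]) >= min_failures:
            hits.append({"ip": e["ip"], "user": e["user"],
                         "failures": len(failures[key]), "success_at": e["ts"]})
            failures[key].clear()
    return hits


if __name__ == "__main__":
    for h in detect_bruteforce_success(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"ALERT {h['user']} from {h['ip']}: {h['failures']} failures "
              f"then success at {h['success_at']}")
```

On the sample input only alice's login is flagged; bob's single failure 25 minutes before his key-based login falls outside the window. Tune `min_failures` and `window_s` against your own baseline of mistyped passwords, and run a second pass with `per_ip=False` so that a distributed attack against one account is not missed.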
Q: A firewall log shows a sudden spike in outbound traffic to an unfamiliar IP address. How would
you investigate this?
A:
• Review network/flow logs to determine which internal device or user generated the traffic, how much data was sent, and over which port and protocol.
• Check IDS/IPS logs for any intrusion alerts related to this IP.
• Check DNS logs for the query that resolved to this IP, and whether that domain is known to be malicious or newly registered.
• Use SIEM correlation to check whether this is part of a larger attack pattern (e.g., a prior malware alert on the same host).
• If identified as suspicious, isolate the device, analyze it for malware, block the destination IP at the firewall, and preserve the flow logs for the investigation.
Q: You notice in audit logs that an employee accessed a large volume of sensitive files outside of
normal working hours. What steps would you take?
A:
• Review the user's access logs to determine the nature of the accessed files.
• Compare the user’s behavior with past activities to see if this is normal or an anomaly.
• If unauthorized access is confirmed, I would alert the incident response team, revoke
excessive privileges, and investigate potential data exfiltration attempts.
4. Detecting SQL Injection via Web Server Logs
Q: A web server log contains repeated requests whose URL query strings contain payloads such as "' OR 1=1". What does this indicate, and how would you respond?
A:
• This pattern suggests an SQL injection attempt: the attacker is appending SQL to a parameter in the hope that the application concatenates it into a query.
• Payloads are usually URL-encoded in the log (e.g., %27%20OR%201%3D1), so decode the request line before pattern matching, and search for other payloads (UNION SELECT, sleep/benchmark delays, comment terminators such as -- and /*) to confirm the attack.
• Check the response codes and sizes of the injected requests: 500 errors suggest the payload reached the database, and a 200 with an unusually large response to a tautology suggests it succeeded. POST bodies are not in the access log, so check the application and database logs as well.
• Work with developers to fix the vulnerable code path with parameterized queries and input validation, and block the source IP or add a WAF rule in the meantime.
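An added example of the log scan described above (not code from the original page): it parses combined-format access log lines, URL-decodes the query string, and reports the injection patterns found together with the status code and response size that tell you whether the payload had an effect. The log lines and the User-Agent list are constructed for illustration; the patterns are a starting point for triage, not a WAF.

```python
"""Added example (not from the original page): scan Apache/Nginx combined
access-log lines for SQL injection payloads after URL-decoding the query
string.  Log lines are constructed; the patterns are a triage aid, not a WAF."""
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines; 203.0.113.9 probes with sqlmap, 198.51.100.4 is a
# legitimate search that happens to contain the words "union select".
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [04/Mar/2024:10:00:01 +0000] "GET /product?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Mar/2024:10:00:02 +0000] "GET /product?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 81230 "-" "sqlmap/1.7"
203.0.113.9 - - [04/Mar/2024:10:00:03 +0000] "GET /product?id=42%27%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 1201 "-" "sqlmap/1.7"
198.51.100.4 - - [04/Mar/2024:10:00:04 +0000] "GET /search?q=union+select+chairs HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# Each pattern requires SQL context (a quote, a digit before UNION, a ';')
# so that ordinary search text like "union select chairs" is not flagged.
SQLI_PATTERNS = [
    ("tautology",     re.compile(r"'\s*(?:or|and)\s+\S+?\s*=\s*\S+", re.I)),
    ("union_select",  re.compile(r"(?:'|\d)\s+union\s+(?:all\s+)?select\s", re.I)),
    ("stacked_query", re.compile(r";\s*(?:drop|alter|truncate|insert|update|delete)\s", re.I)),
    ("time_based",    re.compile(r"\b(?:sleep|benchmark)\s*\(|waitfor\s+delay\b", re.I)),
]
SCANNER_UAS = ("sqlmap", "havij", "nikto")   # assumption: tools worth a separate flag


def scan_access_log(text):
    """Return one finding per request whose decoded query string matches a
    pattern or whose User-Agent names a known scanner."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # Decode once; attackers sometimes double-encode, so a production
        # tool decodes repeatedly until the string stops changing.
        query = unquote_plus(urlsplit(m["target"]).query)
        reasons = [name for name, rx in SQLI_PATTERNS if rx.search(query)]
        if any(s in m["ua"].lower() for s in SCANNER_UAS):
            reasons.append("scanner_ua")
        if reasons:
            findings.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                             "size": int(m["size"]) if m["size"].isdigit() else 0,
                             "query": query, "reasons": reasons})
    return findings


def attackers(findings):
    """Findings per source IP, to prioritise blocking."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ip']} {f['status']} {f['size']:>6}B {f['reasons']}  {f['query']}")
```

In the output, the tautology request returned 200 with a response sixteen times larger than the clean request (the WHERE clause matched every row), and the UNION request returned 500 (the database rejected the query): both are evidence the injection reached the SQL layer, which is what moves this from "scanner noise" to an incident.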
Q: Your SIEM tool alerts you to a high volume of traffic coming from multiple IP addresses to a single
web server. How would you investigate and mitigate this?
A:
• Review network logs to analyze the traffic pattern and confirm whether it is a volumetric attack (bandwidth exhaustion) or an application-layer flood (many valid-looking HTTP requests), since the mitigations differ.
• Check if the IPs belong to a known botnet by using threat intelligence feeds.
• Monitor firewall, IDS, and web server logs to check whether requests are overwhelming the server (error rates, response times).
• Mitigation steps: enable rate limiting, block or challenge suspicious IPs, use a CDN with DDoS protection to absorb volumetric traffic, and scale resources where that is feasible.
Q: You notice unusual file encryption activity in endpoint security logs, followed by a log entry
showing files being renamed with a ".locked" extension. How would you respond?
A:
• Immediately isolate the affected system from the network to stop further encryption and spread to file shares; if the response plan allows it, capture volatile evidence (memory, running processes) before powering it off.
• Analyze logs to determine the source of infection (e.g., phishing email, malicious download, exposed RDP) and check other hosts for the same process names or ".locked" renames.
• Restore affected files only after the malware is eradicated and the backups are verified to be clean, then update security policies (email filtering, application control, patching) to block similar attacks in the future.
7. Privilege Escalation Detection in Windows Event Logs
Q: A Windows security log shows Event ID 4673 (a privileged service was called) for a standard user account, meaning the account exercised a sensitive privilege it would not normally hold. What steps would you take?
A:
• Review the account activity to determine whether the user was legitimately granted elevated privileges (group membership changes, a documented admin request).
• Check for related events: 4624 (successful logon), 4672 (special privileges assigned to new logon) for the same logon ID, 4688 (new process created, including which parent process launched it), and 4728/4732 (member added to a security-enabled global/local group).
• Correlate with endpoint detection logs to see if credential-theft tools or scripts (e.g., Mimikatz) were executed.
• If unauthorized, revoke the elevated privileges, reset the account's credentials, and monitor for further suspicious activity.
Q: An employee reports receiving an email with an attachment that, when opened, triggered a
suspicious PowerShell script. How do you investigate?
A:
• Check email gateway logs for the sender's IP and domain reputation, and obtain the attachment's hash to check against threat intelligence or a sandbox.
• Recover the executed script from PowerShell logs (script block logging, Event ID 4104 in Microsoft-Windows-PowerShell/Operational) and from 4688 process creation events if command-line logging is enabled.
• Check network and DNS logs to see if the system connected to a known command-and-control (C2) server.
• If confirmed as phishing, block the sender, remove similar emails from mailboxes, isolate the affected host if the script ran, and educate employees about recognizing phishing attempts.
Q: You find logs showing a large volume of outbound data transfers to an external cloud storage
provider. What actions do you take?
A:
• Verify the source system and user account performing the data transfer.
• Check logs for abnormal file access patterns prior to the upload.
• Cross-reference with DLP (Data Loss Prevention) logs to determine if sensitive data was
involved.
• If unauthorized, I would terminate the connection, revoke user access, and notify
legal/compliance teams for further action.
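The two outbound-volume questions above (the spike to an unfamiliar IP in the firewall log, and the large transfer to external storage) share one detection: compare each host's outbound bytes in a time window with that host's own recent history, and report destinations that never appeared in the history. The following is an added example (not code from the original page) over constructed flow records; the window size, the history length, the 10x ratio and the sample traffic are all assumptions.

```python
"""Added example (not from the original page): aggregate outbound bytes per
internal host into 5-minute windows from constructed firewall/flow records
and flag a window that dwarfs the host's own earlier windows, reporting any
destination not seen before.  Thresholds and sample traffic are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

EPOCH = datetime(1970, 1, 1)
WINDOW_S = 300


def build_sample_flows():
    """Constructed flow records: (timestamp, src, dst, dst_port, bytes_out).
    Six quiet windows for two hosts, then 10.0.5.23 pushes 900 MB to a new address."""
    flows = []
    for w in range(6):
        ts = f"2024-03-04T14:{w * 5:02d}:10"
        flows.append((ts, "10.0.5.23", "198.51.100.20", 443, 2_000_000 + w * 10_000))
        flows.append((ts, "10.0.7.8", "198.51.100.21", 443, 1_500_000))
    flows.append(("2024-03-04T14:30:10", "10.0.5.23", "203.0.113.50", 443, 900_000_000))
    flows.append(("2024-03-04T14:30:10", "10.0.7.8", "198.51.100.21", 443, 1_600_000))
    return flows


def window_of(ts):
    """Index of the fixed WINDOW_S-second window containing an ISO timestamp."""
    return int((datetime.fromisoformat(ts) - EPOCH).total_seconds() // WINDOW_S)


def detect_outbound_spikes(flows, min_history=3, ratio=10.0):
    """Per source host, compare each window's outbound bytes with the median of
    that host's earlier windows; alert when it is >= ratio times the median,
    listing destinations that did not appear in the earlier windows."""
    bytes_by = defaultdict(lambda: defaultdict(int))   # src -> window -> bytes
    dsts_by = defaultdict(lambda: defaultdict(set))    # src -> window -> {dst}
    for ts, src, dst, _port, nbytes in flows:
        w = window_of(ts)
        bytes_by[src][w] += nbytes
        dsts_by[src][w].add(dst)

    alerts = []
    for src, per_window in bytes_by.items():
        windows = sorted(per_window)
        for i, w in enumerate(windows):
            history = windows[:i]
            if len(history) < min_history:      # not enough baseline yet
                continue
            baseline = median(per_window[x] for x in history)
            if per_window[w] >= ratio * baseline:
                seen = set().union(*(dsts_by[src][x] for x in history))
                alerts.append({
                    "src": src,
                    "window_start": (EPOCH + timedelta(seconds=w * WINDOW_S)).isoformat(),
                    "bytes": per_window[w],
                    "baseline": baseline,
                    "new_destinations": sorted(dsts_by[src][w] - seen),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_outbound_spikes(build_sample_flows()):
        print(f"ALERT {a['src']} sent {a['bytes']:,} B in window {a['window_start']} "
              f"(baseline {a['baseline']:,.0f} B) to new hosts {a['new_destinations']}")
```

A median baseline is used rather than a mean so that one earlier burst (a legitimate backup, for instance) does not raise the bar for everything after it. The alert gives the analyst exactly the three facts the answers above ask for first: which host, how much, and to whom; the destination then goes to threat intelligence and, if it is a cloud storage provider, to the DLP logs to see what was inside the transfer.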
10. Detecting Lateral Movement via Active Directory Logs
Q: You notice multiple failed login attempts from one workstation to different systems, followed by a successful login using a high-privilege account. What does this indicate?
A:
• This is consistent with lateral movement: an attacker who has compromised the workstation is trying stolen or guessed credentials against other hosts until one works, and then continues with a privileged account.
• Check for the related Event IDs in Windows logs: 4625 (failed logons) on the target systems with the workstation as the source address, 4624 with logon type 3 (network) or 10 (remote interactive) for the privileged account, 4672 (special privileges assigned to new logon) for that logon, and 4768/4769 (Kerberos TGT and service ticket requests) on the domain controller.
• Use the SIEM to correlate these events across hosts by source address and logon ID to confirm whether compromised credentials were used to move across the network, then isolate the workstation and reset the privileged account's password.
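The correlation described above, and the 4624-to-4672 join needed for the privilege escalation question in section 7, as an added example (not code from the original page). The events are constructed and reduced to the EventData fields the logic uses; the field names (TargetUserName, IpAddress, LogonType, TargetLogonId, SubjectLogonId) follow the real Security log schema, while the thresholds and the sample hosts are assumptions.

```python
"""Added example (not from the original page): correlate Windows Security
events for the lateral-movement pattern (one source fails against many hosts,
then obtains a privileged network logon) and expose the 4624/4672 join used
to spot privileged logons.  Events are constructed; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime


def ev(event_id, time, computer, **data):
    return {"EventID": event_id, "TimeCreated": time, "Computer": computer, **data}


# Constructed events: 10.0.5.23 fails against four hosts, then logs on to
# DC01 with a domain-admin account that receives special privileges (4672).
# 10.0.7.8 is a benign near-miss: one failure, then a normal logon.
SAMPLE_EVENTS = [
    ev(4625, "2024-03-04T11:00:01", "FS01", TargetUserName="svc_backup", IpAddress="10.0.5.23", LogonType=3),
    ev(4625, "2024-03-04T11:00:04", "FS02", TargetUserName="svc_backup", IpAddress="10.0.5.23", LogonType=3),
    ev(4625, "2024-03-04T11:00:07", "SQL01", TargetUserName="svc_backup", IpAddress="10.0.5.23", LogonType=3),
    ev(4625, "2024-03-04T11:00:12", "DC01", TargetUserName="svc_backup", IpAddress="10.0.5.23", LogonType=3),
    ev(4624, "2024-03-04T11:00:20", "DC01", TargetUserName="da_admin", IpAddress="10.0.5.23",
       LogonType=3, TargetLogonId="0x3E7A11"),
    ev(4672, "2024-03-04T11:00:20", "DC01", SubjectUserName="da_admin", SubjectLogonId="0x3E7A11"),
    ev(4625, "2024-03-04T11:02:00", "FS01", TargetUserName="carol", IpAddress="10.0.7.8", LogonType=3),
    ev(4624, "2024-03-04T11:02:05", "FS01", TargetUserName="carol", IpAddress="10.0.7.8",
       LogonType=3, TargetLogonId="0x4411"),
]


def privileged_logons(events):
    """Join 4624 to 4672 on (Computer, logon ID): the 4624 TargetLogonId equals
    the 4672 SubjectLogonId for the same session.  Returns the 4624 events whose
    session was granted special privileges."""
    priv = {(e["Computer"], e["SubjectLogonId"]) for e in events if e["EventID"] == 4672}
    return [e for e in events
            if e["EventID"] == 4624 and (e["Computer"], e.get("TargetLogonId")) in priv]


def detect_lateral_movement(events, min_targets=3, window_s=600):
    """Alert when one source address fails logons against >= min_targets distinct
    hosts within window_s seconds and then obtains a privileged network or
    remote-interactive logon anywhere."""
    priv_ids = {(e["Computer"], e.get("TargetLogonId")) for e in privileged_logons(events)}
    failures = defaultdict(list)        # source ip -> [(time, target host)]
    alerts = []
    for e in sorted(events, key=lambda x: x["TimeCreated"]):   # ISO strings sort by time
        src = e.get("IpAddress")
        ts = datetime.fromisoformat(e["TimeCreated"])
        if e["EventID"] == 4625:
            failures[src].append((ts, e["Computer"]))
        elif e["EventID"] == 4624 and e.get("LogonType") in (3, 10):
            recent = {host for t, host in failures[src]
                      if (ts - t).total_seconds() <= window_s}
            if len(recent) >= min_targets and (e["Computer"], e.get("TargetLogonId")) in priv_ids:
                alerts.append({"source": src, "account": e["TargetUserName"],
                               "landed_on": e["Computer"], "failed_targets": sorted(recent)})
    return alerts


if __name__ == "__main__":
    for a in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"ALERT {a['source']} failed against {a['failed_targets']} then logged on to "
              f"{a['landed_on']} as privileged account {a['account']}")
```

The distinct-host count is what separates this from a brute-force rule: a user retyping a password hits one host many times, whereas credential reuse across the estate fans out. The 4672 join is required because a successful 4624 alone says nothing about privilege; in a real SIEM the same join is written with the two events' logon-ID fields as the key.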
Q: You detect an unauthorized device connecting to the corporate Wi-Fi, generating high traffic. How
do you handle it?
A:
• Check DHCP logs to identify the MAC address and device type.
• Review network logs to determine if it’s communicating with suspicious external IPs.
• If unauthorized, I would block the device via NAC (Network Access Control), alert IT security,
and investigate if it's an insider threat.
Q: You notice SSL/TLS logs showing multiple handshake failures and self-signed certificates being used for connections. What does this indicate?
A:
• Handshake failures combined with unexpected self-signed certificates can indicate a man-in-the-middle attempt, where an intercepting device presents its own certificate and clients that validate properly reject it. It can also be a benign misconfiguration (an expired or self-signed certificate on an internal service), so first identify which server name and which clients are affected.
• Analyze network logs for supporting evidence such as unusual ARP activity, DNS responses pointing the server name at an unexpected IP, or a new gateway on the segment.
• If confirmed, alert the security team, remove the interception point, ensure clients enforce strict certificate validation (no accepting self-signed certificates), and consider certificate pinning for high-value services.
Q: Cloud logs show an IAM user accessing resources from an unusual location. What steps do you
take?
A:
• Review cloud access logs (e.g., AWS CloudTrail, Microsoft Entra ID sign-in logs) to confirm whether this was an unauthorized login and which credentials were used (console password, long-lived access key, or temporary session).
• Check if MFA was used; if not, require it for the user.
• Look for abnormal API calls (e.g., creating new users or access keys, attaching policies, modifying permissions, disabling logging).
• If unauthorized, revoke the session and disable the credentials, rotate any compromised keys, and review what the attacker changed so it can be reverted.
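The checks in this answer applied to CloudTrail records, as an added example (not code from the original page). CloudTrail carries no geolocation, so "unusual location" is approximated here by an assumed trusted egress network; the record field names (eventName, sourceIPAddress, userIdentity.sessionContext.attributes.mfaAuthenticated, additionalEventData.MFAUsed) are the real CloudTrail ones, while the sample records, the trusted range and the list of sensitive IAM calls are constructed for illustration.

```python
"""Added example (not from the original page): triage constructed AWS
CloudTrail records for three signals: source address outside a trusted
network, no MFA on the session, and sensitive IAM calls.  Field names follow
CloudTrail; the trusted range and the sample values are assumptions."""
import ipaddress
from collections import defaultdict

TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumption: corporate egress
SENSITIVE_IAM = {"CreateUser", "CreateAccessKey", "CreateLoginProfile",
                 "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                 "UpdateAssumeRolePolicy", "DeleteTrail", "StopLogging"}

# Constructed records in CloudTrail's shape (a real file is {"Records": [...]}).
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-04T12:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-04T12:01:10Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"userName": "support-tmp"}},
    {"eventTime": "2024-03-04T12:01:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "requestParameters": {"userName": "support-tmp",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-03-04T12:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1", "sourceIPAddress": "10.20.0.15",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
]


def mfa_used(rec):
    """ConsoleLogin reports MFA in additionalEventData; API calls report it in the
    session context.  A call made with a long-lived access key has no session
    context at all and is treated as no MFA, which is correct for such keys."""
    if rec["eventName"] == "ConsoleLogin":
        return rec.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    attrs = rec["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def from_trusted_net(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:            # e.g. "AWS Internal" or a service principal name
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(records):
    """Return the records that trip at least one check, with the reasons."""
    findings = []
    for rec in records:
        reasons = []
        if not from_trusted_net(rec["sourceIPAddress"]):
            reasons.append("untrusted_source_ip")
        if not mfa_used(rec):
            reasons.append("no_mfa")
        if rec["eventName"] in SENSITIVE_IAM:
            reasons.append("sensitive_iam_call")
        if reasons:
            findings.append({"time": rec["eventTime"], "user": rec["userIdentity"].get("userName"),
                             "event": rec["eventName"], "ip": rec["sourceIPAddress"],
                             "reasons": reasons})
    return findings


def chain_by_user(findings):
    """Order flagged calls per principal so the sequence (login, create user,
    attach admin policy) is visible at a glance."""
    chains = defaultdict(list)
    for f in sorted(findings, key=lambda f: f["time"]):
        chains[f["user"]].append(f["event"])
    return dict(chains)


if __name__ == "__main__":
    for user, events in chain_by_user(triage(SAMPLE_RECORDS)).items():
        print(user, "->", " > ".join(events))
```

On the sample, alice's MFA-backed call from the trusted range produces no finding, while deploy-bot's chain (console login without MFA from an outside address, then a new user given AdministratorAccess) is exactly the persistence pattern the answer tells you to look for, and the `requestParameters` of those records name what has to be reverted.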
Q: A third-party software update log shows the installation of an unsigned package on multiple
systems. What do you do?
A:
• Confirm whether the vendor normally signs its packages; an unsigned package from a vendor whose updates are usually signed is a strong indicator of tampering. Compare the package hash with the value the vendor publishes.
• Check for new network connections from affected devices to unknown servers, and for new processes, services, or scheduled tasks created at installation time.
• If identified as a supply chain attack, isolate affected systems, roll back the update, and notify the vendor for remediation.
Q: DNS logs reveal frequent requests to a domain with a randomized name structure. How do you
analyze this?
A:
• This could indicate Domain Generation Algorithm (DGA) activity, commonly used by malware to locate its C2 servers; DGA-infected hosts typically produce many NXDOMAIN responses, because most generated names are never registered.
• Check threat intelligence sources to see if any of the domains are linked to known malware.
• Analyze the endpoint that made these requests for signs of compromise.
• Block the domains at the DNS resolver or firewall, and run a malware scan on the suspected host.
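An added example (not code from the original page) of scoring query names for DGA-like structure and combining that with the NXDOMAIN rate per client, as described above. The DNS log lines are constructed; the scoring heuristics, thresholds and the simplification of taking the second-to-last label as the registrable domain (a real tool would use the Public Suffix List) are assumptions.

```python
"""Added example (not from the original page): score DNS query names for
DGA-like structure (high character entropy, few vowels, mixed letters and
digits) and flag clients that combine many such names with a high NXDOMAIN
rate.  Log lines are constructed; heuristics and thresholds are assumptions."""
import math
from collections import Counter, defaultdict

# Constructed resolver log: "timestamp client qname rcode".
SAMPLE_DNS_LOG = """\
2024-03-04T13:00:00 10.0.5.23 xk3jq9vwpzl.com NXDOMAIN
2024-03-04T13:00:01 10.0.5.23 h7tq2mfzkcv9.net NXDOMAIN
2024-03-04T13:00:02 10.0.5.23 w9rpm4xsz1qd.org NXDOMAIN
2024-03-04T13:00:03 10.0.5.23 q2zt8kvxmlpr.com NXDOMAIN
2024-03-04T13:00:04 10.0.5.23 bn5vqx2zlmtk.com NOERROR
2024-03-04T13:00:05 10.0.7.8 www.example.com NOERROR
2024-03-04T13:00:06 10.0.7.8 api.example.net NOERROR
2024-03-04T13:00:07 10.0.7.8 static.example.org NOERROR
"""

VOWELS = set("aeiou")


def entropy(s):
    """Shannon entropy in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname):
    # Assumption/simplification: second-to-last label; use the Public Suffix
    # List in production so that "example.co.uk" is handled correctly.
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(label):
    """Heuristic score 0..3: +1 high entropy, +1 few vowels, +1 letters mixed
    with digits.  Short CDN-style hostnames usually score 0 or 1."""
    score = 0
    if len(label) >= 8 and entropy(label) >= 3.0:
        score += 1
    letters = [c for c in label if c.isalpha()]
    if letters and sum(c in VOWELS for c in letters) / len(letters) < 0.25:
        score += 1
    if any(c.isdigit() for c in label) and letters:
        score += 1
    return score


def per_client_report(log_text, min_score=2):
    """Per client: query count, NXDOMAIN count, DGA-like count, sample names."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "dga_like": 0, "samples": []})
    for line in log_text.splitlines():
        _ts, client, qname, rcode = line.split()
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        if dga_score(registrable_label(qname)) >= min_score:
            s["dga_like"] += 1
            if len(s["samples"]) < 3:
                s["samples"].append(qname)
    return dict(stats)


def suspicious_clients(report, min_dga=3, min_nx_ratio=0.5):
    """Clients with enough DGA-like names and a high share of NXDOMAIN answers."""
    return sorted(c for c, s in report.items()
                  if s["dga_like"] >= min_dga and s["nxdomain"] / s["queries"] >= min_nx_ratio)


if __name__ == "__main__":
    report = per_client_report(SAMPLE_DNS_LOG)
    for client in suspicious_clients(report):
        print(f"SUSPECT {client}: {report[client]}")
```

Requiring both signals matters: entropy alone flags legitimate CDN and cloud hostnames, and NXDOMAIN alone flags typos and stale configurations, but a host that keeps asking for random-looking names that do not exist is the DGA profile. The `samples` list gives the analyst names to submit to threat intelligence, and `dga_score` is cheap enough to run on every query in the resolver log.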