0% found this document useful (0 votes)
52 views34 pages

Security Operations

A Security Operations Center (SOC) is a centralized unit that monitors, detects, analyzes, and responds to cybersecurity threats, ensuring continuous protection of an organization's IT infrastructure. SOCs utilize various tools and frameworks to provide incident detection, threat intelligence, compliance management, and continuous improvement of security measures. Different SOC models, such as SOC-as-a-Service and Dedicated SOC, cater to varying organizational needs and capabilities.
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
52 views34 pages

Security Operations

A Security Operations Center (SOC) is a centralized unit that monitors, detects, analyzes, and responds to cybersecurity threats, ensuring continuous protection of an organization's IT infrastructure. SOCs utilize various tools and frameworks to provide incident detection, threat intelligence, compliance management, and continuous improvement of security measures. Different SOC models, such as SOC-as-a-Service and Dedicated SOC, cater to varying organizational needs and capabilities.
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 34

SECURITY OPERATIONS:

https://www.wallarm.com/what/security-operations-center-soc

SOC stands for Security Operations Center. It is a centralized unit that continuously
monitors, detects, analyzes, and responds to cybersecurity threats in an organization. SOC
teams use various security tools, processes, and technologies to protect an organization's IT
infrastructure, data, and users from cyberattacks.

Why Do We Need SOC?

1. Centralized Security Monitoring


A SOC ensures 24/7 surveillance of an organization’s IT environment, continuously
monitoring systems, networks, and applications to detect and respond to cyber threats
in real time.
2. Incident Detection & Response
Using advanced tools like SIEM (Security Information and Event Management), SOC
teams identify suspicious activities, analyze threats, and take immediate action to
prevent security breaches.
3. Threat Intelligence and Analysis
SOC teams collect and analyze threat intelligence data to identify vulnerabilities,
detect attack patterns, and enhance cybersecurity defenses against emerging threats.
4. Compliance & Regulatory Requirements
To meet industry regulations such as GDPR, HIPAA, and ISO 27001, a SOC ensures
that security policies, procedures, and data protection measures align with legal and
compliance requirements.
5. Incident Investigation and Forensics
When security incidents occur, SOC teams conduct forensic investigations to
determine the root cause, assess the impact, and implement corrective measures to
prevent future occurrences.
6. Continuous Improvement and Optimization
A SOC continuously enhances security strategies by learning from past incidents,
refining detection techniques, and optimizing security measures to strengthen overall
cybersecurity resilience.

FRAMWORKS OF SOC:

Here’s how a Security Operations Center (SOC) works based on the key framework
components:

1. Availability
SOC ensures that critical systems, applications, and networks remain operational and
always accessible. To prevent disruptions, it implements measures such as
redundancy, failover mechanisms, and DDoS protection.
2. Security
The SOC safeguards an organization's IT infrastructure against cyber threats by
implementing firewalls, intrusion detection systems (IDS), encryption, and real-time
monitoring. It also responds to security incidents to minimize damage.
3. Confidentiality
Protecting sensitive data is a key responsibility of a SOC. It enforces access controls,
identity management, and encryption techniques to ensure that only authorized
personnel can access confidential information.
4. Processing
SOC oversees the secure processing of data, ensuring that integrity is maintained
throughout data transmission and storage. It implements security policies to prevent
unauthorized alterations or data corruption.
5. Privacy
Ensuring data privacy involves compliance with regulations like GDPR and HIPAA.
SOC teams monitor and control data access, ensuring that personal and sensitive
information is handled securely without unauthorized exposure.

FUNCTIONS OF SOC:

1. Monitoring
o SOC continuously monitors network traffic, system logs, and security events
using SIEM (Security Information and Event Management) tools.
o This helps detect unusual activities and potential security threats in real-time.
2. Detection
o By analyzing behavior patterns and comparing them with known threat
intelligence, SOC identifies anomalies and signs of malicious activity such
as phishing, malware, and unauthorized access.
3. Response
o Once a threat is detected, SOC teams take immediate action to mitigate risks
by isolating affected systems, blocking malicious IPs, and applying security
patches.
4. Analysis
o A thorough post-incident analysis is conducted to determine the root cause of
a security breach.
o SOC evaluates the impact of the attack and develops strategies to prevent
similar incidents in the future.
5. Reporting
o SOC maintains detailed security logs and reports for compliance with
standards such as ISO 27001, GDPR, and HIPAA.
o These reports help improve security measures, support forensic investigations,
and assist in regulatory audits.

SOC Models and Types

SOC models are structured based on the size, security needs, and operational capabilities
of an organization. Below are the key SOC models used across industries:

1. SOC-as-a-Service (SOCaaS)
🔹 Description: A fully outsourced SOC where a third-party provider handles threat
detection, response, and monitoring on behalf of an organization.
🔹 Best For: Small to mid-sized businesses that need cybersecurity without investing in
infrastructure.
🔹 Advantages:
✔️Cost-effective compared to a dedicated SOC
✔️24/7 monitoring and expert security support
✔️Quick deployment without requiring in-house staff
🔹 Challenges:
❌ Limited control over security operations
❌ Dependency on third-party expertise and response times

2. Multifunction SOC/NOC (SOC + NOC Integration)

🔹 Description: A combined Security Operations Center (SOC) and Network Operations


Center (NOC) to manage both network performance and cybersecurity.
🔹 Best For: Organizations that want to optimize IT operations and security in a unified
environment.
🔹 Advantages:
✔️Improves efficiency by combining IT and security monitoring
✔️Reduces operational costs by sharing resources
✔️Faster response to cyber incidents and network failures
🔹 Challenges:
❌ Security and network teams may have conflicting priorities
❌ Requires highly skilled personnel to manage both operations

3. Co-Managed or Hybrid SOC

🔹 Description: A mix of in-house security operations and third-party security services,


where organizations handle some functions while outsourcing others.
🔹 Best For: Businesses that want partial control over security but need external expertise
for advanced threats.
🔹 Advantages:
✔️Balances security control and cost savings
✔️Access to advanced threat intelligence and cybersecurity expertise
✔️Scalable as security needs evolve
🔹 Challenges:
❌ Requires coordination between internal and external teams
❌ Response time may vary based on responsibility distribution

4. Dedicated SOC

🔹 Description: A fully in-house SOC, built and operated by the organization with its own
cybersecurity team, tools, and infrastructure.
🔹 Best For: Large enterprises and government organizations that require complete
security control.
🔹 Advantages:
✔️Full control over security policies and response plans
✔️Faster incident detection and mitigation
✔️Can be customized to meet organizational needs
🔹 Challenges:
❌ High cost of setup and maintenance
❌ Requires highly skilled security professionals

5. Command SOC (Global SOC)

🔹 Description: A centralized SOC that oversees multiple regional or local SOCs, ensuring
standardized security policies and incident response coordination across an enterprise.
🔹 Best For: Multinational corporations and large enterprises with global security
operations.
🔹 Advantages:
✔️Ensures consistent security across all locations
✔️Facilitates intelligence sharing between regional SOCs
✔️Better coordination during global security incidents
🔹 Challenges:
❌ High cost and complexity in managing multiple locations
❌ Requires advanced security automation and expertise

Which SOC Model Should You Choose?

✅ Startups & SMBs → SOC-as-a-Service (SOCaaS)


✅ Enterprises with IT & Security Focus → Multifunction SOC/NOC
✅ Companies Seeking Flexibility → Co-Managed/Hybrid SOC
✅ Large Enterprises & Governments → Dedicated SOC
✅ Multinational Corporations → Command SOC

NOC:

NOC (Network Operations Center) is a centralized location where IT professionals


monitor, manage, and maintain an organization's network infrastructure. The primary goal of
a NOC is to ensure network performance, availability, and security by detecting and
resolving network issues in real-time.

Key Functions of a NOC:

1. Network Monitoring & Maintenance: Continuous monitoring of network traffic,


bandwidth, and overall performance to ensure smooth operations.
2. Incident Detection & Troubleshooting: Identifying and resolving connectivity
issues, hardware failures, and performance bottlenecks.
3. System & Server Management: Managing network devices, servers, routers, and
switches to ensure uptime and reliability.
4. Security & Threat Management: Detecting cybersecurity threats such as DDoS
attacks, unauthorized access, and malware to protect network integrity.
5. Performance Optimization: Ensuring network efficiency by analyzing traffic
patterns, reducing latency, and optimizing bandwidth usage.
6. Disaster Recovery & Backup: Implementing backup solutions and disaster recovery
plans to restore services in case of failures.
Difference Between NOC and SOC:

 NOC (Network Operations Center) focuses on network health, performance, and


connectivity.
 SOC (Security Operations Center) focuses on cybersecurity, threat detection, and
incident response.
 The NOC ensures that the network infrastructure is functional and optimized.
 The SOC protects the network from cyber threats and ensures data security.
 Both teams collaborate to handle incidents such as DDoS attacks, network breaches,
or malware outbreaks.
 SOC provides the centralised monitoring

WORK FLOW OF SOC:

Here’s how a Security Operations Center (SOC) functions based on these key areas:

1. Threat Monitoring and Detection

 SOC teams continuously monitor systems, networks, and applications using SIEM
(Security Information and Event Management) and other security tools.
 They analyze logs, detect anomalies, and identify potential cyber threats such as
malware infections, unauthorized access, or unusual behavior.

2. Incident Response and Investigation

 When a security incident is detected, SOC teams follow a structured Incident


Response Plan (IRP) to assess the threat level.
 They analyze attack patterns, classify threats, and determine the best course of action
to minimize damage.

3. Threat Containment and Eradication

 SOC teams isolate affected systems, block malicious IPs, and remove infected files to
prevent further spread and also patch the software and follow the appropriate process
and make sure we update our system and remove the malicious Advanced tools like
EDR (Endpoint Detection and Response) help eliminate persistent threats and
restore system integrity.

4. Forensic Analysis & Root Cause Investigation

 After containing an attack, forensic experts analyze logs, network traffic, and digital
evidence to determine the origin of the breach and how it occurred.
 They use threat intelligence to understand attacker tactics, techniques, and
procedures (TTPs).

5. Reporting & Compliance Management


 SOC generates reports on security incidents, response actions, and lessons learned for
internal teams and regulatory authorities.
 It ensures compliance with security standards such as GDPR, HIPAA, ISO 27001,
and NIST by maintaining audit logs and security documentation.

SOC Teams and Roles and Responsibilities

https://www.infosectrain.com/blog/role-and-responsibilities-of-a-soc-analyst/

SOC Analyst Level 1 (L1) – First Line of Defence

🔹 Primary Focus: Monitor network and system activity for potential security threats using
SIEM (Security Information and Event Management) tools.

🔹 Key Responsibilities:
✔️Alert Handling:

 Acts as the first responder to security alerts.


 Differentiates between real threats and false positives.

✔️Initial Threat Assessment:

 Conducts basic investigation of security incidents.


 Uses threat intelligence feeds and security logs to identify potential attacks.
 Escalates confirmed threats to L2 analysts if further action is needed.

✔️Incident Logging & Reporting:

 Maintains detailed records of security alerts and responses.


 Creates incident reports to assist in forensic analysis.

✔️Continuous Monitoring:

 Works 24/7 in rotating shifts to monitor security dashboards.


 Ensures that any suspicious activity is flagged immediately.

Phishing vs. Pharming

https://www.valimail.com/resources/guides/guide-to-phishing/phishing-vs-pharming/

Pharming (a play on the words “phishing” and “farming”) occurs when an attacker alters your
computer or router’s settings to redirect legitimate users to malicious sites. In a pharming
attack, the attacker changes how your computer resolves domain names to IP addresses. To
do so, they must infect your computer or router with malware that modifies the DNS
settings.

Because it doesn’t require the attacker to interact directly with the victim, pharming can be
even more dangerous than conventional phishing. A key difference between pharming vs.
phishing is that pharming requires an attacker to gain unauthorized access to a system, while
phishing only requires successful social engineering.

As a SOC Analysts you have just received a security alert, that is talking about the phishing
attack on the basis of the phishing attack, the victim he has clicked on the link and once he
has clicked on that link he visited that site and he provided those credential you have to
perform the investigation and you have to find the information what happened over there

SIEM Tools

Security Information and Event Management (SIEM) tools are crucial for monitoring,
detecting, and responding to security incidents in real-time. Below are some of the leading
SIEM tools used in cybersecurity:

1. SPLUNK

Overview:

 Splunk is one of the most widely used SIEM tools for data analysis, log management,
and security monitoring.
 It allows organizations to collect, index, and analyze machine-generated data from
various sources, including logs, applications, servers, and network devices.

Key Features:

 Real-time monitoring and alerting based on custom security rules.


 Powerful search and query capabilities for logs and security events.
 Advanced analytics with machine learning to detect anomalies and threats.
 Scalable architecture to handle large volumes of data.
 Integration with various security tools (e.g., firewalls, intrusion detection systems).

Use Case:

 Suitable for organizations that need to collect massive volumes of data and require
advanced log analysis and reporting.

2. IBM QRADAR

Overview:

 QRadar is IBM's SIEM platform designed to provide real-time visibility, threat


detection, and incident response.
 It integrates with security data sources and provides comprehensive security
analytics.

Key Features:

 Automated incident detection and correlation.


 Flow processing: Analyzes network traffic for unusual patterns.
 Pre-built integrations with thousands of log sources and devices.
 Risk-based alerting to prioritize incidents based on severity and impact.
 Forensic investigation tools for analyzing security incidents.
 Built-in SOAR (Security Orchestration, Automation, and Response) capabilities.

Use Case:

 Ideal for large organizations with complex IT environments that need


comprehensive threat detection and incident response.

3. Microsoft Sentinel (Azure Sentinel)

Overview:

 Azure Sentinel is a cloud-native SIEM tool from Microsoft designed to provide real-
time security analytics and monitoring using AI and machine learning.
 It integrates seamlessly with Microsoft products and other third-party security
solutions.

Key Features:

 Cloud-native architecture for scalability and flexibility.


 Built-in machine learning for automatic anomaly detection and risk identification.
 Automated responses and playbooks for threat mitigation.
 Integration with Azure services and other cloud environments.
 Centralized security monitoring for hybrid and multi-cloud environments.

Use Case:
 Perfect for organizations already using Microsoft services or those with a cloud-
first strategy, especially those operating in multi-cloud environments.

4. Google Chronicle

Overview:

 Google Chronicle is a cloud-based SIEM platform built by Google to provide


advanced threat detection and security data analysis.
 It leverages Google’s expertise in big data analytics to handle high volumes of
security logs and events.

Key Features:

 Cloud-first SIEM solution for scalable data storage and analysis.


 Integration with Google Cloud and other security tools.
 Advanced threat intelligence powered by Google’s capabilities in machine learning
and data analytics.
 Fast search and analytics capabilities for incident investigation.
 Long-term data retention to perform historical analysis and threat hunting.

Use Case:

 Suitable for large enterprises that need to process massive amounts of security data
with a focus on cloud-based infrastructure and threat intelligence.

5. ArcSight (Micro Focus ArcSights

Overview:

 ArcSight by Micro Focus is a comprehensive SIEM solution designed for large


enterprises, providing real-time threat detection, security monitoring, and
compliance reporting.
 ArcSight offers a robust set of analytics for monitoring security across enterprise
networks.

Key Features:

 Real-time event correlation and threat detection.


 Advanced analytics with machine learning to identify security incidents.
 Scalable architecture for enterprise environments.
 Integration with multiple security technologies such as firewalls, intrusion
detection systems, and endpoint protection.
 Compliance reporting for regulatory standards like GDPR, PCI-DSS, and HIPAA.

Use Case:

 Suitable for large organizations requiring a mature SIEM solution for


comprehensive threat management and compliance reporting.
6.OSSIM (Open Source Security Information Management)

Overview:

 OSSIM is an open-source SIEM tool developed by AT&T Cybersecurity (formerly


AlienVault). It is designed to provide security monitoring, incident detection, and
response capabilities without the need for a high-cost enterprise solution.
 OSSIM integrates several essential open-source security tools and frameworks to
offer comprehensive threat management, log aggregation, and monitoring.

Comparison of Key Features:

Microsoft Google
Feature SPLUNK QRADAR ArcSight
Sentinel Chronicle
Real-time monitoring Yes Yes Yes Yes Yes
Cloud-native No No Yes Yes No
Machine learning Yes Yes Yes Yes Yes
Integration with 3rd
High High High High High
party tools
Scalability High High High Very High High
Automation & SOAR Limited Yes Yes Limited Yes
Compliance Reporting Yes Yes Yes Yes Yes
Advanced Threat
Yes Yes Yes Yes Yes
Intelligence

Choosing the Right SIEM Tool:

 SPLUNK: Ideal for data-heavy organizations needing a powerful search engine and
flexibility in data analysis.
 QRADAR: Best for large enterprises that require a comprehensive and automated
incident response.
 Microsoft Sentinel: Perfect for cloud-native environments or organizations heavily
invested in Microsoft services.
 Google Chronicle: Excellent for organizations processing large amounts of
security data that need advanced analytics in a cloud-first environment.
 ArcSight: Great for mature enterprises needing a robust, traditional SIEM
solution with advanced security analytics and compliance reporting.

Threat Intelligence Tools

Threat intelligence (TI) tools provide essential information about potential cyber threats,
helping organizations detect, analyze, and mitigate attacks more effectively. These tools
use data about past attacks, vulnerabilities, and threats to provide actionable intelligence.
Below are some of the popular threat intelligence platforms:

1. VirusTotal

Overview:

 VirusTotal is a free online service that scans files, URLs, and IP addresses using a
large number of antivirus engines and tools.
 It is widely used to check whether files or URLs are flagged as malicious.

Key Features:

 File scanning: Upload and scan files for malicious content (viruses, trojans, etc.).
 URL scanning: Check if URLs are associated with phishing or malware.
 Malware reports: Provides detailed analysis on files and URLs, including which
antivirus engines flagged them.
 Community feedback: VirusTotal’s public report system allows users to see and
contribute to analysis of suspicious files/URLs.

Use Case:

 Ideal for analyzing files, URLs, and IP addresses to check if they are part of known
malware or phishing campaigns.

2. Open Threat Exchange (OTX) by AlienVault

Overview:

 OTX is a community-driven threat intelligence platform provided by AlienVault


(now part of AT&T Cybersecurity). It provides indicators of compromise (IOCs) and
threat data shared by the global security community.

Key Features:

 IOC sharing: Allows users to share and access IOCs such as IPs, domains, file
hashes, and URLs.
 Real-time threat intelligence: The platform gathers real-time threat data from
multiple sources.
 API integration: Easily integrates with SIEM tools for automated threat detection.
 Threat analysis: Provides insights on malware campaigns, phishing, and other threat
activities.

Use Case:

 Excellent for organizations looking for collaborative threat intelligence and to stay
updated on global threat trends.

3. MITRE ATT&CK

Overview:
 MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a
knowledge base that documents adversary tactics, techniques, and procedures (TTPs)
based on real-world observations.
 It’s a framework that helps organizations understand how attackers operate and
map threats to specific techniques.

Key Features:

 Threat modeling: Provides a comprehensive set of TTPs used by threat actors.


 Threat detection: Helps map security controls to the ATT&CK framework for
improved detection of known attack methods.
 Red teaming: Used by red teams and incident response teams for simulating attack
scenarios.
 Regular updates: The framework is regularly updated to reflect new tactics and
techniques used by adversaries.

Use Case:

 Essential for organizations to understand attack lifecycle and improve defense


strategies using a behavioral-based framework.

4. MISP (Malware Information Sharing Platform & Threat Sharing)

Overview:

 MISP is an open-source threat intelligence platform that facilitates sharing, storing,


and correlating structured threat data such as IOCs, tactics, and malware samples.
 It is primarily used for sharing intelligence in a community-driven way.

Key Features:

 Structured threat data: Supports the sharing of data in formats such as OpenDXL,
STIX, and CybOX.
 Collaboration: Enables collaboration between organizations to share and enrich
threat intelligence.
 Threat data correlation: Correlates different threat intelligence sources to identify
patterns and relationships.
 API and integrations: Integrates with other security tools like SIEMs, firewalls, and
endpoint protection.

Use Case:

 Perfect for organizations in need of a collaborative and open-source threat


intelligence platform for sharing actionable data.

5. IBM X-Force Exchange

Overview:
 IBM X-Force Exchange is a cloud-based threat intelligence platform offering access
to a vast database of security incidents, vulnerabilities, and threat data collected by
IBM’s X-Force team.

Key Features:

 Global threat intelligence: Provides access to a comprehensive collection of


security data, including vulnerabilities, malware, and attack techniques.
 Real-time threat feeds: Offers real-time feeds on emerging threats and trends.
 Customizable alerts: Allows users to set up alerts for specific threat actors or attack
techniques.
 Actionable intelligence: Offers insights into potential risks and strategies for
mitigating them.

Use Case:

 Ideal for enterprises looking for high-quality threat intelligence to help with
proactive defense and incident response.

6. AlienVault Threat Intelligence (now part of AT&T Cybersecurity)

Overview:

 AlienVault Threat Intelligence is a comprehensive threat intelligence service that


aggregates data from various sources, including open-source feeds, commercial threat
data providers, and the AlienVault community.
 The data is used to detect and respond to advanced persistent threats (APTs) and
other complex attack techniques.

Key Features:

 Threat intelligence feeds: Provides real-time feeds on emerging threats, attack


tactics, and IOCs.
 Unified security platform: It integrates with SIEM and intrusion detection
systems (IDS) to enhance threat detection.
 Attack intelligence: Provides detailed analysis on how attacks occur, the tools used,
and how to defend against them.
 Integration with AT&T Cybersecurity tools**: Provides seamless integration with
other AT&T security products.

Use Case:

 Best suited for organizations needing a comprehensive, commercial threat


intelligence feed with integrated detection capabilities.

7. Mandiant (FireEye)

Overview:
 Mandiant (acquired by FireEye) is a leading cybersecurity firm providing
advanced threat intelligence services to help organizations detect and respond to
sophisticated attacks such as APTs, ransomware, and nation-state cyber activities.

Key Features:

 Real-time threat intelligence: Provides real-time alerts on emerging threats and


campaigns.
 Incident response: Mandiant helps organizations with forensic investigations and
response during and after cyberattacks.
 Advanced threat analysis: Focuses on sophisticated cyber threats and APTs.
 Expert insights: Leverages insights from cybersecurity experts to provide tailored
intelligence and analysis.

Use Case:

 Best for organizations needing advanced threat intelligence for high-value targets
or those at risk of sophisticated, targeted attacks (e.g., nation-state threats, APT
actors).

Choosing the Right Tool:

 For quick file/URL scanning: Use VirusTotal.


 For collaborative sharing and community-driven intelligence: Use OTX or MISP.
 For threat modeling and detection: Use MITRE ATT&CK.
 For real-time global threat feeds and enterprise intelligence: Use IBM X-Force
Exchange or AlienVault.
 For dealing with advanced persistent threats (APT) or targeted attacks: Use Mandiant
(FireEye).

Endpoint Security Tools

1. Carbon Black
Overview:
 Carbon Black is an endpoint security solution that uses cloud-native technology to
provide continuous monitoring and incident response capabilities. It focuses on
behavioral analysis to detect and prevent cyber threats in real-time.

Key Features:

 Behavioral Endpoint Protection: Detects and prevents advanced persistent threats


(APTs) using advanced behavioral analytics.
 Real-time Detection: Provides real-time monitoring of endpoint activities and
security events.
 Threat Hunting: Allows security teams to conduct proactive investigations into
endpoints.
 Incident Response: Offers in-depth analysis and forensics to help in the investigation
of attacks.
 Cloud-Native Platform: Supports scalable deployments with a focus on cloud-based
endpoints.

Use Case:

 Ideal for organizations needing a next-gen endpoint protection solution, with


emphasis on real-time threat hunting and incident response.

2. Windows Defender
Overview:

 Windows Defender is a built-in antivirus and endpoint protection software provided


by Microsoft for Windows operating systems. It provides essential protection for
detecting and removing malware and spyware.

Key Features:

 Real-Time Protection: Actively monitors your system for potential threats and
malware.
 Automatic Updates: Receives continuous updates from Microsoft to stay current
with new threats.
 Firewall and Network Protection: Provides network-level security and monitors
incoming/outgoing traffic.
 Cloud Protection: Uses cloud-powered analysis for faster identification of threats.
 Exploit Protection: Protects against common attack techniques like buffer overflow.

Use Case:

 Best for individuals or small organizations looking for built-in, free, and basic
endpoint protection in Windows environments.

3. CrowdStrike
Overview:
 CrowdStrike is a leading endpoint security solution that offers cloud-delivered
protection for endpoints. It uses AI-driven analysis to provide advanced threat
detection, prevention, and response capabilities.

Key Features:

 Next-Gen Antivirus: Provides real-time endpoint protection using AI and machine


learning for detecting sophisticated attacks.
 Incident Response: Helps in remediating incidents and investigating breaches by
analyzing endpoint activities.
 Threat Intelligence: Integrates threat intelligence to inform and improve detection
capabilities.
 Cloud-Native: Provides cloud-based management, making it easier to scale and
maintain.
 EPP & EDR: Combines Endpoint Protection Platform (EPP) and Endpoint
Detection and Response (EDR) to secure endpoints.

Use Case:

 Suitable for organizations needing advanced, cloud-delivered endpoint protection


with integrated incident response capabilities and real-time threat intelligence.

Network Security Tools

1. Snort
Overview:

 Snort is a popular open-source intrusion detection system (IDS) and intrusion


prevention system (IPS) developed by Cisco. It inspects network traffic in real-time
to detect malicious activity.

Key Features:

 Packet Inspection: Snort analyzes network packets for anomalies and signs of
malicious behavior.
 Real-Time Traffic Analysis: It detects and alerts on malicious traffic and attacks in
real-time.
 Rule-Based Detection: Snort uses a signature-based rule system to identify threats.
 Extensibility: Users can write custom detection rules based on specific network
traffic patterns.
 Scalability: Can scale from small environments to large enterprise networks.

Use Case:

 Ideal for organizations requiring an affordable, open-source IDS/IPS to detect and


prevent network-based attacks.

2. Zeek (formerly Bro)


Overview:
 Zeek is a network monitoring platform that provides high-fidelity network traffic
analysis. It focuses on network security monitoring (NSM) and provides detailed logs
of network activity.

Key Features:

 Comprehensive Traffic Analysis: Zeek inspects network traffic in depth, including


application layer protocols, HTTP, DNS, and more.
 High-Fidelity Logs: Provides detailed logs for analysis, helping teams with incident
response and forensics.
 Extensibility: Can be extended with custom scripts to enhance functionality.
 IDS/IPS Capabilities: While it doesn’t work like traditional IDS/IPS systems, it can
detect suspicious network activity and help correlate attacks.
 Community-Driven: Being open-source, Zeek has a strong community contributing
to its features.

Use Case:

 Best for large enterprises or organizations that need in-depth network traffic
analysis and network security monitoring.

3. Suricata

Overview:

 Suricata is an open-source IDS/IPS engine developed by the Open Information


Security Foundation. It provides high-performance network traffic analysis and
intrusion detection capabilities.

Key Features:

 Real-Time Traffic Monitoring: Suricata inspects network traffic in real-time,


detecting anomalies and malicious activity.
 Multi-Protocol Analysis: Supports HTTP, DNS, FTP, and more for detecting
threats across various protocols.
 IDS/IPS and Network Security Monitoring (NSM): Combines traditional IDS/IPS
functionality with NSM for deeper insights.
 High Performance: Can handle large traffic volumes with low latency.
 Open Source & Extensible: Supports community-driven updates and allows for
custom rule sets.

Use Case:

 Ideal for organizations needing an open-source, high-performance IDS/IPS with


network monitoring capabilities.

4. Wazuh
Overview:
 Wazuh is an open-source security monitoring platform that provides log analysis, file
integrity monitoring, intrusion detection, and real-time alerting.

Key Features:

 Log Data Collection & Analysis: Wazuh collects logs from servers, endpoints, and
network devices and analyzes them for security events.
 File Integrity Monitoring: Monitors critical files for changes to detect unauthorized
access.
 Intrusion Detection: Offers real-time IDS/IPS capabilities.
 Security Monitoring and Incident Response: Supports incident response processes
with automated alerts and detailed logs.
 Integration with SIEMs: Easily integrates with SIEM platforms like Elastic Stack
for enhanced data analysis.

Use Case:

 Perfect for organizations that need open-source network security monitoring,


intrusion detection, and SIEM integration.

Incident Management Tools

1. TheHive
Overview:

 TheHive is an open-source incident response platform designed for security teams


to manage incidents and collaborate effectively on investigations.

Key Features:

 Case Management: Provides tools to create, track, and manage incidents.


 Collaboration: Enables incident response teams to work together in real-time.
 Integration with Threat Intelligence: Can be integrated with MISP and other threat
intelligence sources for contextual threat data.
 Automated Workflows: Supports the automation of incident response workflows.
 Extensible: Can integrate with multiple security tools like SIEMs and endpoint
security solutions.

Use Case:

 Best for teams managing and responding to security incidents with collaborative
and automated workflows.

2. ServiceNow
Overview:

 ServiceNow is a widely used IT service management (ITSM) platform that also


provides incident management features, including for security operations.

Key Features:
 ITIL Framework: Implements the ITIL (Information Technology Infrastructure
Library) framework for managing incidents, problems, and changes.
 Security Incident Management: Provides a set of tools for tracking, managing,
and responding to security incidents.
 Automation: Integrates automation into workflows for faster incident resolution.
 Collaboration: Facilitates collaboration across IT and security teams for incident
response.
 Integration with Other Tools: Works with SIEMs, firewalls, and other security
solutions for streamlined management.

Use Case:

 Ideal for enterprises that already use ServiceNow for IT service management and
want to integrate security incident management into the same platform.

3. Jira
Overview:

 Jira is a popular project management tool used by many teams, including security
teams, for incident tracking and task management.

Key Features:

 Incident and Task Tracking: Helps teams track and manage security incidents and
remediation efforts.
 Agile Workflows: Supports Agile project management methodologies, which can
be beneficial for security teams managing incidents.
 Custom Workflows: Teams can create custom workflows tailored to their specific
incident response process.
 Integration with Other Tools: Jira integrates with other incident management
tools, including TheHive and ServiceNow.

Use Case:

 Best for organizations already using Jira for project management who want to use
the same platform for security incident tracking.

Summary Comparison:

Tool Name Category Key Feature


Behavioral endpoint protection with threat hunting
Carbon Black Endpoint Security
capabilities.
Windows
Endpoint Security Basic, built-in endpoint protection for Windows.
Defender
Cloud-based, AI-driven endpoint protection with real-
CrowdStrike Endpoint Security
time intelligence.
Snort Network Security Signature-based IDS/IPS with packet analysis.
Zeek Network Security Comprehensive network traffic analysis and NSM.
Suricata Network Security High-performance IDS/IPS with multi-protocol
Tool Name Category Key Feature
support.
Open-source security monitoring with IDS/IPS
Wazuh Network Security
capabilities.
Incident Open-source incident management and response
TheHive
Management platform.
Incident ITIL-based platform for security incident
ServiceNow
Management management.
Incident
Jira Task and incident management with Agile workflows.
Management

Roles and Responsibilities of SOC Analyst Level 2 (L2)

SOC Analyst Level 2 (L2) plays a critical role in the security operations center (SOC) by
handling more complex incidents that require in-depth analysis, investigation, and response.
Below are the detailed roles and responsibilities for L2 analysts:

1. In-Depth Analysis

 Purpose: L2 analysts are responsible for analyzing security incidents that have been
escalated from L1 analysts. They perform a deeper dive into incidents to determine
the scope, severity, and impact of the threat.
 Tasks:
o Conduct detailed analysis of potential threats and anomalies.
o Use various security tools, logs, and threat intelligence to evaluate the
incident further.
o Determine whether the threat is genuine or a false alarm.

2. Incident Validation

 Purpose: Validate and prioritize incidents to ensure that the most critical threats are
addressed immediately.
 Tasks:
o Validate if the incident is legitimate, confirming whether it is a true security
event or a false positive.
o Prioritize incidents based on the threat level (severity and impact).
o Apply risk assessments to decide whether an incident requires immediate
action or can be handled later.

3. Incident Handling

 Purpose: L2 analysts are responsible for taking initial containment actions on


escalated incidents to mitigate potential damage.
 Tasks:
o Take initial response actions, such as isolating affected systems, blocking
malicious traffic, or quarantining compromised endpoints.
o Implement remediation measures as needed, including updating firewalls,
disabling user accounts, or deploying patches.
o Engage in correlation of multiple security events to understand the full scope
of the incident.

4. Communication

 Purpose: L2 analysts coordinate with other internal teams to ensure a rapid and
efficient response to security incidents.
 Tasks:
o Coordinate with cross-functional teams, such as network engineers, IT
support, and incident response teams, to ensure the containment and
resolution of the incident.
o Keep stakeholders updated on the status of the incident and any actions taken.
o Document the incident response process and communicate findings to senior
management or clients, as required.

5. Mentoring and Training

 Purpose: L2 analysts often provide guidance and support to lower-level analysts (L1)
to improve team skills and effectiveness.
 Tasks:
o Mentor L1 analysts, helping them improve their analysis skills and incident-
handling procedures.
o Provide feedback to junior analysts to enhance their understanding of different
security threats and best practices.
o Conduct knowledge-sharing sessions to help the team stay updated on
emerging threats and security tools.

6. Threat Intelligence Integration

 Purpose: L2 analysts integrate threat intelligence feeds into their analysis to identify
known patterns of attack or indicators of compromise (IOCs).
 Tasks:
o Use tools like MISP, Threat Intelligence platforms, or external sources to
enrich incident data with context.
o Correlate current incidents with known attack techniques, tactics, and
procedures (TTPs) using frameworks like MITRE ATT&CK.
o Enhance detection capabilities by sharing internal findings and collaborating
with threat intelligence providers.

7. Incident Documentation and Reporting


 Purpose: L2 analysts are responsible for documenting detailed records of incidents
and actions taken for compliance and further analysis.
 Tasks:
o Maintain detailed incident logs that capture every step of the investigation,
from detection to resolution.
o Ensure that incident records are aligned with organizational compliance and
auditing requirements.
o Provide reports summarizing the incident, including root cause analysis,
impact assessment, and lessons learned.

SOC Teams and Roles: SOC Analyst Level 3 (L3)

SOC Level 3 (L3) analysts are the senior security experts within a Security Operations
Center (SOC). They handle the most complex cybersecurity threats and work on advanced
threat detection, response, and strategic improvements in security posture.

🔹 Roles and Responsibilities of a SOC L3 Analyst

1️⃣ Advanced Incident Response

✔️Lead investigations into high-priority security incidents (e.g., APTs, Zero-Day Attacks,
Data Breaches).
✔️Work with forensics teams to identify attack vectors.
✔️Recommend and implement containment strategies to mitigate threats.

✅ Tools Used:

 SIEM (Splunk, QRadar, Sentinel)


 Threat Intelligence (MITRE ATT&CK, MISP, FireEye)
 Forensic Tools (FTK, Autopsy, Wireshark)

2️⃣ Threat Hunting

✔️Proactively search for hidden threats that evade traditional security tools.
✔️Conduct behavioral analysis to detect anomalies in network traffic, logs, and endpoint
activity.
✔️Utilize machine learning models and security analytics to identify advanced threats.

✅ Tools Used:

 EDR/XDR (CrowdStrike, Carbon Black, Windows Defender)


 Threat Hunting Frameworks (Sigma, YARA, Zeek)
 Network Analysis (Suricata, Wireshark, ELK Stack)
3️⃣ Strategy and Development

✔️Improve the SOC playbook and define response strategies for emerging threats.
✔️Work with red teams and penetration testers to strengthen defenses.
✔️Analyze past incidents to refine security policies and enhance compliance (ISO 27001,
NIST, GDPR).

✅ Tools Used:

 Incident Management (TheHive, ServiceNow, JIRA)


 Compliance Tools (NIST Frameworks, CIS Benchmarks)
 Automation (SOAR platforms like Palo Alto Cortex XSOAR)

4️⃣ Tool Customization and Development

✔️Fine-tune SIEM correlation rules for better threat detection.


✔️Develop custom scripts (Python, PowerShell, Bash) to automate tasks like log analysis
and malware detection.
✔️Implement SOAR (Security Orchestration, Automation, and Response) to reduce manual
workload.

✅ Tools Used:

 Python, PowerShell, Bash for scripting


 SOAR (Palo Alto XSOAR, Splunk Phantom)
 Custom YARA/Sigma rules for malware detection

5️⃣ Leadership and Mentoring

✔️Act as a technical supervisor for L1 and L2 analysts.


✔️Provide incident debriefs and training sessions.
✔️Help junior analysts understand complex attack patterns.

✅ Tools Used:

 Knowledge Sharing Platforms (Confluence, Notion)


 Security Training Labs (TryHackMe, Hack The Box, RangeForce)

2-4-25

CONCEPT OF LOGGING, LOG MANAGEMENT AND LOG ANALYSIS:


Concept of Logging:

Logging is the process of recording events, messages, or data generated by applications,


operating systems, or network devices. It helps in tracking system activities, troubleshooting
issues, monitoring security incidents, and analyzing performance.

Logs are collected from various sources, including:

 Network devices (Switches, Routers, Firewalls)


 Web servers (Apache, Nginx, IIS)
 End-user devices (PCs, mobile phones)
 Databases and Applications

Importance of Logging`

Logging is essential for:


✅ Debugging & Troubleshooting – Helps developers identify errors and fix bugs.
✅ Security Auditing – Tracks suspicious activities and unauthorized access attempts.
✅ Performance Monitoring – Analyzes system performance and optimizes processes.
✅ Compliance & Legal Requirements – Organizations use logs to meet regulatory
requirements (e.g., GDPR, HIPAA).

Types of Logs

1. System Logs (Syslogs) – Captures OS-level activities (e.g., kernel messages,


hardware issues).
2. Application Logs – Records events from applications (e.g., user authentication,
errors).
3. Security Logs – Logs security-related events (e.g., failed login attempts, access
control changes).
4. Audit Logs – Tracks user activities for compliance and forensic analysis.

Network (logs are generated) -> they are forwarded using the syslog calls
https://rafeeqrehman.com/2018/12/15/scalable-log-collection-as-foundation-of-soc/

How the syslog works 


https://github.com/MaxBelkov/visualsyslog/blob/master/README.md

Local Logging Vs Centralized Logging

Local Logging:

1. Storage: Logs are stored locally on individual devices or systems where events occur.
2. Management: Each system collects and manages its own logs separately.
3. Access: Logs can only be accessed from the specific device they are stored on.
4. Scalability: Not suitable for large-scale deployments, as managing multiple local logs
becomes difficult.
5. Security Risks: Logs may be lost or tampered with if a system is compromised.
6. Use Case: Common in small applications, debugging during development, and non-
distributed environments.

Centralized Logging:

1. Storage: Logs are aggregated and stored in a central repository, such as a log server
or cloud-based system.
2. Management: Data from multiple sources is collected, analyzed, and managed in
one place.
3. Access: Logs can be accessed remotely by administrators, security teams, and
monitoring tools.
4. Scalability: Supports large-scale systems and distributed environments by handling
logs from multiple devices.
5. Security & Reliability: Logs are secured, backed up, and protected from local
system failures.
6. Use Case: Essential for enterprise systems, cloud infrastructure, security
monitoring, and compliance tracking.

http://manageengine.com/academy/what-is-log-management.html
Log Management & Log Analysis

Log Management Needs

Log management is the continuous process of collecting, storing, and analyzing log data
from various sources to a centralized location. It helps organizations improve performance,
security, and compliance while identifying technical issues.

Key Needs of Log Management:

1. Data Collection
o Logs are gathered from multiple sources such as servers, applications,
network devices, security tools, and databases.
o Helps in tracking user activities, system behavior, and error occurrences.
2. Centralized Storage
o Logs are stored in a centralized system to prevent data loss and allow easy
access.
o Supports structured formats like JSON or unstructured formats like raw text.
3. Real-time Monitoring & Alerts
o Enables real-time tracking of security threats, system failures, and
anomalies.
o Alerts can be triggered for unauthorized access, application crashes, or
suspicious activities.
4. Log Analysis & Troubleshooting
o Helps developers and IT teams quickly identify issues, debug errors, and
analyze performance.
o Speeds up incident response and reduces downtime.
5. Compliance & Auditing
o Ensures compliance with regulations like GDPR, HIPAA, SOC 2, and PCI
DSS.
o Maintains logs for audits and forensic investigations.
6. Security & Threat Detection
o Helps in intrusion detection, anomaly detection, and cyber threat
monitoring.
oProtects sensitive data by detecting unauthorized access attempts.
7. Performance Optimization
o Identifies slow queries, server overloads, and system inefficiencies.
o Helps in capacity planning and resource optimization.

https://www.linkedin.com/pulse/importance-log-management-security-aby-s/

Log Analysis

Log analysis involves processing and interpreting collected logs to:

 Identify patterns & trends for better system insights.


 Detect & investigate security incidents (e.g., brute-force attacks, malware activity).
 Enhance operational efficiency by diagnosing failures and performance bottlenecks.

Popular Log Management & Analysis Tools

✔ ELK Stack (Elasticsearch, Logstash, Kibana) – Open-source log management.


✔ Splunk – Enterprise-level log monitoring and security analytics.
✔ Graylog – Centralized logging with built-in analysis features.
✔ Fluentd – Unified logging for various platforms.
✔ Datadog & New Relic – Cloud-based log monitoring.

https://spectralops.io/blog/top-9-log-analysis-tools/
Web Server Logs – Categories & Importance

Web server logs record events related to the server’s operations, helping administrators
monitor, troubleshoot, and secure the system. They are broadly categorized into:

1. Access Logs

✅ Records all incoming requests to the web server.


✅ Logs details like IP address, timestamp, requested URL, user agent, and response
status code.
✅ Helps analyze traffic patterns, user behavior, and request trends.
✅ Useful for tracking unauthorized access attempts.

🔹 Example (Apache Access Log Entry):

192.168.1.1 - - [02/Apr/2025:14:23:10 +0000] "GET /index.html HTTP/1.1" 200


5123

📌 Breakdown:

 192.168.1.1 → Client IP
 02/Apr/2025:14:23:10 +0000 → Timestamp
 GET /index.html → Request method & resource
 200 → HTTP status code (Success)
 5123 → Response size (bytes)

2. Error Logs ⚠️

✅ Logs all server-side errors that occur while processing requests.


✅ Helps identify broken links, server misconfigurations, database failures, and
application crashes.
✅ Essential for debugging and improving website reliability.

🔹 Example (Apache Error Log Entry):

[Wed Apr 02 14:23:10 2025] [error] [client 192.168.1.1] File does not
exist: /var/www/html/missing-page.html
📌 Breakdown:

 [error] → Log level (Error)


 192.168.1.1 → Client IP
 "File does not exist" → Issue description

3. Security Logs 🔒

✅ Tracks suspicious activities like failed login attempts, brute-force attacks, and access
violations.
✅ Helps in intrusion detection and forensic analysis.
✅ Logs include unauthorized access attempts, firewall rejections, and security policy
violations.

🔹 Example (Failed SSH Login in Security Log):

Apr 02 14:23:10 server sshd[3242]: Failed password for root from


192.168.1.5 port 54321 ssh2

📌 Breakdown:

 sshd[3242] → SSH service log entry


 Failed password for root → Unauthorized login attempt
 192.168.1.5 → Attacker’s IP address

Why Are Web Server Logs Important?

✔ Performance Monitoring – Identifies slow-loading pages & high-traffic requests.


✔ Security Auditing – Detects brute-force attacks, SQL injection, and DDoS attempts.
✔ Troubleshooting – Helps diagnose server errors & misconfigurations.
✔ Compliance & Forensics – Required for security policies (GDPR, PCI DSS, etc.).

HTTP Status Code Series

HTTP status codes are categorized into different series based on their purpose. Let’s break
them down:

1️.200 Series – Success ✅

Indicates that the request was received, understood, and processed successfully.

Status Code Meaning

200 OK Request succeeded, and the response contains the requested data.

201 Created Resource successfully created (e.g., after a POST request).

204 No Content Request was successful, but no response body is sent.


Status Code Meaning

Example:

HTTP/1.1 200 OK
Content-Type: text/html

The requested page loads successfully.

2️.300 Series – Redirection 🔄

Indicates that further action is needed to complete the request (redirects, multiple choices,
etc.).

Status Code Meaning

300 Multiple Choices Multiple options for the resource; the client must choose one.

301 Moved Permanently The resource has been moved permanently to a new URL.

302 Found Temporary redirection; the resource is temporarily at another location.

304 Not Modified The resource hasn’t changed; the client should use a cached version.

Example (301 Redirect):

HTTP/1.1 301 Moved Permanently


Location: https://newsite.com

Tells the client to redirect to newsite.com.

3️.400 Series – Client Errors ❌

Indicates that the request contains bad syntax or cannot be fulfilled by the server.

Status Code Meaning

400 Bad Request The server cannot process the request due to client error.

401 Unauthorized Authentication is required (e.g., login needed).

403 Forbidden The request is valid, but the server refuses to fulfill it.

404 Not Found The requested resource does not exist on the server.

405 Method Not Allowed The request method (e.g., POST, GET) is not allowed for this resource.

Example (404 Error):


HTTP/1.1 404 Not Found

The requested page does not exist.

4.500 Series – Server Errors 🛑

Indicates that the server encountered an issue while processing the request.

Status Code Meaning

500 Internal Server Error A generic error indicating something went wrong on the server.

502 Bad Gateway The server received an invalid response from an upstream server.

503 Service Unavailable The server is temporarily unavailable (e.g., maintenance).

504 Gateway Timeout The server did not receive a response from an upstream server in time.

Example (500 Error):

HTTP/1.1 500 Internal Server Error

The server encountered an unexpected condition.

FIREWALL LOGS:

Firewall logs are essential for monitoring network security and diagnosing potential threats.
Here's a more detailed breakdown of their key aspects:

1. Source and Destination IP Addresses


o Identifies where the network traffic originated from and its intended
destination.
o Helps track suspicious or unauthorized access attempts.
2. Protocol
o Specifies the communication protocol used, such as TCP, UDP, or ICMP.
o Useful for filtering specific types of network traffic.
3. Action Taken
o Indicates whether the firewall allowed or blocked the traffic.
o Important for identifying blocked malicious activities.
4. Timestamp
o Logs the exact date and time when the traffic was detected.
o Helps in forensic analysis and incident response.
5. Rule Matched
o Identifies which firewall rule was triggered.
o Useful for troubleshooting incorrect firewall configurations.
6. Bytes Transferred
o Records the amount of data sent or received.
o Can help detect large data transfers that might indicate a data breach.
7. Alerts and Notifications
o Generated when the firewall detects threats, anomalies, or potential intrusions.
o These alerts help administrators take quick action against security threats.

Importance of Firewall Logs

Firewall logs play a crucial role in network security and performance management by
providing detailed records of network activities. Here’s why they are important:

1. Security Monitoring

 Helps identify suspicious activities such as unauthorized access attempts, DDoS


attacks, or unusual traffic patterns.
 Allows security teams to monitor incoming and outgoing traffic for potential threats.
 Provides insights into potential malware communication with external servers.

2. Incident Response

 Aids in quickly detecting and responding to cyber threats before they escalate.
 Enables real-time alerts when a security breach or anomaly is detected.
 Helps administrators take corrective actions, such as blocking malicious IPs or
tightening security rules.

3. Meeting Regulatory and Compliance Requirements

 Many industries (e.g., finance, healthcare, government) must comply with security
regulations like GDPR, HIPAA, PCI-DSS, and ISO 27001.
 Firewall logs serve as proof of security measures taken to protect sensitive data.
 Ensures organizations follow industry best practices to avoid fines and legal issues.

4. Forensic Analysis

 Firewall logs act as a digital footprint for investigating security breaches.


 Helps analysts trace back the source of an attack, how it entered the network, and
what data was compromised.
 Useful in post-incident analysis to strengthen security defenses against future threats.

5. Performance Monitoring

 Helps track network performance metrics, such as bandwidth usage and latency.
 Identifies bottlenecks and slow network connections affecting business operations.
 Aids in optimizing firewall rules to reduce unnecessary traffic filtering and improve
overall efficiency.

SSH Logs:
SSH (Secure Shell) logs are records of all SSH-related activities on a system. Since SSH is
commonly used for secure remote access, monitoring these logs is critical for security and
system auditing.

What Information Do SSH Logs Contain?

SSH logs provide detailed information about:

1. User Logins & Authentication Attempts


o Logs all successful and failed login attempts.
o Records username, IP address, and timestamp of login attempts.
o Helps identify brute-force attacks or unauthorized access attempts.
2. Commands Executed (Session Activity)
o Captures the commands run by users after logging in via SSH.
o Helps in tracking administrative actions, especially for auditing privileged
accounts.
3. Authentication Methods Used
o Specifies whether login was done via password-based authentication, SSH
keys, or other authentication mechanisms.
o Helps enforce security policies (e.g., disabling password logins in favor of
SSH keys).
4. Session Start and End Times
o Logs when an SSH session starts and ends.
o Useful for tracking session duration and identifying suspicious prolonged
sessions.
5. Source IP Addresses and Hosts
o Captures the IP addresses from which SSH logins originate.
o Helps detect unauthorized access attempts from unknown or blacklisted IPs.

Where Are SSH Logs Stored?

SSH logs are typically stored in system log files, such as:

 Linux/macOS:
o /var/log/auth.log (Debian-based systems like Ubuntu)
o /var/log/secure (Red Hat-based systems like CentOS)
 Windows (OpenSSH Logs):
o Stored in Event Viewer under Applications and Services Logs >
OpenSSH

Why Are SSH Logs Important?

1. Security Monitoring
o Detects unauthorized login attempts and brute-force attacks.
o Identifies compromised accounts or suspicious activities.
2. Incident Response
o Helps in investigating security incidents and responding to intrusions.
o Provides detailed forensic data to understand attack patterns.
3. Compliance & Auditing
o Required for organizations following security standards (ISO 27001,
HIPAA, PCI-DSS, etc.).
o Ensures administrators can track who accessed the system and what they
did.
4. System Performance & Troubleshooting
o Helps diagnose login failures due to authentication issues or network
problems.
o Assists in troubleshooting SSH connection errors.

You might also like