Manual Checking Verification

This document focuses on teaching learners how to manually check and verify system logs to identify potential cyber threats, especially when automated systems fail. It covers log structures in Windows and Linux, common events to watch for, and includes hands-on activities for practical experience. The goal is to enhance analytical skills and investigative thinking through guided log reading and threat verification simulations.


Topic 3: Perform Manual Checking and Verification

Description: This topic focuses on equipping learners with the analytical skills and technical tools to
manually inspect system logs and validate the presence of potential cyber threats. This capability becomes
especially valuable when automated detection systems are bypassed or generate inconclusive results.
Manual verification also sharpens the learner’s investigative thinking, fosters attention to detail, and
supports post-incident review and forensics.

Learners will explore the structure of log files in both Windows and Linux environments, understand the
meanings behind different event types, and be introduced to patterns that indicate suspicious activity.
Before moving to a hands-on demonstration, learners will engage with real examples, review log entries,
and answer reflection questions that help them think like an analyst.

Key Concepts

1. What is Manual Log Checking?
   Manual log checking is the process of inspecting raw system log data to identify potential security incidents. It allows deeper investigation into anomalies that automated tools may miss.

2. When and Why Use Manual Log Verification?
   - During forensic investigations or system audits
   - When false positives need to be validated
   - In low-resource environments without SIEM tools

3. Common Sources of Logs:
   - Windows: Event Viewer (Security, Application, System logs)
   - Linux: /var/log/auth.log, journalctl, /var/log/syslog, dmesg

4. Common Events to Watch For:
   - Multiple failed login attempts (brute force indicators)
   - Logins from unusual locations or during non-working hours
   - Sudden elevation of user privileges (privilege escalation)
   - Execution of unknown or unauthorized processes

5. Reading Log Entries – What to Look For:

Field          Meaning
-------------  ---------------------------------------------------
Timestamp      Indicates the exact time the event occurred
Event ID       A unique identifier for the type of event
Username       User account involved in the event
Source IP      Originating IP address for the action
Event Details  Summary of what action was taken or attempted

Learning Activity (Before Demonstration)

Activity Title: Guided Log Reading Practice


Type: Reflection Worksheet / Guided Questions
Instructions:
1. Review 3 example log entries (provided as text or screenshot).
2. For each log, answer the following:
   - What is happening in this log?
   - Is it a normal or suspicious event?
   - What follow-up action might you take?

Sample Log Entry:

Jun 5 10:15:44 server sshd[2235]: Failed password for invalid user guest from 192.168.1.111 port 53022 ssh2

Sample Questions:
- What type of event is this?
- How many failed logins from this IP would be considered a threat?
- Would you block this IP or investigate further?

Expected Outcome:
- Learners begin recognizing patterns of compromise
- Improved understanding of log structure before using real tools

Hands-On Demonstration

Scenario: You are working in a Security Operations Center (SOC) and a threat analyst flags your team to a
potential unauthorized access incident. You are tasked to verify if there was a successful login attempt
following multiple failed attempts from the same IP. You will use either Windows or Linux tools to find the
evidence manually.

Windows – Using Event Viewer

1. Press Win + R, type eventvwr.msc, press Enter.
2. Go to Windows Logs > Security.
3. Use filters or scroll to find:
   - Event ID 4625: Failed login
   - Event ID 4624: Successful login
4. Look for patterns (e.g., 5+ failed logins from the same IP followed by a success).
5. Document Event ID, time, IP address, username.

Linux – Using Terminal Commands

1. Open terminal.
2. Run: sudo cat /var/log/auth.log | grep 'Failed password'
3. Optionally: sudo journalctl -xe | grep ssh
4. Search for IPs or usernames repeating frequently
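As an added example (not part of the original lesson), the following Python script does on a log file what the Linux steps above and the SOC scenario ask you to do by hand: it parses each sshd line into the fields from the "What to Look For" table and flags any source IP whose successful login follows 5 or more failed attempts from that same IP. The function names, the 5-attempt threshold and the sample log lines are all assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Assumed OpenSSH/syslog line format, modelled on the lesson's sample entry:
# "<Mon dd HH:MM:SS> <host> sshd[<pid>]: <message>".
PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(PREFIX + r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_line(line):
    """Extract timestamp, username, source IP and outcome (the fields from the
    'What to Look For' table); return None for lines that are not sshd auth events."""
    for outcome, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
        m = rx.match(line)
        if m:
            return {"timestamp": m["ts"], "username": m["user"],
                    "source_ip": m["ip"], "outcome": outcome}
    return None


def find_success_after_failures(lines, threshold=5):
    """Flag each source IP whose accepted login is preceded, earlier in the log,
    by at least `threshold` failed attempts from that same IP (first hit per IP)."""
    failures = defaultdict(int)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["source_ip"]
        if ev["outcome"] == "failed":
            failures[ip] += 1
        elif failures[ip] >= threshold and ip not in flagged:
            flagged[ip] = {"failures": failures[ip], "username": ev["username"],
                           "timestamp": ev["timestamp"]}
    return flagged


# Constructed sample log: six failures from 192.168.1.111 then a success as
# "admin"; one failure and a success from 10.0.0.7; one non-sshd line.
SAMPLE_LOG = [
    f"Jun  5 10:15:{40 + i:02d} server sshd[{2235 + i}]: Failed password for "
    f"invalid user guest from 192.168.1.111 port {53022 + i} ssh2"
    for i in range(6)
] + [
    "Jun  5 10:16:02 server sshd[2250]: Failed password for bob from 10.0.0.7 port 40010 ssh2",
    "Jun  5 10:16:30 server sshd[2251]: Accepted password for bob from 10.0.0.7 port 40011 ssh2",
    "Jun  5 10:17:05 server sshd[2260]: Accepted password for admin from 192.168.1.111 port 53030 ssh2",
    "Jun  5 10:17:06 server CRON[2261]: pam_unix(cron:session): session opened for user root",
]
```

To run it against a real file, pass `open("/var/log/auth.log")` (read with sudo) to `find_success_after_failures` instead of `SAMPLE_LOG`; each flagged entry gives you the Event ID-equivalent, time, IP and username the documentation step asks for.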

Suggested Activity

Activity Title: Log Inspection and Threat Verification
Type: Simulation Task / Assignment
Instructions:
1. Download sample logs (from either Linux or Windows)
2. Review at least 10 entries and identify:
   - Suspicious login patterns
   - Potential brute force attempts
   - Privilege escalation or remote access flags
3. Fill out a table summary:

Event ID/Log Type  Timestamp            IP Address     Username  Notes
-----------------  -------------------  -------------  --------  ----------------------------
4625               2025-06-05 10:15 AM  192.168.1.111  guest     10 failed logins in 2 min
4624               2025-06-05 10:17 AM  192.168.1.111  admin     Success after repeated fails

4. Write a 2–3 paragraph analysis describing what you found and what response steps are recommended.

Expected Output:
- Clear analysis of at least 3 indicators of compromise
- Accurate completion of summary table
- Justified recommendation (e.g., block IP, reset password)

Resource (Optional):
- 📺 Video: "Manual Log Analysis – Windows & Linux" (watch after reading log examples)
- 🖼 Screenshot samples of suspicious logs with red flags marked
