Listen to this Post

Introduction:
A Security Information and Event Management (SIEM) system is often considered the brain of a Security Operations Center (SOC), but its intelligence is entirely dependent on the quality of the data it ingests. In the current threat landscape, where adversaries are increasingly adept at evading single-point detection, security teams must move beyond simply aggregating logs to mastering the art of log correlation. This article explores the ten critical log sources that form the backbone of modern threat detection, providing a roadmap for analysts to turn isolated events into actionable, high-fidelity intelligence.
Learning Objectives:
- Understand the specific security value and use cases of the top ten log sources essential for SOC operations.
- Identify the key events within each log source that indicate malicious activity, ranging from initial access to data exfiltration.
- Learn how to correlate disparate log sources to build a cohesive narrative around complex, multi-stage cyberattacks.
1. Windows Security Logs
The Windows Security Log is the authoritative record of authentication and authorization on a domain. When properly configured, it tells the story of who accessed what, when, and from where.
Step‑by‑step guide to configuration and monitoring:
- Enable Advanced Audit Policies: On Domain Controllers, use `auditpol` to ensure logging is not reliant on legacy settings. Run `auditpol /set /subcategory:”Logon” /success:enable /failure:enable` to enforce detailed logging.
2. Critical Event IDs to Monitor:
- 4624: Successful logon—indicates valid authentication.
- 4625: Failed logon—can indicate brute force attacks.
- 4672: Special privileges assigned—often associated with administrative logins.
- 4740: Account locked out—may signal password spraying or brute-force attempts.
- Analyzing Logons: Enrich Event 4624 by looking at the
Logon Type. A Type 10 (Remote Interactive) indicates an RDP session, which should be strictly monitored alongside the source IP. - Windows CLI for Filtering: Use `wevtutil` to query logs directly. For instance, `wevtutil qe Security /c:10 /rd:true /f:text` will pull the 10 most recent security events.
- PowerShell Scripting: Utilize `Get-WinEvent` to create advanced filters, such as
Get-WinEvent -LogName Security -MaxEvents 50 | Where-Object {$_.Id -eq 4624 -and $_.Message -match "Logon Type: 10"}.
2. Sysmon Logs
System Monitor (Sysmon) is a powerful Windows kernel driver that provides deep visibility into system activity that the default Security logs miss, such as process creation and network connections.
Step‑by‑step guide to deployment:
- Installation: Download Sysmon from Microsoft Sysinternals and install with a configuration file:
Sysmon.exe -accepteula -i C:\path\to\config.xml.
2. Key Event IDs and Their Significance:
- Event ID 1: Process creation—captures the parent process, command line, and hash of the executable.
- Event ID 3: Network connections—identifies the process initiating outbound connections.
- Event ID 22: DNS query—shows the process responsible for DNS queries.
- Creating a Baseline: Filter logs for `cmd.exe` or `powershell.exe` spawning with suspicious parameters (e.g.,
-EncodedCommand). - Linux Equivalent: Auditd can serve a similar purpose on Linux hosts. Commands like `ausearch -f /etc/passwd` help track file access.
- Incident Response: When a suspicious executable is detected, pivot to Sysmon Event ID 1 to determine how it was launched, then to Event ID 3 to identify its C2 infrastructure.
3. DNS Logs
DNS is frequently weaponized for command-and-control (C2) and data exfiltration. Despite its ubiquitous nature, DNS is often a blind spot in security monitoring.
Step‑by‑step guide to setting up and using DNS logs:
1. Activate Debug Logging on Windows DNS: Right-click the DNS Server in Server Manager > Properties > Debug Logging. Check “Log packets for debugging.”
2. Filtering for DGA: Using a SIEM, create a rule to alert on high volumes of NXDOMAIN responses (Event 202), which often indicates Domain Generation Algorithm (DGA) activity.
3. Analyzing Long Subdomains: A query like `[bash].example.com` is a red flag. Use the `Length` function in your SIEM to alert on queries over 50 characters.
4. Linux DNS Monitoring: On a Linux DNS server (BIND), enable query logging by adding `channel default_debug { file “data/named.run”; severity dynamic; };` to your named.conf.
5. Correlation: Cross-reference DNS query logs with firewall logs to see if the resolved IP was actually contacted, confirming active C2 communication.
4. Proxy Logs
Proxy logs are the window into how users interact with the internet, providing insight into web activity, policy violations, and potential data theft.
Step‑by‑step guide to utilization:
- Data Points to Extract: Ensure the proxy logs capture the URL, user agent, source IP, destination IP, action (allowed/blocked), and bytes sent/received.
- User Agent Analysis: Anomalous user agents (e.g., `python-requests` or outdated browsers) often indicate automation or malicious activity.
- Data Exfiltration: Monitor `bytes sent` in conjunction with `POST` requests to upload destinations. A spike in outbound traffic to a non-business domain requires immediate investigation.
- Bypass Detection: Alert on proxy logs showing `CONNECT` requests to non-standard ports (e.g., port 443 on an IP address rather than a domain).
- Filtering using grep (Linux): To quickly identify large uploads, run `grep “POST” proxy.log | awk ‘{print $10, $7}’ | sort -1` (where `$10` is bytes and `$7` is the URL).
5. Firewall Logs
Firewall logs provide the foundation for understanding network traffic patterns, intrusion attempts, and lateral movement.
Step‑by‑step guide to configuration:
- Enable Logging: In Windows Defender Firewall, enable logging for dropped packets and successful connections via Group Policy:
Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security. - Key Fields: Focus on
Source IP,Destination IP,Source Port,Destination Port, andAction (Allow/Deny). - Network Mapping: Use logs to build a “normal” traffic baseline. Alert on connections from internal IPs to external IPs on ports 22 (SSH), 3389 (RDP), or 445 (SMB) to detect unusual outbound access.
- Analyzing Linux iptables: If using
iptables, enable logging with `-j LOG` for specific rules. View logs withdmesg | grep "IN=eth0". - Lateral Movement: A sudden spike in internal 445/SMB connections between workstations could indicate ransomware propagation (like WannaCry) or PsExec lateral movement.
6. EDR/XDR Logs
Endpoint Detection and Response (EDR) logs are the lifeblood of modern threat hunting, offering rich telemetry beyond simple process creation and file writes.
Step‑by‑step guide to advanced use:
- Querying for Ransomware: Create rules that look for high-frequency file modifications combined with extensions like `.encrypted` or `README.txt` creation.
- Process Injection: Flag instances where a process like `notepad.exe` spawns `cmd.exe` or
powershell.exe, indicating code injection attempts (e.g., in Python viactypes). - Living off the Land (LOLBins): Alert on Windows binaries used in abnormal ways. For example, `rundll32.exe` executing a `.dll` from `%temp%` is a major red flag.
- Linux EDR: On Linux, monitor for `bash` history modifications (e.g.,
echo " " > ~/.bash_history) to detect attempts to wipe tracks. - Command to Retrieve Process List (Linux): `ps auxf | grep -v “\[“` helps visualize parent-child process relationships, a key component of EDR analysis for identifying malicious chains.
7. Email Security Logs
Email remains the primary vector for initial compromise, making email security logs critical for Business Email Compromise (BEC) and phishing investigations.
Step‑by‑step guide to analysis:
- Header Analysis: Extract and analyze email headers. Use `Message-ID` and `Received` fields to trace the path of the email.
- BEC Detection: Look for emails with `Reply-To` addresses that differ from the display name (e.g., “CEO” is displayed, but the reply goes to
[email protected]). - Attachment Inspection: If an email contains a malicious attachment, pivot to endpoint logs (EDR) to see if that attachment was executed.
- Microsoft 365: Use the `Search-UnifiedAuditLog` in PowerShell. For example, `Search-UnifiedAuditLog -Operations “Send” -StartDate (Get-Date).AddDays(-7)` to pull recent email activity.
- Correlating with Proxy: If a user clicks a malicious link in an email, the proxy log will show the domain access approximately 1-2 minutes after the email was delivered.
8. Active Directory Logs
Active Directory (AD) is the primary target for attackers seeking to elevate privileges and move laterally. Logs here are essential for identity and access management.
Step‑by‑step guide to critical events:
- Domain Admin Activity: Alert on Event ID 4728 (member added to a security-enabled global group) or 4732 (member added to a domain local group) to monitor escalation.
- Password Resets: Track Event ID 4723 and 4724 for password changes and resets, particularly if performed by users who aren’t helpdesk staff.
- Kerberoasting: Monitor for Event ID 4769 (Kerberos service ticket requested) where the ticket is requested for a service account. If followed by a spike in failed logins (4625), it indicates a brute-force attack on that service account.
- Golden Ticket: A suspicious Event ID 4624 (logon) associated with a username of `KRBTGT` is a critical indicator of a Golden Ticket attack.
- PowerShell Query: Use `Get-ADUser -Filter -Properties ` to audit accounts with `DoesNotRequirePreAuth` set to
$true, which are vulnerable to AS-REP Roasting attacks.
9. VPN Logs
VPN logs provide a crucial checkpoint for remote access, helping to separate legitimate user activity from compromised credentials.
Step‑by‑step guide to analysis:
- Authentication Failures: A sudden spike in 401/403 errors followed by a successful 200 OK indicates password spraying.
- Impossible Travel: Alert on a successful VPN login from `Location A` and another login for the same user from `Location B` less than the flight time apart (e.g., less than 12 hours between the US and UK).
- Device Fingerprinting: Track `User-Agent` strings. A user who normally logs in from a Windows PC suddenly logging in from a Linux machine should trigger a review.
- Duration: Logins lasting 30 minutes followed by unusual internal traffic (like database queries) may indicate an attacker who logged in and dumped credentials.
- Linux Query: Use `cut -d’ ‘ -f1,4,5,12 /var/log/secure` to isolate authentication results for analysis.
10. Cloud Logs
In hybrid and multi-cloud environments, logs from services like AWS, Azure, and GCP are vital for monitoring configuration drift and API-based attacks.
Step‑by‑step guide to cloud security:
- CloudTrail (AWS): Create a trail to deliver logs to S3. Search for `ConsoleLogin` with `”MFAUsed”:”No”` to see users bypassing MFA.
- Azure Audit Logs: Use the Azure CLI to query for identity risk events:
az rest --method post --url "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers". - IAM Changes: Alert on any API calls like
CreateUser,AttachUserPolicy, orChangePassword. - API Security: Scrutinize logs for `UnauthorizedOperation` and `AccessDenied` events, which may indicate an attacker enumerating privileges.
- GCloud Commands: In GCP, filter with `gcloud logging read “protoPayload.methodName=SetIAMPolicy”` to track dangerous permission changes. Always ensure cloud storage buckets are not publicly exposed.
What Undercode Say:
- Key Takeaway 1: The “Breadcrumb Principle” is paramount. While modern attacks are sophisticated, they cannot operate in a vacuum. The ability to correlate a suspicious DNS query, a firewall allow rule, and an EDR process creation event is the difference between detecting a compromise in hours versus months. The most dangerous threat is not the attack itself, but the alert fatigue that prevents analysts from connecting these dots.
- Key Takeaway 2: Focusing on the “Crown Jewels” is more effective than log volume. While collecting all ten sources is ideal, a mature SOC should prioritize correlating VPN logs with AD logs to protect privileged accounts. In an era of hybrid work, the identity perimeter is the only perimeter. By mapping the attack chain to the MITRE ATT&CK framework, SOCs can identify coverage gaps and focus on high-impact forensic readiness.
Analysis: The post highlights a critical shift in SOC strategy: moving from “garbage in, garbage out” to intelligence-driven data collection. The introduction of logs like Sysmon and Cloud trails emphasizes the evolution of the threat landscape into the cloud and endpoint level. The focus on correlation directly addresses the industry’s struggle with alert fatigue and the “needle in a haystack” problem. It promotes a proactive hunting mindset, emphasizing that a SIEM is a tool, not a solution, and that real security lies in the analyst’s ability to weave a narrative from fragmented logs. The discussion encourages a shift from reactive patching to proactive threat modeling, where understanding user behavior (UEBA) and asset criticality informs log management priorities.
Prediction:
- +1 We will see a significant rise in AI-driven log correlation tools that use machine learning to automatically prioritize alerts and suggest correlation chains, reducing Mean Time to Detect (MTTD) to minutes.
- +1 Organizations will invest heavily in “Data Lakes” and specialized Data Lake platforms designed for security, enabling the storage of high-volume logs like Sysmon for extended periods (up to years) for forensic analysis and threat hunting.
- -1 The complexity of managing these ten log sources will require more highly skilled personnel, likely creating a severe talent shortage in the SOC, resulting in many organizations failing to leverage their SIEMs effectively.
- -1 The increasing reliance on cloud-1ative logs will lead to more misconfiguration errors, exposing vast amounts of private data to the public internet due to improper storage bucket policies and API misconfigurations.
- +1 The evolution of XDR platforms will converge these log sources into a unified data model, simplifying correlation for junior analysts and enabling more automated response playbooks (e.g., blocking a suspicious IP across all network and endpoint devices within seconds of detection).
▶️ Related Video (84% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Yildiz Yasemin – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


