10 Log Sources That Separate Junior Analysts from Elite Threat Hunters – Master These or Stay Behind + Video

Listen to this Post

Featured Image

Introduction:

Thousands of security events are generated every single day across enterprise environments. The difference between a junior analyst who drowns in alerts and an experienced threat hunter who uncovers sophisticated attacks isn’t the number of alerts they review – it’s knowing which log source tells which part of the attack story. A real investigation requires correlating logs across your entire environment, and mastering the right log sources is what separates those who monitor from those who hunt.

Learning Objectives:

  • Master the 10 critical log sources every SOC analyst must know for effective threat detection and incident investigation
  • Learn practical commands and queries to extract actionable intelligence from each log source
  • Develop correlation skills to connect events across Windows, Linux, network, and cloud environments
  1. Windows Security Event Logs – The Foundation of Endpoint Investigation

Windows Security Event Logs are the single most important log source for any SOC analyst. They capture authentication attempts, privilege assignments, process creations, and virtually every security-relevant action on a Windows system.

Critical Event IDs to Memorize:

| Event ID | Description | What It Reveals |

|-|-|–|

| 4624 | Successful logon | Account compromise, lateral movement |
| 4625 | Failed logon | Brute force, reconnaissance |
| 4672 | Admin privileges assigned | Privilege escalation |
| 4688 | Process creation | Execution timeline, malicious binaries |
| 7045 | Service installed | Persistence mechanism |
| 1102 | Event log cleared | Anti-forensics, evidence destruction |

Step-by-Step: Investigating a Suspicious Logon

  1. Identify successful logons – Search for Event ID 4624 and examine critical fields: `TargetUserName` (who logged in), `LogonType` (how they logged in), `IpAddress` (source location)
  2. Check for failures – Look for Event ID 4625 from the same source IP to identify brute-force patterns
  3. Correlate with process creation – Use Event ID 4688 to see what the user executed after logging in
  4. Verify privilege escalation – Check Event ID 4672 to see if admin rights were assigned

PowerShell Query for Windows Event Logs:

Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625,4688} -MaxEvents 100 | 
Select-Object TimeCreated, Id, @{N='User';E={$<em>.Properties[bash].Value}}, 
@{N='SourceIP';E={$</em>.Properties[bash].Value}}

2. Sysmon – The Endpoint Visibility Multiplier

Windows’ default logging provides only basic information, which often isn’t enough for deep analysis. Sysmon, part of Microsoft’s Sysinternals suite, fills this gap by tracking critical system events like process creation, network connections, and file modifications with granular detail.

Essential Sysmon Event IDs:

  • Event ID 1 (Process Creation): Logs each new process with full command line, parent process, and file hash
  • Event ID 3 (Network Connections): Tracks all network connections with source/destination IPs and ports
  • Event ID 22 (DNS Query): Logs DNS requests, revealing malicious domains contacted by the endpoint

Step-by-Step: Installing and Configuring Sysmon

1. Download Sysmon from Microsoft Sysinternals

2. Install with a configuration file:

sysmon.exe -accepteula -i sysmon_config.xml

Or install with default configuration:

sysmon -i

3. Reconfigure an existing installation:

sysmon -c sysmon_config.xml

4. Verify events in Event Viewer under `Applications and Services Logs → Microsoft → Windows → Sysmon → Operational`

Sample Sysmon Configuration (excerpt):

<Sysmon schemaversion="4.81">
<EventFiltering>
<ProcessCreate onmatch="include">
<CommandLine condition="contains">powershell</CommandLine>
</ProcessCreate>
<NetworkConnect onmatch="include">
<DestinationPort condition="is">443</DestinationPort>
</NetworkConnect>
</EventFiltering>
</Sysmon>

3. DNS Logs – The C2 Detection Goldmine

Most people treat DNS as background noise. Attackers don’t. DNS logs are invaluable for detecting command-and-control (C2) communications, data exfiltration via DNS tunneling, and Domain Generation Algorithm (DGA) activity.

What to Look For:

  • Unusual query spikes from a single host
  • Queries to suspicious or newly registered domains
  • Long subdomains indicative of data exfiltration
  • Repeated NXDOMAIN responses (potential DGA)

Step-by-Step: Analyzing DNS Logs in Splunk

1. Search DNS events:

index= sourcetype=dns_sample

2. Extract relevant fields:

index= sourcetype=dns_sample | regex _raw="(?i)\b(dns|domain|query|response)\b"

3. Identify query spikes (anomalies):

index= sourcetype=dns_sample | stats count by fqdn

4. Find top queried domains:

index= sourcetype=dns_sample | top fqdn, src_ip

5. Investigate suspicious domains:

index= sourcetype=dns_sample fqdn="maliciousdomain.com"

Linux Command for DNS Log Analysis:

 Check for suspicious DNS queries in system logs
grep -E "query|DNS" /var/log/syslog | grep -v "localhost"
 Monitor real-time DNS traffic
tcpdump -i any port 53 -1 -v

4. Firewall Logs – The Network Perimeter Sentinel

Firewall logs remain one of the most consistently valuable data sources in a SOC environment. Every packet that crosses a boundary leaves a record – and that record tells a story if you know how to read it.

Anatomy of a Firewall Log Entry:

A typical Palo Alto NGFW log entry contains: timestamp, action (allow/deny), source IP, destination IP, source port, destination port, protocol, bytes transferred, and duration.

Step-by-Step: Firewall Log Analysis

  1. Establish a baseline – Understand what normal traffic patterns look like for your organization
  2. Look for anomalies – Traffic at unusual hours, asymmetric data transfer (large downloads from unusual sources), sustained sessions
  3. Check denied connections – Repeated denials may indicate scanning or reconnaissance
  4. Correlate with threat intelligence – Check destination IPs against known-bad lists

Linux Commands for Firewall Log Analysis:

 Check firewalld logs
grep "firewalld" /var/log/messages
 View iptables logs
dmesg | grep "IPTABLES"
 Analyze network connections
ss -tulnp
netstat -tulnp

Splunk Query for Firewall Analysis:

sourcetype=firewall action=deny | stats count by src_ip, dest_ip, dest_port | 
sort -count | head 20
  1. Linux Authentication Logs (/var/log/auth.log) – Detecting SSH Attacks

Linux systems generate authentication logs that are critical for detecting SSH brute-force attacks, privilege escalation, and unauthorized access.

Step-by-Step: Investigating SSH Brute-Force Attacks

1. View authentication logs:

cat /var/log/auth.log

2. Identify failed SSH login attempts:

grep "Failed password" /var/log/auth.log

3. Check for successful logins (potential compromise):

grep "Accepted" /var/log/auth.log

4. Monitor logs in real-time:

tail -f /var/log/auth.log

5. Identify brute-force patterns by IP:

grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -1r

Key Investigation Workflow (from real SOC incident analysis):

1. Collect authentication logs from `/var/log/auth.log`

2. Identify abnormal authentication activity

  1. Observe repeated login failures from the same IP

4. Confirm successful SSH login attempts

5. Determine credential compromise

  1. Map behavior to MITRE ATT&CK (T1110 – Brute Force, T1078 – Valid Accounts)
  2. Execute incident response: reset credentials, terminate sessions, enforce key-based auth

  3. Cloud Audit Logs – AWS CloudTrail, Azure Activity Logs, and GCP Audit Logs

Cloud security skills are no longer optional for SOC analysts. Understanding AWS CloudTrail, Azure Activity Logs, and GCP Audit Logs is essential for detection and investigation.

Step-by-Step: Investigating Suspicious Cloud Activity

AWS CloudTrail CLI Investigation:

 Look up events by access key
aws cloudtrail lookup-events --region us-east-1 \
--lookup-attributes AttributeKey=AccessKeyId,AttributeValue=AKIAXXXXXXXXXXXXXXXX
 Look up events by username
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=suspicious-user

Azure Activity Log KQL Query (Microsoft Sentinel):

AzureActivity
| where TimeGenerated > ago(24h)
| where Caller == "[email protected]"
| project TimeGenerated, OperationName, ActivityStatus, CallerIpAddress, ResourceId

GCP Cloud Audit Logs (Logs Explorer):

resource.type="gce_instance"
protoPayload.methodName="compute.instances.start"
severity="WARNING"

What to Monitor in Cloud Logs:

  • IAM role/group membership changes (privilege escalation)
  • Resource creation/deletion in unusual regions
  • API calls from unexpected IP addresses
  • Key vault/secret access patterns

7. Proxy Logs – Uncovering C2 Beaconing

Proxy logs contain information about HTTP and HTTPS requests – this is gold because attackers use these protocols for command-and-control communication.

Step-by-Step: Investigating C2 Communications with Proxy Logs

  1. Collect proxy logs – At minimum 24 hours (ideally 7 days) of proxy/firewall logs with timestamps, source/destination, and bytes transferred
  2. Look for beaconing patterns – Regular, periodic outbound requests at consistent intervals
  3. Analyze destination domains – Check domain reputation, age, and registration patterns
  4. Examine data transfer asymmetry – Large data downloads from external sources indicate exfiltration

Linux Commands for Proxy Log Analysis:

 Find suspicious outbound connections
grep -E "POST|GET" /var/log/squid/access.log | awk '{print $1, $7}' | sort | uniq -c | sort -1r
 Check for beaconing (regular intervals)
awk '{print $1, $4}' /var/log/squid/access.log | uniq -c | sort -1r | head -20

Splunk Proxy Log Query:

sourcetype=proxy | stats count by src_ip, dest_domain, uri | 
where count > 100 | sort -count
  1. Endpoint Detection and Response (EDR) Logs – The Telemetry Powerhouse

EDR solutions provide deep visibility into endpoint activities including process execution, file system changes, registry modifications, and network connections. Unlike traditional antivirus, EDR logs capture behavioral telemetry that reveals attacker TTPs.

Key EDR Telemetry to Monitor:

  • Process creation with command-line arguments
  • File creation/modification in sensitive directories
  • Registry persistence mechanisms
  • Network connections from suspicious processes
  • PowerShell and script execution

Step-by-Step: Integrating EDR with SIEM

  1. Configure EDR to forward all telemetry to your SIEM (Splunk, Sentinel, or Elastic)
  2. Normalize EDR fields to match your SIEM’s Common Information Model (CIM)
  3. Create correlation rules that combine EDR alerts with network and cloud logs
  4. Build threat hunting dashboards for process creation, file activity, and network connections

  5. Web Server Logs – Detecting Web Application Attacks

Web server logs (IIS, Apache, Nginx) capture every HTTP request made to your web applications – revealing attack attempts, scanning activities, and potential data exfiltration.

What to Monitor:

  • Unusual HTTP methods (TRACE, OPTIONS, CONNECT)
  • SQL injection patterns in URLs (' OR '1'='1, UNION SELECT)
  • Path traversal attempts (../, ..\)
  • Excessive 404 errors (directory scanning)
  • Large POST requests (potential data exfiltration)

Linux Commands for Web Log Analysis:

 Find suspicious GET requests
grep "GET" /var/log/apache2/access.log
 Find POST requests (potential data uploads)
grep "POST" /var/log/apache2/access.log
 Identify SQL injection attempts
grep -E "(UNION|SELECT|DROP|INSERT)" /var/log/apache2/access.log

Splunk Web Log Query:

sourcetype=access_combined status=404 | stats count by uri, clientip | sort -count

10. SIEM Correlation Logs – Connecting the Dots

The true power of a SOC lies not in individual log sources but in correlating events across your entire environment. SIEM platforms like Splunk Enterprise Security and Microsoft Sentinel enable this correlation through advanced search capabilities and correlation rules.

Step-by-Step: Building Correlation Rules

  1. Identify the attack chain – Map the adversary’s TTPs to specific log sources
  2. Write correlation searches that combine events from multiple sources:
    index=windows EventCode=4624 (successful logon) 
    | join type=left [search index=network firewall action=deny]
    

3. Assign risk scores to detected behaviors:

| eval risk_score=20 | eval mitre_technique="T1059 - PowerShell Execution"

4. Create alerts when risk scores exceed thresholds

Example Splunk Correlation Search for Lateral Movement:

index=windows (EventCode=4624 LogonType=3) OR (EventCode=5140) OR (EventCode=7045)
| stats count by src_ip, dest_ip, user
| where count > 5

Microsoft Sentinel KQL for Lateral Movement:

SecurityEvent
| where EventID in (4624, 5140, 7045)
| where LogonType == 3
| summarize count() by Account, SourceIP, Computer
| where count_ > 5

What Undercode Say:

  • Log source mastery is the foundation of threat hunting – Knowing which log source tells which part of the attack story is what separates junior analysts from experienced hunters. Raw alert volume is noise; correlated log analysis is signal.

  • Correlation is the force multiplier – No single log source tells the complete story. A successful investigation requires correlating Windows Security logs with Sysmon telemetry, DNS queries, firewall logs, and cloud audit trails. The SOC analysts who excel are those who can connect dots across the entire data estate.

  • Cloud logs are no longer optional – As organizations migrate to AWS, Azure, and GCP, SOC analysts must master cloud audit logs. Traditional on-premises skills alone are insufficient. Understanding CloudTrail, Azure Activity Logs, and GCP Audit Logs is now a baseline requirement.

  • Proactive hunting beats reactive alerting – The best SOC analysts don’t wait for alerts. They proactively hunt for suspicious patterns across log sources – analyzing DNS query spikes, firewall anomalies, and authentication failures before they become breaches.

  • Mastering log analysis commands is non-1egotiable – Reading logs through a SIEM is standard, but every analyst should be comfortable pulling and parsing raw logs from the command line. Certifications teach theory; hands-on command-line proficiency wins investigations.

Prediction:

  • +1 The democratization of SIEM platforms and cloud-1ative logging will make advanced log correlation accessible to more SOC teams, enabling faster threat detection and reduced mean time to response (MTTR).

  • +1 AI-powered log analysis will augment but not replace human analysts – the ability to understand log context and correlate seemingly unrelated events will remain a uniquely human skill that commands premium compensation.

  • -1 The increasing volume of security telemetry (petabytes per enterprise) will overwhelm understaffed SOCs that haven’t mastered efficient log filtering and correlation strategies, leading to alert fatigue and missed detections.

  • -1 Attackers are increasingly targeting cloud control planes and identity systems – SOC analysts who haven’t mastered cloud audit logs will be blind to the most impactful attacks of the next generation.

  • +1 Organizations that invest in comprehensive log collection, normalization, and correlation will develop a significant defensive advantage over those that treat logs as compliance checkbox items rather than strategic security assets.

▶️ Related Video (74% Match):

https://www.youtube.com/watch?v=0llvo0kCNZo

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Vnagrale 10 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky