Listen to this Post
Introduction:
In the high-stakes world of cybersecurity, the ability to transform raw telemetry into actionable intelligence separates a junior analyst from a true defender. A mature Security Operations Center (SOC) analyst doesn’t simply review alerts; they understand context, correlate events across multiple data sources, identify anomalies, and uncover the story that logs are telling. This article provides a practical, hands-on roadmap to mastering the core competencies required to analyze, investigate, and respond to security events effectively, moving beyond theory to develop real-world log analysis skills.
Learning Objectives:
- Master the end-to-end log analysis workflow, from collection to correlation and reporting.
- Develop proficiency in querying and investigating security events using SIEM platforms like Splunk (SPL), Elastic (KQL/ES|QL), and Wazuh.
- Learn to detect specific threats, including brute-force attacks, suspicious PowerShell activity, DNS tunneling, and lateral movement.
You Should Know:
1. The Log Analysis Workflow & SIEM Fundamentals
The foundation of any SOC analyst’s skill set is a structured approach to log analysis. This workflow involves several key stages: Collection (ingesting logs from various sources like Windows Event Logs, Linux auth logs, firewalls, and DNS servers), Normalization (parsing and mapping data to a common schema), Correlation (linking events across different sources to identify patterns), Investigation (deep-diving into specific alerts), and Reporting (documenting findings and recommended actions).
SIEM platforms are the central hub for this process. Three of the most prevalent in the industry are Splunk, the Elastic Stack (ELK), and Wazuh.
- Splunk utilizes the Search Processing Language (SPL) for powerful data querying and analysis. A core concept is Risk-Based Alerting (RBA), which provides more context than traditional alerting by correlating multiple detections into a single risk score.
- Elastic Security offers the Elasticsearch Query Language (ES|QL) for advanced threat hunting and KQL for basic searches. ES|QL is ideal for complex security investigations, enabling powerful transformations and statistical analysis.
- Wazuh is an open-source SIEM that uses a ruleset to detect security events. It allows for extensive customization through custom rules and decoders.
- Windows & Linux Log Investigation: The Analyst’s First Skill
If you were mentoring a new SOC analyst, the first skill you should recommend they master is Windows Event Logs (Option 1). It is the most common data source and provides the foundational context for almost every investigation.
Key Windows Event IDs to Know:
- 4624: Successful logon
- 4625: Failed logon
- 4648: A logon was attempted using explicit credentials
- 4663: An attempt was made to access an object (file/folder)
- 4768: Kerberos authentication ticket was requested
- 4104: PowerShell script block logging (crucial for detecting malicious scripts)
PowerShell Commands for Log Analysis:
View all Security events from the last 24 hours
Get-WinEvent -LogName Security -MaxEvents 100
Filter for specific Event IDs (e.g., failed logons)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents 50
Check for brute-force patterns (group failed logons by source IP)
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=(Get-Date).AddHours(-24)}
$events | ForEach-Object {
if ($<em>.Message -match "Source Network Address:\s+(\S+)") {
[bash]@{ Time = $</em>.TimeCreated; SourceIP = $matches[bash] }
}
} | Group-Object SourceIP | Where-Object { $_.Count -ge 10 }
This script analyzes failed logon events and reports any source IP with 10 or more failed attempts as a potential brute-force attack.
Linux Commands for Log Analysis:
On Linux systems, the primary sources of security logs are `/var/log/auth.log` (or /var/log/secure) and the systemd journal.
View authentication logs in real-time sudo tail -f /var/log/auth.log Query the systemd journal for SSH events sudo journalctl -u ssh Find failed SSH login attempts sudo journalctl -u ssh | grep "Failed password" Find successful SSH logins sudo journalctl -u ssh | grep "Accepted password"
- Threat Detection Queries: SPL, KQL, and Wazuh Rules
Crafting effective detection queries is a critical skill for any SOC analyst.
Splunk (SPL) – Brute Force Detection:
This SPL query detects potential brute-force attacks by looking for a high number of failed logons (EventCode 4625) from a single source IP within a 5-minute window.
index=windows source="WinEventLog:Security" EventCode=4625 | stats count by src_ip | where count > 10 | table src_ip, count
Elastic (KQL/ES|QL) – Lateral Movement Detection:
This ES|QL query looks for a successful logon (EventCode 4624) that occurred shortly after a failed logon (EventCode 4625) from the same source IP, a common pattern for credential stuffing or password spraying.
FROM windows-security-logs | WHERE event.code == "4624" OR event.code == "4625" | SORT BY @timestamp ASC | STATS successes = COUNTIF(event.code == "4624"), failures = COUNTIF(event.code == "4625") BY source.ip, user.name | WHERE successes > 0 AND failures > 5
This query groups events by source IP and user, counting successes and failures to identify potential compromise.
Wazuh – Custom Rule for Suspicious Activity:
Wazuh allows you to create custom rules to detect specific threats. For example, to create a high-severity alert when a suspicious command is executed:
<group name="custom_rules"> <rule id="100010" level="10"> <if_sid>530</if_sid> <!-- Base rule for command execution --> <match>wget.http://malicious-domain.com</match> <description>Potential malware download detected via wget</description> </rule> </group>
This rule (ID 100010) triggers a level 10 alert when it detects a `wget` command attempting to download from a malicious domain.
- Detecting Specific Threats: Brute Force, PowerShell Abuse, and DNS Tunneling
Brute Force Detection:
Brute-force attacks (MITRE ATT&CK T1110) are characterized by a high volume of failed logon attempts (Event ID 4625) followed by a successful logon (Event ID 4624). Detection involves setting thresholds on the number of failed attempts from a single source within a specific time window.
Suspicious PowerShell Activity Monitoring:
PowerShell is a powerful tool for both administrators and attackers (MITRE ATT&CK T1059.001). To detect abuse, you must enable Script Block Logging and Module Logging.
– Enable via Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
– Enable via PowerShell:
Enable Script Block Logging Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -1ame "EnableScriptBlockLogging" -Value 1
Once enabled, look for Event ID 4104 in the Windows PowerShell operational log, which contains the full script block being executed.
DNS Tunneling Detection:
DNS tunneling is a technique used for command and control (C2) or data exfiltration by encoding data within DNS queries. Detection focuses on identifying anomalies in DNS traffic.
– Unusually long DNS query names: Malicious payloads are often encoded in long subdomains.
– High volume of DNS queries: A single endpoint generating an abnormally high number of DNS requests to a single domain.
– Splunk Query for DNS Tunneling:
index=dns sourcetype=dns | eval query_length = len(query) | where query_length > 50 | stats count by src_ip, query | sort - count
This query identifies DNS queries longer than 50 characters, which could indicate tunneling activity.
5. Lateral Movement Investigation
Lateral movement (MITRE ATT&CK TA0008) is the technique attackers use to move through a network after gaining initial access. Detecting it involves correlating authentication logs.
Key Indicators:
- Unusual authentication patterns: A user account authenticating from a new or unexpected workstation.
- Pass-the-Hash (PtH): Event ID 4624 with logon type 9 (NewCredentials) or 10 (RemoteInteractive).
- RDP Logins: Event ID 4624 with logon type 10.
Detection Query (Splunk):
index=windows EventCode=4624 Logon_Type=10 | stats count by user, src_ip, dest_host | where count > 5
This query looks for multiple RDP logins (Logon Type 10) from a single user across different hosts, which could indicate lateral movement.
6. Incident Documentation & SOC Best Practices
Effective incident response relies not only on technical skills but also on clear documentation and adherence to best practices.
Incident Documentation: Every investigation should be documented, including:
- Timeline of events: When did the incident start? What were the key events?
- Scope: What systems, users, and data were affected?
- Indicators of Compromise (IOCs): IP addresses, domains, file hashes, and user accounts.
- Actions taken: What steps were taken to contain, eradicate, and recover?
- Lessons learned: What could be improved?
SOC Investigation Best Practices:
- Start with the Alert, Not the Answer: Don’t jump to conclusions. Let the data guide your investigation.
- Correlate, Don’t Isolate: Always look at events in the context of other data sources.
- Think Like an Attacker: Understand the attacker’s objectives and techniques (MITRE ATT&CK framework is invaluable here).
- Document Everything: Your documentation is your legacy and a critical resource for future investigations.
- Communicate Clearly: Translate technical findings into clear, actionable language for stakeholders.
What Undercode Say:
- Key Takeaway 1: The transition from a junior to a senior SOC analyst is marked by the ability to move beyond the alert and understand the underlying context. This requires a deep understanding of log sources, query languages, and the attacker’s mindset.
- Key Takeaway 2: Continuous learning and hands-on practice are non-1egotiable. Security threats evolve rapidly, and so must the analyst’s skills. Building a home lab to simulate attacks and test detection rules is one of the most effective ways to gain practical experience.
The modern SOC analyst is a digital detective, piecing together clues from countless log entries to uncover the truth. By mastering the skills outlined in this playbook—from log analysis and SIEM querying to threat detection and incident response—you can transform raw data into a powerful defense against cyber threats. Remember, every attack leaves traces, and every log contains evidence. The question is: are you ready to find it?
Prediction:
- -1: The increasing sophistication of AI-powered attacks will render traditional, rule-based detection methods obsolete, forcing SOC analysts to adapt to behavioral and anomaly-based detection.
- -1: The talent shortage in cybersecurity will continue to exacerbate, placing immense pressure on existing SOC teams and increasing the risk of burnout and missed detections.
- +1: However, the rise of AI and machine learning in SIEM platforms will also empower analysts, automating tedious tasks and providing richer context, allowing them to focus on high-value threat hunting.
- -1: Adversaries will increasingly leverage living-off-the-land (LotL) techniques, making it harder to distinguish between legitimate administrative activity and malicious actions.
- +1: The growing adoption of Extended Detection and Response (XDR) will break down silos between security tools, providing analysts with a more holistic view of the attack surface.
- -1: The proliferation of IoT and OT devices will introduce new, complex log sources and attack vectors that many SOCs are not prepared to handle.
- +1: However, community-driven threat intelligence sharing and open-source tools like Wazuh and TheHive will continue to democratize security, making enterprise-grade detection capabilities accessible to organizations of all sizes.
▶️ Related Video (70% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Yasinagirbas Cybersecurity – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
