Log Analysis & SOC Investigations: A Beginner’s Guide


Cybersecurity teams rely heavily on log analysis to detect threats and respond to incidents. Logs are like footprints left behind by systems, applications, and users. By monitoring these footprints, Security Operations Center (SOC) analysts can spot suspicious activity and prevent breaches.


Top 10 Log Sources Every SOC Analyst Monitors

Here’s a quick overview of common log sources, where they’re stored, and why they matter:

Log Source | Location / Path | Why SOC Monitors It
--- | --- | ---
Windows Security Log | C:\Windows\System32\winevt\Logs\Security.evtx | Tracks logons, failed logins, and privilege escalations.
Windows System Log | C:\Windows\System32\winevt\Logs\System.evtx | Monitors system events, driver errors, and hardware issues.
Windows Application Log | C:\Windows\System32\winevt\Logs\Application.evtx | Captures application crashes or errors.
Firewall Logs | Appliance logs / syslog | Tracks traffic, blocked connections, and policy violations.
Proxy Logs | /var/log/squid/access.log | Monitors web traffic and blocked/malicious sites.
EDR Logs | Cloud console / agent logs | Detects malware, ransomware, and suspicious processes.
DNS Logs | /var/log/named/ | Tracks DNS queries, useful for detecting C2 activity.
Web Server Logs | /var/log/apache2/access.log | Monitors web requests, errors, and potential attacks.
Active Directory Logs | C:\Windows\System32\winevt\Logs\Security.evtx | Tracks account changes and privilege modifications.
VPN Logs | Appliance logs / syslog | Monitors remote access and unauthorized VPN usage.

Deep Dive: 2 Key Log Sources

1. Windows Security Log

Key Event IDs:

  • 4624 – Successful logon

  • 4625 – Failed logon

  • 4672 – Special privileges assigned

How Attackers Abuse It:

  • Brute-force attacks to guess passwords.

  • Pass-the-hash attacks to bypass authentication.

  • Using privileged accounts to hide malicious activity.

Example SIEM Query (Splunk):

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 | stats count by Account_Name, Source_Network_Address | where count > 10

2. Firewall Logs

Key Messages Monitored:

  • Blocked inbound/outbound traffic

  • Policy violations

  • Remote access attempts

How Attackers Abuse It:

  • Tunneling to bypass rules.

  • IP spoofing to appear trusted.

  • Exploiting misconfigured firewall rules.

Example SIEM Query (Splunk):

index=firewall_logs action=blocked | stats count by src_ip, dest_ip, dest_port | where count > 5
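Both Splunk queries above follow the same shape: filter on one field, count per group of fields, then keep groups over a threshold. The following Python script is an added example (not part of the original post) that reimplements that logic over constructed key=value records, so you can see exactly which rows each query would surface; the sample log lines, field names and thresholds mirror the two queries and are assumptions, not real telemetry.

```python
from collections import Counter

# Constructed sample records (not real telemetry), in the key=value form
# the queries above operate on after the SIEM has normalised them.
WIN_SECURITY_LOG = (
    ["EventCode=4625 Account_Name=jdoe Source_Network_Address=10.0.0.5"] * 12
    + ["EventCode=4625 Account_Name=asmith Source_Network_Address=10.0.0.9"] * 3
    + ["EventCode=4624 Account_Name=jdoe Source_Network_Address=10.0.0.5"]
)
FIREWALL_LOG = (
    ["action=blocked src_ip=203.0.113.7 dest_ip=10.0.0.20 dest_port=3389"] * 6
    + ["action=blocked src_ip=203.0.113.7 dest_ip=10.0.0.20 dest_port=22"] * 2
    + ["action=allowed src_ip=198.51.100.4 dest_ip=10.0.0.20 dest_port=443"] * 9
)

def parse_kv(line):
    """Split 'k=v k=v ...' into a dict; values are kept as strings."""
    return dict(tok.split("=", 1) for tok in line.split())

def stats_count_by(lines, keys, **match):
    """Equivalent of `<filter> | stats count by <keys>`: keep records whose
    fields equal the given match values, then count per tuple of key values."""
    counter = Counter()
    for rec in map(parse_kv, lines):
        if all(rec.get(k) == v for k, v in match.items()):
            counter[tuple(rec.get(k, "") for k in keys)] += 1
    return counter

def where_count_gt(counter, threshold):
    """Equivalent of `| where count > threshold`."""
    return {group: n for group, n in counter.items() if n > threshold}

def failed_logon_bursts(lines=WIN_SECURITY_LOG, threshold=10):
    """First query: 4625 events grouped by account and source address."""
    groups = stats_count_by(lines, ("Account_Name", "Source_Network_Address"),
                            EventCode="4625")
    return where_count_gt(groups, threshold)

def blocked_connection_bursts(lines=FIREWALL_LOG, threshold=5):
    """Second query: blocked flows grouped by source, destination and port."""
    groups = stats_count_by(lines, ("src_ip", "dest_ip", "dest_port"),
                            action="blocked")
    return where_count_gt(groups, threshold)

if __name__ == "__main__":
    print(failed_logon_bursts())        # {('jdoe', '10.0.0.5'): 12}
    print(blocked_connection_bursts())  # {('203.0.113.7', '10.0.0.20', '3389'): 6}
```

Note that asmith's three failures and the two blocked port-22 attempts fall under the thresholds and are not reported; lowering the threshold is how you trade missed detections for more analyst noise.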

Why Log Monitoring is Critical

  • Detects security threats early

  • Helps investigate suspicious activity

  • Ensures regulatory compliance

  • Prevents data breaches and system compromises

By combining logs from multiple sources and using SIEM tools, SOC analysts can proactively protect an organization’s network.


💡 Pro Tip: For beginners, start by monitoring Windows Security Logs and Firewall Logs. Once comfortable, expand to DNS, EDR, and Proxy logs for better visibility.
