Event and Log analysis
Common Security Events, how to analyze them, and the tools to do so

Types of data we work with

These are the parsed and normalized version of the log information that comes into your SIEM. These will help you be able to search for data in specific fields, create use cases that map across log sources, and provide the next level of detail beyond what appears in an alert.Event data - This is the data behind the alert. This should be all of the available details found in the reporting log file, normalized/converted into a standard format. This normalization is key, as it is what allows your searches to work across multiple log types. Generally, if you are working out of a SOAR or SIEM, you will be dealing with event data.When investigating an event, alert, or incident, there will be three levels of data you will look at:
  • Alert data - These are essentially searches made in your data to look for specific matches. If working out of an alert queue like most security analysts, this is what you will get first. The alert should show you the search logic as well as the data points that are matched in the search.
  • Event Data - These are the event logs that your searches and use cases work off of. They are typically normalized for processing by your SIEM, parsed so you know which fields you need, and possibly filtered to limit the scope of the data you might find relevant.
  • Log data - This is the raw, unedited, un-normalized data, before it is processed by another tool. Generally if you are working with an EDR platform, application logs, or system logs, these will be giving you raw log data.
Alert data and Event data can change depending on the platform you are using. Log data and format will be specific to the type of log that is being generated. Security analysts will typically be working from Alert/Event data, and then pivot to log data if they need further investigation. Threat hunters and forensics investigators will typically use raw log data for its granular level of detail.

Understanding Log results and thier contents

Logging formats will change depending on the log, log source, application, and manufacturer. Most are super dense with information and can be difficult to parse with out any reference. Below are some collections of cheatsheets and tool outputs that can help you make sense of some of the log types you might deal with and part of an investigation.