Interpret operating system, SIEM, SOAR platform, application, or command line logs to identify an event

📘Cisco Certified CyberOps Associate (200-201 CBROPS)
In cybersecurity investigations, evidence is the information you use to figure out what happened during a security incident. Logs are a major source of this evidence. Different logs provide different types of evidence, and understanding this is key for the exam.

1. Types of Evidence in IT Security

Evidence can be categorized as:

  1. Network Evidence
    • Comes from network devices like firewalls, routers, switches, and intrusion detection/prevention systems (IDS/IPS).
    • Example logs: firewall allow/deny logs, router connection logs, IDS alerts.
    • Use: To see suspicious network connections, blocked attempts, or unusual traffic patterns.
  2. Host/Operating System Evidence
    • Comes from servers or user devices.
    • Example logs:
      • Windows Event Logs (Security, System, Application)
      • Linux /var/log/syslog or /var/log/auth.log
    • Use: To track user logins, failed login attempts, system errors, or application crashes.
  3. Application Evidence
    • Comes from software applications running on hosts.
    • Example logs:
      • Web server logs (Apache access.log and error.log)
      • Database logs (failed queries, login attempts)
      • Email server logs
    • Use: To find malicious activity at the application level, like SQL injection attempts, abnormal requests, or unauthorized access.
  4. Security Platform Evidence
    • Comes from centralized security tools.
    • SIEM (Security Information and Event Management) logs: Collect and correlate logs from multiple devices.
      • Example: Alert from correlated failed login attempts across multiple servers.
    • SOAR (Security Orchestration, Automation, and Response) logs: Track automated responses to threats.
      • Example: Log showing an automatic quarantine of a compromised endpoint.
    • Use: To see trends, patterns, and automated actions in an incident.
  5. Command Line Evidence
    • Logs or outputs from commands run on hosts.
    • Example:
      • who, last, ps, netstat, iptables logs
      • PowerShell logs (Get-EventLog)
    • Use: To manually inspect what is happening on a host, such as active processes or network connections.

Key Point for the Exam

  • You should identify the type of evidence by looking at the log content.
  • For example:
    • If it shows IP addresses and traffic flow → network evidence
    • If it shows failed login attempts → host/OS evidence
    • If it shows web requests → application evidence
    • If it shows correlated alerts → SIEM/SOAR evidence
    • If it’s output from a command → command line evidence

3.5 Interpret Operating System, SIEM, SOAR, Application, or Command Line Logs to Identify an Event

Once you know the type of log, the next step is reading it to detect an event. Events are actions or changes that could indicate normal activity, misconfigurations, or security incidents.

1. Operating System Logs

Windows Event Logs

  • Security log: login success/failure, account lockouts.
  • System log: driver issues, hardware problems.
  • Application log: software crashes, service errors.

Linux Logs

  • /var/log/auth.log: login attempts.
  • /var/log/syslog or /var/log/messages: system and service messages.
  • /var/log/kern.log: kernel-related messages.

Interpretation Example:

  • Multiple failed logins followed by a successful login → possible brute-force attack.

2. SIEM Logs

  • SIEM aggregates logs from multiple sources and correlates them.
  • Example:
    • Failed login on 5 servers from the same IP → SIEM raises an alert.
  • Interpretation:
    • Helps detect patterns you wouldn’t see from a single host.
  • Key fields:
    • Timestamp, source IP, username, event ID, severity.
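The two interpretation examples above (several failed logins followed by a success on one host, and failed logins from the same IP on five servers raising a SIEM alert) can both be expressed as small rules over parsed auth.log entries. The following Python script is an added example, not part of the original notes or of any Cisco material; the hostnames, IP addresses (documentation and private ranges), thresholds and log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: sshd entries in /var/log/auth.log format, collected from
# five hosts with assumed names. Not taken from a real system.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 web01 sshd[1201]: Failed password for admin from 203.0.113.45 port 51000 ssh2
Mar  3 10:01:05 web01 sshd[1202]: Failed password for admin from 203.0.113.45 port 51001 ssh2
Mar  3 10:01:09 web01 sshd[1203]: Failed password for admin from 203.0.113.45 port 51002 ssh2
Mar  3 10:01:15 web01 sshd[1204]: Accepted password for admin from 203.0.113.45 port 51003 ssh2
Mar  3 10:02:00 db01 sshd[2210]: Failed password for root from 203.0.113.45 port 52000 ssh2
Mar  3 10:02:30 app01 sshd[3310]: Failed password for root from 203.0.113.45 port 53000 ssh2
Mar  3 10:03:00 app02 sshd[3410]: Failed password for root from 203.0.113.45 port 54000 ssh2
Mar  3 10:03:30 mail01 sshd[4510]: Failed password for root from 203.0.113.45 port 55000 ssh2
Mar  3 10:05:00 web01 sshd[1250]: Accepted publickey for alice from 192.168.1.20 port 40000 ssh2
"""

# Matches the common "Failed password for ..." / "Accepted publickey for ..." sshd lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text):
    """Turn raw auth.log text into a time-ordered list of login event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line; skipped
        # syslog timestamps carry no year, so strptime fills in 1900; that is
        # fine for ordering events that all fall within the same year.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({
            "ts": ts, "host": m.group("host"), "user": m.group("user"),
            "ip": m.group("ip"), "success": m.group("result") == "Accepted",
        })
    events.sort(key=lambda e: e["ts"])  # tip 1: establish the sequence first
    return events


def find_bruteforce(events, min_failures=3, window_seconds=300):
    """Host-level rule: N failures from one IP, then a success on the same host."""
    failures = defaultdict(list)  # (host, ip) -> timestamps of failed attempts
    findings = []
    for e in events:
        key = (e["host"], e["ip"])
        if not e["success"]:
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key]
                  if (e["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= min_failures:
            findings.append({"host": e["host"], "ip": e["ip"], "user": e["user"],
                             "failures": len(recent),
                             "success_at": e["ts"].strftime("%b %d %H:%M:%S")})
        failures[key].clear()  # a success ends the current run of attempts
    return findings


def correlate_failed_logins(events, min_hosts=5):
    """SIEM-style rule: one source IP failing logins on many different hosts."""
    hosts_by_ip = defaultdict(set)
    for e in events:
        if not e["success"]:
            hosts_by_ip[e["ip"]].add(e["host"])
    return [{"ip": ip, "host_count": len(hosts), "hosts": sorted(hosts)}
            for ip, hosts in hosts_by_ip.items() if len(hosts) >= min_hosts]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for f in find_bruteforce(evs):
        print("HOST rule - failures then success:", f)
    for a in correlate_failed_logins(evs):
        print("SIEM rule - same IP on many hosts:", a)
```

Run on the sample, the host rule reports web01 (three failures from 203.0.113.45 and then an accepted password for admin), while the SIEM rule reports the same IP failing on five distinct hosts, which no single host's auth.log would reveal on its own. The unrelated publickey login for alice from the internal address is not flagged by either rule.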

3. SOAR Logs

  • SOAR tracks automated actions taken after detecting incidents.
  • Example:
    • Quarantined a machine after detecting malware.
  • Interpretation:
    • You can see what the system did automatically and why.
  • Useful for audit trails and incident response verification.

4. Application Logs

  • Examples:
    • Web server: 192.168.1.10 POST /login 401 → failed login attempt.
    • Database: Failed login for user admin from IP 10.0.0.5.
  • Interpretation:
    • Check for abnormal behavior such as repeated errors, unusual access patterns, or unauthorized commands.
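To show what reading an application log looks like in practice, here is an added Python example (not from the original notes) that parses Apache combined-format access.log lines and applies the two checks named above: repeated 401 responses on the login endpoint per client IP, and repeated server errors per path. The log lines, addresses, paths and thresholds are constructed for the example; the login path /login and the count thresholds are assumptions a real deployment would adjust.

```python
import re
from collections import Counter

# Constructed sample Apache access.log (combined log format). Addresses use
# private and documentation ranges; paths and user agents are made up.
SAMPLE_ACCESS_LOG = """\
192.168.1.10 - - [03/Mar/2024:10:10:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.1.10 - - [03/Mar/2024:10:10:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.1.10 - - [03/Mar/2024:10:10:06 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.1.10 - - [03/Mar/2024:10:10:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.22 - - [03/Mar/2024:10:11:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.168.1.22 - - [03/Mar/2024:10:11:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
192.168.1.22 - - [03/Mar/2024:10:11:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2024:10:12:00 +0000] "GET /api/report HTTP/1.1" 500 128 "-" "curl/8.0"
203.0.113.7 - - [03/Mar/2024:10:12:01 +0000] "GET /api/report HTTP/1.1" 500 128 "-" "curl/8.0"
"""

# client IP, ident, user, [timestamp], "METHOD path protocol", status, size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def failed_logins_by_ip(entries, login_path="/login", min_count=3):
    """Count 401 responses on the login endpoint per client IP; return repeat offenders."""
    counts = Counter(e["ip"] for e in entries
                     if e["path"] == login_path and e["status"] == 401)
    return {ip: n for ip, n in counts.items() if n >= min_count}


def server_errors_by_path(entries):
    """Count 5xx responses per path; repeated errors on one path deserve a look."""
    return dict(Counter(e["path"] for e in entries if 500 <= e["status"] < 600))


if __name__ == "__main__":
    rows = parse_access_log(SAMPLE_ACCESS_LOG)
    print("repeated login failures:", failed_logins_by_ip(rows))
    print("server errors by path:", server_errors_by_path(rows))
```

On the sample, 192.168.1.10 is reported with three 401s on /login (its later 302 is the kind of detail the timestamp ordering lets you notice next), 192.168.1.22's single failure stays below the threshold, and /api/report shows two 500 errors from the same client.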

5. Command Line Logs

  • Examples:
    • ps -ef → shows running processes.
    • netstat -an → shows network connections.
    • PowerShell logs → show executed scripts.
  • Interpretation:
    • You can detect malware running as a process, suspicious network connections, or unauthorized commands.
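Command output is evidence too, and the same parse-then-check approach applies to it. The following added Python example (not from the original notes) reads constructed Linux netstat -an output, lists the listening TCP ports, and flags ESTABLISHED connections to addresses outside an assumed set of internal networks on ports outside an assumed baseline. The local address, remote addresses, port baseline and internal ranges are all assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample of `netstat -an` output on a Linux host (assumed local
# address 10.0.0.5). Remote addresses use private and documentation ranges.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             192.168.1.20:50512      ESTABLISHED
tcp        0      0 10.0.0.5:49822          203.0.113.99:4444       ESTABLISHED
tcp        0      0 10.0.0.5:443            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:51234          198.51.100.10:443       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# Assumed context (tip 5): which networks count as internal, and which remote
# ports this host is expected to talk to. Both are placeholders for a real baseline.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
EXPECTED_REMOTE_PORTS = {22, 80, 443}


def _split_endpoint(addr):
    """'203.0.113.99:4444' -> ('203.0.113.99', 4444); '0.0.0.0:*' -> ('0.0.0.0', None)."""
    host, port = addr.rsplit(":", 1)
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Parse netstat -an rows into dicts; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        local_ip, local_port = _split_endpoint(fields[3])
        remote_ip, remote_port = _split_endpoint(fields[4])
        conns.append({
            "proto": fields[0], "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": fields[5] if len(fields) > 5 else "",  # udp rows have no state
        })
    return conns


def listening_ports(conns):
    """Sorted list of TCP ports the host is accepting connections on."""
    return sorted({c["local_port"] for c in conns if c["state"] == "LISTEN"})


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def unexpected_established(conns, expected_ports=EXPECTED_REMOTE_PORTS):
    """Established connections to external hosts on ports outside the baseline."""
    return [c for c in conns
            if c["state"] == "ESTABLISHED"
            and not is_internal(c["remote_ip"])
            and c["remote_port"] not in expected_ports]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening TCP ports:", listening_ports(rows))
    for c in unexpected_established(rows):
        print("review:", c["proto"], c["local_ip"], "->",
              f"{c['remote_ip']}:{c['remote_port']}", c["state"])
```

Against the sample the host listens on 22 and 443, the connection from the internal workstation and the outbound HTTPS session are left alone, and only the outbound connection to 203.0.113.99 on an unexpected port is surfaced for review. The baseline does the real work here: the same line would be unremarkable on a host that is known to use that port.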

Tips for Interpreting Logs

  1. Check timestamps: Helps determine the sequence of events.
  2. Look for anomalies: Unusual logins, high traffic, errors.
  3. Correlate logs: Compare logs from multiple sources to get a full picture.
  4. Identify severity: Not all events are critical; classify them as low, medium, or high.
  5. Understand context: Know normal behavior for the system to spot unusual events.

Summary for Students

  1. Identify evidence type first:
    • Network, host/OS, application, SIEM/SOAR, command line.
  2. Read logs carefully:
    • Check timestamp, user, source IP, and event type.
  3. Interpret event:
    • Failed login → brute force attempt.
    • Multiple alerts → coordinated attack.
    • Quarantined endpoint → automated response worked.
  4. Correlate across systems:
    • Combine network, OS, and application logs to get a full understanding.

Exam Focus:

  • You may be given a log snippet and asked:
    1. What type of evidence is this?
    2. What event does this log indicate?

Always answer systematically:

  • Evidence type → What the log represents
  • Event → What happened and what it might indicate