Day 15 – Understanding Network Logs (Firewall, DNS, Proxy, VPN) for SOC

Today students learn how to analyze network traffic logs, which is critical for:

  • Threat hunting
  • Investigations
  • Incident response
  • Correlating attacks
  • Detecting early signs of compromise

🧠 1. Why Network Logs Are Important

Endpoint logs show what happened inside the machine.

But network logs show who the machine is talking to.

Network logs reveal:

  • Command & Control communication
  • Malware traffic
  • Phishing domain traffic
  • Data exfiltration
  • Internal lateral movement
  • Unusual VPN activity
  • DNS-based attacks

🔥 2. Types of Network Logs Every SOC Analyst Must Know

1️⃣ Firewall Logs

Show allowed/blocked network connections.

Important fields:

  • src_ip
  • dest_ip
  • src_port
  • dest_port
  • action (ALLOW / DENY)
  • protocol
  • bytes_in / bytes_out

2️⃣ DNS Logs

Show domain name lookups.

Used to detect:

  • Malware contacting C2 (command-and-control) servers
  • DNS tunneling
  • Suspicious domains (.xyz, .top, .vip)
  • Phishing infrastructure

Important fields:

  • queried_domain
  • response
  • client_ip

3️⃣ Proxy Logs (Web Logs)

Show web browsing traffic.

Used to detect:

  • Access to malicious URLs
  • Download of malware
  • Suspicious file extensions
  • User web behavior

Important fields:

  • URL
  • HTTP method
  • status code
  • category
  • user_agent

4️⃣ VPN Logs

Show remote access activity.

Used to detect:

  • Unknown logins
  • Logins from unusual countries
  • Multiple concurrent logins on the same account
  • Stolen credentials

Important fields:

  • user
  • country
  • login time
  • source IP

🔍 3. Splunk Queries for Network Logs

🔥 Firewall Log Example

Detect blocked connections:

index=firewall action=deny
| stats count by src_ip, dest_ip, dest_port

Detect port scans (one source touching many distinct destination ports):

index=firewall 
| stats dc(dest_port) as ports by src_ip 
| where ports > 20
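Added example, not part of the original lesson: the same port-scan logic in Python over constructed key=value firewall events, showing why counting distinct destination ports per source (Splunk dc(dest_port) by src_ip) flags a scanner, while a plain count by src_ip, dest_port flags a busy web client instead. Field names follow the firewall field list above; the sample events, IP addresses and the 20-port threshold are assumptions.

```python
"""Port-scan check over firewall log lines, mirroring Splunk's
`stats dc(dest_port) as ports by src_ip | where ports > threshold`."""
import re
from collections import defaultdict

# Constructed sample events in key=value form (not from any real firewall).
# 10.0.0.5 probes 25 distinct ports on one host (a scan);
# 10.0.0.9 makes 30 connections to port 443 only (normal web traffic).
SAMPLE_LOGS = [
    f"action=deny src_ip=10.0.0.5 dest_ip=10.0.1.20 src_port=51000 dest_port={p} protocol=tcp"
    for p in range(1, 26)
] + [
    f"action=allow src_ip=10.0.0.9 dest_ip=203.0.113.10 src_port={50000 + i} dest_port=443 protocol=tcp"
    for i in range(30)
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict (what Splunk's field extraction does)."""
    return dict(KV_RE.findall(line))


def connections_by_src_port(events):
    """Equivalent of `stats count by src_ip, dest_port`: connections per pair."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["src_ip"], e["dest_port"])] += 1
    return dict(counts)


def port_scanners(events, threshold=20):
    """Equivalent of `stats dc(dest_port) as ports by src_ip | where ports > threshold`.
    Returns {src_ip: distinct_port_count} for sources above the threshold."""
    ports = defaultdict(set)
    for e in events:
        ports[e["src_ip"]].add(e["dest_port"])
    return {ip: len(p) for ip, p in ports.items() if len(p) > threshold}


if __name__ == "__main__":
    events = [parse_event(line) for line in SAMPLE_LOGS]
    # A count per (src_ip, dest_port) pair flags the web client, not the scanner:
    print({k: v for k, v in connections_by_src_port(events).items() if v > 20})
    # Counting distinct ports per source flags only the scanner:
    print(port_scanners(events))
```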


🔥 DNS Log Example

Detect suspicious domains:

index=dns 
| search queried_domain="*.xyz" OR queried_domain="*.top" OR queried_domain="*.vip"

Detect DNS tunneling (lots of requests):

index=dns 
| stats count by client_ip 
| where count > 1000


🔥 Proxy Log Example

Detect malware URLs:

index=proxy 
| search url="*.exe" OR url="*.dll" OR url="*.zip"

Detect phishing:

index=proxy 
| search url="*login*" AND url="*verify*" AND url="*update*"


🔥 VPN Log Example

Detect a user logging in from more than one country:

index=vpn 
| stats dc(country) as countries by user
| where countries > 1

Detect too many VPN logins:

index=vpn 
| stats count by user 
| where count > 5


🧩 4. MITRE Technique Mapping (SOC Must Know)

Log Type   | MITRE Technique
-----------|---------------------------
Firewall   | T1021 Lateral Movement
DNS        | T1071 C2 Communication
Proxy      | T1189 Drive-by Compromise
VPN        | T1078 Valid Accounts

🛠 5. Day 15 Hands-On Lab

Task 1 – Find blocked connections in firewall logs

index=firewall action=deny


Task 2 – Find high DNS activity

index=dns | stats count by client_ip


Task 3 – Find suspicious file downloads

index=proxy url="*.exe"


Task 4 – Find suspicious VPN logins

index=vpn | stats count by user


Task 5 – Create a Network Overview Dashboard

Panels:

  • Top Firewall Blocks
  • Top DNS Requests
  • Top Web Requests
  • VPN Login Activity

🎤 Trainer Script for Class

“Network logs show attacker movement across the network.
Endpoint logs show what happened inside the machine.
Combining both gives complete attack visibility.”


📝 Homework for Day 15

Students submit:

  1. One firewall query
  2. One DNS query
  3. One proxy query
  4. One VPN query
  5. MITRE mapping
