Day 8: Windows & Linux Security Logs Deep Dive
Today students will learn:
- How to read Windows security logs (Event IDs)
- How to read Linux security logs (auth.log, syslog)
- How to detect attacks using these logs
- How to search effectively in Splunk
1. Why Windows & Linux Logs Are Important for SOC
In a real SOC:
- 80% of alerts come from Windows logs
- 20% from Linux logs
These logs help detect:
- Brute force
- Lateral movement
- Privilege escalation
- Persistence
- Malware execution
- Admin misuse
2. Windows Security Logs
Windows logs use Event ID numbers.
SOC analysts must know these common ones:
Top Windows Event IDs (with simple meaning)
4624: Successful Login
User logged in successfully.
Important fields:
- Logon_Type
- IP
- Username
4625: Failed Login
Wrong password / brute force attempts.
4648: Logon Using Explicit Credentials
Hacker using "runas" or a stolen password.
4672: Special Privileges Assigned
The user logged on with admin-level rights.
Possible privilege escalation.
4720: New User Created
Possible persistence technique.
4732: User Added to Admin Group
High risk: attacker gaining control.
7045: New Service Installed
Can indicate malware persistence.
Windows Logon Types (Very important)
Logon types help identify MITRE tactics quickly.
| Logon Type | Meaning | Attack Use |
|---|---|---|
| 2 | Local login | Internal user |
| 3 | Network login | SMB, file share |
| 4 | Batch | Scheduled tasks |
| 5 | Service | Malware installs |
| 7 | Unlock workstation | Not suspicious |
| 10 | Remote Login (RDP) | Lateral movement |
| 11 | Cached login | Offline login |
3. Splunk Queries for Windows Logs
Successful Logins (4624)
index=* EventCode=4624
Failed Logins (4625)
index=* EventCode=4625
RDP Logins (Logon Type 10)
index=* EventCode=4624 Logon_Type=10
New User Created (Attack Possible)
index=* EventCode=4720
Privilege Escalation (4672)
index=* EventCode=4672
4. Linux Security Logs: auth.log & syslog
Linux stores logs in:
/var/log/auth.log
/var/log/syslog
Common Linux Log Patterns (Easy)
Failed SSH Login
Failed password for invalid user
Successful SSH Login
Accepted password for user
User Switching (sudo)
sudo: user : TTY=pts/0 ; PWD=/home ; COMMAND=/bin/bash
New user added
useradd[1234]: new user: name=bob uid=1002
Root login
session opened for user root
Splunk Queries for Linux Logs
Failed SSH logins
index=* "Failed password"
Successful SSH logins
index=* "Accepted password"
Sudo commands
index=* "sudo"
Root access
index=* "session opened for user root"
New user created
index=* "useradd" OR "adduser"
5. Day 8 Hands-On Tasks
Task 1: Detect brute force on Windows
index=* EventCode=4625
| stats count by Account_Name, IpAddress
Task 2: Detect SSH brute force on Linux
index=* "Failed password"
| stats count by src_ip
| where count > 5
Task 3: Detect RDP lateral movement
index=* EventCode=4624 Logon_Type=10
Task 4: Detect new admin user (Windows)
index=* EventCode=4732
Task 5: Detect root login (Linux)
index=* "session opened for user root"
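Task 1 and Task 2 carried out in Python over constructed log samples, as an added example that is not part of the course material. The auth.log lines and the Windows 4625 events below are made up for illustration, and the "count > 5" threshold is the one from Task 2.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not real captures): 203.0.113.5 fails six
# times (over the Task 2 threshold), 198.51.100.7 fails once and then succeeds.
AUTH_LOG = """\
Jan 10 09:01:02 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Jan 10 09:01:04 host sshd[2002]: Failed password for invalid user test from 203.0.113.5 port 50123 ssh2
Jan 10 09:01:05 host sshd[2003]: Failed password for root from 203.0.113.5 port 50124 ssh2
Jan 10 09:01:07 host sshd[2004]: Failed password for root from 203.0.113.5 port 50125 ssh2
Jan 10 09:01:08 host sshd[2005]: Failed password for root from 203.0.113.5 port 50126 ssh2
Jan 10 09:01:09 host sshd[2006]: Failed password for root from 203.0.113.5 port 50127 ssh2
Jan 10 09:03:15 host sshd[2007]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Jan 10 09:03:20 host sshd[2008]: Accepted password for bob from 198.51.100.7 port 40002 ssh2
"""

# "invalid user" appears only when the account does not exist; the regex accepts both forms.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)")

def failed_ssh_by_source(log_text):
    """Same as: index=* "Failed password" | stats count by src_ip"""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src_ip")] += 1
    return counts

def ssh_brute_force_sources(log_text, threshold=5):
    """Same as adding: | where count > 5  (Task 2). Returns [(src_ip, count), ...]."""
    return sorted((ip, n) for ip, n in failed_ssh_by_source(log_text).items() if n > threshold)

# Constructed Windows events, already field-extracted the way Splunk shows them.
WIN_EVENTS = [
    {"EventCode": 4625, "Account_Name": "alice", "IpAddress": "10.0.0.9"},
    {"EventCode": 4625, "Account_Name": "alice", "IpAddress": "10.0.0.9"},
    {"EventCode": 4625, "Account_Name": "administrator", "IpAddress": "10.0.0.9"},
    {"EventCode": 4624, "Account_Name": "alice", "IpAddress": "10.0.0.9"},
]

def failed_logons_by_account_and_ip(events):
    """Same as Task 1: index=* EventCode=4625 | stats count by Account_Name, IpAddress"""
    counts = Counter()
    for e in events:
        if e.get("EventCode") == 4625:  # only failed logons; the 4624 success is skipped
            counts[(e["Account_Name"], e["IpAddress"])] += 1
    return counts
```

Both functions return the same grouped counts the Splunk "stats count by" clause would, so the threshold can be tuned the same way as in the query.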
Trainer Script (Say This in Class)
"Windows and Linux logs tell the real story of what happened.
As a SOC analyst, if you can read logs, you can detect attacks.
Logs + MITRE = professional detection skills."
Homework
Students submit:
- One Windows Event ID
- One Linux log pattern
- Splunk query
- MITRE mapping
Example:
- EventCode 4625
- Failed SSH password
- MITRE T1110 Brute Force