📊 Log Sources Matrix

Comprehensive mapping of log sources to use cases and detection scenarios

| Log Source | Key Events | Use Cases | Retention | Volume/Day |
|---|---|---|---|---|
| Windows Security | 4624 Successful Logon; 4625 Failed Logon; 4688 Process Creation; 4672 Special Privileges | Auth, Malware, Forensics | 90 days | ~500MB |
| Sysmon | ID 1 Process Create; ID 3 Network Connection; ID 7 Image Loaded; ID 10 Process Access | Malware, Network, Forensics | 30 days | ~2GB |
| Firewall | Allow/Deny Traffic; NAT Translations; VPN Connections; IPS/IDS Alerts | Network, Data Loss, Malware | 60 days | ~5GB |
| Proxy/Web Gateway | URL Access; File Downloads; Blocked Sites; SSL Inspection | Data Loss, Malware, Compliance | 30 days | ~10GB |
| Active Directory | 4720 User Created; 4728 Member Added to Group; 4732 Admin Group Change; 4768 Kerberos TGT | Auth, Compliance, Forensics | 180 days | ~200MB |
| Email Security | Spam Detection; Phishing Attempts; Malware in Attachments; DLP Violations | Malware, Data Loss, Compliance | 90 days | ~1GB |
| DNS | Query/Response; NXDOMAIN; Zone Transfers; Cache Poisoning | Malware, Network, Data Loss | 14 days | ~20GB |
| EDR/XDR | Process Behavior; File Modifications; Registry Changes; Network Activity | Malware, Forensics, Network | 60 days | ~3GB |
| Cloud (AWS/Azure) | CloudTrail/Activity Log; S3/Blob Access; IAM Changes; Resource Creation | Auth, Compliance, Data Loss | 365 days | ~500MB |
| Database | Login Success/Failure; Query Execution; Schema Changes; Privilege Escalation | Auth, Data Loss, Compliance | 90 days | ~2GB |

🖥️ Operating System Logs

  • Windows Event Log
    Security, System, Application, Setup, Forwarded Events
  • Linux Syslog
    /var/log/auth.log, messages, secure, audit.log
  • macOS Unified Log
    system.log, install.log, security logs

🌐 Network Infrastructure

  • Firewall Logs
    Traffic logs, threat logs, URL filtering, WildFire
  • IDS/IPS
    Snort, Suricata alerts, packet captures
  • VPN Logs
    Connection logs, authentication, bandwidth usage

🔒 Security Tools

  • Antivirus/EDR
    Detection events, quarantine, behavioral analysis
  • DLP Solutions
    Policy violations, data movement, user activity
  • CASB
    Cloud app usage, shadow IT, risk scores

📱 Application Logs

  • Web Server
    Access logs, error logs, SSL logs
  • Database
    Query logs, error logs, audit logs
  • Application
    Custom app logs, API logs, transaction logs

☁️ Cloud Services

  • AWS CloudTrail
    API calls, resource changes, IAM activity
  • Azure Activity Log
    Resource operations, service health, autoscale
  • GCP Cloud Logging
    Admin activity, data access, system events

👤 Identity & Access

  • Active Directory
    Authentication, group changes, policy modifications
  • LDAP
    Bind operations, searches, modifications
  • SSO/SAML
    Federation events, token issuance, MFA

🚨 Critical Windows Event IDs

| Event ID | Description | Detection Use |
|---|---|---|
| 4624 | Successful Logon | Track all authentication, especially Type 3 (network) and Type 10 (RDP) |
| 4625 | Failed Logon | Brute force detection, password spraying |
| 4688 | Process Creation | Track process execution with command line |
| 4648 | Explicit Credentials | RunAs usage, lateral movement |
| 4672 | Special Privileges | Admin logons, privilege use |
| 4720 | User Created | New account creation |
| 4732 | Added to Admins | Privilege escalation |
| 7045 | Service Installed | Persistence mechanism |
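The 4625 row above names brute force and password spraying as the detection use cases. The following is an added example, not part of the original matrix, showing how a SIEM correlation rule distinguishes the two patterns from the same event stream: many failures against one account from one source (brute force) versus one source touching many distinct accounts a few times each (spraying). The events, field names, thresholds and the five-minute window are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4625 events as a SIEM would have parsed them (not real telemetry)
SAMPLE_4625 = (
    # one account, one source, repeated failures within seconds: brute force
    [{"ts": f"2024-03-01T08:00:{i:02d}", "event_id": 4625, "account": "alice",
      "src_ip": "198.51.100.9", "logon_type": 3} for i in range(12)]
    # one source, many distinct accounts, one failure each: password spraying
    + [{"ts": f"2024-03-01T09:10:{i:02d}", "event_id": 4625, "account": f"user{i:02d}",
        "src_ip": "203.0.113.7", "logon_type": 3} for i in range(20)]
    # a single mistyped password over RDP: no alert expected
    + [{"ts": "2024-03-01T10:00:00", "event_id": 4625, "account": "bob",
        "src_ip": "192.0.2.5", "logon_type": 10}]
)


def detect_failed_logons(events, window=timedelta(minutes=5),
                         brute_threshold=10, spray_threshold=15):
    """Sliding-window check over 4625 events, grouped by source address.

    brute_force:    one account fails >= brute_threshold times within the window
    password_spray: >= spray_threshold distinct accounts fail within the window
    Each condition fires once per source (and per account for brute force)."""
    failures = sorted((e for e in events if e["event_id"] == 4625), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in failures:
        by_src[e["src_ip"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        times = [datetime.fromisoformat(e["ts"]) for e in evs]
        fired = set()
        start = 0
        for end in range(len(evs)):
            while times[start] < times[end] - window:   # drop events older than the window
                start += 1
            per_account = defaultdict(int)
            for e in evs[start:end + 1]:
                per_account[e["account"]] += 1
            for acct, n in per_account.items():
                if n >= brute_threshold and ("brute", acct) not in fired:
                    fired.add(("brute", acct))
                    alerts.append({"type": "brute_force", "src_ip": src, "account": acct,
                                   "count": n, "first": evs[start]["ts"], "last": evs[end]["ts"]})
            if len(per_account) >= spray_threshold and "spray" not in fired:
                fired.add("spray")
                alerts.append({"type": "password_spray", "src_ip": src,
                               "accounts": len(per_account),
                               "first": evs[start]["ts"], "last": evs[end]["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logons(SAMPLE_4625):
        print(alert)
```

Grouping by source address is what separates the two cases: the brute-force rule counts failures per account, the spray rule counts distinct accounts, and the single RDP typo from a third source triggers neither. In production the same rule is usually run a second time keyed on the target account, so a spray distributed across many source addresses is still caught.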

📈 Daily Log Volume Estimation (1000 endpoints)

  • DNS: ~20 GB
  • Proxy: ~10 GB
  • Firewall: ~5 GB
  • EDR: ~3 GB
  • Sysmon: ~2 GB
  • Auth: ~1 GB

📝 Example Parsing Rules

Windows Security Event 4624 Parser

Header line:

```
^(\S+\s+\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+Microsoft-Windows-Security-Auditing.*
```

Field patterns applied to the event body (EventID 4624):

```
Logon Type: (\d+)
Account Name: (\S+)
Account Domain: (\S+)
Logon ID: (0x[0-9A-Fa-f]+)
Source Network Address: (\S+)
```

Note that Account Name, Account Domain and Logon ID each appear twice in a 4624 body (once under Subject, once under New Logon); the account that actually logged on is the one under New Logon, so anchor those patterns there.

Apache Access Log Parser

```
^(\S+)\s+\S+\s+(\S+)\s+\[([^\]]+)\]\s+"(\S+)\s+([^\s]+)\s+(\S+)"\s+(\d+)\s+(\d+|-)\s+"([^"]*)"\s+"([^"]*)"
```

Fields: src_ip, user, timestamp, method, uri, protocol, status, bytes, referrer, user_agent

The byte-count group accepts `-` (Apache logs that for zero-byte responses) and the two quoted header groups accept an empty string (missing Referer or User-Agent); with `(\d+)` and `"([^"]+)"` those very common lines would fail to parse.

Syslog Parser

```
<(\d+)>(\S+\s+\d+\s+\d+:\d+:\d+)\s+(\S+)\s+(\S+)\[(\d+)\]:\s+(.*)
```

Fields: priority, timestamp, hostname, program, pid, message
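The three parsers above are regular expressions only; the following added example (not code from the original page) wraps them in Python and runs them over constructed sample lines, including the edge cases a production parser must survive: an Apache line with `-` for the byte count and an empty referrer, a syslog PRI value decoded into facility and severity, and a 4624 body where the Subject and New Logon blocks both carry an Account Name. All sample lines, hostnames, addresses and the SID-free event body are constructed for the example.

```python
import re

# Apache combined log format. Compared with the page's pattern, the byte count also
# accepts "-" (zero-byte responses) and the quoted referrer/user-agent may be empty.
APACHE_RE = re.compile(
    r'^(\S+)\s+\S+\s+(\S+)\s+\[([^\]]+)\]\s+"(\S+)\s+([^\s]+)\s+(\S+)"\s+'
    r'(\d+)\s+(\d+|-)\s+"([^"]*)"\s+"([^"]*)"'
)
APACHE_FIELDS = ("src_ip", "user", "timestamp", "method", "uri", "protocol",
                 "status", "bytes", "referrer", "user_agent")

# BSD-style syslog line with a PRI header and a "program[pid]:" tag
SYSLOG_RE = re.compile(
    r'<(\d+)>(\S+\s+\d+\s+\d+:\d+:\d+)\s+(\S+)\s+(\S+)\[(\d+)\]:\s+(.*)'
)
SYSLOG_FIELDS = ("priority", "timestamp", "hostname", "program", "pid", "message")

# Field patterns for the body of a Windows Security 4624 event
WIN4624_FIELDS = {
    "logon_type": re.compile(r"Logon Type:\s+(\d+)"),
    "account_name": re.compile(r"Account Name:\s+(\S+)"),
    "account_domain": re.compile(r"Account Domain:\s+(\S+)"),
    "logon_id": re.compile(r"Logon ID:\s+(0x[0-9A-Fa-f]+)"),
    "src_ip": re.compile(r"Source Network Address:\s+(\S+)"),
}
# These appear under both Subject and New Logon; the logged-on identity is under New Logon.
WIN4624_NEW_LOGON_ONLY = {"account_name", "account_domain", "logon_id"}


def parse_apache(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    rec = dict(zip(APACHE_FIELDS, m.groups()))
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def parse_syslog(line):
    """Parse a BSD syslog line; PRI is decoded into facility (pri // 8) and severity (pri % 8)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = dict(zip(SYSLOG_FIELDS, m.groups()))
    pri = int(rec["priority"])
    rec["facility"], rec["severity"] = pri // 8, pri % 8
    rec["pid"] = int(rec["pid"])
    return rec


def parse_win4624(message):
    """Extract logon fields from the text body of a 4624 event, taking the
    account fields from the New Logon block rather than the Subject block."""
    _, _, new_logon = message.partition("New Logon:")
    rec = {}
    for name, pat in WIN4624_FIELDS.items():
        haystack = new_logon if name in WIN4624_NEW_LOGON_ONLY and new_logon else message
        m = pat.search(haystack)
        rec[name] = m.group(1) if m else None
    return rec


# Constructed sample lines (not captured from any real system)
SAMPLE_APACHE = [
    '203.0.113.7 - alice [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" '
    '200 2326 "http://example.com/start" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 302 - "" "curl/8.0"',
]
SAMPLE_SYSLOG = ("<34>Oct 11 22:14:15 web01 sshd[1234]: Failed password for invalid user "
                 "admin from 198.51.100.9 port 52123 ssh2")
SAMPLE_WIN4624 = "\n".join([
    "An account was successfully logged on.",
    "Subject:",
    "\tAccount Name:\t\t-",
    "\tAccount Domain:\t\t-",
    "\tLogon ID:\t\t0x0",
    "Logon Information:",
    "\tLogon Type:\t\t3",
    "New Logon:",
    "\tAccount Name:\t\tsvc_backup",
    "\tAccount Domain:\t\tCORP",
    "\tLogon ID:\t\t0x3E7A2B",
    "Network Information:",
    "\tSource Network Address:\t192.0.2.44",
])

if __name__ == "__main__":
    for line in SAMPLE_APACHE:
        print(parse_apache(line))
    print(parse_syslog(SAMPLE_SYSLOG))
    print(parse_win4624(SAMPLE_WIN4624))
```

Running this is the "test parsers with sample logs" step from the best practices below: feed each parser the awkward lines first (missing fields, empty headers, duplicated field names) and confirm the extracted dict is what the correlation rules downstream expect, before the parser goes anywhere near production traffic.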

💡 SIEM Integration Best Practices

  • Time Sync
    Ensure all log sources use NTP so timestamps line up for accurate correlation
  • Parsing
    Test parsers with sample logs before production deployment
  • Filtering
    Filter noise at the source to reduce SIEM load (e.g., successful DHCP lease events)
  • Enrichment
    Add context such as GeoIP, AD attributes, and asset criticality
  • Retention
    Balance compliance requirements against storage costs
  • Monitoring
    Alert on log source failures or volume anomalies
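The last practice, alerting on log source failures and volume anomalies, is the one most often left out, and a source that quietly stops forwarding is indistinguishable from an attacker disabling it. This added example (not from the original page) implements a minimal source-health check: each source is compared against the median of its recent daily volumes and against a maximum silence period. The per-source history, the current-day totals and the timestamps are constructed figures that loosely follow the volume column of the matrix above; the ratio thresholds and the 30-minute silence limit are assumptions to tune per environment.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed figures (not measurements): the last seven daily totals in GB per source,
# today's total, and the timestamp of the newest event received from that source.
SOURCES = {
    "dns":    {"history": [19.5, 20.1, 20.8, 19.9, 21.0, 20.3, 19.7], "today": 20.4,
               "last_event": "2024-03-01T11:59:30"},
    "proxy":  {"history": [9.8, 10.2, 10.0, 9.9, 10.4, 10.1, 9.7], "today": 31.0,
               "last_event": "2024-03-01T11:58:02"},
    "sysmon": {"history": [2.0, 2.1, 1.9, 2.2, 2.0, 2.1, 2.0], "today": 0.3,
               "last_event": "2024-03-01T02:14:11"},
    "auth":   {"history": [1.0, 1.1, 0.9, 1.0, 1.0, 1.1, 1.0], "today": 1.0,
               "last_event": "2024-03-01T11:59:55"},
}


def check_sources(sources, now, low_ratio=0.5, high_ratio=2.0,
                  max_silence=timedelta(minutes=30)):
    """Return (source, condition, detail) tuples for sources that have gone silent or
    whose volume deviates from the median of their history beyond the given ratios.

    The history values are assumed to cover the same elapsed window as "today"; for a
    partial day, compare against the same time-of-day cut on the previous days."""
    alerts = []
    for name, s in sources.items():
        baseline = median(s["history"])
        silence = now - datetime.fromisoformat(s["last_event"])
        if silence > max_silence:
            alerts.append((name, "silent", f"last event {silence} ago"))
        if baseline <= 0:
            continue  # no usable baseline yet for a brand-new source
        ratio = s["today"] / baseline
        if ratio < low_ratio:
            alerts.append((name, "volume_drop", f"{s['today']} GB vs median {baseline} GB"))
        elif ratio > high_ratio:
            alerts.append((name, "volume_spike", f"{s['today']} GB vs median {baseline} GB"))
    return alerts


if __name__ == "__main__":
    for alert in check_sources(SOURCES, datetime.fromisoformat("2024-03-01T12:00:00")):
        print(alert)
```

A median rather than a mean keeps one outlier day from skewing the baseline. A drop combined with silence (the sysmon entry here) points at a collection failure or a tampered agent; a spike with no silence (the proxy entry) is more often a noisy new source or a loop and is the case the Filtering practice above addresses at the source.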