Chapter 104 · Security Operations

Log Data

Security log sources from firewalls to metadata, SIEM correlation, real-time dashboards, vulnerability scan data, and packet captures — understanding what each log type provides and how analysts combine them to detect and investigate incidents.

Confidential
Report ID: LOG-2024-001Domain: Security OperationsTopic: Firewall, Application & Endpoint Logs

Firewall, Application, and Endpoint Logs

Security monitoring depends on visibility into what is happening across the environment. Different log sources provide different perspectives. No single log type provides complete visibility; effective security operations require correlating multiple log sources through a SIEM (Security Information and Event Management) platform.

Firewall Logs

Firewall logs record every connection attempt that passes through the firewall, whether permitted or denied. Standard firewall log fields:

Next-generation firewall (NGFW) additions: Traditional firewalls operate at Layer 3/4 (IP and port). NGFWs add:

Firewall logs show what was allowed or denied at the perimeter. They do not show what happened after a connection was established or inside permitted traffic. IDS/IPS logs fill that gap.

Application Logs

Application logs record events generated by software: successful and failed logins, data access, transactions, errors, and configuration changes. Location varies by platform:

Application logs are critical for detecting account-based attacks: repeated failed logins, privilege escalation, access to sensitive data outside normal patterns.

Endpoint Logs

Endpoint logs capture activity on individual workstations and servers: authentication events, policy changes, process execution, file system changes, and network connections. When forwarded to a SIEM, endpoint logs from thousands of systems can be correlated to identify:

OS Security Logs

Operating system security logs provide authentication details beyond what application logs capture: specific credential types used, logon session IDs, account lockout events, file permission changes, and audit policy changes. OS security logs are especially valuable for detecting brute force attacks (repeated 4625 events on Windows), privilege escalation (local group membership changes), and covering of tracks (audit log clearing — which itself generates a log event). Because OS security logs are extremely verbose, filtering rules are required before forwarding to SIEM to avoid overwhelming storage and correlation capacity.

Confidential
Report ID: LOG-2024-002Domain: Security OperationsTopic: IPS, Network & Metadata Logs

IPS, Network, and Metadata Logs

IPS/IDS Logs

Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) logs record detected attack signatures and anomalies. Standard IPS/IDS log fields:

Modern NGFWs typically integrate IPS functionality. Standalone IDS sensors (passive, detection only) are also deployed at network taps for deep traffic analysis. IPS logs must be correlated with firewall logs: an IPS alert on traffic that the firewall should have blocked indicates a firewall misconfiguration.

Network Logs

Network infrastructure devices generate logs that provide visibility into traffic patterns and connectivity:

DeviceWhat Logs CaptureSecurity Value
SwitchesMAC address table changes, port state changes, VLAN events, spanning tree eventsDetect rogue devices, VLAN hopping attempts, MAC flooding
RoutersRouting table changes, interface state, ACL hits, BGP eventsDetect routing manipulation, unauthorized path changes
Wireless access points (WAPs)Client associations/disassociations, authentication events, channel changes, signal levelsDetect rogue clients, de-authentication attacks, evil twin APs
VPN concentratorsUser authentication, tunnel establishment/teardown, source IP of connections, data volumes per sessionDetect credential stuffing against VPN, unusual geographic origin, large data transfers

Metadata

Metadata is data that describes other data. It is distinct from content: metadata tells you who, when, where, and how — without requiring analysis of the content itself.

Metadata proves facts without requiring content analysis. An email header showing an authentic-looking sender address relayed through a compromised server in Eastern Europe is forensically significant even without reading the email body.
Confidential
Report ID: LOG-2024-003Domain: Security OperationsTopic: Vulnerability Scans, SIEM, Dashboards & Packet Captures

Vulnerability Scans, SIEM, Dashboards, and Packet Captures

Vulnerability Scan Data

Vulnerability scanners (Nessus, Qualys, OpenVAS) probe systems for known vulnerabilities and produce detailed reports. Vulnerability scan data provides:

Vulnerability scan data combined with IPS logs enables prioritization: an IPS alert for an exploit of CVE-XXXX is critical if vulnerability scans confirm that CVE-XXXX is present on the targeted system, and lower priority if the system is already patched.

SIEM: The Central Correlation Platform

A SIEM (Security Information and Event Management) platform ingests logs from all sources, normalizes them into a common format, correlates events across sources using rules, and generates alerts. SIEM capabilities:

Dashboards: Real-Time Visibility (Not Long-Term)

Security dashboards provide real-time or near-real-time visualization of current security status: active alerts, traffic volumes, authentication activity, top blocked IPs. Dashboards are designed for current situational awareness — they are not historical analysis tools. Key distinction:

A dashboard shows the current state; a SIEM report shows historical trends. Both are needed: dashboards for operations center monitoring, reports for compliance and management review.

Packet Captures

Packet captures (pcap files, analyzed with Wireshark) record the complete content of network traffic at the deepest possible level of detail. Packet captures capture everything: source and destination IPs, ports, protocols, and the full payload of each packet. Uses in security:

Packet captures are the deepest level of network visibility but have significant limitations at scale: storage requirements are enormous (a 10 Gbps link generates terabytes per day), and legal/privacy constraints limit where packet capture can be deployed (especially for encrypted traffic and in jurisdictions with strict privacy laws). Full packet capture is typically restricted to specific segments (DMZ, critical servers) rather than deployed pervasively.

Log/Data SourcePrimary Security ValueLimitation
Firewall logsPermitted/denied connections at perimeterDoes not show post-connection activity
Application logsAccount activity, data access, errorsApplication-specific; no network context
Endpoint logsHost-level activity; SIEM correlationExtremely verbose; requires filtering
IPS/IDS logsDetected attack signaturesOnly known signatures; misses novel attacks
MetadataContext without content; email tracingDoes not reveal content of communications
Vulnerability scansAttack surface visibilityPoint-in-time; misses new vulnerabilities
SIEMCross-source correlation; historical retentionOnly as good as its rules and ingested sources
DashboardsReal-time situational awarenessNot designed for historical analysis
Packet capturesDeepest network detail; full payloadStorage-intensive; privacy constraints