Step 01 · watch first
Learn how a SOC analyst reads log lines.
A five-minute primer on log correlation — auth, access, exfil. The same pattern you'll use to reconstruct the intrusion timeline in the sandbox.
Lesson · SOC log triage
~5 min
Summary
what to remember
- A SIEM alert is the trailhead, not the answer. It tells you something tripped a rule — your job is to walk the path until you have a story you can write down.
- Always start at auth.log. Failed → successful login pairs from the same source IP are the bell — that's the brute force that actually worked.
- Pivot to access logs to find sensitive reads. The session ID from auth.log is the join key — use it against nginx or app logs to see what they touched.
- Outbound bytes to nowhere = exfil. Check firewall.log for large transfers to non-RFC1918 destinations near the incident window.
- Four log lines, one story = the flag template. User · source IP · file path · exfil destination. That's the incident report and the flag at the same time.
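The four steps above, carried through end to end as an added example (not part of the lesson or its sandbox): a small Python script that walks constructed auth, access and firewall log lines, pairs repeated failures with the success that followed from the same source IP, joins the session ID into the access log, filters the firewall log for large flows to non-RFC1918 destinations inside the incident window, and emits the four-field story. The log formats, the field names (user, src, session, dst, bytes), the failure threshold and the 30-minute window are all assumptions for the demonstration; real auth.log, nginx and firewall formats differ, so only the parse step would need adapting.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed sample logs (not from the lesson). One source fails three times and
# then succeeds, one ordinary user logs in cleanly, and three firewall flows follow:
# one large flow to a public address in the window, one large internal flow (SMB),
# and one large public flow two hours later, outside the window.
AUTH_LOG = """\
2024-05-01T10:00:01Z auth: FAILED login user=alice src=203.0.113.9
2024-05-01T10:00:02Z auth: FAILED login user=alice src=203.0.113.9
2024-05-01T10:00:03Z auth: FAILED login user=alice src=203.0.113.9
2024-05-01T10:00:05Z auth: SUCCESS login user=bob src=198.51.100.7 session=a1b2
2024-05-01T10:00:07Z auth: SUCCESS login user=alice src=203.0.113.9 session=s8f2
""".splitlines()

ACCESS_LOG = """\
2024-05-01T10:00:30Z access: session=a1b2 GET /index.html 200 bytes=1200
2024-05-01T10:01:12Z access: session=s8f2 GET /files/payroll.xlsx 200 bytes=48211
2024-05-01T10:01:20Z access: session=s8f2 GET /static/logo.png 200 bytes=900
""".splitlines()

FIREWALL_LOG = """\
2024-05-01T10:02:40Z fw: ALLOW src=10.0.0.5 dst=198.51.100.23 dport=443 bytes=52000000
2024-05-01T10:02:50Z fw: ALLOW src=10.0.0.5 dst=10.0.0.8 dport=445 bytes=90000000
2024-05-01T12:30:00Z fw: ALLOW src=10.0.0.5 dst=192.0.2.77 dport=443 bytes=70000000
""".splitlines()

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
KV = re.compile(r"(\w+)=(\S+)")
# RFC1918 ranges spelled out rather than ip_address().is_private, which also
# matches loopback, link-local and other ranges the lesson does not mean.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(line):
    """Split a log line into (timestamp, log source, key=value fields, remaining text)."""
    ts, source, rest = line.split(" ", 2)
    return datetime.strptime(ts, TS_FMT), source.rstrip(":"), dict(KV.findall(rest)), rest


def brute_force_successes(auth_lines, min_failures=3):
    """Step 1: successful logins preceded by >= min_failures failures from the same IP."""
    failures = {}
    hits = []
    for line in auth_lines:  # lines are assumed to be in time order
        ts, _, f, rest = parse(line)
        ip = f["src"]
        if rest.startswith("FAILED"):
            failures[ip] = failures.get(ip, 0) + 1
        elif rest.startswith("SUCCESS") and failures.get(ip, 0) >= min_failures:
            hits.append({"ts": ts, "user": f["user"], "src": ip, "session": f["session"]})
    return hits


def sensitive_reads(access_lines, sessions, sensitive_prefix="/files/"):
    """Step 2: join on the session ID and keep only reads under the sensitive path prefix."""
    reads = []
    for line in access_lines:
        ts, _, f, rest = parse(line)
        path = rest.split()[2]  # "session=... GET /path status bytes=..."
        if f.get("session") in sessions and path.startswith(sensitive_prefix):
            reads.append({"ts": ts, "session": f["session"], "path": path})
    return reads


def exfil_candidates(fw_lines, start, end, min_bytes=10_000_000):
    """Step 3: large flows to non-RFC1918 destinations inside [start, end]."""
    flows = []
    for line in fw_lines:
        ts, _, f, _ = parse(line)
        dst = ipaddress.ip_address(f["dst"])
        if not (start <= ts <= end) or any(dst in net for net in RFC1918):
            continue
        if int(f["bytes"]) >= min_bytes:
            flows.append({"ts": ts, "dst": str(dst), "bytes": int(f["bytes"])})
    return flows


def reconstruct(auth_lines, access_lines, fw_lines, window=timedelta(minutes=30)):
    """Step 4: alert -> auth -> access -> firewall, reduced to the four-field story."""
    stories = []
    for hit in brute_force_successes(auth_lines):
        reads = sensitive_reads(access_lines, {hit["session"]})
        flows = exfil_candidates(fw_lines, hit["ts"], hit["ts"] + window)
        if reads and flows:
            stories.append({
                "user": hit["user"],
                "source_ip": hit["src"],
                "file_path": reads[0]["path"],
                "exfil_destination": flows[0]["dst"],
            })
    return stories


if __name__ == "__main__":
    for story in reconstruct(AUTH_LOG, ACCESS_LOG, FIREWALL_LOG):
        print(" · ".join(f"{k}={v}" for k, v in story.items()))
```

Running it prints one line: user=alice · source_ip=203.0.113.9 · file_path=/files/payroll.xlsx · exfil_destination=198.51.100.23. Bob's clean login never becomes a hit because no failures preceded it, the 90 MB flow to 10.0.0.8 is dropped as internal, and the 70 MB flow to 192.0.2.77 is dropped because it falls outside the window anchored on the successful login. Note that the join on session ID is what keeps the /files/ read attributed to the right user; matching on source IP alone would also be fooled by shared NAT addresses.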
Quick check · before you continue
1 question · pick one
Q: A SIEM alert fires. The first log you should pull is…