After this lesson, you will be able to: Use logs and alerts to detect incidents and triage true positives from false positives.
Detection is the most underinvested-in piece of IR, and the most important. This lesson covers log sources, alert tuning, and how to triage.
Endpoint logs (process creation, file changes). Network logs (DNS, NetFlow, proxy). Authentication logs (logins, failures, MFA challenges). Application logs (errors, business events). Cloud audit logs (CloudTrail, Azure Activity). A SIEM (Splunk, Elastic, Sentinel) centralizes them so you can search across.
Signature-based, exact patterns ('user agent contains nikto'). High precision, blind to novel attacks. Anomaly-based, statistical deviations ('Alice logged in from a new country at 3am'). High recall, more false positives. Behavioral, sequences ('failed logins followed by success and admin commands'). Best for chained attacks. Real programs use all three.
Read the alert end-to-end. Pull the surrounding events for context (host, user, time window). Determine: TP (true positive), FP (false positive), or 'unclear, escalate'. Document the decision so the next analyst can learn from it. Escalate confirmed TPs through the IR plan.
Hunt for failed logins followed by success.
index=auth event=login_failed user=*| stats count by user, src_ip| where count > 5| join user [search index=auth event=login_success]| table _time, user, src_ip, count
Choose.
Sign in and purchase access to unlock this lesson.