█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Incident Response/Detection and Analysis
40 minIntermediate

Detection and Analysis

After this lesson, you will be able to: Use logs and alerts to detect incidents and triage true positives from false positives.

Detection is the most underinvested-in piece of IR, and the most important. This lesson covers log sources, alert tuning, and how to triage.

Prerequisites:Preparation and Planning

Where signals come from

Endpoint logs (process creation, file changes). Network logs (DNS, NetFlow, proxy). Authentication logs (logins, failures, MFA challenges). Application logs (errors, business events). Cloud audit logs (CloudTrail, Azure Activity). A SIEM (Splunk, Elastic, Sentinel) centralizes them so you can search across.

Detection rules

Signature-based, exact patterns ('user agent contains nikto'). High precision, blind to novel attacks. Anomaly-based, statistical deviations ('Alice logged in from a new country at 3am'). High recall, more false positives. Behavioral, sequences ('failed logins followed by success and admin commands'). Best for chained attacks. Real programs use all three.

Events
thousands per day
▼
Alerts
hundreds
▼
Validated incidents
tens
▼
Real attacks
a handful
The SOC funnel. The whole job is separating the few real attacks from the mountain of routine noise above them.

💡 Alert fatigue is the silent killer

If you fire 10,000 alerts a day, the analyst will miss the real one. Tune ruthlessly, every 'I can ignore this' alert is a bug. Aim for fewer, higher-quality alerts; correlate where you can.

Triage workflow

Read the alert end-to-end. Pull the surrounding events for context (host, user, time window). Determine: TP (true positive), FP (false positive), or 'unclear, escalate'. Document the decision so the next analyst can learn from it. Escalate confirmed TPs through the IR plan.

Splunk-like log query

Hunt for failed logins followed by success.

tsx
index=auth event=login_failed user=*
| stats count by user, src_ip
| where count > 5
| join user [search index=auth event=login_success]
| table _time, user, src_ip, count
Quick Check

Best response to a low-fidelity alert that fires 100x/day?

Choose.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Preparation and Planning
Back to Incident Response
Containment and Eradication→