Data Types from Security Output

Understanding Log Formats, Alerts, and Metadata


Common Log Formats

As a SOC analyst, you'll encounter various log formats daily. Understanding their structure helps you quickly extract the information you need during investigations.

Syslog

Standard Unix/Linux logging format: a priority value (facility and severity), timestamp, hostname, process tag, and free-text message.

Windows Event

Structured XML format with Event IDs, channels, and detailed metadata.

Firewall Log

Connection decisions: permit/deny with 5-tuple, zone, and policy info.

Web Server

Apache/Nginx combined format: IP, request, status, user agent.


Log Field Extraction

Practice identifying and extracting fields from raw log data: take a sample of each format and work out which field every token belongs to before checking it against the format reference below.

Common Log Formats Explained

Syslog (RFC 5424)

Standard structured logging format

<pri>version timestamp hostname app-name procid msgid structured-data [msg]

PRI is facility * 8 + severity. Every header field is present, with "-" standing in for an absent value; structured-data is either "-" or one or more [id key="value" ...] elements, and only the trailing free-text message is optional.

CEF (Common Event Format)

ArcSight standard: a pipe-delimited header followed by space-separated key=value extensions. A literal "|" inside a header field is escaped as \| and a literal "=" inside an extension value as \=.

CEF:cef-version|device-vendor|device-product|device-version|signature-id|name|severity|extensions

JSON Logs

Structured, self-describing, easy to parse programmatically

{"timestamp": "...", "source": "...", "event_type": "...", "details": {...}}
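The following Python is an added example, not course material: one parser per format above (RFC 5424 syslog with PRI decoding and structured-data elements, CEF with escape handling, and JSON), plus a dispatcher that picks the parser from the first bytes of the line. The three sample lines are constructed for this example; the hostnames, vendor and user in them are made up.

```python
"""Parsers for the three formats above: RFC 5424 syslog, CEF and JSON.
Added example; the sample lines are constructed for it, not real telemetry."""
import json
import re

# RFC 5424 facility and severity names, indexed by numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and optional MSG.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)
SD_ELEMENT_RE = re.compile(r"^\[([^\]\\]*(?:\\.[^\]\\]*)*)\]")  # one [id k="v" ...] element
SD_PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)", re.S)


def unescape(value):
    """CEF escapes '|', '=' and '\\' with a backslash; drop the backslashes."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_syslog_5424(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line (BSD-style RFC 3164 is not handled here)")
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    # PRI = facility * 8 + severity, so a shift and a mask recover the two parts.
    facility, severity = pri >> 3, pri & 7
    rec["facility"] = FACILITIES[facility] if facility < len(FACILITIES) else str(facility)
    rec["severity"] = SEVERITIES[severity]
    rest = rec.pop("rest")
    sd = {}
    if rest.startswith("-"):          # NILVALUE: no structured data present
        rest = rest[1:]
    else:
        while (elem := SD_ELEMENT_RE.match(rest)):
            sd_id, _, params = elem.group(1).partition(" ")
            sd[sd_id] = dict(SD_PARAM_RE.findall(params))
            rest = rest[elem.end():]
    rec["structured_data"] = sd
    rec["msg"] = rest.strip()
    return rec


def parse_cef(line):
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Split on unescaped pipes only, and stop after the seven header separators
    # because the extension field may legitimately contain '|'.
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    keys = ["cef_version", "device_vendor", "device_product", "device_version",
            "signature_id", "name", "severity"]
    rec = {k: unescape(v) for k, v in zip(keys, parts[:7])}
    # Extensions: space-separated key=value, where a value runs until the next
    # ' key=' token; a literal '=' inside a value must be escaped as '\='.
    rec["extensions"] = {k: unescape(v) for k, v in CEF_EXT_RE.findall(parts[7])}
    return rec


def parse_json_log(line):
    rec = json.loads(line)
    if not isinstance(rec, dict):
        raise ValueError("JSON log line must be an object")
    return rec


def parse_log(line):
    """Dispatch on the leading bytes and return (format, parsed record)."""
    s = line.strip()
    if s.startswith("{"):
        return "json", parse_json_log(s)
    if s.startswith("CEF:"):
        return "cef", parse_cef(s)
    if s.startswith("<"):
        return "syslog", parse_syslog_5424(s)
    raise ValueError("unrecognised log format")


# Constructed sample lines (hosts, vendor and user are made up).
SAMPLE_LINES = [
    '<34>1 2024-01-03T14:22:31.123Z webhost01 sshd 1234 ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application"] '
    'Failed password for root from 203.0.113.5 port 52431 ssh2',
    'CEF:0|ExampleCorp|ExampleFW|1.0|100|Port scan detected|7|'
    'src=10.0.0.50 dst=192.168.1.100 spt=52431 dpt=22 act=blocked msg=Scan of 20 ports in 2s',
    '{"timestamp": "2024-01-03T14:22:31Z", "source": "edr", "event_type": "process_create", '
    '"details": {"user": "jdoe", "image": "cmd.exe", "pid": 4242}}',
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        fmt, rec = parse_log(raw)
        print(fmt, rec)
```

The syslog sample decodes PRI 34 to facility auth (4) and severity crit (2), which is exactly the kind of detail an analyst wants before searching for the event by name; the CEF parser stops splitting after the seventh pipe so that a pipe in a URL or message in the extensions does not corrupt the header.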

Security Alert Types

Security tools generate alerts with varying levels of detail and confidence. Understanding alert types helps you prioritize and investigate effectively.

IDS/IPS Alerts

Signature-based detection with rule ID, classification, and packet context.

AV/EDR Alerts

Malware detection, behavioral indicators, file hashes, process trees.

SIEM Correlation

Multi-source correlation, aggregated risk scores, linked events.

UEBA Alerts

Behavioral anomalies, baseline deviation, risk scoring per entity.

Sample IDS Alert (Snort Format)

[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/03-14:22:31.123456 192.168.1.100:22 -> 10.0.0.50:52431
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:84 DF
***AP*** Seq: 0x12345678  Ack: 0x87654321  Win: 0x7210  TcpLen: 32

Key Alert Fields

  • Rule ID [1:2100498:7] — Generator ID:SID:Revision (generator 1 is the Snort rules engine); use the SID to look up the rule text
  • Classification — Category of threat (attack, policy violation, etc.)
  • Priority — Severity assigned to the classification (1=high, 2=medium, 3=low)
  • 5-Tuple — Source/Dest IP:Port and protocol, with the arrow giving direction
  • Packet Details — IP header values (TTL, ID, lengths, DF), TCP flags, sequence and acknowledgement numbers, window size
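An added example, not course-supplied code: a Python parser that pulls the key alert fields above out of a Snort full-format alert. The alert text is the sample shown above, embedded here as constructed input. Because log shippers frequently collapse the multi-line layout into one line, the parser normalises whitespace first so both forms yield the same record; the TCP flag ordering and the IPv4-only address pattern are stated assumptions in the comments.

```python
"""Parse a Snort 'full' alert into the key alert fields listed above.
Added example; the alert text is the sample from this page, embedded as input."""
import ipaddress
import re

SAMPLE_ALERT = """\
[**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/03-14:22:31.123456 192.168.1.100:22 -> 10.0.0.50:52431
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:84 DF
***AP*** Seq: 0x12345678  Ack: 0x87654321  Win: 0x7210  TcpLen: 32
"""

# Matched against the alert with all whitespace collapsed to single spaces, so the
# same pattern handles Snort's multi-line layout and the one-line form produced by
# log shippers. Assumptions: IPv4 addresses only; the classification tag is optional.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<classification>[^\]]+)\] )?"
    r"\[Priority: (?P<priority>\d+)\] "
    r"(?P<timestamp>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))? -> (?P<dst_ip>[\d.]+)(?::(?P<dst_port>\d+))? "
    r"(?P<proto>[A-Z]+) TTL:(?P<ttl>\d+) TOS:(?P<tos>0x[0-9A-Fa-f]+) ID:(?P<ip_id>\d+) "
    r"IpLen:(?P<ip_len>\d+) DgmLen:(?P<dgm_len>\d+)(?P<df> DF)?"
    r"(?: (?P<tcp_flags>[12UAPRSF*]{8}) Seq: (?P<seq>0x[0-9A-Fa-f]+) Ack: (?P<ack>0x[0-9A-Fa-f]+) "
    r"Win: (?P<win>0x[0-9A-Fa-f]+) TcpLen: (?P<tcp_len>\d+))?")

# Snort prints TCP flags in the fixed order "12UAPRSF": reserved bits 1 and 2
# (CWR, ECE), then URG, ACK, PSH, RST, SYN, FIN; '*' marks a bit that is clear.
FLAG_NAMES = ["CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]
INT_FIELDS = ("priority", "src_port", "dst_port", "ttl", "ip_id", "ip_len", "dgm_len", "tcp_len")


def decode_tcp_flags(flag_str):
    return [name for ch, name in zip(flag_str, FLAG_NAMES) if ch != "*"]


def parse_snort_alert(text):
    flat = " ".join(text.split())          # same record for multi-line or collapsed input
    m = ALERT_RE.search(flat)
    if not m:
        raise ValueError("not a Snort full-format alert")
    rec = m.groupdict()
    for key in INT_FIELDS:
        if rec[key] is not None:
            rec[key] = int(rec[key])
    rec["rule_id"] = f"{rec['gid']}:{rec['sid']}:{rec['rev']}"   # gid:sid:rev for rule lookup
    rec["df"] = rec["df"] is not None
    if rec["tcp_flags"]:
        rec["tcp_flags"] = decode_tcp_flags(rec["tcp_flags"])
    rec["five_tuple"] = (rec["src_ip"], rec["src_port"], rec["dst_ip"], rec["dst_port"], rec["proto"])
    # Both endpoints private means internal-to-internal traffic, which matters when
    # deciding which side of an ATTACK_RESPONSE alert is the suspected compromised host.
    rec["internal_only"] = all(ipaddress.ip_address(ip).is_private
                               for ip in (rec["src_ip"], rec["dst_ip"]))
    return rec


if __name__ == "__main__":
    for key, value in parse_snort_alert(SAMPLE_ALERT).items():
        print(f"{key:15} {value}")
```

For this alert the record shows ACK and PSH set, the DF bit on, and both endpoints in RFC 1918 space, so the "attacker" column of the triage table is not a simple external address: the source here is the host that sent the response, which is the one to pull into the investigation first.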

Alert Metadata Extraction

When investigating alerts, extract these key data points:

Field              Purpose                            Next Step
Source IP          Identify attacker/victim           Look up in asset inventory and threat intel
Signature/Rule ID  Understand detection logic         Review the rule, check for false positives
Timestamp          Timeline reconstruction            Correlate with other events
File Hash          Unique malware identifier          Submit to VirusTotal, sandbox
User Account       Identify compromised credentials   Check login history, reset if needed
