How is everyone teaching log analysis?

Hello all,

Given that understanding and interpreting logs is a critical skill needed to pass the CySA+ exam, I was curious how others are teaching log analysis. I tend to use GNS3 and/or stand-alone Virtual Machines and have some activities where I have folks interact with server processes (http, mail, ssh, etc.) and watch the logs. I also like to have my students run basic attacks from one appliance and watch the logs in real-time on the target appliance as the attacks play out. What is everyone else doing in this area? :)
 
I start by having students create a PowerShell script to parse security-related events on a Win10 system (the ones here: https://www.csoonline.com/article/3...ows-10-security-event-log-ids-to-monitor.html). Once they grab the right events, I make sure they have the output reduced/formatted properly.

Then we do the same thing on an Ubuntu Server VM using a Bash script alongside grep/awk (as described here: https://www.xplg.com/linux-security-investigate-suspected-break-in/).

This gets them to practice the core underlying skills needed to parse events. But in real life, they're likely going to be working in a SOC or for an MSP that drops a SIEM appliance in customer locations and remotely monitors them. So they'll have to know how to make rules in their IDS/IPS/SIEM environment to continually streamline the processing of suspicious traffic so that real security events are identified and harmless suspicious events are ignored.

So after that, I have them install Bro in their Linux VM and have them perform various network attacks (e.g. OWASP ZAP in attack mode) from a Kali VM to see how Bro responds. Then we identify key events related to the attack as well as events that are suspicious but harmless (this depends on your environment and the interpretation here is key). After that, I guide them through Bro-Script and have them craft tasks for the policy engine to apply to future traffic in order to flag known serious events and not be triggered by harmless ones.

Then we do the exact same thing but with the easy graphical interfaces of Security Onion and Alienvault OSSIM, as well as discuss how to research and identify harmless and potentially harmful traffic, classifications like "Generic protocol common decode", and how to continuously apply rules to narrow down the data to make it easier to identify potential malicious activity.

Overall, it's a big topic that takes about 40 hours of my class time.
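As an added example (not from this thread or the linked xplg article), here is the kind of grep/awk pass over Ubuntu's auth.log that the Bash step above describes, run on constructed sshd lines: count failed passwords per source, flag sources over a threshold, and list any successful login from a flagged source. The sample log, threshold and function names are assumptions for the exercise.

```shell
#!/bin/sh
# Added example, not code from the thread or the linked article: a grep/awk pass
# over sshd lines as found in /var/log/auth.log. The log lines below are constructed.
SAMPLE_LOG='Apr  1 10:00:01 ubuntu sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr  1 10:00:03 ubuntu sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Apr  1 10:00:05 ubuntu sshd[1204]: Failed password for root from 203.0.113.7 port 51024 ssh2
Apr  1 10:00:08 ubuntu sshd[1204]: Failed password for root from 203.0.113.7 port 51025 ssh2
Apr  1 10:00:12 ubuntu sshd[1209]: Accepted password for root from 203.0.113.7 port 51026 ssh2
Apr  1 10:01:40 ubuntu sshd[1220]: Failed password for alice from 198.51.100.4 port 40021 ssh2
Apr  1 10:01:44 ubuntu sshd[1220]: Accepted password for alice from 198.51.100.4 port 40022 ssh2
Apr  1 10:02:00 ubuntu sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls'
THRESHOLD=3   # failures from one source before we treat it as a guessing attempt (assumed)

# failed_by_ip LOG: prints "count ip" per source address, most failures first
failed_by_ip() {
  printf '%s\n' "$1" | grep 'sshd\[' | grep 'Failed password' \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# flagged_ips LOG THRESHOLD: sources with at least THRESHOLD failed passwords
flagged_ips() {
  failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# successes_from_flagged LOG THRESHOLD: "user ip" for every Accepted login from a
# flagged source. A burst of failures followed by a success is the event worth
# escalating; a single typo before a login (alice above) is harmless noise.
successes_from_flagged() {
  flagged="$(flagged_ips "$1" "$2")"
  printf '%s\n' "$1" | grep 'sshd\[' | grep 'Accepted ' \
    | awk -v list="$flagged" '
        BEGIN { n = split(list, a, "\n"); for (i = 1; i <= n; i++) f[a[i]] = 1 }
        { u = ""; ip = ""
          for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i + 1); if ($i == "from") ip = $(i + 1) }
          if (ip in f) print u, ip }'
}

echo "Failed SSH logins per source:"
failed_by_ip "$SAMPLE_LOG"
echo "Sources at or above $THRESHOLD failures:"
flagged_ips "$SAMPLE_LOG" "$THRESHOLD"
echo "Successful logins from flagged sources (investigate):"
successes_from_flagged "$SAMPLE_LOG" "$THRESHOLD"
```

Against a real system, replace the constructed variable with `$(cat /var/log/auth.log)` and tune the threshold to what is normal for that host.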
 

Tess Sluijter

I should search for it again, but I recall there being a great Github project which collected aaaaalll kinds of log samples to analyze.

EDIT:

Here's one of them -> https://github.com/logpai/loghub

Loghub maintains a collection of system logs, which are freely accessible for research purposes. Some of the logs are production data released from previous studies, while some others are collected from real systems in our lab environment. Wherever possible, the logs are NOT sanitized, anonymized or modified in any way. All these logs amount to over 77GB in total. We thus host only a small sample (2k lines) on Github for each dataset.

Meaning, the Github project has a tiny part of the samples, and you can pull a HUGE amount of data in through their project.