Day4 labs Log monitoring Flashcards
Two Main Log Sources:
Host-Centric Logs
Network-Centric Logs
Logs that originate from inside a system (the host). Examples:
File access
Login attempts
Processes running
Registry modifications
Host-Centric Logs
Logs that show interaction between systems. Examples:
SSH connections
FTP file access
Web traffic
VPN connections
Network-Centric Logs
Is Registry Activity host- or network-centric?
Host-Centric
Is VPN activity host- or network-centric?
Network-Centric
__________: Adding extra information to logs (e.g., resolving IPs to locations, tagging users, identifying threat intel indicators).
Enrichment
Logs can be stored in
Local Systems: Where the logs are generated.
Centralized Repositories: Like internal servers or SIEM tools.
Cloud Storage: Services like AWS S3, Azure Blob, etc.
Log Retention
Hot Storage (0–6 months): Fast access, real-time queries, often used in daily ops.
Warm Storage (6 months–2 years): Slightly slower, used for historical analysis.
Cold Storage (2–5 years): Archived, compressed, not easily accessible, long-term use.
Log Deletion
Why deletion must be controlled:
You don’t want to delete logs that might still be useful.
Deletion must follow retention and backup policies.
Always back up critical logs before deletion.
📏 Why organizations delete logs:
Keep logs manageable for analysis.
Comply with regulations like GDPR (don’t keep unnecessary user data).
Reduce storage and processing costs.
YARA and Sigma
YARA: Used for identifying and classifying malware samples based on textual or binary patterns.
Sigma: A generic signature format for SIEM systems, allowing the creation of rules to detect suspicious log events.