Section 3

You arrive at the company, where the security operations lead is expecting you. They describe the nature of the incident and how they discovered that someone has been exfiltrating information from their networks. After enquiring about the initial context, what is the first thing you ask them? Show me your logs, man! More often than not, these logs will come in several different formats and won't be centralized; heck, not even the time offsets of their timestamps will be in sync. Learning the art of log parsing, aggregation and exploration is an essential part of your tradecraft.
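As an added example (not code from the original page or from the exercise it describes), the script below merges two constructed log feeds in different formats onto a single UTC timeline and corrects a known clock offset on one of the hosts; the log formats, host names, addresses and the 90-second skew are all assumptions made up for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone
from functools import partial

# Constructed sample logs (not from the page). The firewall logs in local time
# with an explicit +02:00 offset; the proxy logs in UTC, but its host clock is
# assumed (say, from the interview with the ops lead) to run 90 seconds fast.
FIREWALL_LOG = """\
2023-03-14T10:15:02+02:00 fw01 ACCEPT src=10.0.0.5 dst=203.0.113.7 dport=443
2023-03-14T10:15:09+02:00 fw01 ACCEPT src=10.0.0.5 dst=203.0.113.7 dport=443
"""
PROXY_LOG = """\
[14/Mar/2023:08:15:05 +0000] 10.0.0.5 CONNECT upload.example.net:443 bytes_out=52428800
"""

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
PROXY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<src>\S+) (?P<msg>.*)$")

def parse_firewall(line):
    """ISO-8601 timestamp carrying its own offset, normalised to UTC."""
    m = FW_RE.match(line)
    ts = datetime.fromisoformat(m["ts"])          # offset-aware datetime
    return {"ts": ts.astimezone(timezone.utc), "source": m["host"], "msg": m["msg"]}

def parse_proxy(line, skew=timedelta(0)):
    """CLF-style timestamp; 'skew' is how far this host's clock runs ahead of true time."""
    m = PROXY_RE.match(line)
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"ts": ts - skew, "source": "proxy", "msg": f"{m['src']} {m['msg']}"}

def build_timeline(feeds):
    """feeds: (raw_text, parser) pairs. Returns every event sorted on one UTC timeline."""
    events = [parser(line) for raw, parser in feeds
              for line in raw.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])

def corrected_timeline():
    """Merge with the proxy's 90 s clock skew removed."""
    return build_timeline([
        (FIREWALL_LOG, parse_firewall),
        (PROXY_LOG, partial(parse_proxy, skew=timedelta(seconds=90))),
    ])

def naive_timeline():
    """Same merge without the skew correction, to show how the event order changes."""
    return build_timeline([(FIREWALL_LOG, parse_firewall), (PROXY_LOG, parse_proxy)])

if __name__ == "__main__":
    for e in corrected_timeline():
        print(e["ts"].isoformat(), e["source"], e["msg"])
```

Comparing the two timelines shows why the offset matters: with the skew removed, the proxy CONNECT moves ahead of both firewall entries instead of sitting between them.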