Security Log Library

Browse our comprehensive library of security log analysis guides. Learn to investigate Windows Event IDs, web server errors, authentication attacks, and advanced threat patterns.

41 Log Guides in 4 Categories

Windows Security Events

6 guides

Critical Windows Event IDs every security analyst should monitor — failed logons, privilege escalation, Kerberos attacks, and audit tampering.

Windows Event 1102 — Security Audit Log Cleared
Investigate Windows Event 1102, logged when the Security event log is cleared. This is a critical indicator of anti-forensic activity and evidence tampering ...
Windows Security Anti-Forensics / Evidence Tampering P1
Windows Event 4698 — Scheduled Task Created
Track Windows Event 4698 to detect malicious scheduled tasks. Attackers use scheduled tasks for persistence, privilege escalation, and lateral movement in co...
Windows Security Persistence / Scheduled Task Abuse P2
Windows Event 4769 — Kerberos Service Ticket Requested
Monitor Windows Event 4769 to detect Kerberoasting attacks, lateral movement, and abnormal service ticket requests. Essential for securing Active Directory e...
Windows Security Kerberoasting / Lateral Movement P2
Windows Event 4776 — NTLM Credential Validation
Analyze Windows Event 4776 to monitor NTLM authentication attempts. Detect pass-the-hash attacks, legacy protocol abuse, and credential validation failures a...
Windows Security Pass-the-Hash / NTLM Abuse P2
Windows Event 4719 — System Audit Policy Changed
Monitor Windows Event 4719, generated when the system audit policy is modified. Detect defense evasion where attackers disable logging to cover their tracks ...
Windows Security Defense Evasion / Audit Tampering
Windows Event 4771 — Kerberos Pre-Authentication Failed
Investigate Windows Event 4771, logged when Kerberos pre-authentication fails. Detect password guessing, brute force via Kerberos, and locked-out service acc...
Windows Security Kerberos Brute Force

Web Server Logs

12 guides

HTTP error codes from IIS, Nginx, and Apache that indicate scanning, brute force, injection attacks, and directory traversal attempts.

IIS 401 Error — Unauthorized Access Attempt
Diagnose IIS HTTP 401 Unauthorized errors. Learn how to detect brute force attacks, misconfigured authentication, and credential theft targeting your IIS web...
IIS Brute Force / Authentication Bypass P1
Apache Directory Traversal Attack Detection
Detect directory traversal attacks in Apache access logs. Identify path traversal sequences targeting sensitive files and learn mitigation strategies for Apa...
Apache Directory Traversal / LFI P2
IIS 403 Directory Traversal Detection
Detect directory traversal attacks in IIS logs. Learn to identify path traversal sequences (../) that attempt to access files outside the web root for data e...
IIS Directory Traversal P2
IIS 403 Error — Forbidden Access Denied
Troubleshoot IIS HTTP 403 Forbidden errors. Detect directory listing exposure, IP restriction bypasses, and unauthorized resource access targeting your web s...
IIS Reconnaissance / Access Violation P2
IIS 500 Error — Internal Server Error
Diagnose IIS HTTP 500 Internal Server Errors. Identify application crashes, injection attacks, and server misconfigurations that expose vulnerabilities in yo...
IIS Application Exploit / Injection P2
Nginx 403 Forbidden — Access Denied
Troubleshoot Nginx 403 Forbidden errors. Detect unauthorized access attempts, directory listing exposure, and misconfigured permissions on your Nginx web ser...
Nginx Reconnaissance / Misconfiguration P2
Apache 403 Forbidden — Access Denied
Diagnose Apache HTTP 403 Forbidden errors. Detect unauthorized access attempts, .htaccess misconfigurations, and mod_security blocks on your Apache web server.
Apache Reconnaissance / Access Violation
Apache 500 Internal Server Error
Troubleshoot Apache HTTP 500 Internal Server Errors. Identify application crashes, injection exploits, and .htaccess misconfigurations causing server-side fa...
Apache Application Exploit / Misconfiguration
IIS 404 Error — Page Not Found
Analyze IIS HTTP 404 Not Found errors. Distinguish between benign broken links and active reconnaissance where attackers probe your web server for vulnerabil...
IIS Reconnaissance / Scanning
Nginx 404 Not Found — Missing Resource Detection
Analyze Nginx 404 Not Found errors. Identify web vulnerability scanning, broken links, and automated reconnaissance targeting your Nginx server infrastructure.
Nginx Reconnaissance / Scanning
Nginx 499 Client Closed Request
Investigate Nginx 499 errors, a non-standard status indicating the client closed the connection before the server responded. Detect DDoS patterns, timeout is...
Nginx DDoS / Slowloris / Timeout
Apache 404 Not Found — Missing Resource Analysis
Analyze Apache 404 errors to distinguish between broken links and active vulnerability scanning. Detect automated reconnaissance and directory enumeration ag...
Apache Reconnaissance / Scanning

Authentication Attacks

13 guides

Patterns of credential abuse including brute force, password spraying, credential stuffing, and impossible travel across all platforms.

Admin Login Attack Detection
Detect attacks targeting administrative accounts. Monitor privileged account authentication for brute force, credential stuffing, and unauthorized access att...
Multi-Platform Admin Account Targeting P1
Brute Force Attack Log Analysis
Comprehensive guide to detecting brute force attacks across all platforms. Learn to identify, analyze, and respond to automated password guessing attacks usi...
Multi-Platform Brute Force P1
Credential Stuffing Attack Logs
Identify credential stuffing attacks in your authentication logs. Detect automated login attempts using stolen credential pairs from data breaches targeting ...
Web Application Credential Stuffing P1
Password Spraying Attack Detection
Detect password spraying attacks across your authentication infrastructure. Learn the patterns that distinguish spraying from brute force and how to protect ...
Multi-Platform Password Spraying P1
RDP Brute Force Attack Detection
Detect RDP brute force attacks using Windows Event logs. Protect Remote Desktop Protocol from automated password guessing with proper monitoring and hardenin...
Windows Security RDP Brute Force P1
SSH Brute Force Attack Detection
Detect and respond to SSH brute force attacks by analyzing auth.log patterns. Learn to identify automated password guessing, block attackers, and harden your...
Linux Auth Brute Force P1
SSH Failed Login Analysis
Analyze SSH failed login events in Linux auth logs. Distinguish between typos, misconfigurations, and active attacks by understanding failed authentication p...
Linux Auth Authentication Failure P1
Impossible Travel Login Detection
Detect impossible travel anomalies where a user authenticates from geographically distant locations in an impossibly short timeframe, indicating credential c...
Multi-Platform Account Compromise / Impossible Travel P2
Kerberos Authentication Failure Investigation
Investigate Kerberos authentication failures including AS-REP Roasting, Kerberoasting, ticket manipulation, and protocol-specific attack patterns in Active D...
Windows Security Kerberos Attack P2
Multiple Login Failures — Pattern Analysis
Analyze patterns of multiple login failures to distinguish between user mistakes, system misconfigurations, and active security attacks across any authentica...
Multi-Platform Authentication Attack P2
Service Account Abuse Detection
Detect unauthorized use of service accounts in your environment. Identify stolen service credentials, Kerberoasting targets, and service account misuse for l...
Windows Security Service Account Compromise P2
Suspicious Login Attempt Detection
Identify suspicious login attempts through behavioral analysis. Detect compromised accounts, unauthorized access, and social engineering by recognizing anoma...
Multi-Platform Account Compromise / Anomalous Access P2
Windows Authentication Failure Analysis
Comprehensive guide to analyzing Windows authentication failures across NTLM, Kerberos, and local logon. Detect attacks and troubleshoot legitimate access is...
Windows Security Authentication Failure P2

Attack Patterns & Techniques

10 guides

Advanced attack techniques detected through log analysis — DDoS, SQL injection, XSS, lateral movement, PowerShell abuse, and privilege escalation.

DDoS Attack Log Analysis
Detect and analyze DDoS attacks in web server and network logs. Identify volumetric floods, application-layer attacks, and slowloris patterns to protect your...
Multi-Platform DDoS / Volumetric Attack P1
Directory Traversal Attack Logs
Detect directory traversal and local file inclusion attacks across web platforms. Learn to identify path traversal patterns in access logs and protect sensit...
Web Application Directory Traversal / LFI P1
Lateral Movement Detection in Logs
Detect lateral movement across your network by analyzing authentication, process, and network logs. Identify PsExec, WMI, RDP, and other techniques attackers...
Windows Security Lateral Movement P1
Privilege Escalation Detection in Logs
Detect privilege escalation attacks in Windows and Linux logs. Identify unauthorized elevation from standard user to admin, token manipulation, and exploitat...
Multi-Platform Privilege Escalation P1
SQL Injection Attack Log Detection
Detect SQL injection attacks in web server access logs. Identify UNION-based, blind, and error-based injection attempts targeting your web applications with ...
Web Application SQL Injection P1
Suspicious PowerShell Execution Detection
Detect malicious PowerShell execution in Windows event logs. Identify encoded commands, download cradles, AMSI bypasses, and living-off-the-land attack techn...
Windows Security PowerShell Abuse / Living Off the Land P1
XSS Attack Log Detection
Detect Cross-Site Scripting (XSS) attacks in web server logs. Identify reflected, stored, and DOM-based XSS attempts targeting your web application users.
Web Application Cross-Site Scripting (XSS) P1
Bot Traffic Detection in Web Logs
Detect and classify bot traffic in your web server logs. Distinguish between legitimate search engine crawlers, good bots, and malicious automated traffic co...
Web Application Bot Traffic / Scraping P2
Port Scanning Detection in Logs
Detect port scanning activity in firewall and network logs. Identify reconnaissance attempts, service enumeration, and pre-attack probing targeting your infr...
Firewall / Network Reconnaissance / Port Scanning P2
Malicious User-Agent Detection in Logs
Identify malicious User-Agent strings in web server logs. Detect vulnerability scanners, bots, and attack tools by analyzing User-Agent patterns targeting yo...
Web Application Scanning / Bot Activity
