
Log Analysis Workflow: Alert → Evidence → Action

A calm, evidence-driven way to respond to alerts without panic or guesswork.

$ alert --id 1842 --summarize
Signal: suspicious login + new device
Next: correlate identity + endpoint + network

The 5 questions that matter

  • What happened? (exact event and timestamps)
  • Where? (device, user, IP, geo, host)
  • So what? (impact if true)
  • How sure are we? (confidence level)
  • What action is safe now? (containment that doesn’t break business)

Step 1: Normalize the alert into facts

  • Time window: first seen, last seen
  • Entities: user, endpoint, IP, process, URL/domain
  • Category: identity, endpoint, network, email, cloud app
  • Severity vs confidence: treat them separately

Step 2: Correlate across three sources

Identity logs

Sign-in anomalies, impossible travel, new device enrollments, MFA prompts, token refresh patterns.

Endpoint telemetry (EDR)

Process tree, command line, persistence attempts, suspicious parent processes, lateral movement signals.

Network / firewall logs

Destination reputation, unusual ports, beacon patterns, new outbound destinations, DNS anomalies.

Step 3: Build a timeline (simple but powerful)

[T0] User sign-in from IP A
[T1] MFA challenge accepted
[T2] New device registration
[T3] Endpoint spawns suspicious process
[T4] Outbound connection to unknown domain
[T5] Data access spike / file encryption indicators

A timeline turns messy logs into a decision-friendly story.
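As an added illustration of Steps 1 to 3 (not code from the original page), the script below takes constructed identity, endpoint and network events, keeps only those tied to the alert's user or host inside a padded first-seen/last-seen window, normalizes them to one shape, sorts them into the [T0]..[Tn] timeline, and counts how many independent sources corroborate the story. All event data, user names, hosts and timestamps are made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events from three log sources (hypothetical, not real telemetry).
IDENTITY = [
    {"ts": "2024-05-01T09:00:00Z", "user": "jdoe", "host": "LT-042", "ip": "198.51.100.4", "event": "sign-in"},
    {"ts": "2024-05-02T08:01:10Z", "user": "jdoe", "host": "LT-042", "ip": "203.0.113.7", "event": "sign-in"},
    {"ts": "2024-05-02T08:01:35Z", "user": "jdoe", "host": "LT-042", "ip": "203.0.113.7", "event": "mfa_accepted"},
    {"ts": "2024-05-02T08:02:40Z", "user": "jdoe", "host": "LT-042", "ip": "203.0.113.7", "event": "new_device_registered"},
]
ENDPOINT = [
    {"ts": "2024-05-02T08:05:12Z", "user": "jdoe", "host": "LT-042", "event": "process_start", "detail": "unexpected child of winword.exe"},
    {"ts": "2024-05-02T03:10:00Z", "user": "svc_backup", "host": "SRV-01", "event": "process_start", "detail": "backup.exe"},
]
NETWORK = [
    {"ts": "2024-05-02T08:05:50Z", "host": "LT-042", "event": "outbound", "detail": "new-destination.example:443"},
]
SOURCES = (("identity", IDENTITY), ("endpoint", ENDPOINT), ("network", NETWORK))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def build_timeline(alert_user, alert_host, first_seen, last_seen, pad_minutes=30):
    """Step 1 + Step 3: keep only events linked to the alert's entities and inside
    the padded alert window, normalized to one record shape and sorted by time."""
    start = parse_ts(first_seen) - timedelta(minutes=pad_minutes)
    end = parse_ts(last_seen) + timedelta(minutes=pad_minutes)
    timeline = []
    for source, events in SOURCES:
        for e in events:
            ts = parse_ts(e["ts"])
            linked = e.get("user") == alert_user or e.get("host") == alert_host
            if linked and start <= ts <= end:
                detail = e.get("detail") or e.get("ip", "")
                timeline.append({"ts": ts, "source": source, "event": e["event"], "detail": detail})
    return sorted(timeline, key=lambda x: x["ts"])


def corroborating_sources(timeline):
    """Step 1's 'how sure are we?': number of independent sources that agree."""
    return len({e["source"] for e in timeline})


def render(timeline):
    """Format entries in the [T0]..[Tn] style used in Step 3."""
    return [f"[T{i}] {e['ts']:%H:%M:%S} {e['source']}: {e['event']} {e['detail']}".rstrip()
            for i, e in enumerate(timeline)]
```

Events from a different host or outside the window (the day-earlier sign-in, the backup job on SRV-01) drop out, so the rendered story only contains what the alert's entities actually did.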

Step 4: Decide the safest containment action

  • Identity risk: force password reset, revoke sessions, require MFA reauth, block sign-in temporarily.
  • Endpoint risk: isolate host in EDR, kill process, quarantine file, collect artifacts.
  • Network risk: block domain/IP, restrict egress, tighten rules for the affected segment.

Professional principle: choose containment actions that reduce blast radius fast, but don’t destroy evidence.

Step 5: Close the loop (the part most teams skip)

  • Root cause: vulnerability, misconfig, weak control, human error.
  • Fix: patch / harden / restrict / train.
  • Verify: retest and confirm through logs.
  • Document: incident note + evidence links (ISO-ready).