Day 02 Log Analysis

Log Analysis and SIEM Queries

Splunk SPL and Elastic KQL queries that surface real threats in real logs. Windows Event IDs, syslog, and the correlation rules that reduce noise without missing attacks.

~1 hour · Intermediate · Hands-on · Precision AI Academy

01 The Triage Process

Tier 1 analysts review every alert using a structured process:
  1. Read the alert: what rule fired?
  2. Pull context: what is the source IP, user, hostname?
  3. Search for related events: what else was this host doing?
  4. Classify: true positive, false positive, or inconclusive?
  5. Escalate to Tier 2 if suspicious.
The goal is to make this decision in 5-10 minutes per alert. Playbooks standardize the process.
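The five steps above, worked end to end on an SSH brute force alert (the alert type the Day 2 exercise asks you to write a playbook for). This is an added example, not code from the lesson: the auth.log lines are constructed, the correlation rule (five or more failures from one source within five minutes) and the classification thresholds are assumptions you would tune to your own environment, and the log year is assumed because classic syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not real traffic); addresses are RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar 14 09:01:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 14 09:01:04 web01 sshd[2213]: Failed password for invalid user test from 203.0.113.7 port 51123 ssh2
Mar 14 09:01:05 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 14 09:01:07 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 14 09:01:09 web01 sshd[2219]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 14 09:01:10 web01 sshd[2221]: Failed password for root from 203.0.113.7 port 51127 ssh2
Mar 14 09:01:12 web01 sshd[2223]: Accepted password for root from 203.0.113.7 port 51128 ssh2
Mar 14 09:15:30 web01 sshd[2300]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar 14 09:15:45 web01 sshd[2302]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_auth_log(text, year=2024):
    """Turn sshd syslog lines into event dicts; year is assumed (syslog omits it)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count unparsed lines so a format change is noticed
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "method": m["method"], "user": m["user"], "src": m["src"]})
    return events

def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule (step 1): >= threshold failed logins from one source inside the window."""
    alerts = []
    failures_by_src = defaultdict(list)
    for e in events:
        if e["outcome"] == "Failed":
            failures_by_src[e["src"]].append(e["ts"])
    for src, times in failures_by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over failure timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "ssh_brute_force", "src": src, "failures": end - start + 1,
                               "first": times[start], "last": times[end]})
                break                          # one alert per source: the noise-reduction step
    return alerts

def triage(alert, events):
    """Steps 2-5: pull context, search related events, classify, decide on escalation."""
    related = [e for e in events if e["src"] == alert["src"]]
    users = sorted({e["user"] for e in related})
    success_after = [e for e in related if e["outcome"] == "Accepted" and e["ts"] >= alert["first"]]
    if success_after:                          # a login succeeded after the failures: confirmed
        verdict, escalate = "true_positive", True
    elif "root" in users or len(users) > 3:    # root targeted or spraying, no success seen yet
        verdict, escalate = "inconclusive", True
    else:                                      # a single user fat-fingering a password
        verdict, escalate = "false_positive", False
    return {**alert, "hosts": sorted({e["host"] for e in related}), "users": users,
            "success_after": len(success_after), "verdict": verdict, "escalate_to_tier2": escalate}

def run_pipeline(text=SAMPLE_AUTH_LOG):
    events = parse_auth_log(text)
    return [triage(alert, events) for alert in detect_brute_force(events)]

if __name__ == "__main__":
    for decision in run_pipeline():
        print(decision)
```

On the constructed data only 203.0.113.7 trips the rule (five failures in eight seconds), and the accepted root login twelve seconds later turns it into a true positive that must go to Tier 2; the single failure from 198.51.100.20 never becomes an alert, which is the point of correlating before alerting.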

02 Threat Intelligence Enrichment

Raw alerts gain meaning from threat intelligence. Enrich IP addresses with VirusTotal, AbuseIPDB, Shodan, and MISP. Enrich file hashes with VirusTotal and MalwareBazaar. Enrich domains with passive DNS (Farsight DNSDB, VirusTotal). MISP (Malware Information Sharing Platform) and OpenCTI are open-source TI platforms for managing and correlating IOCs across your organization.
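Enrichment only pays off if the IOCs come out of the alert automatically and the answers from several sources collapse into one verdict. The following is an added example, not the lesson's code: it extracts IPs, hashes and domains from free-text alert fields, checks them against a local IOC feed (a flat list whose type/value/comment/tags shape is a simplification of a MISP attribute export, not MISP's schema), and combines that with the `vt_malicious` and `abuse_score` keys that the lesson's `enrich_ip()` returns. The alert text, feed entries and vendor results are constructed, and the verdict thresholds are this example's assumptions.

```python
import ipaddress
import re

# Constructed local IOC feed (shape is a simplification of a MISP attribute export)
LOCAL_IOC_FEED = [
    {"type": "ip-dst", "value": "203.0.113.7", "comment": "constructed: SSH scanner", "tags": ["tlp:amber"]},
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "comment": "constructed: dropper sample", "tags": ["tlp:green"]},   # hex value is just a placeholder
    {"type": "domain", "value": "login-verify.example", "comment": "constructed: phishing kit host", "tags": []},
]

# Constructed alert text, and the results a live enrich_ip() call would have returned for its IPs
SAMPLE_ALERT = (
    "Outbound connection from ws-042 (10.0.0.15) to 203.0.113.7 and 198.51.100.20 "
    "after download of e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "
    "from login-verify.example"
)
SAMPLE_VENDOR_RESULTS = {
    "203.0.113.7": {"vt_malicious": 7, "vt_country": "XX", "abuse_score": 100, "abuse_reports": 240},
    "198.51.100.20": {"vt_malicious": 0, "vt_country": "XX", "abuse_score": 3, "abuse_reports": 1},
}

IOC_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "sha1": re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    # TLD list kept deliberately short for the example; use a public-suffix library in production
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|example)\b", re.IGNORECASE),
}
FEED_TYPES = {"ip": ("ip-dst", "ip-src"), "sha256": ("sha256",), "sha1": ("sha1",),
              "md5": ("md5",), "domain": ("domain",)}
# Explicit RFC 1918 / loopback check: ipaddress.is_private would also flag the RFC 5737
# documentation ranges used as stand-ins here, so it is not used.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def extract_iocs(text):
    """Pull external IOCs out of alert text; internal IPs are context, not lookup targets."""
    found = {}
    for kind, pattern in IOC_PATTERNS.items():
        for value in pattern.findall(text):
            if kind == "ip":
                try:
                    addr = ipaddress.ip_address(value)
                except ValueError:
                    continue                      # regex matched something like 999.1.1.1
                if any(addr in net for net in INTERNAL_NETS):
                    continue
            found.setdefault(kind, set()).add(value.lower())
    return {kind: sorted(values) for kind, values in found.items()}

def local_feed_hits(kind, value, feed=LOCAL_IOC_FEED):
    return [a for a in feed if a["type"] in FEED_TYPES[kind] and a["value"].lower() == value]

def verdict(vendor, hits):
    """Combine vendor scores with local feed hits; thresholds are this example's assumptions."""
    vt = vendor.get("vt_malicious", 0)
    abuse = vendor.get("abuse_score", 0)
    if hits or vt >= 5 or abuse >= 80:
        return "high"
    if vt >= 1 or abuse >= 25:
        return "medium"
    return "low"

def triage_alert_iocs(alert_text=SAMPLE_ALERT, vendor_results=SAMPLE_VENDOR_RESULTS, feed=LOCAL_IOC_FEED):
    """Per-IOC verdicts for one alert; vendor_results stands in for live enrich_ip()/hash lookups."""
    report = {}
    for kind, values in extract_iocs(alert_text).items():
        for value in values:
            hits = local_feed_hits(kind, value, feed)
            vendor = vendor_results.get(value, {})
            report[value] = {"type": kind, "level": verdict(vendor, hits),
                             "local_hits": [h["comment"] for h in hits], "vendor": vendor}
    return report

if __name__ == "__main__":
    for ioc, info in triage_alert_iocs().items():
        print(f"{info['level']:6} {info['type']:7} {ioc}  local={info['local_hits']}")
```

Two details matter in practice: the internal address 10.0.0.15 is dropped before any lookup (sending your own host inventory to third-party APIs is a data leak in its own right), and an IOC with no vendor data at all still comes back "high" when it matches your local feed, so a MISP or OpenCTI hit is never silently outranked by an absent VirusTotal answer.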

03 MITRE ATT&CK Framework

MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and sub-techniques observed in real attacks. It is organized by tactics (the 'why': Initial Access, Execution, Persistence, Privilege Escalation...) and techniques (the 'how': Spearphishing Link, PowerShell, Scheduled Task...). Mapping your detections to ATT&CK identifies coverage gaps and helps communicate threat context to management.

```python
import requests

VT_API_KEY = 'your_virustotal_api_key'
ABUSE_API_KEY = 'your_abuseipdb_api_key'
TIMEOUT = 10  # seconds; an enrichment call must never hang the triage pipeline

def enrich_ip(ip: str) -> dict:
    """Look up one IP in VirusTotal and AbuseIPDB. A missing key means that source failed."""
    results = {}

    # VirusTotal v3 IP object: vendor verdict counts live under last_analysis_stats
    vt_url = f'https://www.virustotal.com/api/v3/ip_addresses/{ip}'
    r = requests.get(vt_url, headers={'x-apikey': VT_API_KEY}, timeout=TIMEOUT)
    if r.status_code == 200:
        data = r.json()['data']['attributes']
        results['vt_malicious'] = data['last_analysis_stats']['malicious']
        results['vt_country'] = data.get('country', 'unknown')
    else:
        results['vt_error'] = r.status_code  # e.g. 401 bad key, 429 quota exhausted

    # AbuseIPDB: confidence score 0-100 built from community reports in the last 90 days
    abuse_url = 'https://api.abuseipdb.com/api/v2/check'
    r = requests.get(abuse_url,
        headers={'Key': ABUSE_API_KEY, 'Accept': 'application/json'},
        params={'ipAddress': ip, 'maxAgeInDays': 90},
        timeout=TIMEOUT)
    if r.status_code == 200:
        data = r.json()['data']
        results['abuse_score'] = data['abuseConfidenceScore']
        results['abuse_reports'] = data['totalReports']
    else:
        results['abuse_error'] = r.status_code

    return results

# Example enrichment
if __name__ == '__main__':
    result = enrich_ip('8.8.8.8')
    print(result)
```
💡 Build an enrichment script that auto-runs against every new alert's IOCs. Manual lookup of 50 IPs per alert quickly becomes unsustainable. Automate what is repetitive so analysts focus on judgment calls.
📝 Day 2 Exercise
Build an Alert Triage Playbook
  1. Get a free VirusTotal API key from virustotal.com
  2. Write the enrich_ip() function from the code example above
  3. Add a file hash lookup using the VirusTotal /files/{hash} endpoint
  4. Test it against 5 known-malicious IPs from AbuseIPDB's public threat feed
  5. Write a triage playbook document for SSH brute force alerts: detection steps, enrichment steps, escalation criteria

Day 2 Summary

Challenge

Map your Wazuh/ELK SIEM's detection rules to MITRE ATT&CK tactics and techniques using the ATT&CK Navigator. Identify 3 tactic areas with no detection coverage and write rules to fill the gaps.
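The ATT&CK mapping described in section 03 and asked for in this challenge, as an added example that is not the lesson's or the ATT&CK project's code. It takes a rule inventory (constructed here, with real ATT&CK Enterprise technique IDs), computes which tactics have no detection at all, and writes an ATT&CK Navigator layer so the gaps show up visually. The technique-to-tactic table is a hand-picked subset you would normally load from the ATT&CK STIX bundle, and the version numbers in the layer header are assumptions to replace with your Navigator's.

```python
import json
from collections import defaultdict

# ATT&CK Enterprise tactics, in matrix order, using the short names Navigator uses
ENTERPRISE_TACTICS = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# Subset of technique -> tactics (real IDs); production code loads this from the STIX bundle
TECHNIQUE_TACTICS = {
    "T1566.002": ["initial-access"],                                   # Spearphishing Link
    "T1059.001": ["execution"],                                        # PowerShell
    "T1053.005": ["execution", "persistence", "privilege-escalation"], # Scheduled Task
    "T1110.001": ["credential-access"],                                # Password Guessing
    "T1003.001": ["credential-access"],                                # LSASS Memory
    "T1021.001": ["lateral-movement"],                                 # Remote Desktop Protocol
    "T1041": ["exfiltration"],                                         # Exfiltration Over C2 Channel
    "T1486": ["impact"],                                               # Data Encrypted for Impact
}

# Constructed rule inventory standing in for a Wazuh/ELK rule export
DETECTION_RULES = [
    {"id": "R-001", "name": "SSH brute force (>=5 failures / 5 min)", "techniques": ["T1110.001"]},
    {"id": "R-002", "name": "Encoded PowerShell command line", "techniques": ["T1059.001"]},
    {"id": "R-003", "name": "Scheduled task created (Windows Event ID 4698)", "techniques": ["T1053.005"]},
    {"id": "R-004", "name": "Click on phishing URL seen at proxy", "techniques": ["T1566.002"]},
    {"id": "R-005", "name": "Legacy noisy rule nobody mapped", "techniques": []},
]

def coverage_by_tactic(rules, technique_tactics=TECHNIQUE_TACTICS):
    """Tactic -> set of covered technique IDs, plus IDs the table does not know."""
    covered = {tactic: set() for tactic in ENTERPRISE_TACTICS}
    unknown = set()
    for rule in rules:
        for tid in rule["techniques"]:
            tactics = technique_tactics.get(tid)
            if tactics is None:
                unknown.add(tid)          # typo or deprecated ID: fix the rule, don't drop it silently
                continue
            for tactic in tactics:
                covered[tactic].add(tid)
    return covered, sorted(unknown)

def coverage_gaps(rules, technique_tactics=TECHNIQUE_TACTICS):
    """Tactics with zero mapped detections, in matrix order."""
    covered, _ = coverage_by_tactic(rules, technique_tactics)
    return [tactic for tactic in ENTERPRISE_TACTICS if not covered[tactic]]

def unmapped_rules(rules):
    """Rules with no ATT&CK mapping cannot be counted as coverage anywhere."""
    return [rule["id"] for rule in rules if not rule["techniques"]]

def navigator_layer(rules, name="Day 2 detection coverage", technique_tactics=TECHNIQUE_TACTICS):
    """Navigator layer JSON: one cell per (technique, tactic), score = number of rules."""
    per_cell = defaultdict(list)
    for rule in rules:
        for tid in rule["techniques"]:
            for tactic in technique_tactics.get(tid, []):
                per_cell[(tid, tactic)].append(rule["id"])
    techniques = [
        {"techniqueID": tid, "tactic": tactic, "score": len(rule_ids), "comment": ", ".join(rule_ids)}
        for (tid, tactic), rule_ids in sorted(per_cell.items())
    ]
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumed; match your Navigator
        "domain": "enterprise-attack",
        "description": "score = number of detection rules mapped to the technique",
        "techniques": techniques,
    }

if __name__ == "__main__":
    print("tactics with no coverage:", coverage_gaps(DETECTION_RULES))
    print("rules with no ATT&CK mapping:", unmapped_rules(DETECTION_RULES))
    with open("day2_coverage_layer.json", "w") as fh:
        json.dump(navigator_layer(DETECTION_RULES), fh, indent=2)
```

With the constructed inventory, nine of the fourteen tactics come back empty (everything from defense-evasion through impact, plus the two pre-intrusion tactics), which is the list you pick three from for the challenge. Load the generated JSON file through Navigator's "Open Existing Layer" to see the same picture on the matrix; a single scheduled-task rule lighting up three tactic columns is a reminder that tactic-level counts overstate coverage, so judge gaps at the technique level too.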

What's Next

The foundations from today carry directly into Day 3. In the next session the focus shifts to Incident Response Playbooks — building directly on everything covered here.

Day 2 Checkpoint

Before moving on, verify you can answer these without looking:

  • What is the core concept introduced in this lesson, and why does it matter?
  • What are the two or three most common mistakes practitioners make with this topic?
  • Can you explain the key code pattern from this lesson to a colleague in plain language?
  • What would break first if you skipped the safeguards or best practices described here?
  • How does today's topic connect to what comes in Day 3?

Live Bootcamp

Learn this in person — 2 days, 5 cities

Thu–Fri sessions in Denver, Los Angeles, New York, Chicago, and Dallas. $1,490 per seat. June–October 2026.
