Log Analysis
The examination of system, application, and network logs to detect anomalies, reconstruct events, and identify indicators of compromise.
Definition
Log analysis is the process of reviewing machine-generated records from operating systems, applications, firewalls, authentication systems, and network devices to identify security-relevant events. Logs are a primary data source in both proactive threat detection and reactive incident investigation.
Why It Matters
Logs are often the only persistent record of attacker activity on a system. They reveal authentication attempts, process executions, network connections, configuration changes, and data access patterns. Effective log analysis is the difference between detecting an intrusion in hours versus weeks — or not at all.
How It Works
Raw logs are collected and centralized, typically in a SIEM. Analysts apply parsing rules to normalize formats, then use queries, correlation rules, and anomaly detection to surface suspicious patterns. Findings are cross-referenced with threat intelligence and mapped to known attack techniques. Volume and noise are key challenges — automation is essential at scale.
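The pipeline above (parse and normalize, correlate, map to a known technique) as an added worked example; this is not code from the original page or from any product it mentions. The log lines are constructed, the JSON "webportal" format is hypothetical, and the technique IDs T1110 (Brute Force) and T1078 (Valid Accounts) are MITRE ATT&CK identifiers.

```python
import json, re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample input (not from a real system): OpenSSH syslog lines plus one JSON event from a hypothetical web portal.
RAW_LOGS = [
    "2024-05-01T10:00:01Z host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "2024-05-01T10:00:03Z host1 sshd[2203]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    '{"ts": "2024-05-01T10:00:05Z", "app": "webportal", "event": "login_failed", "user": "root", "src": "203.0.113.7"}',
    "2024-05-01T10:00:06Z host1 sshd[2207]: Failed password for root from 203.0.113.7 port 51140 ssh2",
    "2024-05-01T10:00:09Z host1 sshd[2209]: Accepted password for root from 203.0.113.7 port 51142 ssh2",
    "2024-05-01T10:05:00Z host1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2",
    "2024-05-01T10:05:02Z host1 CRON[2301]: (root) CMD (run-parts /etc/cron.hourly)",
]

SSHD_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
                     r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def normalize(line):
    """Parsing step: map one raw line onto a common schema; None when no rule matches."""
    if line.startswith("{"):
        rec = json.loads(line)
        outcome = "success" if rec["event"] == "login_ok" else "failure"
        return {"ts": rec["ts"], "src": rec["src"], "user": rec["user"], "outcome": outcome, "source": rec["app"]}
    m = SSHD_RE.match(line)
    if not m:
        return None  # noise: unrecognized line types are dropped rather than guessed at
    return {"ts": m["ts"], "src": m["src"], "user": m["user"], "source": "sshd",
            "outcome": "success" if m["outcome"] == "Accepted" else "failure"}

def detect_bruteforce(lines, threshold=3, window=timedelta(minutes=2)):
    """Correlation rule: >= threshold failures from one IP inside the window maps to Brute Force
    (T1110); a success from that IP later in the same window escalates to Valid Accounts (T1078)."""
    by_src = defaultdict(list)
    for ev in filter(None, map(normalize, lines)):
        ev["t"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["t"])
        fails = [e for e in evs if e["outcome"] == "failure"]
        for i, first in enumerate(fails):
            end = first["t"] + window
            burst = [e for e in fails[i:] if e["t"] <= end]
            if len(burst) < threshold:
                continue
            success = any(e["outcome"] == "success" and burst[-1]["t"] < e["t"] <= end for e in evs)
            findings.append({"src": src, "failures": len(burst), "sources": sorted({e["source"] for e in burst}),
                             "technique": "T1078" if success else "T1110", "severity": "high" if success else "medium"})
            break  # one finding per source; the analyst pivots on src/user from here
    return findings
```

Running `detect_bruteforce(RAW_LOGS)` yields a single high-severity T1078 finding for 203.0.113.7 that spans both the sshd and webportal sources, while the lone failure from 198.51.100.4 and the CRON line produce nothing.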
DFIR Platform
AI Triage
The AI Triage endpoint accepts raw log data and returns severity assessments, MITRE ATT&CK technique mapping, and recommended investigation steps — reducing manual triage time during high-volume incidents. https://platform.dfir-lab.ch/docs/ai/analysis