Cyber Defense Tactics


© 2026 Cyber Defense Tactics. All rights reserved.

A Carbene.AI Project

Difficulty: intermediate

Log Analysis Workflow

Systematic approach to analyzing logs during incident investigation.

Estimated time: 1-4 hours | 5 steps | 9 checklist items

Summary

Framework for effective log analysis to support incident response and threat hunting activities.

Step-by-Step Procedure

Step 1: Log Collection

Gather relevant logs for analysis.

Actions

  • Identify log sources relevant to the incident
  • Export logs covering the incident timeframe
  • Ensure log integrity (timestamps, no gaps)
  • Organize logs by source and time

Tools

  • SIEM
  • Log aggregators
  • Native log export

Step 2: Timeline Establishment

Create the initial timeline.

Actions

  • Normalize timestamps to a single timezone (UTC)
  • Identify known incident markers
  • Mark key events in the timeline
  • Note any time gaps or missing data

Step 3: Systematic Analysis

Analyze logs systematically.

Actions

  • Start from known IOCs or events
  • Work backwards and forwards in time
  • Correlate across log sources
  • Document each finding

Step 4: Pattern Identification

Look for attack patterns.

Actions

  • Search for known attack signatures
  • Identify authentication anomalies
  • Look for privilege escalation events
  • Check for lateral movement indicators

Step 5: Documentation

Document analysis results.

Actions

  • Create a detailed timeline of events
  • Document all IOCs discovered
  • Preserve relevant log excerpts
  • Write the analysis narrative
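As an added example (not part of the original procedure), the following Python script runs steps 2 to 4 of this workflow over two constructed log sources: it normalizes two different timestamp formats to UTC, merges the sources into one timeline, reports silent stretches that may indicate missing data, pivots from a known IOC backwards and forwards across both sources, and flags the failed-logins-then-success authentication anomaly. The log formats, host names and IP addresses are made up for illustration; adapt the regular expressions to your real sources.

```python
from datetime import datetime, timedelta, timezone
import re
# Constructed sample logs (hosts and IPs are made up): an auth log stamped in
# local time with a UTC offset, and a proxy log already stamped in UTC.
AUTH_LOG = """\
2024-03-01T08:00:05-05:00 srv1 sshd: Failed password for admin from 198.51.100.7
2024-03-01T08:00:09-05:00 srv1 sshd: Failed password for admin from 198.51.100.7
2024-03-01T08:00:14-05:00 srv1 sshd: Failed password for admin from 198.51.100.7
2024-03-01T08:00:20-05:00 srv1 sshd: Accepted password for admin from 198.51.100.7
2024-03-01T09:45:00-05:00 srv1 sudo: admin : COMMAND=/bin/bash"""
PROXY_LOG = """\
2024-03-01 13:01:02 UTC srv1 CONNECT 198.51.100.7:443 bytes=20480
2024-03-01 13:05:30 UTC srv2 GET http://example.invalid/ bytes=512"""
LINE_RE = {"auth": re.compile(r"^(\S+) (\S+) (.*)$"),
           "proxy": re.compile(r"^(\S+ \S+) UTC (\S+) (.*)$")}
PARSE_TS = {"auth": datetime.fromisoformat,  # offset-aware ISO 8601
            "proxy": lambda ts: datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)}

def build_timeline(logs):
    """Steps 1-3: merge every source into one UTC-ordered (time, source, host, msg) list."""
    events = []
    for source, text in logs.items():
        for line in text.splitlines():
            ts, host, msg = LINE_RE[source].match(line).groups()
            events.append((PARSE_TS[source](ts).astimezone(timezone.utc), source, host, msg))
    return sorted(events)

def find_gaps(timeline, max_gap=timedelta(minutes=30)):
    """Step 2: silent stretches longer than max_gap point at missing or deleted data."""
    return [(a[0], b[0]) for a, b in zip(timeline, timeline[1:]) if b[0] - a[0] > max_gap]

def pivot(timeline, ioc, window=timedelta(minutes=10)):
    """Step 3: events from any source within +/- window of an event naming the IOC."""
    hits = [ev[0] for ev in timeline if ioc in ev[3]]
    return [ev for ev in timeline if any(abs(ev[0] - h) <= window for h in hits)]

def brute_force_then_success(timeline, threshold=3, window=timedelta(minutes=5)):
    """Step 4: >= threshold failed logins then a success for the same host/user/IP."""
    fails, flagged = {}, []
    for t, _, host, msg in timeline:
        m = re.search(r"(Failed|Accepted) password for (\S+) from (\S+)", msg)
        if not m:
            continue
        kind, user, ip = m.groups()
        recent = [x for x in fails.get((host, user, ip), []) if t - x <= window]
        if kind == "Failed":
            fails[(host, user, ip)] = recent + [t]
        elif len(recent) >= threshold:
            flagged.append((t, host, user, ip))
    return flagged
```

Calling `build_timeline({"auth": AUTH_LOG, "proxy": PROXY_LOG})` and passing the result to the three analysis functions yields one gap before the sudo event, six events around the IOC across both sources, and one flagged login.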

Completion Checklist

  • Relevant log sources identified
  • Logs exported and preserved
  • Timestamps normalized
  • Known events marked in timeline
  • Correlation across sources completed
  • Attack patterns identified
  • IOCs extracted
  • Timeline documented
  • Analysis summary written

Evidence to Collect

  • Raw log exports
  • Normalized timeline
  • IOC list
  • Analysis notes
  • Event narrative
