Log Sources and Telemetry
Key Takeaways
- Telemetry is useful only when it is timely, trustworthy, normalized, and tied to an asset or identity.
- Security monitoring commonly uses logs from endpoints, identity providers, network devices, cloud platforms, applications, and DNS.
- Timestamps, source, destination, user, action, result, and asset context are core fields for investigation.
- Time synchronization supports accurate correlation across systems.
- Log retention and protection help preserve evidence for incident response and compliance.
Security monitoring depends on telemetry: the events, metrics, alerts, and records that describe what happened in an environment. A single log rarely tells the whole story. Analysts combine endpoint, identity, network, cloud, and application data to understand user behavior and system activity.
Common Log Sources
| Source | Useful events | Example investigation question |
|---|---|---|
| Identity provider | Logins, MFA, token use, group changes | Was the user authenticated from an unusual source? |
| Endpoint detection | Process starts, file writes, network connections | Did a script launch a suspicious process? |
| Firewall | Allowed and denied traffic | Did the host connect to an unexpected destination? |
| DNS | Name lookups | Did the endpoint query a suspicious domain? |
| Web proxy | URL access, user agent, category | Did the user download a payload? |
| Cloud control plane | API calls, role changes, storage access | Did someone change a security group or public bucket setting? |
| Application | Authentication, transactions, errors | Was sensitive data accessed or changed? |
Fields That Matter
Useful logs answer basic questions quickly: who, what, when, where, and result. Security+ scenarios often include extra data, but the core fields remain consistent.
| Field | Why it matters |
|---|---|
| Timestamp | Establishes sequence and supports correlation |
| User or principal | Ties action to identity |
| Source IP or host | Shows where activity originated |
| Destination | Shows what was accessed |
| Action | Shows what was attempted |
| Result | Success, failure, blocked, allowed, or error |
| Process or command | Helps distinguish user action from malware behavior |
| Asset criticality | Helps prioritize response |
Realistic Telemetry Set
```
2026-04-29T12:01:14Z idp user=kmorgan result=success mfa=success source_ip=198.51.100.18 device=unmanaged
2026-04-29T12:04:39Z edr host=LAP-044 user=kmorgan process=powershell.exe parent=winword.exe command="-enc SQBFAFgA..." severity=high
2026-04-29T12:04:41Z dns host=LAP-044 query=cdn-update-example.net result=198.51.100.77
2026-04-29T12:04:43Z firewall src=LAP-044 dst=198.51.100.77 dst_port=443 action=allow bytes_out=88412
```
One event says a user logged in. The combined telemetry suggests a more serious chain: unmanaged device login, document spawning PowerShell, suspicious DNS, and outbound HTTPS traffic.
Time and Integrity
Time synchronization is critical. If endpoint logs are five minutes slow and firewall logs are accurate, the analyst may misread cause and effect. NTP or another approved time source helps preserve event order.
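As an added example (not code from the page), the correlation behind the telemetry chain above and the clock-drift problem just described, worked through in Python. The sample lines are a constructed copy of the telemetry set with the edr timestamp deliberately five minutes slow; the per-source offset table, the field normalization and the pivot logic are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the page's telemetry set; the edr line is stamped
# 5 minutes early to simulate a slow endpoint clock (the page's clock-drift case).
RAW = """\
2026-04-29T12:01:14Z idp user=kmorgan result=success mfa=success source_ip=198.51.100.18 device=unmanaged
2026-04-29T11:59:39Z edr host=LAP-044 user=kmorgan process=powershell.exe parent=winword.exe command="-enc SQBFAFgA..." severity=high
2026-04-29T12:04:41Z dns host=LAP-044 query=cdn-update-example.net result=198.51.100.77
2026-04-29T12:04:43Z firewall src=LAP-044 dst=198.51.100.77 dst_port=443 action=allow bytes_out=88412
"""
# Assumed per-source clock corrections in seconds, e.g. measured against the NTP reference.
CLOCK_OFFSETS = {"edr": 300}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line, correct_clocks=True):
    """Turn one 'timestamp source k=v ...' line into a normalized event dict."""
    ts, source, rest = line.split(" ", 2)
    event = {k: v.strip('"') for k, v in KV.findall(rest)}
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    when += timedelta(seconds=CLOCK_OFFSETS.get(source, 0) if correct_clocks else 0)
    # Sources name the asset differently (host= vs src=); normalize to one field.
    event["asset"] = event.get("host") or event.get("src")
    event.update(time=when, source=source)
    return event

def parse_telemetry(text=RAW, correct_clocks=True):
    """Parse every line and order the events by (optionally corrected) time."""
    events = [parse_line(l, correct_clocks) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["time"])

def correlate(events, user, window=timedelta(minutes=10)):
    """Pivot from a user to the assets seen with that user, then keep events tied
    to either that fall within the window after the earliest linked event."""
    assets = {e["asset"] for e in events if e.get("user") == user and e.get("asset")}
    linked = [e for e in events if e.get("user") == user or e.get("asset") in assets]
    if not linked: return []
    return [e for e in linked if e["time"] - linked[0]["time"] <= window]

def chain_stages(events):
    """Label the stages of the chain, tying the firewall destination back to the
    IP that a DNS answer resolved to."""
    stages, resolved = [], {}
    for e in events:
        if e["source"] == "idp" and e.get("device") == "unmanaged":
            stages.append("unmanaged_login")
        elif e["source"] == "edr" and e.get("parent", "").lower() == "winword.exe":
            stages.append("office_spawns_" + e["process"])
        elif e["source"] == "dns":
            resolved[e["result"]] = e["query"]
            stages.append("dns_lookup:" + e["query"])
        elif e["source"] == "firewall" and e.get("action") == "allow" and e["dst"] in resolved:
            stages.append("outbound_to_resolved:%s:%s" % (resolved[e["dst"]], e["dst_port"]))
    return stages
```

With `correct_clocks=False` the PowerShell launch sorts before the login, which is exactly the cause-and-effect misreading the paragraph warns about.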
Logs should also be protected. Attackers often try to clear logs, stop agents, or tamper with audit settings. Centralized collection, access control, write-once storage, alerting on log source failure, and retention policies improve evidence quality.
Common Traps
- Collecting logs but not retaining them long enough for investigation.
- Logging only blocked traffic and missing allowed malicious traffic.
- Ignoring clock drift between systems.
- Treating an alert as proof without reviewing supporting telemetry.
- Collecting high-volume data without asset, user, or business context.
Practice Questions
- Which field is most important for correlating a login event with a firewall event in the correct order?
- An endpoint log shows Word spawning PowerShell with an encoded command, followed by DNS and outbound HTTPS events. What does the combined telemetry suggest?
- Which log sources are commonly useful during security monitoring? Select three.