• Posted by: Eng. Donya Bino
• January 18, 2026

Spot Suspicious Activity with Event Logs

Event logs are one of the most reliable sources of truth during a security incident.
Attackers may hide, but their actions leave traces.

Why Event Logs Matter in Security
Event logs help you:
1. Detect unauthorized access
2. Identify malware or ransomware activity
3. Trace attacker movement (lateral movement)
4. Reconstruct incidents after a breach

Logs answer:
1. Who did it
2. When it happened
3. From where
4. What changed

Most Important Log Sources to Monitor
Windows
1. Security Log
2. System Log
3. Application Log
4. PowerShell Operational Log

Linux
1. /var/log/auth.log
2. /var/log/syslog
3. /var/log/secure

Network & Cloud
1. Firewall logs
2. VPN logs
3. Cloud audit logs (AWS CloudTrail, Azure AD, Google Audit)

Common Suspicious Activities in Event Logs
1. Repeated Failed Login Attempts (Brute Force)
Windows Event ID: 4625 (Failed login)
Example (Windows Security Log):
Event ID: 4625
Account Name: admin
Logon Type: 10
Source Network Address: 203.0.113.45
Failure Reason: Unknown user name or bad password

Red flags:
1. Same IP hitting multiple accounts
2. Many failures followed by a success

2. Successful Logins Following Failures
Windows Event ID: 4624 (Successful Login)
Suspicious pattern: 4625 → 4625 → 4625 → 4624

This is what generally would show up as being indicative of:
1. Successful Guessing of Password
2. Credential Stuffing Attack

3.  Privilege Escalation 
Event ID on Windows: 4672 (Special Privileges Assigned)
Example:
Event ID: 4672
Username: temp_user
Privileges Granted: SeDebugPrivilege, SeBackupPrivilege

The main Red Flag: that an account with privileges assigned to it that are higher than those of an administrator.

4. Suspicious PowerShell Activity
Event ID for PowerShell: 4104
Example:
Script Block Text =
Invoke-Expression (New-Object Net.WebClient).DownloadString(...)

Red Flags: 
1. Encoded Commands
2. Downloading Scripts from the Internet
3. Invoke-Expression (IEX)
4. FromBase64String

5. Account Creation or Deletion
Event IDs for Windows:
4720 - An Account Created
4726 - An Account Deleted
Example:
Event ID: 4720
New Account Name: backup_admin
Created By: SYSTEM

Red Flag: After normal working hours, a new administration account was created.

6. Log Cleanup (Covering Tracks)
Event ID for Windows: 1102
Example: 
Event ID: 1102
The audit trail has been wiped out.
Severity: High severity indicator, this is a likely indication that there is a malicious act happening.

Detecting Easily
Example Rule:
If you want to detect…. 
1. More than 5 Failed Logins from One IP Address
2. In a period of 10 minutes
3. Then a Success Log In occurs.

Code Examples
PowerShell, for Detecting of Failed Password Logins. 
Get-WinEvent -FilterHashtable @{
    LogName='Security';
    Id=4625
} | Select TimeCreated, @{Name="User";Expression={$_.Properties[5].Value}}, Message

PowerShell: Detect Log Clearing
Get-WinEvent -FilterHashtable @{
    LogName='Security';
    Id=1102
}

Linux: Check Failed SSH Logins
grep "Failed password" /var/log/auth.log

Linux: Check Successful SSH Logins
grep "Accepted password" /var/log/auth.log

Python: Simple Failed Login Counter
from collections import Counter

failed_ips = []

with open("security.log", "r") as log:
    for line in log:
        if "4625" in line:
            ip = line.split("Source Network Address:")[-1].strip()
            failed_ips.append(ip)

counts = Counter(failed_ips)

for ip, count in counts.items():
    if count > 5:
        print(f"Suspicious IP detected: {ip} ({count} failures)")

Logging Analysis Tools
Log Analysis Native Applications:
1. Windows Event Viewer
2. Windows PowerShell
3. Linux (grep, awk, journalctl)

SIEM Depending on Logging Implementation:
1. Splunk
2. ELK
3. Wazuh
4. Graylog
5. Microsoft Defender

Tools to Analyze Logs in Cyber Security:
1. Windows Sysmon
2. OSSEC/Wazuh Agents
3. Logs from CrowdStrike and Microsoft Defender

Tips For Improved Detection
1. Centralise All Logs in a SIEM
2. Ensure All Systems are Using the Same Time Reference Using NTP
3. Monitor After Hours Activity
4. Alert for Recorded Activity Patterns Rather Than Individual Events
5. Protect Logs Against Deletion

Key Takeaway
Attackers can hide tools.
They can’t hide their logs forever.
If you know what to look for, event logs become one of your strongest defenses.