You can’t detect blind. Know which logs matter — authentication, process, network, and cloud — enable the right verbosity, and get them reliably into the SIEM.
Why: different attacks show up in different logs, so a detection program needs coverage across the key sources — authentication, process execution, network, and cloud/control-plane — because an attacker crosses all of them. When: prioritize sources by how much attacker activity they reveal (endpoint process + auth logs are highest value). Where: mapping sources to attacker behavior is what makes coverage deliberate instead of accidental.
SOURCE REVEALS
Authentication logins, failures, brute force, new-device access
Process execution what ran, by whom, with what command line (high value)
Network / DNS / proxy C2 beacons, exfiltration, suspicious destinations
Cloud control plane IAM changes, new resources, disabled logging
Application / web injection attempts, abuse, access-control violations
Endpoint process + auth logs give the most detection value per byte.Why: default logging is often too sparse to detect attacks — you must turn on the audit categories that capture attacker behavior (command lines, authentication detail, PowerShell script blocks) — without drowning in noise. When: enable high-value auditing (Linux auditd, Windows process-creation with command line, Sysmon) as part of standard hardening. Where: this overlaps directly with the System Hardening course’s logging step.
# Linux: audit sensitive activity with auditd (example rules):
auditctl -w /etc/passwd -p wa -k identity # watch changes to accounts
auditctl -a always,exit -F arch=b64 -S execve -k exec # log every command run
# Windows: enable process-creation logging WITH command line, and deploy
# Sysmon for rich process/network/registry telemetry.
# Goal: capture WHAT ran and the FULL command line — the core of detection.Why: logs are useless if they never reach the SIEM or arrive with gaps, so collection needs reliable agents/forwarders and monitoring of the pipeline itself. When: forward via agents (Filebeat, Fluent Bit, Wazuh, Splunk UF) and alert when a source goes silent. Where: a source that stops logging is both a reliability problem and a possible attacker action (disabling logging is a known technique).
# Forward system + auth logs to the SIEM (Filebeat example):
# filebeat.inputs:
# - type: filestream
# paths: [/var/log/auth.log, /var/log/audit/audit.log]
# output.elasticsearch: { hosts: ["siem:9200"] }
# Then monitor the pipeline itself:
# alert if a known source stops sending for > N minutes
# ("log source silent" is often the FIRST sign of compromise)