Overview
Your application generates logs. When something goes wrong, those logs are the story. This by-example guide teaches threat detection, incident response, and SOC skills through annotated log samples and queries — built for software engineers who want to understand what happens after an attacker gets in.
Why Software Engineers Need This
You instrument your code with metrics and traces for reliability. Security monitoring is the same discipline pointed at an adversary: the same logs, queried for behavior that should never happen on a healthy system. When you can read an auth log, write a detection rule, or triage an alert, you become an invaluable partner during incidents — not a bystander waiting for the security team.
This track uses the same tools you already encounter in production: structured logs, query languages (Splunk SPL, Elastic KQL/EQL, Microsoft Sentinel KQL), and scripting. No SOC experience or prior security background required.
What Is Blue Team By-Example Learning?
Blue team by-example learning is a detection-first approach where you learn through annotated log samples, SIEM queries, and response procedures rather than abstract theory. Each example shows:
- What it detects — the attack technique or anomaly the example identifies
- Why it indicates compromise — the behavioral pattern or indicator of compromise (IOC) and why it is significant
- How to respond — triage steps, containment actions, and escalation criteria
- False positive handling — how to distinguish malicious activity from legitimate behavior
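To make that four-part shape concrete before the numbered examples begin, here is an added illustration (not one of the guide's examples, and not code from the guide itself): a small brute-force detector run over a constructed `auth.log` sample, the kind of analysis Example 7 covers. The sample lines, the 5-failures-in-60-seconds threshold, the log year, and the allowlisted scanner address are all assumptions made for this example; a real deployment baselines the thresholds per environment.

```python
"""Brute-force detection over sshd auth.log lines, laid out as: what it
detects / why it indicates compromise / how to respond / false-positive
handling. The sample log and all tuning values are constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# What it detects: a burst of failed SSH logins from one source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
WINDOW_SECONDS = 60   # assumed tuning: baseline this per environment
FAIL_THRESHOLD = 5    # assumed tuning: failures per source inside the window
YEAR = 2026           # syslog timestamps carry no year; assumed here
# False-positive handling: assumed allowlist of an authorised credential scanner.
KNOWN_SCANNERS = {"198.51.100.7"}

# How to respond: escalation criteria keyed on severity.
RESPONSE = {
    "high": "Possible compromise: disable the accepted account, isolate the host, "
            "review the session's commands, block the source, escalate to IR.",
    "medium": "Block the source (firewall/fail2ban), confirm no Accepted from it "
              "on any host, check whether the tried usernames exist.",
    "info": "Known scanner: verify the scan window was scheduled, then close.",
}

# Constructed sample, not a real host's log.
SAMPLE_AUTH_LOG = """\
Mar  3 09:14:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 09:14:03 web01 sshd[2212]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Mar  3 09:14:05 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar  3 09:14:06 web01 sshd[2216]: Failed password for root from 203.0.113.45 port 51044 ssh2
Mar  3 09:14:08 web01 sshd[2218]: Failed password for invalid user oracle from 203.0.113.45 port 51050 ssh2
Mar  3 09:14:09 web01 sshd[2220]: Failed password for deploy from 203.0.113.45 port 51052 ssh2
Mar  3 09:14:11 web01 sshd[2222]: Accepted password for deploy from 203.0.113.45 port 51060 ssh2
Mar  3 09:20:17 web01 sshd[2301]: Failed password for alice from 10.0.0.12 port 40312 ssh2
Mar  3 09:20:25 web01 sshd[2303]: Failed password for alice from 10.0.0.12 port 40314 ssh2
Mar  3 09:20:31 web01 sshd[2305]: Accepted publickey for alice from 10.0.0.12 port 40316 ssh2
Mar  3 11:02:44 web01 sshd[2990]: Failed password for invalid user guest from 198.51.100.7 port 33001 ssh2
Mar  3 11:02:45 web01 sshd[2991]: Failed password for invalid user test from 198.51.100.7 port 33002 ssh2
Mar  3 11:02:46 web01 sshd[2992]: Failed password for invalid user user from 198.51.100.7 port 33003 ssh2
Mar  3 11:02:47 web01 sshd[2993]: Failed password for root from 198.51.100.7 port 33004 ssh2
Mar  3 11:02:48 web01 sshd[2994]: Failed password for invalid user pi from 198.51.100.7 port 33005 ssh2
"""


def parse_auth_log(text):
    """Turn matching sshd outcome lines into events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the padded day ("Mar  3")
        ts = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]})
    return events


def detect_brute_force(events):
    """One finding per source IP that reaches FAIL_THRESHOLD failures inside
    WINDOW_SECONDS; a later Accepted from the same source escalates it to high."""
    recent = defaultdict(deque)  # src -> failure timestamps still inside the window
    users = defaultdict(set)     # src -> usernames tried (spray vs. one account's typos)
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["outcome"] == "Failed":
            q = recent[src]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()
            users[src].add(ev["user"])
            if len(q) >= FAIL_THRESHOLD and src not in findings:
                # Why it indicates compromise: a person does not fail five logins in a
                # minute across several accounts; automated guessing does.
                findings[src] = {"src": src, "first_seen": q[0], "followed_by_success": False,
                                 "success_user": None, "distinct_users": 0, "severity": "medium"}
        elif ev["outcome"] == "Accepted" and src in findings:
            f = findings[src]
            f["followed_by_success"], f["success_user"], f["severity"] = True, ev["user"], "high"
    for src, f in findings.items():
        f["distinct_users"] = len(users[src])
        if src in KNOWN_SCANNERS and not f["followed_by_success"]:
            f["severity"] = "info"  # false-positive handling: expected scanner traffic
        f["response"] = RESPONSE[f["severity"]]
    return findings


if __name__ == "__main__":
    for f in detect_brute_force(parse_auth_log(SAMPLE_AUTH_LOG)).values():
        print(f"{f['src']}: {f['severity']} ({f['distinct_users']} users tried) -> {f['response']}")
```

On the sample, 203.0.113.45 crosses the threshold while cycling through four usernames and then gets an `Accepted` for `deploy`, so it is rated high (the guessing may have worked). 198.51.100.7 shows the same burst pattern but is on the scanner allowlist and never succeeds, so it is rated info. 10.0.0.12 (two failures, then a key-based login by the same user) never reaches the threshold, which is the false-positive case a raw "any failed login" alert would page you for.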
Learning Progression
| Level | Engineer Context | What You Learn |
|---|---|---|
| Beginner | "I want to read security logs and write basic queries" | Auth logs, Windows events, Apache logs, basic Splunk/Elastic queries, alert triage |
| Intermediate | "I want to detect specific attacks and respond to incidents" | AD attack detection, SIEM correlation, incident response, memory forensics |
| Advanced | "I want to build and run a detection program" | Threat hunting, detection engineering, cloud detection, SOAR, detection metrics |
Start at Beginner even if you are a senior engineer. Log reading and basic query skills are the foundation everything else builds on.
Coverage
What Is Covered
- Log analysis — Windows Event Logs, Linux syslog and auth logs, application logs, and network logs
- SIEM queries — Splunk SPL, Elastic KQL/EQL, Microsoft Sentinel KQL, and Sigma rule writing for common attack patterns
- Threat detection — detecting reconnaissance, initial access, execution, and persistence
- Incident triage — alert prioritization, IOC extraction, timeline reconstruction
- Incident response — containment, eradication, and recovery procedures
- Threat hunting — hypothesis-driven hunting, anomaly baselines, and proactive detection
- Detection engineering — writing, testing, and maintaining detection rules
What Is Not Covered
- Offensive exploitation techniques (see Red Team by Example)
- Strategic security governance (see CISO by Example)
- General IT infrastructure hardening (see IT Security by Example)
Prerequisites
- Comfort reading structured text files (logs, JSON, CSV)
- Basic understanding of HTTP, DNS, and Linux processes
- No SIEM or SOC experience required — the first examples start from raw log files
If you have debugged a production incident using logs, you already have the instincts needed to start this track.
Structure of Each Example
Every example follows a consistent five-part format:
- What This Covers — what the example detects or responds to (2-3 sentences)
- Scenario — SOC or IR analyst context with the attack technique in scope
- Annotated Log Sample or Query — raw logs, SIEM queries, or scripts with inline comments explaining each indicator and decision point
- Key Takeaway — the core defensive insight to retain (1-2 sentences)
- Why It Matters — production SOC relevance (50-100 words)
Examples by Level
Beginner (Examples 1–28)
- Example 1: Reading /var/log/auth.log
- Example 2: Reading Windows Security Event Log — Logon Events
- Example 3: Reading Windows Security Event Log — Process Creation
- Example 4: Reading /var/log/syslog
- Example 5: Reading Apache/nginx Access Logs
- Example 6: Reading Apache/nginx Error Logs
- Example 7: Identifying a Brute-Force Attack in auth.log
- Example 8: Identifying a Port Scan in Firewall Logs
- Example 9: Identifying Directory Brute-Force in Web Logs
- Example 10: Identifying SQL Injection Attempts in Web Logs
- Example 11: Identifying XSS Attempts in Web Logs
- Example 12: Recognizing Anomalous User Agent Strings
- Example 13: Basic Splunk SPL Query
- Example 14: Filtering by Time Range in Splunk
- Example 15: Splunk stats and eval — Counting Failed Logins
- Example 16: Basic Elastic KQL Query
- Example 17: Elastic EQL Sequence Query
- Example 18: Writing a Basic Sigma Rule
- Example 19: Alert Triage Workflow
- Example 20: IP Reputation Lookup
- Example 21: Extracting IOCs from a Suspicious Email
- Example 22: Checking a File Hash Against VirusTotal
- Example 23: Basic Network Traffic Analysis with tshark
- Example 24: Identifying a Reverse Shell in Network Logs
- Example 25: Detecting ICMP Tunneling
- Example 26: Reading Windows PowerShell Event Logs
- Example 27: Detecting Encoded PowerShell Commands
- Example 28: Basic Incident Ticket Creation
Intermediate (Examples 29–57)
- Example 29: Detecting Pass-the-Hash
- Example 30: Detecting Kerberoasting
- Example 31: Detecting AS-REP Roasting
- Example 32: Detecting DCSync
- Example 33: Detecting BloodHound Enumeration
- Example 34: Detecting PsExec Lateral Movement
- Example 35: Detecting WMI Lateral Movement
- Example 36: Detecting LOLBin Abuse
- Example 37: Detecting LSASS Access
- Example 38: Detecting Registry Run Key Persistence
- Example 39: Detecting Scheduled Task Persistence
- Example 40: Detecting WMI Subscription Persistence
- Example 41: Detecting Web Shell Upload
- Example 42: Detecting C2 Beaconing
- Example 43: Detecting DNS Tunneling
- Example 44: Detecting Data Exfiltration
- Example 45: Splunk Threat Hunting — Rare Process Parent-Child
- Example 46: Elastic Threat Hunting — Rare User Agents
- Example 47: Building a Detection Hypothesis
- Example 48: Sigma Rule for LSASS Access
- Example 49: Sigma Rule for Encoded PowerShell
- Example 50: Sentinel KQL — Impossible Travel
- Example 51: Sentinel KQL — New Admin Account
- Example 52: Incident Containment
- Example 53: Incident Eradication
- Example 54: Memory Forensics Triage with volatility3
- Example 55: Disk Forensics with Autopsy
- Example 56: Malware Sandbox Analysis
- Example 57: Threat Intelligence Integration
Advanced (Examples 58–85)
- Example 58: APT Detection with Multi-Stage Correlation
- Example 59: Detecting Golden Ticket Attack
- Example 60: Detecting Kerberos Delegation Abuse
- Example 61: Detecting ADCS ESC1 Abuse
- Example 62: Detecting DKOM
- Example 63: Detecting Process Hollowing
- Example 64: Detecting Fileless Malware
- Example 65: Building a Detection Pipeline
- Example 66: SOAR Playbook Design
- Example 67: Detection-as-Code Test
- Example 68: Detection Rule Lifecycle
- Example 69: Threat Hunt — Lateral Movement
- Example 70: Threat Hunt — LOLBin Abuse
- Example 71: Threat Hunt — Beaconing Detection
- Example 72: Threat Hunt — Credential Access
- Example 73: User Behavior Analytics Baseline
- Example 74: Deception Technology Alert Triage
- Example 75: Network Traffic Analysis with Zeek and RITA
- Example 76: Memory Forensics — Malware Extraction
- Example 77: Disk Forensics — Timeline Analysis
- Example 78: Cloud Detection — AWS CloudTrail Login Without MFA
- Example 79: Cloud Detection — AWS IAM Privilege Escalation
- Example 80: Kubernetes Audit Log Threat Detection
- Example 81: Incident Post-Mortem Template
- Example 82: Attack Simulation Validation
- Example 83: Purple Team Detection Mapping
- Example 84: Detection Metrics Dashboard
- Example 85: Building a Threat Intelligence Program
Last updated May 20, 2026