
Module Code - Title:

CE5022 - LOG FILES AND EVENT ANALYSIS

Year Last Offered:

2025/6

Hours Per Week:

Lecture

2

Lab

2

Tutorial

1

Other

0

Private

5

Credits

6

Grading Type:

N

Prerequisite Modules:

Rationale and Purpose of the Module:

Log files contain valuable information for infrastructure management: most malicious exploits and intrusions leave their fingerprints in log files, and system performance issues can be identified by analysing specific log data. In this module the learner will evaluate log files and learn tools to extract the valuable data they hold for detecting cyber threats and system performance issues. This module was developed under the CyberSkills HCI Pillar 3 Project. Please refer to the consortium agreement for ownership.

Syllabus:

• Log Files
  o What are log files and what data do they contain? Types of log files. What information regarding the wellbeing and efficiency of the system do they contain? Log data transmission and collection. What generates log data (OS, applications, etc.)? Extracting diagnostic data and capabilities from log data. Linux log files and diagnostic data (grep), application log files, Windows log files (Event Viewer), macOS log files (Console), Android log files (Android Studio), firewall logs (e.g. Windows Defender Firewall with Advanced Security). Reading log files using text editors and dedicated log-reading software. Log formats. Log security (access control, data recording, configuration, etc.).
• Log File Access and Analysis
  o Log file analysis: why is it important? Log file analysis use cases. Log file analysis best practices and tools: prioritisation, filtering, criticality determination, the need for context, and handling unclear messages. How do log files record changes that have occurred? How are incident causes extracted from log files? How log data points out red flags in systems: unusual behaviour, unauthorised access, extreme traffic, suspicious changes, etc. How to extract useful information and search log data using regular expressions and grep.
  o Detecting corruption of log files.
• Log Management Systems
  o What is a log management system and how does it fit into the overall security architecture (defence in depth)? Parameters of a complete log management system: collection, storage, search, correlation and output. Why is log management important? Why does it make log file analysis more feasible?
  o Management of log file data in embedded/resource-constrained devices.
  o Impact of flash-based storage on the ability to log "everything" continuously.
• SIEM
  o What are security information and event management (SIEM) tools? How SIEM software collects the log and event data generated by different applications, security devices and host systems and collates it into a single centralised platform. How SIEMs are used with YARA and Sigma rules to identify indicators of compromise when managing security for a large or diverse IT infrastructure. SIEM real-time threat analysis that provides real-time visibility across an organisation's information security systems.
• Investigating an Incident - Developing the Correct Mindset
  o Analysing how log management and analysis play a crucial role during a security incident and in identifying system performance issues. Determining normal behaviour (daily, hourly, monthly, longer) and triggers. How log files (and associated data) are leveraged in fighting cybercrime. Identifying the logs where malicious exploits and intrusions have left their fingerprints. How to develop a log file analysis mindset for cybersecurity and system performance.
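As an added worked example that is not part of the module descriptor or its teaching materials, the following Python script ties together three of the syllabus items above: searching log data with regular expressions (Python's re module here, in place of grep), spotting the red flags of unusual behaviour and unauthorised access, and detecting corruption of a log file. The sshd lines, hostnames, addresses and the HMAC key are constructed for the example; the thresholds are illustrative choices, not values the module prescribes.

```python
"""Added example (not from the CE5022 descriptor): regex parsing of constructed
sshd auth-log lines, two red-flag detectors, and a hash-chain corruption check.
Every log line, host, address and key below is made up for illustration."""
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in classic syslog format. Traditional syslog omits the
# year, so the parser takes it as a parameter (assumed 2024 here).
SAMPLE_LOG = """\
Mar 10 09:12:01 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 10 09:12:03 host1 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar 10 09:12:05 host1 sshd[2107]: Failed password for root from 203.0.113.7 port 50141 ssh2
Mar 10 09:12:06 host1 sshd[2109]: Failed password for root from 203.0.113.7 port 50150 ssh2
Mar 10 09:12:08 host1 sshd[2112]: Failed password for root from 203.0.113.7 port 50160 ssh2
Mar 10 09:12:11 host1 sshd[2115]: Accepted password for root from 203.0.113.7 port 50171 ssh2
Mar 10 09:30:44 host1 sshd[2201]: Failed password for alice from 192.0.2.15 port 41002 ssh2
Mar 10 09:30:52 host1 sshd[2203]: Accepted publickey for alice from 192.0.2.15 port 41003 ssh2
"""

# Assumed secret for sealing the log; in a real deployment it would come from a
# KMS/HSM or the log server, never sit on the host whose log it protects.
KEY = b"constructed-demo-key"

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

def parse_auth_log(text, year=2024):
    """Extract structured events with the regex above. Lines that do not match
    are dropped, exactly as a grep -E filter would drop non-auth noise."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events

def detect_red_flags(events, threshold=5, window_s=60, min_failures=3):
    """Two red flags from the syllabus: (1) 'extreme traffic' - the threshold-th
    failure from one source IP inside window_s seconds (reported once per
    burst); (2) 'unauthorised access' - a successful login from an IP that
    failed at least min_failures times just before, i.e. a guess that worked.
    min_failures provides the context that keeps a single typo from alerting."""
    flags = []
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["time"]):
        ip, t = ev["ip"], ev["time"]
        recent = [x for x in failures[ip] if (t - x).total_seconds() <= window_s]
        failures[ip] = recent
        if ev["result"] == "Failed":
            recent.append(t)
            if len(recent) == threshold:
                flags.append(("brute_force", ip, t))
        elif len(recent) >= min_failures:
            flags.append(("success_after_failures", ip, t, ev["user"], len(recent)))
    return flags

def seal_log(lines, key):
    """Append tag_i = HMAC(key, tag_{i-1} || line_i) to each line as it is
    written, so any later edit or deletion breaks the chain from that point."""
    prev, sealed = b"\x00" * 32, []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        sealed.append(f"{line} #tag={tag.hex()}")
        prev = tag
    return sealed

def verify_log(sealed, key):
    """Return the index of the first line whose tag does not verify, or None if
    the chain is intact. A deleted line surfaces at the line that followed it.
    Truncating the tail is NOT detected by this check alone, so the last tag
    must also be anchored out of band (e.g. forwarded to the log server)."""
    prev = b"\x00" * 32
    for i, entry in enumerate(sealed):
        line, sep, tag_hex = entry.rpartition(" #tag=")
        if not sep:
            return i
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        try:
            ok = hmac.compare_digest(expected, bytes.fromhex(tag_hex))
        except ValueError:  # tag field is not even valid hex
            ok = False
        if not ok:
            return i
        prev = expected
    return None

if __name__ == "__main__":
    for flag in detect_red_flags(parse_auth_log(SAMPLE_LOG)):
        print("RED FLAG:", flag)
    sealed = seal_log(SAMPLE_LOG.splitlines(), KEY)
    tampered = sealed[:5] + [sealed[5].replace("Accepted", "Failed")] + sealed[6:]
    print("intact log verifies:", verify_log(sealed, KEY) is None)
    print("first bad line in tampered log:", verify_log(tampered, KEY))
```

To run it against a real host, feed the contents of /var/log/auth.log (or the journalctl -u ssh output) to parse_auth_log and tune threshold and window_s to the baseline of normal behaviour the syllabus asks you to establish first. The sealing step only protects entries written after it is switched on, and it belongs on the collector rather than the monitored host, since an intruder with root on the host could re-seal an edited file if the key were there.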

Learning Outcomes:

Cognitive (Knowledge, Understanding, Application, Analysis, Evaluation, Synthesis)

On successful completion of this module, students will be able to:
LO1: Evaluate log files, their associated data, and the mechanisms for accessing and searching them.
LO2: Interpret valuable data from log files for cybersecurity and system performance purposes by applying best practices and tools.
LO3: Implement a log management system using security information and event management (SIEM) tools for use in infrastructure management.
LO4: Analyse log files from multiple devices and applications, utilising log aggregation techniques and SIEM tools to identify indicators of compromise in ill-defined contexts.
LO5: Apply a log file analysis mindset for cybersecurity and system performance to the effective communication of incident reports.

Affective (Attitudes and Values)

On successful completion of this module, students will be able to:
LO6: Value and accept the importance of log files and the information they contain regarding the system state.

Psychomotor (Physical Skills)

On successful completion of this module, students will be able to:

How the Module will be Taught and what will be the Learning Experiences of the Students:

This module will be delivered online in a blended fashion to industry-based learners and will be scheduled in the evening by CyberSkills. The lecturing staff will be provided by the HEA HCI Pillar 3 initiative, CyberSkills. By following recent developments in OT/ICS and its log files, we aim to ensure that students of this module are knowledgeable, proactive, creative and articulate in applying, analysing and managing log files for the OT domain. The content of the module has been determined by aligning the module syllabus with the KSAs (Knowledge, Skills and Abilities) specified in the NIST/NICE framework for the Network Services work role Network Operations Specialist (OM-NET-001). The module content was discussed and designed with industry panel input from Dell and ADI.

Research Findings Incorporated in to the Syllabus (If Relevant):

Prime Texts:

Knapp, E. D. and Langill, J. T. (2014) Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems. Syngress, U.S.

Other Relevant Texts:

Programme(s) in which this Module is Offered:

Semester(s) Module is Offered:

Spring

Module Leader:

lubna.luxmi@ul.ie