Authentication logs
These record successful and failed logon attempts, account lockouts, privilege use, and unusual access patterns (new source addresses, odd hours, first-time logons to a host). They are useful for spotting brute-force and password-spray attempts, credential abuse, lateral movement, and suspicious account activity.
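The checks described above, as an added example that is not part of the original page: a small detector run over constructed OpenSSH-style syslog lines. It flags a single source with many failures in a window (brute force), a single source trying many distinct usernames (password spray), and a success that follows a run of failures from the same source. The log lines, thresholds, and the five-minute window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH/syslog-style lines for the example; not taken from any real host.
SAMPLE_AUTH_LOG = """\
Mar  4 10:00:01 bastion sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  4 10:00:03 bastion sshd[2102]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar  4 10:00:05 bastion sshd[2103]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  4 10:00:07 bastion sshd[2104]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar  4 10:00:09 bastion sshd[2105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  4 10:00:12 bastion sshd[2106]: Accepted password for root from 203.0.113.5 port 51239 ssh2
Mar  4 10:05:00 bastion sshd[2110]: Failed password for invalid user alice from 198.51.100.9 port 40001 ssh2
Mar  4 10:05:02 bastion sshd[2111]: Failed password for invalid user bob from 198.51.100.9 port 40002 ssh2
Mar  4 10:05:04 bastion sshd[2112]: Failed password for invalid user carol from 198.51.100.9 port 40003 ssh2
Mar  4 10:05:06 bastion sshd[2113]: Failed password for invalid user dave from 198.51.100.9 port 40004 ssh2
Mar  4 10:05:08 bastion sshd[2114]: Failed password for invalid user erin from 198.51.100.9 port 40005 ssh2
Mar  4 11:30:00 bastion sshd[2200]: Accepted publickey for deploy from 10.0.0.12 port 55000 ssh2
Mar  4 11:45:00 bastion sshd[2201]: Failed password for deploy from 10.0.0.12 port 55001 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted publickey for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2024):
    """Syslog lines carry no year, so the caller supplies it (assumed 2024 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_auth_abuse(events, window=timedelta(minutes=5), fail_threshold=5, spray_users=4):
    """Return (alert_type, source_ip, detail) tuples; thresholds are example assumptions."""
    alerts = []
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        # Sliding window over failures: a dense run is a spray if it touches many
        # distinct usernames, otherwise a brute force against one account.
        for i in range(len(fails)):
            run = [f for f in fails[i:] if f["ts"] - fails[i]["ts"] <= window]
            if len(run) >= fail_threshold:
                users = {f["user"] for f in run}
                kind = "password_spray" if len(users) >= spray_users else "brute_force"
                alerts.append((kind, ip, f"{len(run)} failures, {len(users)} distinct users"))
                break  # one alert per source is enough for this pass
        # A success preceded by a run of failures from the same source is the
        # signal worth paging on: the attacker may have guessed right.
        for e in evs:
            if e["result"] == "Accepted":
                prior = [f for f in fails if timedelta(0) <= e["ts"] - f["ts"] <= window]
                if len(prior) >= 3:
                    alerts.append(("success_after_failures", ip,
                                   f"{e['user']} accepted after {len(prior)} failures"))
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_abuse(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

The single failure from 10.0.0.12 after a successful key login produces nothing, which is the point of windowing and thresholds: a lone typo is noise, a burst is signal.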
Endpoint or host logs
These include process creation, service changes, scheduled tasks, registry changes, file modifications, and command execution on a system. They help identify malware execution, persistence, privilege escalation, and suspicious tooling.
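The process-creation signals listed above, as an added example that is not part of the original page: a few rules run over constructed Sysmon-like process events. It flags an Office application spawning a shell or script host, PowerShell launched with an encoded command, and persistence via a scheduled task or a Run key. The JSON event shape, the field names, and the event contents are assumptions for the example, not any vendor's schema.

```python
import json
import re

# Constructed process-creation events in a Sysmon-like JSON-lines shape; not real telemetry.
SAMPLE_PROC_EVENTS = r"""
{"host":"ws-017","user":"CORP\\jdoe","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"host":"ws-017","user":"CORP\\jdoe","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\schtasks.exe","cmdline":"schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc minute /mo 5"}
{"host":"ws-017","user":"CORP\\jdoe","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\reg.exe","cmdline":"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /d C:\\Users\\Public\\u.exe"}
{"host":"ws-022","user":"CORP\\asmith","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -File C:\\Scripts\\backup.ps1"}
{"host":"ws-022","user":"NT AUTHORITY\\SYSTEM","parent":"C:\\Windows\\System32\\svchost.exe","image":"C:\\Windows\\System32\\taskhostw.exe","cmdline":"taskhostw.exe"}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
# PowerShell accepts unambiguous prefixes of -EncodedCommand; match the common ones.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b")
RUNKEY_RE = re.compile(r"(?i)\\CurrentVersion\\Run\b")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_proc_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_suspicious_processes(events):
    """Return (alert_type, host, detail) tuples for the rules described in the text."""
    alerts = []
    for e in events:
        parent, image, cmd = basename(e["parent"]), basename(e["image"]), e["cmdline"]
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            alerts.append(("office_spawns_shell", e["host"], f"{parent} -> {image}"))
        if image in {"powershell.exe", "pwsh.exe"} and ENC_RE.search(cmd):
            alerts.append(("encoded_powershell", e["host"], cmd))
        if image == "schtasks.exe" and re.search(r"(?i)/create\b", cmd):
            alerts.append(("scheduled_task_persistence", e["host"], cmd))
        if image == "reg.exe" and re.search(r"(?i)\badd\b", cmd) and RUNKEY_RE.search(cmd):
            alerts.append(("run_key_persistence", e["host"], cmd))
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_processes(parse_proc_events(SAMPLE_PROC_EVENTS)):
        print(alert)
```

The parent-child pairing is what makes the first rule useful: PowerShell started by explorer.exe with a script path (the ws-022 event) is ordinary administration and is left alone.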
Network traffic and firewall logs
These show inbound and outbound connections, allowed or blocked traffic, unusual ports, external communications, and unexpected internal traffic patterns. They are useful for identifying command-and-control activity, scanning, data exfiltration, and lateral movement.
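The patterns named above, as an added example that is not part of the original page: three rules over constructed firewall log lines. It flags one source touching many ports on one destination (scanning), an allowed outbound connection from an internal host to a public address on a port the organisation does not normally use (possible command-and-control or exfiltration channel), and one internal host reaching many internal hosts on administrative ports (lateral movement). The log format, the internal address ranges, the expected egress ports, and the thresholds are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall lines: timestamp action proto src dst dport. Not real traffic.
SAMPLE_FW_LOG = """\
2024-03-04T10:00:00Z DENY TCP 198.51.100.7 10.0.0.5 21
2024-03-04T10:00:00Z DENY TCP 198.51.100.7 10.0.0.5 22
2024-03-04T10:00:00Z DENY TCP 198.51.100.7 10.0.0.5 23
2024-03-04T10:00:01Z DENY TCP 198.51.100.7 10.0.0.5 25
2024-03-04T10:00:01Z ALLOW TCP 198.51.100.7 10.0.0.5 80
2024-03-04T10:00:01Z DENY TCP 198.51.100.7 10.0.0.5 110
2024-03-04T10:00:02Z DENY TCP 198.51.100.7 10.0.0.5 135
2024-03-04T10:00:02Z DENY TCP 198.51.100.7 10.0.0.5 139
2024-03-04T10:00:02Z ALLOW TCP 198.51.100.7 10.0.0.5 443
2024-03-04T10:00:03Z DENY TCP 198.51.100.7 10.0.0.5 445
2024-03-04T10:00:03Z DENY TCP 198.51.100.7 10.0.0.5 3389
2024-03-04T10:02:00Z ALLOW TCP 10.0.0.15 203.0.113.9 4444
2024-03-04T10:03:00Z ALLOW TCP 10.0.0.15 10.0.0.21 445
2024-03-04T10:03:01Z ALLOW TCP 10.0.0.15 10.0.0.22 445
2024-03-04T10:03:02Z ALLOW TCP 10.0.0.15 10.0.0.23 445
2024-03-04T10:03:03Z ALLOW TCP 10.0.0.15 10.0.0.24 3389
2024-03-04T10:03:04Z ALLOW TCP 10.0.0.15 10.0.0.25 445
2024-03-04T10:05:00Z ALLOW TCP 10.0.0.30 203.0.113.80 443
2024-03-04T10:05:10Z ALLOW UDP 10.0.0.30 10.0.0.2 53
"""

# Assumed internal ranges. Deliberately not ipaddress's is_private, which also
# treats the documentation ranges used for the public addresses here as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_EGRESS_PORTS = {53, 80, 123, 443, 587, 993, 995}   # assumed organisational baseline
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}                   # SSH, SMB, RDP, WinRM


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_fw_log(text):
    events = []
    for line in text.splitlines():
        ts, action, proto, src, dst, dport = line.split()
        events.append({"ts": ts, "action": action, "proto": proto,
                       "src": src, "dst": dst, "dport": int(dport)})
    return events


def detect_network_anomalies(events, scan_ports=10, lateral_hosts=5):
    """Return alert tuples; a production version would also window by time."""
    alerts = []
    ports_per_pair = defaultdict(set)
    admin_targets = defaultdict(set)
    for e in events:
        ports_per_pair[(e["src"], e["dst"])].add(e["dport"])
        src_int, dst_int = is_internal(e["src"]), is_internal(e["dst"])
        if e["action"] == "ALLOW" and src_int and not dst_int \
                and e["dport"] not in EXPECTED_EGRESS_PORTS:
            alerts.append(("unusual_egress", e["src"], e["dst"], e["dport"]))
        if e["action"] == "ALLOW" and src_int and dst_int and e["dport"] in ADMIN_PORTS:
            admin_targets[e["src"]].add(e["dst"])
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_ports:
            alerts.append(("port_scan", src, dst, len(ports)))
    for src, targets in admin_targets.items():
        if len(targets) >= lateral_hosts:
            alerts.append(("lateral_movement", src, len(targets)))
    return alerts


if __name__ == "__main__":
    for alert in detect_network_anomalies(parse_fw_log(SAMPLE_FW_LOG)):
        print(alert)
```

Denied traffic matters as much as allowed traffic here: the scan is visible almost entirely in DENY lines, which is why dropping blocked-connection logging to save volume costs detection coverage.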
DNS logs
These record the domain lookups made by systems and users. They can help detect beaconing (regularly timed lookups of the same name from one host), connections to malicious infrastructure, domain generation algorithms (DGAs, which typically produce bursts of lookups for random-looking names that return NXDOMAIN), and suspicious external activity that may not stand out in other network logs.
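Two of the DNS signals named above, as an added example that is not part of the original page: beaconing, detected as a host querying the same name at near-constant intervals, and DGA-style activity, detected as NXDOMAIN responses for high-entropy names from one client. The log format, the entropy and regularity thresholds, and the naive "second-to-last label" domain split (a real implementation would use the public suffix list) are assumptions for the example.

```python
import math
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed resolver log lines: timestamp client queried_name rcode. Not real traffic.
SAMPLE_DNS_LOG = """\
2024-03-04T10:00:00Z 10.0.0.15 sync.example-cdn.net NOERROR
2024-03-04T10:00:30Z 10.0.0.15 www.example.com NOERROR
2024-03-04T10:01:00Z 10.0.0.15 sync.example-cdn.net NOERROR
2024-03-04T10:02:01Z 10.0.0.15 sync.example-cdn.net NOERROR
2024-03-04T10:02:45Z 10.0.0.15 mail.example.com NOERROR
2024-03-04T10:03:00Z 10.0.0.15 sync.example-cdn.net NOERROR
2024-03-04T10:04:00Z 10.0.0.15 sync.example-cdn.net NOERROR
2024-03-04T10:05:00Z 10.0.0.15 sync.example-cdn.net NOERROR
2024-03-04T10:07:00Z 10.0.0.22 xk3jd9fq2lw8vz.com NXDOMAIN
2024-03-04T10:07:01Z 10.0.0.22 q7mzp1vt4bnx0ge.net NXDOMAIN
2024-03-04T10:07:02Z 10.0.0.22 0ahs5kdl2pzo9yu.org NXDOMAIN
2024-03-04T10:07:03Z 10.0.0.22 www.example.org NOERROR
"""


def parse_dns_log(text):
    events = []
    for line in text.splitlines():
        ts, client, name, rcode = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "client": client, "name": name.lower().rstrip("."), "rcode": rcode})
    return events


def shannon_entropy(s):
    """Bits per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(name):
    # Assumption: second-to-last label is the registered domain. Use the public
    # suffix list in real code (co.uk and friends break this shortcut).
    parts = name.split(".")
    return parts[-2] if len(parts) >= 2 else name


def detect_beaconing(events, min_queries=5, max_cv=0.1):
    """Flag (client, name) pairs whose query gaps have a low coefficient of variation."""
    alerts = []
    series = defaultdict(list)
    for e in events:
        series[(e["client"], e["name"])].append(e["ts"])
    for (client, name), times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            alerts.append(("beacon", client, name, round(m, 1)))
    return alerts


def detect_dga(events, min_entropy=3.5, min_hits=3):
    """Flag clients with several NXDOMAIN answers for high-entropy registrable labels."""
    alerts = []
    hits = defaultdict(list)
    for e in events:
        if e["rcode"] == "NXDOMAIN" and shannon_entropy(registrable_label(e["name"])) >= min_entropy:
            hits[e["client"]].append(e["name"])
    for client, names in hits.items():
        if len(names) >= min_hits:
            alerts.append(("dga", client, len(names)))
    return alerts


if __name__ == "__main__":
    ev = parse_dns_log(SAMPLE_DNS_LOG)
    print(detect_beaconing(ev))
    print(detect_dga(ev))
```

The beacon check tolerates small jitter (one query lands at 10:02:01) because real implants add a little randomness; the coefficient of variation, not an exact period, is what gives it away.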
Email security or mail logs
These show sender details, message flow, attachments, authentication results (the SPF, DKIM, and DMARC verdicts), and delivery actions. They are important for detecting phishing, business email compromise, malicious attachments, and suspicious links.
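A triage pass over mail headers, as an added example that is not part of the original page: it reads the SPF, DKIM, and DMARC verdicts from the Authentication-Results header and adds two business-email-compromise checks, a protected display name arriving from an outside domain, and a Reply-To pointing somewhere other than the From domain. The two messages, the protected domain and VIP list, and the simplified header regex (the real Authentication-Results grammar is in RFC 8601) are assumptions for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed header-only messages for the example; not real mail.
PHISH = """\
From: "Pat Lee, CEO" <pat.lee@examp1e.com>
To: finance@example.com
Reply-To: pat.lee.ceo@mail-example.net
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail (p=reject) header.from=examp1e.com

Please process the attached invoice today.
"""

LEGIT = """\
From: Pat Lee <pat.lee@example.com>
To: finance@example.com
Subject: Q1 numbers
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass (p=reject) header.from=example.com

Attached.
"""

# Simplified: picks "method=verdict" pairs; ignores the richer RFC 8601 property syntax.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def parse_auth_results(msg):
    """First verdict per method across all Authentication-Results headers."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(value.lower()):
            results.setdefault(method, verdict)
    return results


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def triage_message(raw, protected_domains=("example.com",), vip_names=("pat lee",)):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = email.message_from_string(raw)
    findings = []
    auth = parse_auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method}={auth.get(method, 'missing')}")
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    # Display-name impersonation: a VIP's name on a message from outside our domains.
    if any(v in name.lower() for v in vip_names) and from_domain not in protected_domains:
        findings.append(f"vip display name from external domain {from_domain}")
    # Reply-To redirection: replies would leave the conversation the recipient thinks they are in.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"reply-to domain {domain_of(reply)} differs from {from_domain}")
    return findings


if __name__ == "__main__":
    print(triage_message(PHISH))
    print(triage_message(LEGIT))
```

Note that the lookalike domain examp1e.com passes nothing, but a BEC message sent from a correctly configured attacker-owned domain would pass SPF, DKIM, and DMARC cleanly; the display-name and Reply-To checks are what still catch it.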