Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.2.2. Searching and Correlating Logs for Events

First Principle: A single log source tells you part of the story; correlated logs across sources tell you the complete story. Effective investigation requires combining identity logs (CloudTrail), network logs (Flow Logs), DNS logs (Resolver), and application logs to reconstruct the full attack timeline.

Investigation Workflow:
  1. Start with the initial finding — What triggered the alert? (GuardDuty finding, Security Hub alert, CloudWatch alarm)
  2. Pivot on identity — Who is the actor? (IAM user, role, access key, IP address)
  3. Expand temporally — What else did this actor do before and after the detected event?
  4. Expand across services — Did the actor access S3? Create IAM resources? Launch instances?
  5. Correlate network data — What network connections correspond to the API activity?
  6. Build the timeline — Arrange all events chronologically to reconstruct the attack narrative

Query Examples by Log Source:

| Investigation Question                              | Log Source            | Query Approach                           |
|-----------------------------------------------------|-----------------------|------------------------------------------|
| What API calls did the attacker make?               | CloudTrail            | Filter by access key ID or source IP     |
| What network connections did the instance make?     | VPC Flow Logs         | Filter by instance ENI                   |
| What DNS lookups occurred?                          | Route 53 Resolver     | Filter by VPC and time window            |
| What data was accessed in S3?                       | CloudTrail data events| Filter by bucket name and eventName      |
| What findings exist for this resource?              | Security Hub          | Filter by resource ARN                   |

⚠️ Exam Trap: CloudTrail records WHO made API calls. VPC Flow Logs record WHAT network traffic occurred. They answer different questions. A question asking "what data did the attacker exfiltrate from S3" requires CloudTrail data events (not Flow Logs).

Scenario: A compromised access key was used from an unusual IP. You query CloudTrail filtered by the key ID and discover the attacker: listed S3 buckets, downloaded objects from a PII bucket, created a new IAM user, and attached AdministratorAccess. You correlate with VPC Flow Logs to confirm data transfer volume.
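The following Python is an added example, not part of the MindMesh Academy material; it carries the six-step workflow through the scenario above on constructed data. The CloudTrail records, the VPC Flow Log lines, the access key IDs, the ENI, the bucket and user names and the IP addresses are all placeholders (documentation ranges), and the assumption is that the flows recorded for the VPC carry the transfer to the actor's IP. It pivots on the compromised key, lists the API actions in order, pulls the object keys from S3 data events (which only CloudTrail can answer), then correlates accepted flows that involve the actor's IP inside the activity window to get a byte count, and merges both sources into one timeline.

```python
"""Pivot on a compromised access key in CloudTrail, then correlate VPC Flow Logs.

All data here is constructed for illustration: key IDs, ENI, account ID, bucket,
user names and addresses are placeholders, not values from any real account.
"""
from datetime import datetime, timezone

ATTACKER_KEY = "AKIAEXAMPLEKEY000001"  # placeholder: the compromised access key
OTHER_KEY = "AKIAEXAMPLEKEY000002"     # placeholder: a key used by a legitimate workload
ATTACKER_IP = "198.51.100.77"          # TEST-NET-2 address standing in for the unusual IP

# Constructed CloudTrail records (the "Records" array of a delivered log file).
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": ATTACKER_IP, "userIdentity": {"type": "IAMUser", "accessKeyId": ATTACKER_KEY}},
    {"eventTime": "2024-05-01T10:00:20Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.0.1.25", "userIdentity": {"type": "IAMUser", "accessKeyId": OTHER_KEY}},
    {"eventTime": "2024-05-01T10:00:40Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": ATTACKER_IP, "userIdentity": {"type": "IAMUser", "accessKeyId": ATTACKER_KEY},
     "requestParameters": {"bucketName": "customer-pii-exports", "key": "2024/export-1.csv"}},
    {"eventTime": "2024-05-01T10:00:58Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": ATTACKER_IP, "userIdentity": {"type": "IAMUser", "accessKeyId": ATTACKER_KEY},
     "requestParameters": {"bucketName": "customer-pii-exports", "key": "2024/export-2.csv"}},
    {"eventTime": "2024-05-01T10:01:30Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": ATTACKER_IP, "userIdentity": {"type": "IAMUser", "accessKeyId": ATTACKER_KEY},
     "requestParameters": {"userName": "svc-backup2"}},
    {"eventTime": "2024-05-01T10:01:45Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "sourceIPAddress": ATTACKER_IP, "userIdentity": {"type": "IAMUser", "accessKeyId": ATTACKER_KEY},
     "requestParameters": {"userName": "svc-backup2",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
]

# Constructed default-format (version 2) flow records, with the header line S3 delivery prepends.
# Timestamps are epoch seconds; 1714557640 is 2024-05-01T10:00:40Z.
FLOW_LOG_LINES = """version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0example000000001 10.0.1.25 198.51.100.77 443 51822 6 900 1310720 1714557640 1714557700 ACCEPT OK
2 123456789012 eni-0example000000001 198.51.100.77 10.0.1.25 51822 443 6 400 52000 1714557640 1714557700 ACCEPT OK
2 123456789012 eni-0example000000001 10.0.1.25 203.0.113.9 443 40001 6 20 4000 1714557640 1714557700 ACCEPT OK
2 123456789012 eni-0example000000001 198.51.100.77 10.0.1.25 60000 22 6 3 180 1714550000 1714550060 REJECT OK
""".splitlines()


def to_epoch(event_time):
    """CloudTrail eventTime is ISO 8601 UTC; Flow Logs use epoch seconds, so normalise to epoch."""
    return int(datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())


def pivot_on_access_key(records, access_key_id):
    """Step 2: keep only events made with the pivot credential, oldest first."""
    hits = [r for r in records if (r.get("userIdentity") or {}).get("accessKeyId") == access_key_id]
    return sorted(hits, key=lambda r: r["eventTime"])


def describe(record):
    """One-line summary of an API event: service:eventName plus the parameter that matters."""
    params = record.get("requestParameters") or {}
    service, name = record["eventSource"].split(".")[0], record["eventName"]
    if name == "GetObject":
        detail = f"s3://{params.get('bucketName')}/{params.get('key')}"
    elif name == "AttachUserPolicy":
        detail = f"{params.get('policyArn')} -> {params.get('userName')}"
    else:
        detail = params.get("userName", "")
    return f"{service}:{name} {detail}".rstrip()


def parse_flow_record(line):
    """Parse one default-format VPC Flow Log record into the fields used for correlation."""
    f = line.split()
    return {"eni": f[2], "src": f[3], "dst": f[4], "srcport": int(f[5]), "dstport": int(f[6]),
            "bytes": int(f[9]), "start": int(f[10]), "end": int(f[11]), "action": f[12]}


def correlate_flows(flow_lines, pivot_ip, start, end, slack=60):
    """Step 5: accepted flows involving the pivot IP that overlap the API activity window."""
    matched = []
    for line in flow_lines:
        if not line.strip() or line.startswith("version"):
            continue  # skip blank lines and the header line
        flow = parse_flow_record(line)
        overlaps = flow["end"] >= start - slack and flow["start"] <= end + slack
        if flow["action"] == "ACCEPT" and pivot_ip in (flow["src"], flow["dst"]) and overlaps:
            matched.append(flow)
    return matched


def build_timeline(events, flows):
    """Step 6: merge both sources into one chronological list tagged by source."""
    entries = [(to_epoch(r["eventTime"]), "CloudTrail", f"{r['sourceIPAddress']} {describe(r)}") for r in events]
    entries += [(f["start"], "FlowLogs", f"{f['src']}:{f['srcport']} -> {f['dst']}:{f['dstport']} {f['bytes']} B")
                for f in flows]
    return sorted(entries)


def investigate(records, flow_lines, access_key_id):
    """Run the pivot-and-correlate workflow for one access key and return the findings."""
    events = pivot_on_access_key(records, access_key_id)
    if not events:
        return {"source_ips": [], "services": [], "actions": [], "objects_read": [], "bytes_to_actor": 0, "timeline": []}
    source_ips = sorted({e["sourceIPAddress"] for e in events})
    start, end = to_epoch(events[0]["eventTime"]), to_epoch(events[-1]["eventTime"])  # step 3: the window
    flows = [f for ip in source_ips for f in correlate_flows(flow_lines, ip, start, end)]
    return {
        "source_ips": source_ips,
        "services": sorted({e["eventSource"] for e in events}),             # step 4: which services
        "actions": [describe(e) for e in events],
        "objects_read": [describe(e).split(" ", 1)[1] for e in events if e["eventName"] == "GetObject"],
        "bytes_to_actor": sum(f["bytes"] for f in flows if f["dst"] in source_ips),  # volume sent to the actor
        "timeline": build_timeline(events, flows),
    }


if __name__ == "__main__":
    result = investigate(CLOUDTRAIL_RECORDS, FLOW_LOG_LINES, ATTACKER_KEY)
    for ts, source, what in result["timeline"]:
        print(datetime.fromtimestamp(ts, timezone.utc).strftime("%H:%M:%S"), source.ljust(10), what)
    print("objects read:", result["objects_read"])
    print("bytes sent to actor IP:", result["bytes_to_actor"])
```

Note that the legitimate DescribeInstances call under the other key and the rejected, out-of-window SSH attempt both drop out of the result: the first because the pivot is the key, the second because the window and the ACCEPT filter exclude it. The object keys come only from the CloudTrail S3 data events, and the transfer volume only from the flow records, which is the distinction the exam trap above draws.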

Reflection Question: Why does effective log correlation require starting with a pivot point (identity, IP, or resource) rather than searching all logs simultaneously?

Written by Alvin Varughese, Founder (15 professional certifications)