| Regulation | Retention Requirement | Example Storage Strategy |
|---|---|---|
| PCI DSS | 1 year (logs must be available immediately for last 3 months) | Hot storage for 3 months, archive older logs in cold storage |
| HIPAA | 6 years for audit logs | Cold storage with secure encryption and access controls |
| GDPR | Only retain personal data as needed | Purge logs after the business/legal retention period |
| Raw Key | Normalized Field |
|---|---|
| timestamp | @timestamp |
| event | event.action |
| user | user.name |
| ip | source.ip |
| service | host.name |
| Normalized Field | Description | Example Value |
|---|---|---|
| @timestamp | Event timestamp | 2025-08-29T22:05:12Z |
| event.action | Action taken | login_failed |
| user.name | Username performing the action | admin |
| source.ip | IP address of the actor | 203.0.113.45 |
| host.name | Hostname or service name | auth-service |
| event.type | Event classification | authentication |
| log.source | Original log source | web_app/nginx/windows |
| Component | Description | Example |
|---|---|---|
| Timestamp | When the event occurred | 2025-08-15 13:25:47 |
| Source | System, application, or device generating the log | WebServer01, AuthService |
| Event ID / Level | Classification of the event | ERROR, INFO, 4625 (Failed Login) |
| Message | Descriptive details about the event | "User admin failed login from 192.168.1.5" |
| Format | How the log is stored | Plain Text, JSON, CSV |
| Path | Why It’s Suspicious | Legitimate Use |
|---|---|---|
| \\AppData\\Local\\Temp\\ | Malware often drops or executes files here to avoid detection. | Stores temporary files for applications (e.g., browser cache, installer temp files). |
| \\AppData\\Roaming\\ | Used for persistence—malware can store malicious files that run when a user logs in. | Stores user-specific application data (e.g., browser profiles, email clients). |
| \\Windows\\Temp\\ | Attackers place malicious executables here, assuming admins rarely check this folder. | Stores temporary files for Windows updates and installations. |
| \\ProgramData\\ | Malware may insta | |
| Executable | Legitimate Use | Attacker Abuse | Common Attack Examples |
|---|---|---|---|
| powershell.exe | System administration and automation | Execute malicious scripts, download payloads | powershell -nop -exec bypass -EncodedCommand [malicious base64] |
| pwsh.exe | PowerShell Core (cross-platform) | Same as powershell.exe | Cross-platform attacks, newer PowerShell features |
| wscript.exe | Run VBScript/JS scripts | Execute malicious scripts silently | wscript.exe //B malicious.vbs |
| cscript.exe | Command-line script execution | Run malicious |
| EventID | Description |
|---|---|
| 1 | Process creation (logs executed processes, command lines, and parent-child relationships). |
| 10 | Process access (detects when a process opens another process, e.g., LSASS credential dumping). |
| 11 | File creation (tracks files written to disk, e.g., malware drops in %Temp%). |
| 12 | Registry key/value creation/deletion (monitors persistence mechanisms like Run keys). |
| 13 | Registry value modification (logs changes to existing registry entries). |
| 16 | Sysmon service configuration change (alerts if someone modifies Sysmon rules/config). |
| 22 | DNS query (records domain lookups, e.g., beaconing to C2 servers). |
| 3 | Network connection (logs TCP/UDP connections, including source/destination IPs and ports). |
| $whoami |
```go
package main

import "fmt"

// AddressBookNode represents a node in the address book BST.
type AddressBookNode struct {
	Name        string
	ContactInfo string
	Left        *AddressBookNode
	Right       *AddressBookNode
}
```
```json
[
  {
    "state": "प्रदेश १",
    "district": "सोलुखुम्बु",
    "localbody": "खुम्वु पासाङल्हमु गाउँपालिका",
    "ward": [
      1,
      2,
      3,
      4,
```