Event IDs and Audit Trails (Windows, Linux, macOS)

Security analysts are often the first to notice unusual activity on endpoints. Host-level telemetry reveals what actually happened on a machine: process creation, user actions, persistence mechanisms, and privilege use.

In interviews, you are being tested on your ability to:

Recognize suspicious process or login behavior.
Interpret system audit events in context.
Prioritize relevant data quickly.
Tie system artifacts to potential attack techniques.

You don’t need to memorize every event ID, but you should know where to look and what patterns matter.

Windows logs

Windows events are the most common telemetry in SOC environments, and they often appear in interviews. Each event provides clues about user activity, system changes, and potential compromise.

Event ID	Category	What it means / Why it matters
4624	Logon success	Useful for identifying interactive logins and sessions
4625	Logon failure	Common for brute-force or password-guessing detection
4672	Special privileges assigned	Indicates admin or system-level access
4688	Process creation	Helps identify script or malware execution
4697	Service installation	Possible persistence method
7045	New service created	Frequently abused for persistence
1102	Audit log cleared	May indicate anti-forensic activity

If given a snippet, highlight relevant fields such as user, time, source IP, and process, and explain how these relate to potential attacker techniques.

Linux logs

Linux telemetry comes from sources like /var/log/auth.log, syslog, and auditd. Key logs help detect brute-force attempts, privilege escalation, or suspicious commands.

Log source / Artifact	key Indicator	Why it matters
auth.log	Failed or root logins	Identifies brute-force or privilege escalation attempts
bash_history	Suspicious commands	Reveals attacker behavior directly
cron jobs	Unexpected entries	May signal persistence
auditd events	System call traces	Track file and process access at kernel level
/etc/passwd or sudoers changes	Privilege modification	Sign of account manipulation

Focus on pattern recognition and command context, not memorizing file paths or exact log formats.

MacOS logs

While less common in enterprise SOC interviews, macOS logs appear more frequently in cloud-first or mixed environments. Understanding macOS telemetry shows versatility.

Log source	Indicator	Why it matters
Unified logs (log show)	Process and system events	Reveal app and network activity
LaunchAgents / LaunchDaemons	Persistence mechanisms	Similar to Windows services or cron jobs
TCC (Transparency, Consent, Control)	Permission changes	Useful for detecting privacy bypasses
System extensions	Kernel-level changes	May indicate advanced persistence or malware

Interviewers typically want to know whether you can recognize equivalent behaviors across operating systems. For example, a malicious script autorun in Windows versus a LaunchAgent in macOS.

Cross-platform reasoning

High-performing candidates demonstrate conceptual mapping rather than rote recall. For example:

Behavior	Windows example	Linux / macOS equivalent
Persistence	Service install (7045)	Cron job, LaunchAgent
Privilege escalation	Event 4672	sudo abuse, UID change
Account creation	Event 4720	useradd, Directory Service log
Log clearing	Event 1102	echo > /var/log/auth.log or log rotation misuse

Connect your reasoning across systems. Showing awareness that a persistence technique in Windows has an analogous Linux or macOS method demonstrates depth and adaptability.

Interviewers value candidates who discuss signal quality and alert enrichment:

Mention how Sysmon or auditd improves visibility.
Note challenges like log retention, noise, or missing context.
Explain when you’d enrich host data with network or identity telemetry.

This shows a practical understanding of investigation constraints.

Overview

SIEM & Telemetry

Networking and OS Fundamentals for Triage

Designing Threat Detection

Endpoint, Cloud, and Identity Telemetry

Scripting and Automation for Investigations

(Optional) Digital Forensics Essentials

Mock Interviews