Guide 4: Log Redaction and IOC Extraction
A beginner-friendly practical guide for learning how to clean sensitive logs and extract indicators of compromise for cybersecurity investigation.
In this guide, you will inspect fake cybersecurity logs, remove sensitive information, and extract indicators of compromise. You will learn why logs are useful during investigations, but also why they must be cleaned before they are shared.
Overview
Learn how to review logs without exposing sensitive data
Logs record activity from systems, applications, networks, users, and security tools. They can help investigators understand what happened, when it happened, and which systems or accounts were involved. However, logs can also contain sensitive information such as emails, IP addresses, tokens, API keys, passwords, session IDs, and internal system details. Before logs are shared, they should be reviewed and redacted.
- Explain what logs are and why they are useful in cybersecurity.
- Identify sensitive information inside logs.
- Redact emails, IP addresses, tokens, API keys, passwords, and session IDs.
- Extract indicators of compromise from log text.
- Distinguish between IP addresses, domains, URLs, hashes, emails, and tokens.
- Understand why logs should be sanitised before sharing.
- Recognise suspicious patterns in simple log examples.
- Understand how extracted IOCs can support digital forensics and incident response.
Important safety note
Use only fake logs in this guide
Do not paste real company logs, university logs, private system logs, real access tokens, passwords, API keys, session cookies, or personal data into this guide. Use only the fake examples provided in this lab.
How to use this guide
Work carefully and keep the useful context
- Read each task carefully.
- Use only the fake log examples provided.
- Open the linked MuhammadLab tool when instructed.
- Copy your result or observation into the answer box.
- Think about what information should be protected.
- Save your answers locally.
- Complete the quiz.
- Mark the guide as complete when finished.
Tools used in this guide
Open the existing MuhammadLab tools as you work
Task 1
Identify sensitive values in a log
Read the fake application log and identify which values should be protected before the log is shared.
Fake application log
2026-05-12 10:15:22 INFO User login successful user_email=muhammad.student@example.com source_ip=192.168.1.25 session_id=sess_abc123xyz789 api_key=sk_test_1234567890abcdef role=student endpoint=/dashboard status=200
Tool to use
No tool required for this task.
Expected student action
Identify the email address, IP address, session ID and API key, and explain which of these values should be redacted before sharing.
Reflection question
Why is it unsafe to share logs that contain session IDs or API keys?
Optional hint
Session IDs and API keys may allow access to systems or accounts if exposed.
Task 2
Redact sensitive values from a log
Use an existing MuhammadLab redaction tool to clean the fake log while keeping the useful investigation context.
Redact this fake log
2026-05-12 10:15:22 INFO User login successful user_email=muhammad.student@example.com source_ip=192.168.1.25 session_id=sess_abc123xyz789 api_key=sk_test_1234567890abcdef password=FakePassword123! endpoint=/dashboard status=200
Tool to use
Expected student action
Paste the redacted output into the answer box and note which fields were hidden.
Reflection question
Which fields were redacted, and why?
Optional hint
Emails, IP addresses, session IDs, API keys, passwords, and tokens are commonly redacted before sharing logs.
Task 3
Extract basic IOCs from security text
Use the IOC Extractor to pull out different types of indicators from a fake security alert.
Fake alert text
Suspicious login detected from 203.0.113.45.
User reported a phishing email from attacker@example.net.
The email contained the URL http://malicious-example.com/login.
Downloaded file hash: 44d88612fea8a8f36de82e1278abb02f
Callback domain observed: cdn-update-example.org
Tool to use
Expected student action
Paste the extracted IOCs into the answer box and identify the IP address, email address, URL, domain, and hash.
Reflection question
How can extracted IOCs help in an investigation?
Optional hint
IOCs can help analysts search logs, block known bad infrastructure, compare alerts, and investigate related activity.
Task 4
Extract IPs, URLs, and emails from mixed text
Use automatic extraction to find IPs, URLs, and email addresses inside a short mixed investigation note.
Mixed text example
Please investigate the following activity:
Login from 198.51.100.23 failed five times.
User email: victim@example.com
Suspicious link: https://secure-login-example.net/reset
Another IP observed: 203.0.113.99
Contact address in phishing email: helpdesk-alert@example.org
Tool to use
Expected student action
Paste the extracted IPs, URLs, and emails into the answer box.
Reflection question
Why is automatic extraction useful when working with large logs?
Optional hint
Large logs may contain thousands of lines. Automatic extraction helps analysts quickly find useful patterns.
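The automatic extraction used in Task 3 and Task 4 can be reproduced with a few regular expressions. This is an added example, not one of the MuhammadLab tools; it runs the patterns from most to least specific and blanks each match out of the working text so that the host part of a URL or e-mail is not reported a second time as a bare domain, and it validates candidate IPs with the standard library. The output is already grouped by indicator type.

```python
import ipaddress
import re

# Most specific patterns first; every match is blanked out of the working text
# before the next pattern runs, so "example.net" inside an e-mail address or
# "malicious-example.com" inside a URL is not also reported as a domain.
IOC_PATTERNS = [
    ("url", re.compile(r"https?://[^\s\"'<>]+")),
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("hash", re.compile(r"\b(?:[A-Fa-f0-9]{64}|[A-Fa-f0-9]{40}|[A-Fa-f0-9]{32})\b")),
    ("domain", re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b")),
]
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_kind(value: str) -> str:
    """Guess the hash algorithm from the hex length (md5, sha1 or sha256)."""
    return HASH_KINDS.get(len(value), "unknown")


def extract_iocs(text: str) -> dict[str, list[str]]:
    """Return indicators grouped by type, de-duplicated, in order of first appearance."""
    found: dict[str, list[str]] = {kind: [] for kind, _ in IOC_PATTERNS}
    work = text
    for kind, pattern in IOC_PATTERNS:
        for match in pattern.findall(work):
            value = match.rstrip(".,;:)")  # sentence punctuation glued to the IOC
            if kind == "ip":
                try:
                    ipaddress.ip_address(value)  # drops things like 999.1.2.3
                except ValueError:
                    continue
            if value not in found[kind]:
                found[kind].append(value)
        work = pattern.sub(" ", work)  # hide matches from the less specific patterns
    return found


if __name__ == "__main__":
    # The guide's Task 3 fake alert text.
    ALERT = ("Suspicious login detected from 203.0.113.45. User reported a phishing "
             "email from attacker@example.net. The email contained the URL "
             "http://malicious-example.com/login. Downloaded file hash: "
             "44d88612fea8a8f36de82e1278abb02f Callback domain observed: "
             "cdn-update-example.org")
    for kind, values in extract_iocs(ALERT).items():
        print(f"{kind}: {values}")
```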
Task 5
Decode and inspect a fake JWT-like token
Use the JWT Decoder to inspect a fake token and see what information appears in the header and payload.
Fake JWT-like token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiZGVtby1zdHVkZW50IiwiZW1haWwiOiJzdHVkZW50QGV4YW1wbGUuY29tIiwicm9sZSI6InVzZXIiLCJleHAiOjE5MDAwMDAwMDB9.fake-signature
Tool to use
Expected student action
Write what information appears in the header and payload if the tool can decode it.
Reflection question
Why should tokens be redacted before sharing logs?
Optional hint
Even if a token can only be decoded and not verified, it may still reveal user, role, expiry, or system information. Real tokens may also grant access.
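The decoding step the JWT Decoder performs is a plain base64url decode of the first two segments; this added example (not the lab's tool) does that for the fake token above without verifying the signature, and lists the claims that would need redacting before the decoded form is pasted into a ticket. The `verified: False` field is there deliberately: decoding shows what a token exposes, not whether it is genuine.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> dict:
    """Decode header and payload of a compact JWT WITHOUT checking the signature.

    Anyone can do this, which is why a token in a shared log leaks everything in
    its payload; the signature only matters to the server that validates it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    exp = payload.get("exp")
    return {
        "header": header,
        "payload": payload,
        "signature_segment": parts[2],  # kept as-is; nothing here validates it
        "verified": False,
        "expired": exp is not None and exp < time.time(),
    }


def sensitive_claims(payload: dict) -> list[str]:
    """Claims that identify a person or their privileges and should be redacted."""
    return [k for k in ("sub", "user", "email", "role", "name") if k in payload]


if __name__ == "__main__":
    # The guide's Task 5 fake JWT-like token.
    TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
             "eyJ1c2VyIjoiZGVtby1zdHVkZW50IiwiZW1haWwiOiJzdHVkZW50QGV4YW1wbGUuY29tIiwi"
             "cm9sZSI6InVzZXIiLCJleHAiOjE5MDAwMDAwMDB9.fake-signature")
    result = decode_jwt_unverified(TOKEN)
    print("header :", result["header"])
    print("payload:", result["payload"])
    print("redact before sharing:", sensitive_claims(result["payload"]))
```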
Task 6
Inspect a user-agent from logs
Use the User-Agent Parser to inspect a browser string and record what the tool reveals.
Fake user-agent string
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Tool to use
Expected student action
Write the browser family, operating system, device type if shown, and rendering engine if shown.
Reflection question
How can user-agent strings help in cybersecurity investigations?
Optional hint
They can help identify browser types, operating systems, automated tools, bots, or unusual access patterns. However, they can be spoofed.
Task 7
Create a simple IOC summary
Use the results from Task 3 and Task 4 to organise extracted indicators into a short IOC summary.
Fill in this IOC summary
IP addresses:
Domains:
URLs:
Email addresses:
Hashes:
Notes:
Expected student action
Group the extracted indicators by type and add a short note about why the summary is useful.
Reflection question
Why is it useful to organise IOCs by type?
Optional hint
Different IOCs are used in different tools. IPs may be searched in firewall logs, domains in DNS logs, URLs in proxy logs, and hashes in endpoint or file logs.
Task 8
Prepare a safe-to-share incident note
Redact a fake incident note so that it keeps the useful investigation context without exposing sensitive values.
Fake incident note
Incident summary: Student account muhammad.student@example.com had repeated failed logins.
Source IP: 203.0.113.45
Session token: sess_secret_987654321
API key: sk_live_fake_abcdef123456
Suspicious URL: http://malicious-example.com/login
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Temporary password shared by mistake: TempPass123!
Expected student action
Paste the cleaned or redacted version into the answer box and keep only the information that is still useful for safe sharing.
Reflection question
What information should remain visible after redaction, and what should be hidden?
Optional hint
A useful shared note should preserve the investigation context while removing secrets and personal or sensitive values.
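The redaction asked for in Task 2 (the key=value log) and Task 8 (the free-text incident note) follows the same rule: mask the value of any secret-bearing field and any bare email, IP or token, and leave timestamps, endpoints, status codes, URLs and user-agents alone. This added example (not a MuhammadLab tool) does that for both formats and reports which kinds of value it hid, which is the note the tasks ask you to make.

```python
import re
from collections import Counter

# Fields whose value is a secret, whatever the surrounding format:
# "api_key=...", "Session token: ...", "password shared by mistake: ...".
# The value is taken up to the next whitespace.
SECRET_FIELD = re.compile(
    r"(?i)\b(?P<key>password[^:=\n]*?|api[ _]?key|session[ _]?(?:id|token))"
    r"(?P<sep>\s*[:=]\s*)(?P<val>\S+)"
)
# Personal or secret-looking values that can appear without a field name.
VALUE_PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "SECRET": re.compile(r"\b(?:sess|sk)_[A-Za-z0-9_]+"),  # sess_/sk_ style tokens
}


def redact(text: str) -> tuple[str, dict]:
    """Mask secrets and personal values; keep timestamps, endpoints, status, URLs."""
    counts: Counter = Counter()

    def mask_field(m: re.Match) -> str:
        key = m.group("key").lower()
        kind = ("PASSWORD" if key.startswith("password")
                else "API_KEY" if key.startswith("api") else "SESSION")
        counts[kind] += 1
        return f"{m.group('key')}{m.group('sep')}[REDACTED_{kind}]"

    cleaned = SECRET_FIELD.sub(mask_field, text)    # named secrets first
    for label, pattern in VALUE_PATTERNS.items():   # then bare values
        cleaned, n = pattern.subn(f"[REDACTED_{label}]", cleaned)
        counts[label] += n
    return cleaned, dict(counts)


if __name__ == "__main__":
    # The guide's Task 2 fake log line.
    LOG = ("2026-05-12 10:15:22 INFO User login successful "
           "user_email=muhammad.student@example.com source_ip=192.168.1.25 "
           "session_id=sess_abc123xyz789 api_key=sk_test_1234567890abcdef "
           "password=FakePassword123! endpoint=/dashboard status=200")
    cleaned, hidden = redact(LOG)
    print(cleaned)
    print("fields hidden:", hidden)
```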
Extension
Coming next: simple detection rule review
As an optional next step, you can open the Sigma Rule Viewer / Formatter or YARA Rule Viewer / Formatter to inspect a simple detection rule and see how analysts document suspicious patterns.
Mini summary
What this guide helped you practise
Common mistakes
Watch for these beginner traps
Mistake 1: Sharing raw logs without checking for secrets.
Mistake 2: Forgetting that session IDs and API keys can be sensitive.
Mistake 3: Treating all IP addresses as malicious without context.
Mistake 4: Assuming user-agent strings are always truthful.
Mistake 5: Sharing real JWTs, cookies, or Authorization headers in screenshots.
Mistake 6: Removing too much information and making the log useless for investigation.
Mistake 7: Confusing an indicator of compromise with confirmed proof of compromise.
Knowledge check
Quick quiz with immediate feedback
Answer the questions below to check your understanding of logs, IOCs, redaction, and safe sharing practices.
1. What is a log mainly used for in cybersecurity?
2. Which value should usually be redacted before sharing a log?
3. What does IOC stand for?
4. Which of the following can be an IOC?
5. Why should analysts be careful when interpreting IOCs?
6. Why should real JWTs or tokens not be shared publicly?
7. Why is redaction useful?
Privacy note
Your answers stay in this browser
This guide is designed for browser-based learning. Your answers and completion status are saved locally in your browser using localStorage. Do not enter real logs, real passwords, real API keys, real tokens, real cookies, private incident reports, university credentials, work credentials, or personal data.
Next
Guide 5: Steganography and Hidden Data
This next guided lab continues the path with hidden data in images and basic forensic inspection ideas.