SlideShare uma empresa Scribd logo

Understanding the Event Log

C
chuckbt

A presentation from EnergizeIT 2007 event about why and how to use the windows event log of monitoring, auditing and automatic task execution.

Tecnologia
1 de 82
Baixar para ler offline
Understanding the Event Log for a more secured environment Dave Millier Chuck Ben-Tzur
Overview Introducing… the Event Log Why Monitor Logs Enabling Event Logging Real Time Monitoring Example: Security Log Tampering Auditing and Analysis Archiving Events Example: File Modification Investigation Event Log Limitation Vista Event Log Example: Creating Log File Using Event Triggered Tasks Resources and Questions
Introducing…Event Log Centralized log service to allow applications and the operating system to report events that have taken place. Introduced with Windows NT 4 (1993). Main Windows Logs Application (example: Database message) System (example: driver failure) Security (example: Logon attempt, file access) A Windows 2003 domain controller will also include Directory Service (example: Active Directory connection problem) File Replication (example: domain controller information updates) DNS Vista has introduced a lot of changes
Why Should We Monitor Logs We don’t NEED to… We HAVE to… Organizations are obligated by regulations to gather and audit systems activity logs. HIPPA (Health Industry) Regulatory review of system activity to ensure that a user information remains private but accessible Identify, respond and document security incidents GLBA (Financial) Dual control procedures Segregation of duties SOX (Financial) Record Retention and availability Accountability
Why Should We Monitor Logs (cont.) To comply with the regulations organizations require the following forms of log monitoring Real-time monitoring Identify attack attempts in progress and if a security breach has occurred. Audit and analysis Periodic reports and analysis for regulation compliance (due diligence). Archiving Again… regulations compliance (log retention) Forensic investigation of an incident The event log should also enable the organization to implement internal security policies.
Enabling Event Logging Each event category is controlled by audit policies: Account logon events (for domain accounts) Account management (group and account events) Directory service access Logon events (local machine events) Object access (user accessing an object such as file, folder, printer) Policy change (changes in the audit, user rights and trust policies) Privilege use (user exercising one or more of his rights) Process tracking (detailed tracking information) System events (events that affect the system security or log) Each policy can be set to audit success events only, failure events only, success/failure events, or no auditing at all.
Audit Policies (Member Server)
Real-Time Monitoring Successful events that grant the user high level privileges (either by spoofing identity or elevation of privileges) Events to monitor Successful high profile user account / group management events #636– Group member added or removed Successful logon events of high profile user accounts #680 – Logon attempt Successful logon events to a domain controller Operations on specific high profile resources (files, folder) #560 (Object Access), #564 (Object Deleted) Successful policy change events #612 – Audit Policy Change (logs no more…) All system events #517 – security log was cleared
Example: Event #517 (Clear Security Log) Security Log
Example: Event #517 (Clear Security Log) Security Log A User will try to erase the logs
Example: Event #517 (Clear Security Log) Security Log A User will try to erase the logs (and not event save it)
Example: Event #517 (Clear Security Log) Security Log A User will try to erase the logs A New Event is Created
Example: Event #517 (Clear Security Log) Security Log A User will try to erase the logs A New Event is Created The Event Contains the User Name
Real-Time Monitoring (cont.) Tracking and analysing event failure patterns may indicate a range of malicious attack attempts Failed logon activity (e.g. brute force attack) #675 – Pre Auth, failed with Kerberos code 24 (Bad password) #539 - logon failure due to account lockout (if systematic may be an indication of DoS) Failed account management activity (e.g. password reset events) All failed system events #517 – Audit log cleared Note: Most of the auditing policies, by default, are set to log successful events only. Local policies may be set to no auditing at all.
Real-Time Monitoring (cont.) Possible issues Flood of events (domain controller and member server event duplication, detailed tracking events) Solution: Consolidate log information for better analysis Unmonitored systems (e.g. unaudited events on a file server) Solution: Threat modeling, identifying assets in organization Unmonitored events (detailed user and process activity) Solution: Organization security program and policies False positives due to configuration problems (e.g. expired service password) Solution: Knowledge of the network, components and assets (Human Factor)
Auditing and Analysis Most regulations require a periodic review of important events (not critical or show stoppers) for two reasons: A “second chance” to reveal malicious activity originally undetected (and unaccountable for). Audit the ongoing activity to verify no major changes have taken place. The data is usually reviewed in the form of reports (detailed and summarized) Example of Events to Monitor (A short list) #529 to #535 and #539 – Logon failure (different reasons) #629 – User account Disabled #644 – User account Locked Out
Auditing and Analysis (cont.) Possible issues Finding a critical event that was not detected by the real-time monitoring processes Solution: Investigate the incident to eliminate or mitigate any results of malicious activity. Duplicated events (Domain controller and Local Server) Solution: Correlate and consolidate events using external system Lack of security policies to help and identify events to be audited (e.g. Messenger) Solution: Define security policies to determine which event types need to be audited on a regular basis. Report requirements are unclear and affect the log detail level Solution: Define auditing processes to determine what type of logs and details are required (TIP: when in doubt, use graphs…)
Archiving Events Event Archiving is done for two main reasons: Log retention compliance (e.g. SOX) Forensic investigation of a security incident (chain of evidence) In general, all system events should be logged. However, by default, not all audit policies are set to generate logs. In particular, detailed tracking of high profile objects (such as files, folders, printers, etc.) is turned off by default. A common misconception is that regular object access events provide this information.
Example: Detailed Event Tracking Detailed Event tracking can include the following events: #528 – Successful Login (The user authenticate to the system) #592 – A new process has been created (application is launched) #560 – Object Open (a file is requested) #567 – Object Access (the file is modified and saved) #564 – Object Deleted #562 – Handle Closed (the file has been closed) #593 – A Process Has Exited (the application was terminated)
Example: Detailed Event Tracking Enabling Audit Policies Object Access Logon (Local and Domain) Privilege Use Process Tracking
Example: Detailed Event Tracking A Very Important Folder (e.g. sensitive document on a file server)
Example: Detailed Event Tracking A Very Important Folder (e.g. sensitive document on a file server) The folder contains files we wish to monitor (compliance, sensitive information, etc.)
Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself
Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced
Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab
Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add
Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add
Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add Select the Account or Group to be audited
Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add Select the Account or Group to be audited Select the events to audit (Read, Write, Delete…)
Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add Select the Account or Group to be audited Select the events to audit (Read, Write, Delete…) Each user/group will require additional settings
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 Filter who was logged in during that time
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39 File (644) closed
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39 File (644) closed Excel Process (2916) Terminated
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39 File (644) closed Excel Process (2916) Terminated Matching Modification Times
Archiving Events (cont.) Possible issues Volume of events (can reach several million events a day from a busy server) Solution: Transfer logs to long-term storage (compressed, digitally signed, etc.) Lack of security policies to help and identify events and processes to be audited (e.g. Messenger) Solution: Define security policies to determine which processes and their relevant events need to be logged on a regular basis. The event logs are just a portion of the “chain of evidence” Solution: Define auditing processes to ensure that all the required logs are being gathered and associated (e.g. a unique ID or a time stamp). For example: associate firewall logs through the Windows event logs and to the database logs.
Know Your Event Log Limits Size matters (and its never enough…) Solution: For long term logging, use an external storage system.
Know Your Event Log Limits (cont.) Log Analysis and correlation (especially when using automatic systems like SEM and SIM) often result in a large number of false positives. Solution: Knowledge of the network and assets to refine alerts, ongoing tuning Logs are a “detective” measure and are not an IPS (Intrusion prevention system) on their own Solution: Vista has a partial solution. For complicated responses, leverage external solution to gather and analyze logs Not all events are logged on the domain controller. These events require a log gathering process Solution: Vista has presented a solution. Otherwise, use external log gathering system.
Know Your Event Log Limits (cont.) Security event logs monitor only the authentication and authorization mechanisms of the operating system. Solution: Most applications write (or should…) logs to the Windows event log. These logs can be used to enhance the monitoring capabilities. Custom application logs neglect to provide information regarding the log details or the severity or of the event. Solution: Educate your developers, develop an API, buy something better…
Vista Event Log More More Event Categories Sources
Vista Event Log Redesigned
Vista Event Log Redesigned XML Based
Vista Event Log Redesigned XML Based Simple to Understand
Vista Event Log Redesigned XML Based Simple to Understand.
Vista Event Log Redesigned XML Based Simple to Understand..??
Vista Event Log Redesigned XML Based Simple to Understand….
Event Log Tasks (Vista) Select an Event
Event Log Tasks (Vista) Select an Event to open the Wizard
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic)
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action e-mail settings
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Launch a process
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings A New Task is Born…
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings Task Created Task is Visible in the Task Scheduler
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings Task Created Task is Visible in the Task Scheduler (new Tasks Category)
Event Log Tasks (Vista) Problem: Basic Task Event Details are pre- defined.
Event Log Tasks (Vista) Problem: Basic Task Event Details are pre- defined. The next example will: • Trigger on successful logon events of a specific group • Create a file with a list of users that logged on • Highlight username with “Admin” string
Event Log Tasks (Vista) Create a New Task
Event Log Tasks (Vista) Create a New Task Select the User Group
Event Log Tasks (Vista) Create a New Task Select the User Group Triggers Tab > New
Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event
Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom
Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter…
Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs
Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs (Multiple Logs!)
Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs (Multiple Logs!) Select Events ID (Possible Multiple IDs) and Keywords
Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs (Multiple Logs!) Select Events ID (Possible Multiple IDs) The trigger is saved as XMLQuery (Can be modified)
Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs (Multiple Logs!) Select Events ID (Possible Multiple IDs) The trigger is saved as XMLQuery (Can be modified) The Task Action will be “Select a Program”…
Event Log Tasks (Vista) This VB script search for “Admin” string in the logged user name and add a notes beside it.
Event Log Tasks (Vista) The output of three different users logging to the machine…
Event Log @ Vista New Event Viewer (interface) Over 50 new Event categories Over 2400 policies (over 1000 in W2K3) XML based Events are still written locally Critical Events can be forwarded Expanded to serve as single location for all events (using Windows Remote Manager) Events can launch system tasks
Resources TechNet – Auditing Overview (http://technet2.microsoft.com/windowsserver/en/library/768463f6-02b9-4e5e-af55- 29c089ade6381033.mspx?mfr=true) EventID.net (http://www.eventid.net/search.asp) Randy Franklin Smith’s Windows Security Log Encyclopedia (http://www.ultimatewindowssecurity.com/encyclopedia.html)
Company: Private Canadian company Toronto based Providing Security consulting and networking solutions for over 10 years Business model focused on delivering timely security information to all areas of an organization (CEO down to administrator) Dynamic, agile response to client needs Experience with customers in multiple verticals Experienced management team Consistent Approach: Provide “snapshot” security information for senior executives Provide detailed “security to-do” lists for follow-up by onsite personnel Proven & Scalable Solutions: Phased Delivery method ensures client satisfaction Successful deployments with large organizations Clients need fewer in-house qualified security professionals Minimize manual, mundane daily client tasks Leverages both Proprietary and Industry Best-of-Breed Technologies Extensible Framework: Adheres to ISO 17799 Framework, Security & Industry Best Practices The Sentry Dashboard is an enabler for any security subsystem Can be adapted to present information from non-security sources (network availability and trending, HR reporting, etc.) Engages all areas of an organization, from Senior Executives and security officers, to hands-on systems and network administrators
Questions…?

Recomendados

Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
Wazuh Security Platform
Wazuh Security PlatformWazuh Security Platform
Wazuh Security PlatformPituphong Yavirach
 
ELK in Security Analytics
ELK in Security Analytics ELK in Security Analytics
ELK in Security Analytics nullowaspmumbai
 
Eventlog
EventlogEventlog
EventlogShashi Kanth
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
SEIM-Microsoft Sentinel.pptx
SEIM-Microsoft Sentinel.pptxSEIM-Microsoft Sentinel.pptx
SEIM-Microsoft Sentinel.pptxAmrMousa51
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsSagar Joshi
 

Recomendados

Windows Forensic 101
Windows Forensic 101Windows Forensic 101
Windows Forensic 101Digit Oktavianto
 
Wazuh Security Platform
Wazuh Security PlatformWazuh Security Platform
Wazuh Security PlatformPituphong Yavirach
 
ELK in Security Analytics
ELK in Security Analytics ELK in Security Analytics
ELK in Security Analytics nullowaspmumbai
 
Eventlog
EventlogEventlog
EventlogShashi Kanth
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
SEIM-Microsoft Sentinel.pptx
SEIM-Microsoft Sentinel.pptxSEIM-Microsoft Sentinel.pptx
SEIM-Microsoft Sentinel.pptxAmrMousa51
 
What is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsWhat is SIEM? A Brilliant Guide to the Basics
What is SIEM? A Brilliant Guide to the BasicsSagar Joshi
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhAurélie Henriot
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3CTIN
 
Building the Security Operations and SIEM Use CAse
Building the Security Operations and SIEM Use CAseBuilding the Security Operations and SIEM Use CAse
Building the Security Operations and SIEM Use CAseDon Murdoch GSE CyberGuardian CISSP
 
Windowsforensics
WindowsforensicsWindowsforensics
WindowsforensicsSantosh Khadsare
 
QRadar Architecture.pdf
QRadar Architecture.pdfQRadar Architecture.pdf
QRadar Architecture.pdfPencilData
 
Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM SuccessAlienVault
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM ArchitectureNishanth Kumar Pathi
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptxSandeshUprety4
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 
Windows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationWindows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationMahendra Pratap Singh
 
Audit policy giám sát hệ thống
Audit policy giám sát hệ thốngAudit policy giám sát hệ thống
Audit policy giám sát hệ thốnglaonap166
 

Mais conteúdo relacionado

Mais procurados

Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhAurélie Henriot
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentTeymur Kheirkhabarov
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM AlienVault
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with SplunkSplunk
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoTouhami Kasbaoui
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat HuntingGIBIN JOHN
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetJuan F. Padilla
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3CTIN
 
QRadar Architecture.pdf
QRadar Architecture.pdfQRadar Architecture.pdf
QRadar Architecture.pdfPencilData
 
Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM SuccessAlienVault
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Florian Roth
 

Mais procurados (20)

Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo Wazuh
 
Hunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows EnvironmentHunting for Credentials Dumping in Windows Environment
Hunting for Credentials Dumping in Windows Environment
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
 
Beginner's Guide to SIEM
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
 
Threat Hunting with Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
 
Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3Windows 7 forensics event logs-dtl-r3
Windows 7 forensics event logs-dtl-r3
 
Building the Security Operations and SIEM Use CAse
Building the Security Operations and SIEM Use CAseBuilding the Security Operations and SIEM Use CAse
Building the Security Operations and SIEM Use CAse
 
Windowsforensics
WindowsforensicsWindowsforensics
Windowsforensics
 
QRadar Architecture.pdf
QRadar Architecture.pdfQRadar Architecture.pdf
QRadar Architecture.pdf
 
Six Steps to SIEM Success
Six Steps to SIEM SuccessSix Steps to SIEM Success
Six Steps to SIEM Success
 
SIEM Architecture
SIEM ArchitectureSIEM Architecture
SIEM Architecture
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Maturity Model of Security Disciplines
Maturity Model of Security Disciplines Maturity Model of Security Disciplines
Maturity Model of Security Disciplines
 

Destaque

Windows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationWindows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationMahendra Pratap Singh
 
Audit policy giám sát hệ thống
Audit policy giám sát hệ thốngAudit policy giám sát hệ thống
Audit policy giám sát hệ thốnglaonap166
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)RGKelley5
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
 
Kiến trúc Bảo mật Toàn diện
Kiến trúc Bảo mật Toàn diệnKiến trúc Bảo mật Toàn diện
Kiến trúc Bảo mật Toàn diệnSunmedia Corporation
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringKimberly Simon MBA
 
NIST 800-92 Log Management Guide in the Real World
NIST 800-92 Log Management Guide in the Real WorldNIST 800-92 Log Management Guide in the Real World
NIST 800-92 Log Management Guide in the Real WorldAnton Chuvakin
 
Best Practices for Log & Event Management
Best Practices for Log & Event ManagementBest Practices for Log & Event Management
Best Practices for Log & Event ManagementSolarWinds
 
Vi Minh Toại - Security Risk Management, tough path to success
Vi Minh Toại - Security Risk Management, tough path to successVi Minh Toại - Security Risk Management, tough path to success
Vi Minh Toại - Security Risk Management, tough path to successSecurity Bootcamp
 
Güvenlik, uyumluluk ve veritabani loglama
Güvenlik, uyumluluk ve veritabani loglamaGüvenlik, uyumluluk ve veritabani loglama
Güvenlik, uyumluluk ve veritabani loglamaErtugrul Akbas
 
Siem & log management
Siem & log managementSiem & log management
Siem & log managementRafel Ivgi
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themMichael Gough
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0Michael Gough
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShellkieranjacobsen
 

Destaque (20)

Windows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for InvestigationWindows Event Analysis - Correlation for Investigation
Windows Event Analysis - Correlation for Investigation
 
Audit policy giám sát hệ thống
Audit policy giám sát hệ thốngAudit policy giám sát hệ thống
Audit policy giám sát hệ thống
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming NextThe Seven Most Dangerous New Attack Techniques, and What's Coming Next
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
 
SIEM 6N
SIEM 6NSIEM 6N
SIEM 6N
 
Kiến trúc Bảo mật Toàn diện
Kiến trúc Bảo mật Toàn diệnKiến trúc Bảo mật Toàn diện
Kiến trúc Bảo mật Toàn diện
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity Monitoring
 
NIST 800-92 Log Management Guide in the Real World
NIST 800-92 Log Management Guide in the Real WorldNIST 800-92 Log Management Guide in the Real World
NIST 800-92 Log Management Guide in the Real World
 
Best Practices for Log & Event Management
Best Practices for Log & Event ManagementBest Practices for Log & Event Management
Best Practices for Log & Event Management
 
Vi Minh Toại - Security Risk Management, tough path to success
Vi Minh Toại - Security Risk Management, tough path to successVi Minh Toại - Security Risk Management, tough path to success
Vi Minh Toại - Security Risk Management, tough path to success
 
Güvenlik, uyumluluk ve veritabani loglama
Güvenlik, uyumluluk ve veritabani loglamaGüvenlik, uyumluluk ve veritabani loglama
Güvenlik, uyumluluk ve veritabani loglama
 
Log forwarding at Scale
Log forwarding at ScaleLog forwarding at Scale
Log forwarding at Scale
 
Siem & log management
Siem & log managementSiem & log management
Siem & log management
 
Logging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch themLogging for Hackers - What you need to know to catch them
Logging for Hackers - What you need to know to catch them
 
The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0The top 10 windows logs event id's used v1.0
The top 10 windows logs event id's used v1.0
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 
ログ勉 Vol.1
ログ勉 Vol.1ログ勉 Vol.1
ログ勉 Vol.1
 
Lateral Movement with PowerShell
Lateral Movement with PowerShellLateral Movement with PowerShell
Lateral Movement with PowerShell
 

Semelhante a Understanding the Event Log

What Every Organization Should Log And Monitor
What Every Organization Should Log And MonitorWhat Every Organization Should Log And Monitor
What Every Organization Should Log And MonitorAnton Chuvakin
 
A self adaptive learning approach for optimum path evaluation of process for ...
A self adaptive learning approach for optimum path evaluation of process for ...A self adaptive learning approach for optimum path evaluation of process for ...
A self adaptive learning approach for optimum path evaluation of process for ...Alexander Decker
 
Zentral combine power of osquery_santa
Zentral combine power of osquery_santaZentral combine power of osquery_santa
Zentral combine power of osquery_santaHenry Stamerjohann
 
Active Directory Auditing
Active Directory AuditingActive Directory Auditing
Active Directory AuditingWILLA REYES
 
Logs for Information Assurance and Forensics @ USMA
Logs for Information Assurance and Forensics @ USMALogs for Information Assurance and Forensics @ USMA
Logs for Information Assurance and Forensics @ USMAAnton Chuvakin
 
A self adaptive learning approach for optimum path evaluation of process for ...
A self adaptive learning approach for optimum path evaluation of process for ...A self adaptive learning approach for optimum path evaluation of process for ...
A self adaptive learning approach for optimum path evaluation of process for ...Alexander Decker
 
FIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident ResponseFIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident ResponseAnton Chuvakin
 
Log Management For e-Discovery, Database Monitoring and Other Unusual Uses
Log Management For e-Discovery, Database Monitoring and Other Unusual UsesLog Management For e-Discovery, Database Monitoring and Other Unusual Uses
Log Management For e-Discovery, Database Monitoring and Other Unusual UsesAnton Chuvakin
 
Building Active Directory Monitoring with Telegraf, InfluxDB, and Grafana
Building Active Directory Monitoring with Telegraf, InfluxDB, and GrafanaBuilding Active Directory Monitoring with Telegraf, InfluxDB, and Grafana
Building Active Directory Monitoring with Telegraf, InfluxDB, and GrafanaBoni Yeamin
 
Web Proxy Log Analysis and Management 2007
Web Proxy Log Analysis and Management 2007Web Proxy Log Analysis and Management 2007
Web Proxy Log Analysis and Management 2007Anton Chuvakin
 
Presentation AD Audit Plus ManageEngine .pptx
Presentation AD Audit Plus ManageEngine .pptxPresentation AD Audit Plus ManageEngine .pptx
Presentation AD Audit Plus ManageEngine .pptxAbdoulayeSoulama1
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksYossi Sassi
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditingPiyush Jain
 
Critical Log Review Checklist For Security Incidents
Critical Log Review Checklist For Security IncidentsCritical Log Review Checklist For Security Incidents
Critical Log Review Checklist For Security IncidentsJoe Shenouda
 
Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Anton Chuvakin
 

Semelhante a Understanding the Event Log (20)

1556 a 09
1556 a 091556 a 09
1556 a 09
 
Ch10 Conducting Audits
Ch10 Conducting AuditsCh10 Conducting Audits
Ch10 Conducting Audits
 
What Every Organization Should Log And Monitor
What Every Organization Should Log And MonitorWhat Every Organization Should Log And Monitor
What Every Organization Should Log And Monitor
 
A self adaptive learning approach for optimum path evaluation of process for ...
A self adaptive learning approach for optimum path evaluation of process for ...A self adaptive learning approach for optimum path evaluation of process for ...
A self adaptive learning approach for optimum path evaluation of process for ...
 
Manage Engine Log 360
Manage Engine Log 360Manage Engine Log 360
Manage Engine Log 360
 
CH18-CompSec4e.pptx
CH18-CompSec4e.pptxCH18-CompSec4e.pptx
CH18-CompSec4e.pptx
 
Zentral combine power of osquery_santa
Zentral combine power of osquery_santaZentral combine power of osquery_santa
Zentral combine power of osquery_santa
 
Active Directory Auditing
Active Directory AuditingActive Directory Auditing
Active Directory Auditing
 
Logs for Information Assurance and Forensics @ USMA
Logs for Information Assurance and Forensics @ USMALogs for Information Assurance and Forensics @ USMA
Logs for Information Assurance and Forensics @ USMA
 
A self adaptive learning approach for optimum path evaluation of process for ...
A self adaptive learning approach for optimum path evaluation of process for ...A self adaptive learning approach for optimum path evaluation of process for ...
A self adaptive learning approach for optimum path evaluation of process for ...
 
FIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident ResponseFIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident Response
 
Log Management For e-Discovery, Database Monitoring and Other Unusual Uses
Log Management For e-Discovery, Database Monitoring and Other Unusual UsesLog Management For e-Discovery, Database Monitoring and Other Unusual Uses
Log Management For e-Discovery, Database Monitoring and Other Unusual Uses
 
Building Active Directory Monitoring with Telegraf, InfluxDB, and Grafana
Building Active Directory Monitoring with Telegraf, InfluxDB, and GrafanaBuilding Active Directory Monitoring with Telegraf, InfluxDB, and Grafana
Building Active Directory Monitoring with Telegraf, InfluxDB, and Grafana
 
Web Proxy Log Analysis and Management 2007
Web Proxy Log Analysis and Management 2007Web Proxy Log Analysis and Management 2007
Web Proxy Log Analysis and Management 2007
 
Presentation AD Audit Plus ManageEngine .pptx
Presentation AD Audit Plus ManageEngine .pptxPresentation AD Audit Plus ManageEngine .pptx
Presentation AD Audit Plus ManageEngine .pptx
 
Logs = Accountability
Logs = AccountabilityLogs = Accountability
Logs = Accountability
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
 
Critical Log Review Checklist For Security Incidents
Critical Log Review Checklist For Security IncidentsCritical Log Review Checklist For Security Incidents
Critical Log Review Checklist For Security Incidents
 
Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008
 

Último

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 

Understanding the Event Log

  • 1. Understanding the Event Log for a more secured environment Dave Millier Chuck Ben-Tzur
  • 2. Overview Introducing… the Event Log Why Monitor Logs Enabling Event Logging Real Time Monitoring Example: Security Log Tampering Auditing and Analysis Archiving Events Example: File Modification Investigation Event Log Limitation Vista Event Log Example: Creating Log File Using Event Triggered Tasks Resources and Questions
  • 3. Introducing…Event Log Centralized log service to allow applications and the operating system to report events that have taken place. Introduced with Windows NT 4 (1993). Main Windows Logs Application (example: Database message) System (example: driver failure) Security (example: Logon attempt, file access) A Windows 2003 domain controller will also include Directory Service (example: Active Directory connection problem) File Replication (example: domain controller information updates) DNS Vista has introduced a lot of changes
  • 4. Why Should We Monitor Logs We don’t NEED to… We HAVE to… Organizations are obligated by regulations to gather and audit systems activity logs. HIPPA (Health Industry) Regulatory review of system activity to ensure that a user information remains private but accessible Identify, respond and document security incidents GLBA (Financial) Dual control procedures Segregation of duties SOX (Financial) Record Retention and availability Accountability
  • 5. Why Should We Monitor Logs (cont.) To comply with the regulations organizations require the following forms of log monitoring Real-time monitoring Identify attack attempts in progress and if a security breach has occurred. Audit and analysis Periodic reports and analysis for regulation compliance (due diligence). Archiving Again… regulations compliance (log retention) Forensic investigation of an incident The event log should also enable the organization to implement internal security policies.
  • 6. Enabling Event Logging Each event category is controlled by audit policies: Account logon events (for domain accounts) Account management (group and account events) Directory service access Logon events (local machine events) Object access (user accessing an object such as file, folder, printer) Policy change (changes in the audit, user rights and trust policies) Privilege use (user exercising one or more of his rights) Process tracking (detailed tracking information) System events (events that affect the system security or log) Each policy can be set to audit success events only, failure events only, success/failure events, or no auditing at all.
  • 8. Real-Time Monitoring Successful events that grant the user high level privileges (either by spoofing identity or elevation of privileges) Events to monitor Successful high profile user account / group management events #636– Group member added or removed Successful logon events of high profile user accounts #680 – Logon attempt Successful logon events to a domain controller Operations on specific high profile resources (files, folder) #560 (Object Access), #564 (Object Deleted) Successful policy change events #612 – Audit Policy Change (logs no more…) All system events #517 – security log was cleared
  • 9. Example: Event #517 (Clear Security Log) Security Log
  • 10. Example: Event #517 (Clear Security Log) Security Log A User will try to erase the logs
  • 11. Example: Event #517 (Clear Security Log) Security Log A User will try to erase the logs (and not event save it)
  • 12. Example: Event #517 (Clear Security Log) Security Log A User will try to erase the logs A New Event is Created
  • 13. Example: Event #517 (Clear Security Log) Security Log A User will try to erase the logs A New Event is Created The Event Contains the User Name
  • 14. Real-Time Monitoring (cont.) Tracking and analysing event failure patterns may indicate a range of malicious attack attempts Failed logon activity (e.g. brute force attack) #675 – Pre Auth, failed with Kerberos code 24 (Bad password) #539 - logon failure due to account lockout (if systematic may be an indication of DoS) Failed account management activity (e.g. password reset events) All failed system events #517 – Audit log cleared Note: Most of the auditing policies, by default, are set to log successful events only. Local policies may be set to no auditing at all.
  • 15. Real-Time Monitoring (cont.) Possible issues Flood of events (domain controller and member server event duplication, detailed tracking events) Solution: Consolidate log information for better analysis Unmonitored systems (e.g. unaudited events on a file server) Solution: Threat modeling, identifying assets in organization Unmonitored events (detailed user and process activity) Solution: Organization security program and policies False positives due to configuration problems (e.g. expired service password) Solution: Knowledge of the network, components and assets (Human Factor)
  • 16. Auditing and Analysis Most regulations require a periodic review of important events (not critical or show stoppers) for two reasons: A “second chance” to reveal malicious activity originally undetected (and unaccountable for). Audit the ongoing activity to verify no major changes have taken place. The data is usually reviewed in the form of reports (detailed and summarized) Example of Events to Monitor (A short list) #529 to #535 and #539 – Logon failure (different reasons) #629 – User account Disabled #644 – User account Locked Out
  • 17. Auditing and Analysis (cont.) Possible issues Finding a critical event that was not detected by the real-time monitoring processes Solution: Investigate the incident to eliminate or mitigate any results of malicious activity. Duplicated events (Domain controller and Local Server) Solution: Correlate and consolidate events using external system Lack of security policies to help and identify events to be audited (e.g. Messenger) Solution: Define security policies to determine which event types need to be audited on a regular basis. Report requirements are unclear and affect the log detail level Solution: Define auditing processes to determine what type of logs and details are required (TIP: when in doubt, use graphs…)
  • 18. Archiving Events Event Archiving is done for two main reasons: Log retention compliance (e.g. SOX) Forensic investigation of a security incident (chain of evidence) In general, all system events should be logged. However, by default, not all audit policies are set to generate logs. In particular, detailed tracking of high profile objects (such as files, folders, printers, etc.) is turned off by default. A common misconception is that regular object access events provide this information.
  • 19. Example: Detailed Event Tracking Detailed Event tracking can include the following events: #528 – Successful Login (The user authenticate to the system) #592 – A new process has been created (application is launched) #560 – Object Open (a file is requested) #567 – Object Access (the file is modified and saved) #564 – Object Deleted #562 – Handle Closed (the file has been closed) #593 – A Process Has Exited (the application was terminated)
  • 20. Example: Detailed Event Tracking Enabling Audit Policies Object Access Logon (Local and Domain) Privilege Use Process Tracking
  • 21. Example: Detailed Event Tracking A Very Important Folder (e.g. sensitive document on a file server)
  • 22. Example: Detailed Event Tracking A Very Important Folder (e.g. sensitive document on a file server) The folder contains files we wish to monitor (compliance, sensitive information, etc.)
  • 23. Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself
  • 24. Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced
  • 25. Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab
  • 26. Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add
  • 27. Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add
  • 28. Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add Select the Account or Group to be audited
  • 29. Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add Select the Account or Group to be audited Select the events to audit (Read, Write, Delete…)
  • 30. Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add Select the Account or Group to be audited Select the events to audit (Read, Write, Delete…) Each user/group will require additional settings
  • 31. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40
  • 32. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39
  • 33. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 Filter who was logged in during that time
  • 34. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D
  • 35. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916
  • 36. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644
  • 37. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644
  • 38. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39
  • 39. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39 File (644) closed
  • 40. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39 File (644) closed Excel Process (2916) Terminated
  • 41. Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39 File (644) closed Excel Process (2916) Terminated Matching Modification Times
  • 42. Archiving Events (cont.) Possible issues Volume of events (can reach several million events a day from a busy server) Solution: Transfer logs to long-term storage (compressed, digitally signed, etc.) Lack of security policies to help and identify events and processes to be audited (e.g. Messenger) Solution: Define security policies to determine which processes and their relevant events need to be logged on a regular basis. The event logs are just a portion of the “chain of evidence” Solution: Define auditing processes to ensure that all the required logs are being gathered and associated (e.g. a unique ID or a time stamp). For example: associate firewall logs through the Windows event logs and to the database logs.
  • 43. Know Your Event Log Limits Size matters (and its never enough…) Solution: For long term logging, use an external storage system.
  • 44. Know Your Event Log Limits (cont.) Log Analysis and correlation (especially when using automatic systems like SEM and SIM) often result in a large number of false positives. Solution: Knowledge of the network and assets to refine alerts, ongoing tuning Logs are a “detective” measure and are not an IPS (Intrusion prevention system) on their own Solution: Vista has a partial solution. For complicated responses, leverage external solution to gather and analyze logs Not all events are logged on the domain controller. These events require a log gathering process Solution: Vista has presented a solution. Otherwise, use external log gathering system.
  • 45. Know Your Event Log Limits (cont.) Security event logs monitor only the authentication and authorization mechanisms of the operating system. Solution: Most applications write (or should…) logs to the Windows event log. These logs can be used to enhance the monitoring capabilities. Custom application logs neglect to provide information regarding the log details or the severity or of the event. Solution: Educate your developers, develop an API, buy something better…
  • 46. Vista Event Log More More Event Categories Sources
  • 49. Vista Event Log Redesigned XML Based Simple to Understand
  • 50. Vista Event Log Redesigned XML Based Simple to Understand.
  • 51. Vista Event Log Redesigned XML Based Simple to Understand..??
  • 52. Vista Event Log Redesigned XML Based Simple to Understand….
  • 53. Event Log Tasks (Vista) Select an Event
  • 54. Event Log Tasks (Vista) Select an Event to open the Wizard
  • 55. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic)
  • 56. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action
  • 57. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action e-mail settings
  • 58. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action
  • 59. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Launch a process
  • 60. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings
  • 61. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings A New Task is Born…
  • 62. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings Task Created Task is Visible in the Task Scheduler
  • 63. Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings Task Created Task is Visible in the Task Scheduler (new Tasks Category)
  • 64. Event Log Tasks (Vista) Problem: Basic Task Event Details are pre- defined.
  • 65. Event Log Tasks (Vista) Problem: Basic Task Event Details are pre- defined. The next example will: • Trigger on successful logon events of a specific group • Create a file with a list of users that logged on • Highlight username with “Admin” string
  • 66. Event Log Tasks (Vista) Create a New Task
  • 67. Event Log Tasks (Vista) Create a New Task Select the User Group
  • 68. Event Log Tasks (Vista) Create a New Task Select the User Group Triggers Tab > New
  • 69. Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event
  • 70. Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom
  • 71. Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter…
  • 72. Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs
  • 73. Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs (Multiple Logs!)
  • 74. Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs (Multiple Logs!) Select Events ID (Possible Multiple IDs) and Keywords
  • 75. Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs (Multiple Logs!) Select Events ID (Possible Multiple IDs) The trigger is saved as XMLQuery (Can be modified)
  • 76. Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs (Multiple Logs!) Select Events ID (Possible Multiple IDs) The trigger is saved as XMLQuery (Can be modified) The Task Action will be “Select a Program”…
  • 77. Event Log Tasks (Vista) This VB script search for “Admin” string in the logged user name and add a notes beside it.
  • 78. Event Log Tasks (Vista) The output of three different users logging to the machine…
  • 79. Event Log @ Vista New Event Viewer (interface) Over 50 new Event categories Over 2400 policies (over 1000 in W2K3) XML based Events are still written locally Critical Events can be forwarded Expanded to serve as single location for all events (using Windows Remote Manager) Events can launch system tasks
  • 80. Resources TechNet – Auditing Overview (http://technet2.microsoft.com/windowsserver/en/library/768463f6-02b9-4e5e-af55- 29c089ade6381033.mspx?mfr=true) EventID.net (http://www.eventid.net/search.asp) Randy Franklin Smith’s Windows Security Log Encyclopedia (http://www.ultimatewindowssecurity.com/encyclopedia.html)
  • 81. Company: Private Canadian company Toronto based Providing Security consulting and networking solutions for over 10 years Business model focused on delivering timely security information to all areas of an organization (CEO down to administrator) Dynamic, agile response to client needs Experience with customers in multiple verticals Experienced management team Consistent Approach: Provide “snapshot” security information for senior executives Provide detailed “security to-do” lists for follow-up by onsite personnel Proven & Scalable Solutions: Phased Delivery method ensures client satisfaction Successful deployments with large organizations Clients need fewer in-house qualified security professionals Minimize manual, mundane daily client tasks Leverages both Proprietary and Industry Best-of-Breed Technologies Extensible Framework: Adheres to ISO 17799 Framework, Security & Industry Best Practices The Sentry Dashboard is an enabler for any security subsystem Can be adapted to present information from non-security sources (network availability and trending, HR reporting, etc.) Engages all areas of an organization, from Senior Executives and security officers, to hands-on systems and network administrators