4. LOGS FROM WORKSTATIONS AND SERVERS
Workstations –
• Thousands of Endpoints
• Segmented
• Decentralized
• Standard Images/Agent averse
• Performance sensitive
Servers –
• Highly segmented
• Access restrictions
• Agent averse
• Performance sensitive
5. WINDOWS EVENT COLLECTORS
Built-in Windows functionality
One command to run
One GPO to setup (per collector)
[Architecture diagram: Active Directory applies Group Policy to Workstations and Servers; their Event Logs are forwarded to Event Collectors, which pass Filtered/Unfiltered Event Logs on to the SIEM]
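The three bullets above in working form, as an added example that is not part of the deck: the one command on the collector, the subscription that tells sources what to send, and the setting the one GPO pushes to every source. The collector name wec01.corp.example, the subscription name and the event filter are assumptions; the event IDs are the ones the later slide asks about.

```powershell
# Added example (not from the slides). Run on the collector in an elevated PowerShell.

# 1. The "one command": enable the Windows Event Collector service and its WinRM listener.
wecutil qc /q

# 2. A source-initiated subscription. Who may send is governed by the SDDL in
#    AllowedSourceDomainComputers: the two ACEs below admit Domain Computers (DC)
#    and Domain Controllers (DD). The query keeps only the events the deck names:
#    4688, 1102 and the privileged-group membership changes it calls "47xx".
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/WindowsEventCollection">
  <SubscriptionId>Security-Baseline</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Process creation, audit log clearing, privileged group changes</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="900000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4688 or EventID=1102 or EventID=4728 or EventID=4729 or EventID=4732 or EventID=4733 or EventID=4756 or EventID=4757)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
"@
$subscriptionFile = Join-Path $env:TEMP 'Security-Baseline.xml'
Set-Content -Path $subscriptionFile -Value $subscription -Encoding UTF8
wecutil cs $subscriptionFile

# 3. The "one GPO" (per collector) configures every source with
#    Computer Configuration > Administrative Templates > Windows Components >
#    Event Forwarding > Configure target Subscription Manager, value:
#      Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60
#    Sources additionally need the WinRM service running and NETWORK SERVICE able to
#    read the Security log (Event Log Readers group), or nothing is forwarded.
#    For a one-machine lab test without GPO, the same setting as the registry value
#    the policy writes (assumed collector name; run this on the source):
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $smKey -Force | Out-Null
Set-ItemProperty -Path $smKey -Name '1' -Value 'Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'

# 4. Checks on the collector: which sources have registered and delivered, and a
#    sample of what has landed in the ForwardedEvents log.
wecutil gr Security-Baseline
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 | Format-Table TimeCreated, MachineName, Id -AutoSize
```

Two design points worth noting. The collector never reaches out to the endpoints, which is what makes this workable for agent-averse, segmented workstations and servers: each source polls the Subscription Manager URL over WinRM (5985) at the Refresh interval and pushes its own events, so the only firewall rule needed is source-to-collector. And the filter lives in the subscription, not on the endpoint, so narrowing or widening what is forwarded is a collector-side change; `ContentFormat` set to `Events` rather than `RenderedText` keeps the forwarded records small, which matters when thousands of endpoints are sending.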
7. WHERE TO START?
• 4688 – process started/stopped – suspicious processes, e.g. whoami
• 1102 – the audit log was cleared
• 47xx – members added/removed from privileged groups
Can you detect these?
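One way to answer that question against the collector's ForwardedEvents log, as an added example that is not part of the deck. The function works on an event's XML, so it runs the same way against `Get-WinEvent` output and against the constructed sample events below. The event IDs are the documented Security-log IDs for the slide's "47xx" (member added to / removed from a security-enabled global, local or universal group); the privileged-group list, the watched-binary list and the sample hosts and users are assumptions.

```powershell
# Added example (not from the slides): flag the three things the slide asks about.

# The slide's "47xx": 4728/4729 global, 4732/4733 local, 4756/4757 universal groups.
$AddedIds   = 4728, 4732, 4756
$RemovedIds = 4729, 4733, 4757
# Assumption: groups whose membership changes should always be reviewed.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
# Assumption: binaries whose launch is worth a look (the slide names whoami); extend as needed.
$WatchedBinaries = @('whoami.exe')

function Get-EventField {
    param([xml]$Xml, [string]$Name)
    # 4688 and 47xx carry fields as EventData/Data[@Name]; 1102 uses UserData/LogFileCleared.
    $data = $Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($data) { return [string]$data.'#text' }
    return [string]$Xml.Event.UserData.LogFileCleared.$Name
}

function Test-ForwardedEvent {
    param([xml]$Xml)
    $id       = [int]$Xml.Event.System.EventID
    $computer = [string]$Xml.Event.System.Computer
    $when     = [string]$Xml.Event.System.TimeCreated.SystemTime
    $user     = Get-EventField $Xml 'SubjectUserName'
    $finding  = $null
    switch ($id) {
        4688 {
            $proc = Get-EventField $Xml 'NewProcessName'
            $leaf = [System.IO.Path]::GetFileName($proc).ToLower()
            if ($WatchedBinaries -contains $leaf) {
                $parent  = Get-EventField $Xml 'ParentProcessName'
                $finding = "Watched binary $proc run by $user (parent $parent)"
            }
        }
        1102 {
            $finding = "Security audit log cleared by $user"
        }
        { $_ -in $AddedIds -or $_ -in $RemovedIds } {
            $group = Get-EventField $Xml 'TargetUserName'
            if ($PrivilegedGroups -contains $group) {
                $member  = Get-EventField $Xml 'MemberName'
                $verb    = if ($_ -in $AddedIds) { 'added to' } else { 'removed from' }
                $finding = "$member $verb $group by $user"
            }
        }
    }
    if ($finding) {
        [pscustomobject]@{ Time = $when; Computer = $computer; EventId = $id; Finding = $finding }
    }
}

# Constructed sample events, shortened to the fields the function reads.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$e1 = @"
<Event xmlns="$ns"><System><EventID>4688</EventID><TimeCreated SystemTime="2024-01-09T10:01:02Z"/><Computer>WS042.corp.example</Computer></System>
<EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="NewProcessName">C:\Windows\System32\whoami.exe</Data><Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data></EventData></Event>
"@
$e2 = @"
<Event xmlns="$ns"><System><EventID>1102</EventID><TimeCreated SystemTime="2024-01-09T10:05:00Z"/><Computer>SRV07.corp.example</Computer></System>
<UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>svc_backup</SubjectUserName></LogFileCleared></UserData></Event>
"@
$e3 = @"
<Event xmlns="$ns"><System><EventID>4728</EventID><TimeCreated SystemTime="2024-01-09T10:07:30Z"/><Computer>DC01.corp.example</Computer></System>
<EventData><Data Name="MemberName">CN=J Doe,OU=Staff,DC=corp,DC=example</Data><Data Name="TargetUserName">Domain Admins</Data><Data Name="SubjectUserName">helpdesk1</Data></EventData></Event>
"@
$e4 = @"
<Event xmlns="$ns"><System><EventID>4688</EventID><TimeCreated SystemTime="2024-01-09T10:09:00Z"/><Computer>WS042.corp.example</Computer></System>
<EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="NewProcessName">C:\Windows\System32\notepad.exe</Data><Data Name="ParentProcessName">C:\Windows\explorer.exe</Data></EventData></Event>
"@

$e1, $e2, $e3, $e4 | ForEach-Object { Test-ForwardedEvent ([xml]$_) } | Format-Table -AutoSize

# Against the collector's real log, pre-filtering by ID so only candidates are parsed:
# Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = (4688, 1102) + $AddedIds + $RemovedIds } |
#     ForEach-Object { Test-ForwardedEvent ([xml]$_.ToXml()) }
```

The fourth sample is there to exercise the negative path: an ordinary 4688 must not be reported. Two caveats before relying on this in production. 4688 only exists if "Audit Process Creation" is enabled on the sources, and the command line is only in the event if "Include command line in process creation events" is also on; the subscription on the previous slide has to carry these IDs, or the collector never sees them. And 1102 is specifically the Security log being cleared; clearing other logs is recorded elsewhere (System log clearing is event 104 from Microsoft-Windows-Eventlog), so a rule that only watches 1102 misses those.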