Uploaded bychuckbt
7,335 views

Understanding the Event Log

The document discusses the importance of event logging for maintaining a secure environment, highlighting its relevance for regulatory compliance and incident response. It covers aspects such as real-time monitoring, auditing, analysis, and archiving of event logs to mitigate security incidents. Furthermore, it details specific event categories and configurations to effectively track user activities and potential breaches.

Technology
In this document
Powered by AI

Introduction to the Event Log, importance of monitoring logs, and overview of logging features.

Event Log service started with Windows NT, details on Application, System, Security logs, and improvements in Vista.

Legal obligations (HIPAA, GLBA, SOX) for organizations to monitor logs for security and compliance.

Setting up audit policies for various event categories like account management and logon events.

Importance of monitoring events in real-time to detect high-profile activities and possible security breaches.

Reviewing events periodically to find malicious activity and ensuring no significant changes occurred.

Reasons for event archiving including compliance and forensic investigation necessity.

Different types of events that can be tracked, such as logins and file modifications, with examples.

Capturing event timestamps and user actions for monitoring and auditing purposes.

Challenges in event management and the importance of proper security policies and evidence chain.

Issues with log management, including the need for improved logging and the role of external systems.

Enhancements in Vista's logging system, including XML-based improvements for better readability.

How to select and automate event log tasks in Vista, including examples of practical implementations.

Resources for auditing, company background, and a summary of the presentation.

Embed presentation

Downloaded 299 times
Understanding the Event Log for a more secured environment Dave Millier Chuck Ben-Tzur
Overview Introducing… the Event Log Why Monitor Logs Enabling Event Logging Real Time Monitoring Example: Security Log Tampering Auditing and Analysis Archiving Events Example: File Modification Investigation Event Log Limitation Vista Event Log Example: Creating Log File Using Event Triggered Tasks Resources and Questions
Introducing…Event Log Centralized log service to allow applications and the operating system to report events that have taken place. Introduced with Windows NT 4 (1993). Main Windows Logs Application (example: Database message) System (example: driver failure) Security (example: Logon attempt, file access) A Windows 2003 domain controller will also include Directory Service (example: Active Directory connection problem) File Replication (example: domain controller information updates) DNS Vista has introduced a lot of changes
Why Should We Monitor Logs We don’t NEED to… We HAVE to… Organizations are obligated by regulations to gather and audit systems activity logs. HIPPA (Health Industry) Regulatory review of system activity to ensure that a user information remains private but accessible Identify, respond and document security incidents GLBA (Financial) Dual control procedures Segregation of duties SOX (Financial) Record Retention and availability Accountability
Why Should We Monitor Logs (cont.) To comply with the regulations organizations require the following forms of log monitoring Real-time monitoring Identify attack attempts in progress and if a security breach has occurred. Audit and analysis Periodic reports and analysis for regulation compliance (due diligence). Archiving Again… regulations compliance (log retention) Forensic investigation of an incident The event log should also enable the organization to implement internal security policies.
Enabling Event Logging Each event category is controlled by audit policies: Account logon events (for domain accounts) Account management (group and account events) Directory service access Logon events (local machine events) Object access (user accessing an object such as file, folder, printer) Policy change (changes in the audit, user rights and trust policies) Privilege use (user exercising one or more of his rights) Process tracking (detailed tracking information) System events (events that affect the system security or log) Each policy can be set to audit success events only, failure events only, success/failure events, or no auditing at all.
Audit Policies (Member Server)
Real-Time Monitoring Successful events that grant the user high level privileges (either by spoofing identity or elevation of privileges) Events to monitor Successful high profile user account / group management events #636– Group member added or removed Successful logon events of high profile user accounts #680 – Logon attempt Successful logon events to a domain controller Operations on specific high profile resources (files, folder) #560 (Object Access), #564 (Object Deleted) Successful policy change events #612 – Audit Policy Change (logs no more…) All system events #517 – security log was cleared
Example: Event #517 (Clear Security Log) Security Log
Example: Event #517 (Clear Security Log) Security Log A User will try to erase the logs
Example: Event #517 (Clear Security Log) Security Log A User will try to erase the logs (and not event save it)
Example: Event #517 (Clear Security Log) Security Log A User will try to erase the logs A New Event is Created
Example: Event #517 (Clear Security Log) Security Log A User will try to erase the logs A New Event is Created The Event Contains the User Name
Real-Time Monitoring (cont.) Tracking and analysing event failure patterns may indicate a range of malicious attack attempts Failed logon activity (e.g. brute force attack) #675 – Pre Auth, failed with Kerberos code 24 (Bad password) #539 - logon failure due to account lockout (if systematic may be an indication of DoS) Failed account management activity (e.g. password reset events) All failed system events #517 – Audit log cleared Note: Most of the auditing policies, by default, are set to log successful events only. Local policies may be set to no auditing at all.
Real-Time Monitoring (cont.) Possible issues Flood of events (domain controller and member server event duplication, detailed tracking events) Solution: Consolidate log information for better analysis Unmonitored systems (e.g. unaudited events on a file server) Solution: Threat modeling, identifying assets in organization Unmonitored events (detailed user and process activity) Solution: Organization security program and policies False positives due to configuration problems (e.g. expired service password) Solution: Knowledge of the network, components and assets (Human Factor)
Auditing and Analysis Most regulations require a periodic review of important events (not critical or show stoppers) for two reasons: A “second chance” to reveal malicious activity originally undetected (and unaccountable for). Audit the ongoing activity to verify no major changes have taken place. The data is usually reviewed in the form of reports (detailed and summarized) Example of Events to Monitor (A short list) #529 to #535 and #539 – Logon failure (different reasons) #629 – User account Disabled #644 – User account Locked Out
Auditing and Analysis (cont.) Possible issues Finding a critical event that was not detected by the real-time monitoring processes Solution: Investigate the incident to eliminate or mitigate any results of malicious activity. Duplicated events (Domain controller and Local Server) Solution: Correlate and consolidate events using external system Lack of security policies to help and identify events to be audited (e.g. Messenger) Solution: Define security policies to determine which event types need to be audited on a regular basis. Report requirements are unclear and affect the log detail level Solution: Define auditing processes to determine what type of logs and details are required (TIP: when in doubt, use graphs…)
Archiving Events Event Archiving is done for two main reasons: Log retention compliance (e.g. SOX) Forensic investigation of a security incident (chain of evidence) In general, all system events should be logged. However, by default, not all audit policies are set to generate logs. In particular, detailed tracking of high profile objects (such as files, folders, printers, etc.) is turned off by default. A common misconception is that regular object access events provide this information.
Example: Detailed Event Tracking Detailed Event tracking can include the following events: #528 – Successful Login (The user authenticate to the system) #592 – A new process has been created (application is launched) #560 – Object Open (a file is requested) #567 – Object Access (the file is modified and saved) #564 – Object Deleted #562 – Handle Closed (the file has been closed) #593 – A Process Has Exited (the application was terminated)
Example: Detailed Event Tracking Enabling Audit Policies Object Access Logon (Local and Domain) Privilege Use Process Tracking
Example: Detailed Event Tracking A Very Important Folder (e.g. sensitive document on a file server)
Example: Detailed Event Tracking A Very Important Folder (e.g. sensitive document on a file server) The folder contains files we wish to monitor (compliance, sensitive information, etc.)
Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself
Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced
Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab
Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add
Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add
Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add Select the Account or Group to be audited
Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add Select the Account or Group to be audited Select the events to audit (Read, Write, Delete…)
Example: Detailed Event Tracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add Select the Account or Group to be audited Select the events to audit (Read, Write, Delete…) Each user/group will require additional settings
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 Filter who was logged in during that time
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39 File (644) closed
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39 File (644) closed Excel Process (2916) Terminated
Example: Detailed Event Tracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39 File (644) closed Excel Process (2916) Terminated Matching Modification Times
Archiving Events (cont.) Possible issues Volume of events (can reach several million events a day from a busy server) Solution: Transfer logs to long-term storage (compressed, digitally signed, etc.) Lack of security policies to help and identify events and processes to be audited (e.g. Messenger) Solution: Define security policies to determine which processes and their relevant events need to be logged on a regular basis. The event logs are just a portion of the “chain of evidence” Solution: Define auditing processes to ensure that all the required logs are being gathered and associated (e.g. a unique ID or a time stamp). For example: associate firewall logs through the Windows event logs and to the database logs.
Know Your Event Log Limits Size matters (and its never enough…) Solution: For long term logging, use an external storage system.
Know Your Event Log Limits (cont.) Log Analysis and correlation (especially when using automatic systems like SEM and SIM) often result in a large number of false positives. Solution: Knowledge of the network and assets to refine alerts, ongoing tuning Logs are a “detective” measure and are not an IPS (Intrusion prevention system) on their own Solution: Vista has a partial solution. For complicated responses, leverage external solution to gather and analyze logs Not all events are logged on the domain controller. These events require a log gathering process Solution: Vista has presented a solution. Otherwise, use external log gathering system.
Know Your Event Log Limits (cont.) Security event logs monitor only the authentication and authorization mechanisms of the operating system. Solution: Most applications write (or should…) logs to the Windows event log. These logs can be used to enhance the monitoring capabilities. Custom application logs neglect to provide information regarding the log details or the severity or of the event. Solution: Educate your developers, develop an API, buy something better…
Vista Event Log More More Event Categories Sources
Vista Event Log Redesigned
Vista Event Log Redesigned XML Based
Vista Event Log Redesigned XML Based Simple to Understand
Vista Event Log Redesigned XML Based Simple to Understand.
Vista Event Log Redesigned XML Based Simple to Understand..??
Vista Event Log Redesigned XML Based Simple to Understand….
Event Log Tasks (Vista) Select an Event
Event Log Tasks (Vista) Select an Event to open the Wizard
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic)
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action e-mail settings
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Launch a process
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings A New Task is Born…
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings Task Created Task is Visible in the Task Scheduler
Event Log Tasks (Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings Task Created Task is Visible in the Task Scheduler (new Tasks Category)
Event Log Tasks (Vista) Problem: Basic Task Event Details are pre- defined.
Event Log Tasks (Vista) Problem: Basic Task Event Details are pre- defined. The next example will: • Trigger on successful logon events of a specific group • Create a file with a list of users that logged on • Highlight username with “Admin” string
Event Log Tasks (Vista) Create a New Task
Event Log Tasks (Vista) Create a New Task Select the User Group
Event Log Tasks (Vista) Create a New Task Select the User Group Triggers Tab > New
Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event
Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom
Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter…
Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs
Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs (Multiple Logs!)
Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs (Multiple Logs!) Select Events ID (Possible Multiple IDs) and Keywords
Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs (Multiple Logs!) Select Events ID (Possible Multiple IDs) The trigger is saved as XMLQuery (Can be modified)
Event Log Tasks (Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs (Multiple Logs!) Select Events ID (Possible Multiple IDs) The trigger is saved as XMLQuery (Can be modified) The Task Action will be “Select a Program”…
Event Log Tasks (Vista) This VB script search for “Admin” string in the logged user name and add a notes beside it.
Event Log Tasks (Vista) The output of three different users logging to the machine…
Event Log @ Vista New Event Viewer (interface) Over 50 new Event categories Over 2400 policies (over 1000 in W2K3) XML based Events are still written locally Critical Events can be forwarded Expanded to serve as single location for all events (using Windows Remote Manager) Events can launch system tasks
Resources TechNet – Auditing Overview (http://technet2.microsoft.com/windowsserver/en/library/768463f6-02b9-4e5e-af55- 29c089ade6381033.mspx?mfr=true) EventID.net (http://www.eventid.net/search.asp) Randy Franklin Smith’s Windows Security Log Encyclopedia (http://www.ultimatewindowssecurity.com/encyclopedia.html)
Company: Private Canadian company Toronto based Providing Security consulting and networking solutions for over 10 years Business model focused on delivering timely security information to all areas of an organization (CEO down to administrator) Dynamic, agile response to client needs Experience with customers in multiple verticals Experienced management team Consistent Approach: Provide “snapshot” security information for senior executives Provide detailed “security to-do” lists for follow-up by onsite personnel Proven & Scalable Solutions: Phased Delivery method ensures client satisfaction Successful deployments with large organizations Clients need fewer in-house qualified security professionals Minimize manual, mundane daily client tasks Leverages both Proprietary and Industry Best-of-Breed Technologies Extensible Framework: Adheres to ISO 17799 Framework, Security & Industry Best Practices The Sentry Dashboard is an enabler for any security subsystem Can be adapted to present information from non-security sources (network availability and trending, HR reporting, etc.) Engages all areas of an organization, from Senior Executives and security officers, to hands-on systems and network administrators
Questions…?

More Related Content

PPTX
Logging, monitoring and auditing
byPiyush Jain
 
PPT
ArcSight Basics.ppt
byneoalt
 
PPTX
Overview of Vulnerability Scanning.pptx
byAjayKumar73315
 
PPTX
Advanced Persistent Threats (APTs) - Information Security Management
byMayur Nanotkar
 
PPTX
NETWORK PENETRATION TESTING
byEr Vivek Rana
 
PPTX
User and entity behavior analytics: building an effective solution
byYolanta Beresna
 
PDF
Attacker's Perspective of Active Directory
bySunny Neo
 
PPSX
HP ArcSight
byMohamed Zohair
 
Logging, monitoring and auditing
byPiyush Jain
 
ArcSight Basics.ppt
byneoalt
 
Overview of Vulnerability Scanning.pptx
byAjayKumar73315
 
Advanced Persistent Threats (APTs) - Information Security Management
byMayur Nanotkar
 
NETWORK PENETRATION TESTING
byEr Vivek Rana
 
User and entity behavior analytics: building an effective solution
byYolanta Beresna
 
Attacker's Perspective of Active Directory
bySunny Neo
 
HP ArcSight
byMohamed Zohair
 

What's hot

PDF
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
PPTX
Memory forensics.pptx
by9905234521
 
PPTX
Wazuh Security Platform
byPituphong Yavirach
 
PPTX
Identity and Access Management Introduction
byAidy Tificate
 
PPTX
Computer forensics toolkit
byMilap Oza
 
PPTX
Zero Trust Model
byYash
 
PPTX
Windows Event Analysis - Correlation for Investigation
byMahendra Pratap Singh
 
PPTX
Threat hunting - Every day is hunting season
byBen Boyd
 
PDF
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 
PDF
Network Security Fundamentals
byRahmat Suhatman
 
PDF
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
PDF
Empower Your Security Practitioners with Elastic SIEM
byElasticsearch
 
PDF
Présentation et démo ELK/SIEM/Wazuh
byclevernetsystemsgeneva
 
PPTX
Threat hunting for Beginners
bySKMohamedKasim
 
PDF
Threat Hunting
bySplunk
 
PPT
Cyber Security Layers - Defense in Depth
byMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
PDF
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
PPTX
McAfee SIEM solution
byhashnees
 
PDF
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 
PPTX
Virtual Machine Forensics
byprimeteacher32
 
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
Memory forensics.pptx
by9905234521
 
Wazuh Security Platform
byPituphong Yavirach
 
Identity and Access Management Introduction
byAidy Tificate
 
Computer forensics toolkit
byMilap Oza
 
Zero Trust Model
byYash
 
Windows Event Analysis - Correlation for Investigation
byMahendra Pratap Singh
 
Threat hunting - Every day is hunting season
byBen Boyd
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 
Network Security Fundamentals
byRahmat Suhatman
 
How to Hunt for Lateral Movement on Your Network
bySqrrl
 
Empower Your Security Practitioners with Elastic SIEM
byElasticsearch
 
Présentation et démo ELK/SIEM/Wazuh
byclevernetsystemsgeneva
 
Threat hunting for Beginners
bySKMohamedKasim
 
Threat Hunting
bySplunk
 
Cyber Security Layers - Defense in Depth
byMuhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
McAfee SIEM solution
byhashnees
 
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 
Virtual Machine Forensics
byprimeteacher32
 

Viewers also liked

PPT
NIST 800-92 Log Management Guide in the Real World
byAnton Chuvakin
 
PPTX
Eventlog
byShashi Kanth
 
PDF
The top 10 windows logs event id's used v1.0
byMichael Gough
 
PPTX
Log Monitoring and File Integrity Monitoring
byKimberly Simon MBA
 
PPTX
Building an Empire with PowerShell
byWill Schroeder
 
PDF
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
byBeau Bullock
 
PDF
A Year in the Empire
byWill Schroeder
 
PPTX
Best Practices for Log & Event Management
bySolarWinds
 
PPTX
Vi Minh Toại - Security Risk Management, tough path to success
bySecurity Bootcamp
 
DOC
Audit policy giám sát hệ thống
bylaonap166
 
PPTX
Lateral Movement with PowerShell
bykieranjacobsen
 
PDF
Logging for Hackers - What you need to know to catch them
byMichael Gough
 
PPT
SIEM 6N
byIsmail Helva
 
PDF
Güvenlik, uyumluluk ve veritabani loglama
byErtugrul Akbas
 
PDF
Kiến trúc Bảo mật Toàn diện
bySunmedia Corporation
 
PDF
Log forwarding at Scale
byEduardo Silva Pereira
 
PDF
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
byPriyanka Aash
 
PDF
ログ勉 Vol.1
byKenji Kobayashi
 
PPTX
Harness: PowerShell Weaponization Made Easy (or at least easier)
byRGKelley5
 
PDF
Siem & log management
byRafel Ivgi
 
NIST 800-92 Log Management Guide in the Real World
byAnton Chuvakin
 
Eventlog
byShashi Kanth
 
The top 10 windows logs event id's used v1.0
byMichael Gough
 
Log Monitoring and File Integrity Monitoring
byKimberly Simon MBA
 
Building an Empire with PowerShell
byWill Schroeder
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
byBeau Bullock
 
A Year in the Empire
byWill Schroeder
 
Best Practices for Log & Event Management
bySolarWinds
 
Vi Minh Toại - Security Risk Management, tough path to success
bySecurity Bootcamp
 
Audit policy giám sát hệ thống
bylaonap166
 
Lateral Movement with PowerShell
bykieranjacobsen
 
Logging for Hackers - What you need to know to catch them
byMichael Gough
 
SIEM 6N
byIsmail Helva
 
Güvenlik, uyumluluk ve veritabani loglama
byErtugrul Akbas
 
Kiến trúc Bảo mật Toàn diện
bySunmedia Corporation
 
Log forwarding at Scale
byEduardo Silva Pereira
 
The Seven Most Dangerous New Attack Techniques, and What's Coming Next
byPriyanka Aash
 
ログ勉 Vol.1
byKenji Kobayashi
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
byRGKelley5
 
Siem & log management
byRafel Ivgi
 

Similar to Understanding the Event Log

PPT
What Every Organization Should Log And Monitor
byAnton Chuvakin
 
PPT
Logs & The Law: What is Admissible in Court?
byloglogic
 
PPT
Ch10 Conducting Audits
byInformation Technology
 
PDF
williams-wwhf-20210617-eventlogs.pdf
byVinceVulpes
 
PPTX
CH18-CompSec4e.pptx
byMuhammadYasirKhan36
 
PPT
Logs for Information Assurance and Forensics @ USMA
byAnton Chuvakin
 
PPTX
USING AUDITING IN CYBERFORENSICS FOR CYBERSECURITY
byranapoonam1
 
PPTX
9780840024220 ppt ch10
byKristin Harrison
 
PPTX
TOTLEKELIvxcvxdfsdfsdfsdfsdfqqefewrwerwervesfdfsdfefsdsfds
bysrizvi9
 
PDF
How to Perform Network-wide Security Event Log Management
byGFI Software
 
PDF
Events Classification in Log Audit
byIJNSA Journal
 
PPT
FIRST 2006 Full-day Tutorial on Logs for Incident Response
byAnton Chuvakin
 
DOC
Audit logs for Security and Compliance
byAnton Chuvakin
 
PPT
1556 a 09
byLê Liêu
 
PDF
File000138
byDesmond Devendran
 
PDF
Wc4
bySaid Wali
 
PPTX
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
byAnton Chuvakin
 
PDF
UNIT -III SIEM aur baato kaise hai aap log.pdf
byhefagi6193
 
PPTX
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
byAnton Chuvakin
 
PDF
What basic auditing policy logs attempts to authenticate a user thro.pdf
byjeeteshmalani1
 
What Every Organization Should Log And Monitor
byAnton Chuvakin
 
Logs & The Law: What is Admissible in Court?
byloglogic
 
Ch10 Conducting Audits
byInformation Technology
 
williams-wwhf-20210617-eventlogs.pdf
byVinceVulpes
 
CH18-CompSec4e.pptx
byMuhammadYasirKhan36
 
Logs for Information Assurance and Forensics @ USMA
byAnton Chuvakin
 
USING AUDITING IN CYBERFORENSICS FOR CYBERSECURITY
byranapoonam1
 
9780840024220 ppt ch10
byKristin Harrison
 
TOTLEKELIvxcvxdfsdfsdfsdfsdfqqefewrwerwervesfdfsdfefsdsfds
bysrizvi9
 
How to Perform Network-wide Security Event Log Management
byGFI Software
 
Events Classification in Log Audit
byIJNSA Journal
 
FIRST 2006 Full-day Tutorial on Logs for Incident Response
byAnton Chuvakin
 
Audit logs for Security and Compliance
byAnton Chuvakin
 
1556 a 09
byLê Liêu
 
File000138
byDesmond Devendran
 
Wc4
bySaid Wali
 
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
byAnton Chuvakin
 
UNIT -III SIEM aur baato kaise hai aap log.pdf
byhefagi6193
 
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
byAnton Chuvakin
 
What basic auditing policy logs attempts to authenticate a user thro.pdf
byjeeteshmalani1
 

Recently uploaded

PPTX
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
PPTX
Odoo_by_Infinys_All_in_One_Business_Solution_for_Small_Companies.pptx
byAgusto Sipahutar
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PDF
Getting started with Agent Framework.pdf
byNilesh Gule
 
PDF
Database Performance at Scale: The TL;DR
byScyllaDB
 
PPTX
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
PDF
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
PDF
MathML Core in WebKit
byIgalia
 
PDF
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
PDF
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PDF
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
PDF
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
Odoo_by_Infinys_All_in_One_Business_Solution_for_Small_Companies.pptx
byAgusto Sipahutar
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
Getting started with Agent Framework.pdf
byNilesh Gule
 
Database Performance at Scale: The TL;DR
byScyllaDB
 
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
MathML Core in WebKit
byIgalia
 
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 

Understanding the Event Log

  • 1.
    Understanding the Event Logfor a more secured environment Dave Millier Chuck Ben-Tzur
  • 2.
    Overview Introducing… the EventLog Why Monitor Logs Enabling Event Logging Real Time Monitoring Example: Security Log Tampering Auditing and Analysis Archiving Events Example: File Modification Investigation Event Log Limitation Vista Event Log Example: Creating Log File Using Event Triggered Tasks Resources and Questions
  • 3.
    Introducing…Event Log Centralized logservice to allow applications and the operating system to report events that have taken place. Introduced with Windows NT 4 (1993). Main Windows Logs Application (example: Database message) System (example: driver failure) Security (example: Logon attempt, file access) A Windows 2003 domain controller will also include Directory Service (example: Active Directory connection problem) File Replication (example: domain controller information updates) DNS Vista has introduced a lot of changes
  • 4.
    Why Should WeMonitor Logs We don’t NEED to… We HAVE to… Organizations are obligated by regulations to gather and audit systems activity logs. HIPPA (Health Industry) Regulatory review of system activity to ensure that a user information remains private but accessible Identify, respond and document security incidents GLBA (Financial) Dual control procedures Segregation of duties SOX (Financial) Record Retention and availability Accountability
  • 5.
    Why Should WeMonitor Logs (cont.) To comply with the regulations organizations require the following forms of log monitoring Real-time monitoring Identify attack attempts in progress and if a security breach has occurred. Audit and analysis Periodic reports and analysis for regulation compliance (due diligence). Archiving Again… regulations compliance (log retention) Forensic investigation of an incident The event log should also enable the organization to implement internal security policies.
  • 6.
    Enabling Event Logging Eachevent category is controlled by audit policies: Account logon events (for domain accounts) Account management (group and account events) Directory service access Logon events (local machine events) Object access (user accessing an object such as file, folder, printer) Policy change (changes in the audit, user rights and trust policies) Privilege use (user exercising one or more of his rights) Process tracking (detailed tracking information) System events (events that affect the system security or log) Each policy can be set to audit success events only, failure events only, success/failure events, or no auditing at all.
  • 7.
  • 8.
    Real-Time Monitoring Successful eventsthat grant the user high level privileges (either by spoofing identity or elevation of privileges) Events to monitor Successful high profile user account / group management events #636– Group member added or removed Successful logon events of high profile user accounts #680 – Logon attempt Successful logon events to a domain controller Operations on specific high profile resources (files, folder) #560 (Object Access), #564 (Object Deleted) Successful policy change events #612 – Audit Policy Change (logs no more…) All system events #517 – security log was cleared
  • 9.
    Example: Event #517(Clear Security Log) Security Log
  • 10.
    Example: Event #517(Clear Security Log) Security Log A User will try to erase the logs
  • 11.
    Example: Event #517(Clear Security Log) Security Log A User will try to erase the logs (and not event save it)
  • 12.
    Example: Event #517(Clear Security Log) Security Log A User will try to erase the logs A New Event is Created
  • 13.
    Example: Event #517(Clear Security Log) Security Log A User will try to erase the logs A New Event is Created The Event Contains the User Name
  • 14.
    Real-Time Monitoring (cont.) Trackingand analysing event failure patterns may indicate a range of malicious attack attempts Failed logon activity (e.g. brute force attack) #675 – Pre Auth, failed with Kerberos code 24 (Bad password) #539 - logon failure due to account lockout (if systematic may be an indication of DoS) Failed account management activity (e.g. password reset events) All failed system events #517 – Audit log cleared Note: Most of the auditing policies, by default, are set to log successful events only. Local policies may be set to no auditing at all.
  • 15.
    Real-Time Monitoring (cont.) Possibleissues Flood of events (domain controller and member server event duplication, detailed tracking events) Solution: Consolidate log information for better analysis Unmonitored systems (e.g. unaudited events on a file server) Solution: Threat modeling, identifying assets in organization Unmonitored events (detailed user and process activity) Solution: Organization security program and policies False positives due to configuration problems (e.g. expired service password) Solution: Knowledge of the network, components and assets (Human Factor)
  • 16.
    Auditing and Analysis Mostregulations require a periodic review of important events (not critical or show stoppers) for two reasons: A “second chance” to reveal malicious activity originally undetected (and unaccountable for). Audit the ongoing activity to verify no major changes have taken place. The data is usually reviewed in the form of reports (detailed and summarized) Example of Events to Monitor (A short list) #529 to #535 and #539 – Logon failure (different reasons) #629 – User account Disabled #644 – User account Locked Out
  • 17.
    Auditing and Analysis(cont.) Possible issues Finding a critical event that was not detected by the real-time monitoring processes Solution: Investigate the incident to eliminate or mitigate any results of malicious activity. Duplicated events (Domain controller and Local Server) Solution: Correlate and consolidate events using external system Lack of security policies to help and identify events to be audited (e.g. Messenger) Solution: Define security policies to determine which event types need to be audited on a regular basis. Report requirements are unclear and affect the log detail level Solution: Define auditing processes to determine what type of logs and details are required (TIP: when in doubt, use graphs…)
  • 18.
    Archiving Events Event Archivingis done for two main reasons: Log retention compliance (e.g. SOX) Forensic investigation of a security incident (chain of evidence) In general, all system events should be logged. However, by default, not all audit policies are set to generate logs. In particular, detailed tracking of high profile objects (such as files, folders, printers, etc.) is turned off by default. A common misconception is that regular object access events provide this information.
  • 19.
    Example: Detailed EventTracking Detailed Event tracking can include the following events: #528 – Successful Login (The user authenticate to the system) #592 – A new process has been created (application is launched) #560 – Object Open (a file is requested) #567 – Object Access (the file is modified and saved) #564 – Object Deleted #562 – Handle Closed (the file has been closed) #593 – A Process Has Exited (the application was terminated)
  • 20.
    Example: Detailed EventTracking Enabling Audit Policies Object Access Logon (Local and Domain) Privilege Use Process Tracking
  • 21.
    Example: Detailed EventTracking A Very Important Folder (e.g. sensitive document on a file server)
  • 22.
    Example: Detailed EventTracking A Very Important Folder (e.g. sensitive document on a file server) The folder contains files we wish to monitor (compliance, sensitive information, etc.)
  • 23.
    Example: Detailed EventTracking Detailed Tracking is configured on the resource itself
  • 24.
    Example: Detailed EventTracking Detailed Tracking is configured on the resource itself Security > Advanced
  • 25.
    Example: Detailed EventTracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab
  • 26.
    Example: Detailed EventTracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add
  • 27.
    Example: Detailed EventTracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add
  • 28.
    Example: Detailed EventTracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add Select the Account or Group to be audited
  • 29.
    Example: Detailed EventTracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add Select the Account or Group to be audited Select the events to audit (Read, Write, Delete…)
  • 30.
    Example: Detailed EventTracking Detailed Tracking is configured on the resource itself Security > Advanced > Auditing Tab > Add Select the Account or Group to be audited Select the events to audit (Read, Write, Delete…) Each user/group will require additional settings
  • 31.
    Example: Detailed EventTracking Timestamp: 13-06-07 04:27:40
  • 32.
    Example: Detailed EventTracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39
  • 33.
    Example: Detailed EventTracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 Filter who was logged in during that time
  • 34.
    Example: Detailed EventTracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D
  • 35.
    Example: Detailed EventTracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916
  • 36.
    Example: Detailed EventTracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644
  • 37.
    Example: Detailed EventTracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644
  • 38.
    Example: Detailed EventTracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39
  • 39.
    Example: Detailed EventTracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39 File (644) closed
  • 40.
    Example: Detailed EventTracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39 File (644) closed Excel Process (2916) Terminated
  • 41.
    Example: Detailed EventTracking Timestamp: 13-06-07 04:27:40 Last Modify: 13-06-07 05:27:39 User Logon ID: 0x43F744D Excel Process ID: 2916 File Open Handle: 644 File (644) Modified at 05:27:39 File (644) closed Excel Process (2916) Terminated Matching Modification Times
  • 42.
    Archiving Events (cont.) Possibleissues Volume of events (can reach several million events a day from a busy server) Solution: Transfer logs to long-term storage (compressed, digitally signed, etc.) Lack of security policies to help and identify events and processes to be audited (e.g. Messenger) Solution: Define security policies to determine which processes and their relevant events need to be logged on a regular basis. The event logs are just a portion of the “chain of evidence” Solution: Define auditing processes to ensure that all the required logs are being gathered and associated (e.g. a unique ID or a time stamp). For example: associate firewall logs through the Windows event logs and to the database logs.
  • 43.
    Know Your EventLog Limits Size matters (and its never enough…) Solution: For long term logging, use an external storage system.
  • 44.
    Know Your EventLog Limits (cont.) Log Analysis and correlation (especially when using automatic systems like SEM and SIM) often result in a large number of false positives. Solution: Knowledge of the network and assets to refine alerts, ongoing tuning Logs are a “detective” measure and are not an IPS (Intrusion prevention system) on their own Solution: Vista has a partial solution. For complicated responses, leverage external solution to gather and analyze logs Not all events are logged on the domain controller. These events require a log gathering process Solution: Vista has presented a solution. Otherwise, use external log gathering system.
  • 45.
    Know Your EventLog Limits (cont.) Security event logs monitor only the authentication and authorization mechanisms of the operating system. Solution: Most applications write (or should…) logs to the Windows event log. These logs can be used to enhance the monitoring capabilities. Custom application logs neglect to provide information regarding the log details or the severity or of the event. Solution: Educate your developers, develop an API, buy something better…
  • 46.
    Vista Event Log More More Event Categories Sources
  • 47.
  • 48.
  • 49.
    Vista Event Log Redesigned XMLBased Simple to Understand
  • 50.
    Vista Event Log Redesigned XMLBased Simple to Understand.
  • 51.
    Vista Event Log Redesigned XMLBased Simple to Understand..??
  • 52.
    Vista Event Log Redesigned XMLBased Simple to Understand….
  • 53.
    Event Log Tasks(Vista) Select an Event
  • 54.
    Event Log Tasks(Vista) Select an Event to open the Wizard
  • 55.
    Event Log Tasks(Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic)
  • 56.
    Event Log Tasks(Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action
  • 57.
    Event Log Tasks(Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action e-mail settings
  • 58.
    Event Log Tasks(Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action
  • 59.
    Event Log Tasks(Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Launch a process
  • 60.
    Event Log Tasks(Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings
  • 61.
    Event Log Tasks(Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings A New Task is Born…
  • 62.
    Event Log Tasks(Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings Task Created Task is Visible in the Task Scheduler
  • 63.
    Event Log Tasks(Vista) Select an Event to open the Wizard The type of Event is pre-selected (basic) Select Action Finalize Settings Task Created Task is Visible in the Task Scheduler (new Tasks Category)
  • 64.
    Event Log Tasks(Vista) Problem: Basic Task Event Details are pre- defined.
  • 65.
    Event Log Tasks(Vista) Problem: Basic Task Event Details are pre- defined. The next example will: • Trigger on successful logon events of a specific group • Create a file with a list of users that logged on • Highlight username with “Admin” string
  • 66.
    Event Log Tasks(Vista) Create a New Task
  • 67.
    Event Log Tasks(Vista) Create a New Task Select the User Group
  • 68.
    Event Log Tasks(Vista) Create a New Task Select the User Group Triggers Tab > New
  • 69.
    Event Log Tasks(Vista) Create a New Task Select the User Group Trigger Task On an Event
  • 70.
    Event Log Tasks(Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom
  • 71.
    Event Log Tasks(Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter…
  • 72.
    Event Log Tasks(Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs
  • 73.
    Event Log Tasks(Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs (Multiple Logs!)
  • 74.
    Event Log Tasks(Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs (Multiple Logs!) Select Events ID (Possible Multiple IDs) and Keywords
  • 75.
    Event Log Tasks(Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs (Multiple Logs!) Select Events ID (Possible Multiple IDs) The trigger is saved as XMLQuery (Can be modified)
  • 76.
    Event Log Tasks(Vista) Create a New Task Select the User Group Trigger Task On an Event Switch from Basic to Custom and Create New Filter… Select Event Logs (Multiple Logs!) Select Events ID (Possible Multiple IDs) The trigger is saved as XMLQuery (Can be modified) The Task Action will be “Select a Program”…
  • 77.
    Event Log Tasks(Vista) This VB script search for “Admin” string in the logged user name and add a notes beside it.
  • 78.
    Event Log Tasks(Vista) The output of three different users logging to the machine…
  • 79.
    Event Log @Vista New Event Viewer (interface) Over 50 new Event categories Over 2400 policies (over 1000 in W2K3) XML based Events are still written locally Critical Events can be forwarded Expanded to serve as single location for all events (using Windows Remote Manager) Events can launch system tasks
  • 80.
    Resources TechNet – AuditingOverview (http://technet2.microsoft.com/windowsserver/en/library/768463f6-02b9-4e5e-af55- 29c089ade6381033.mspx?mfr=true) EventID.net (http://www.eventid.net/search.asp) Randy Franklin Smith’s Windows Security Log Encyclopedia (http://www.ultimatewindowssecurity.com/encyclopedia.html)
  • 81.
    Company: Private Canadian company Toronto based Providing Security consulting and networking solutions for over 10 years Business model focused on delivering timely security information to all areas of an organization (CEO down to administrator) Dynamic, agile response to client needs Experience with customers in multiple verticals Experienced management team Consistent Approach: Provide “snapshot” security information for senior executives Provide detailed “security to-do” lists for follow-up by onsite personnel Proven & Scalable Solutions: Phased Delivery method ensures client satisfaction Successful deployments with large organizations Clients need fewer in-house qualified security professionals Minimize manual, mundane daily client tasks Leverages both Proprietary and Industry Best-of-Breed Technologies Extensible Framework: Adheres to ISO 17799 Framework, Security & Industry Best Practices The Sentry Dashboard is an enabler for any security subsystem Can be adapted to present information from non-security sources (network availability and trending, HR reporting, etc.) Engages all areas of an organization, from Senior Executives and security officers, to hands-on systems and network administrators
  • 82.