
Windows event log management


A brief presentation on Windows Event Log management to the Central Alabama ISSA chapter.


  1. WINDOWS EVENT LOG MANAGEMENT: Collecting what matters…
  2. AGENDA
     • What logs are we missing?
     • What’s important?
     • How can we collect those logs?
     • How do we manage the volume?
  3. LOG COLLECTION
     • Access
     • Firewalls
     • IDS/IPS
     • Email
     • Authentication
     • Domain
     • Local
     • Web
     • Purpose
     • Detection
     • Performance
     • Incident Response
  4. LOGS FROM WORKSTATIONS AND SERVERS
     Workstations:
     • Thousands of Endpoints
     • Segmented
     • Decentralized
     • Standard Images/Agent averse
     • Performance sensitive
     Servers:
     • Highly segmented
     • Access restrictions
     • Agent averse
     • Performance sensitive
  5. WINDOWS EVENT COLLECTORS
     • Built-in Windows functionality
     • One command to run
     • One GPO to setup (per collector)
     (Diagram labels: Workstations, Servers, Active Directory, Group Policy, Event Logs, Event Collectors, SIEM, Filtered/Unfiltered Event Logs)
  6. SUBSCRIPTIONS
  7. WHERE TO START?
     • 4688 – process started/stopped – suspicious processes (e.g. Whoami)
     • 1102 – The audit log was cleared
     • 47xx – Members added/removed from privileged groups
     Can you detect these?
  8. RESOURCES
     • http://www.andrewalaniz.com/2016/10/windows-event-forwarding-collector-resources/
     • https://github.com/Neo23x0/sigma
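Slide 5 says a collector needs "one command to run" and "one GPO to setup". The script below is an added example, not part of the slide deck or the author's material: it shows what that one command and a matching source-initiated subscription look like on the collector, wired to the event IDs slide 7 lists. The collector name `wec01.corp.example` and the subscription name `WhereToStart` are placeholders I chose.

```powershell
# Added example (not from the slide deck): stand up a Windows Event Collector and
# create one source-initiated subscription for the event IDs the deck highlights.
# Assumptions: run in an elevated prompt on the collector; source computers are
# domain members; collector FQDN is the placeholder "wec01.corp.example".

# 1. The "one command": configure the Windows Event Collector service
#    (starts it, sets delayed auto start, enables the WinRM listener). /q suppresses prompts.
wecutil qc /q

# 2. Subscription definition. Sources push over WinRM (HTTP 5985, Kerberos-authenticated
#    and message-encrypted) into the collector's ForwardedEvents log.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wsman/eventing/Subscription">
  <SubscriptionId>WhereToStart</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>4688 process creation, 1102 audit log cleared, privileged group changes</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>500</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="900000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4688 or EventID=1102)]]</Select>
        <Select Path="Security">*[System[(EventID=4728 or EventID=4729 or EventID=4732 or EventID=4733 or EventID=4756 or EventID=4757)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL: allow Domain Computers (DC) and Domain Controllers (DD) to forward -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@

$path = Join-Path $env:TEMP 'WhereToStart.xml'
Set-Content -Path $path -Value $subscriptionXml -Encoding ASCII
wecutil cs $path

# 3. Verify: the subscription definition, then per-source runtime status once
#    sources have refreshed their policy and checked in.
wecutil gs WhereToStart
wecutil gr WhereToStart
```

The "one GPO" lives on the source side: Computer Configuration > Policies > Administrative Templates > Windows Components > Event Forwarding > "Configure target Subscription Manager", with a value such as `Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60` (placeholder host). Sources also need WinRM enabled (`winrm quickconfig` or the equivalent policy) and the NETWORK SERVICE account granted read access to the Security log (membership in the local Event Log Readers group is the usual route), otherwise `wecutil gr` shows the source as active but nothing arrives.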
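Slide 7 ends with "Can you detect these?". As an added example that is not part of the slide deck, the script below answers that on the collector: it reads the last 24 hours of forwarded events and raises an entry for each of the three cases the slide names. It assumes events land in the collector's `ForwardedEvents` log, that the sources have "Audit Process Creation" and "Include command line in process creation events" enabled (without the latter 4688 carries no command line), and the group and binary watch lists are my own illustrative choices.

```powershell
# Added example (not from the slide deck): triage the three event classes from
# slide 7 out of a collector's ForwardedEvents log.

# Group-membership change IDs: added (4728 global, 4732 local, 4756 universal)
# and removed (4729, 4733, 4757). The watch list is illustrative.
$groupChangeIds    = 4728, 4729, 4732, 4733, 4756, 4757
$privilegedGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Binaries ordinary users rarely launch interactively; whoami is the deck's example.
$suspiciousBinaries = 'whoami.exe', 'net.exe', 'nltest.exe'

function Get-EventField {
    # Return the value of a named <Data Name="..."> element from an event's EventData.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function New-Alert {
    param($Event, [string]$Detail)
    [pscustomobject]@{ Time = $Event.TimeCreated; Host = $Event.MachineName; Id = $Event.Id; Detail = $Detail }
}

$filter = @{
    LogName   = 'ForwardedEvents'
    Id        = @(4688, 1102) + $groupChangeIds
    StartTime = (Get-Date).AddHours(-24)
}

$alerts = foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    switch ($e.Id) {
        4688 {
            # Match on the image name; the command line is reported for context.
            $proc = Get-EventField $e 'NewProcessName'
            if ($suspiciousBinaries -contains ([IO.Path]::GetFileName($proc))) {
                New-Alert $e ("{0} ran {1} {2}" -f (Get-EventField $e 'SubjectUserName'), $proc, (Get-EventField $e 'CommandLine'))
            }
        }
        1102 {
            # 1102 stores its subject under UserData/LogFileCleared, not EventData.
            $who = ([xml]$e.ToXml()).Event.UserData.LogFileCleared.SubjectUserName
            New-Alert $e "Security log cleared by $who"
        }
        default {
            # In 47xx events TargetUserName is the group and MemberName the account (DN form).
            $group = Get-EventField $e 'TargetUserName'
            if ($privilegedGroups -contains $group) {
                $verb = if ($e.Id -in 4728, 4732, 4756) { 'added to' } else { 'removed from' }
                New-Alert $e ("{0} {1} {2} by {3}" -f (Get-EventField $e 'MemberName'), $verb, $group, (Get-EventField $e 'SubjectUserName'))
            }
        }
    }
}

$alerts | Sort-Object Time | Format-Table -AutoSize
```

Two practical notes: a 4688 for `whoami.exe` is noisy on jump hosts where administrators run it by hand, so the filter is best scoped by user or host before it becomes an alert; and a 1102 from any source is worth an alert on its own, since clearing the Security log is rarely a routine action and the event itself is generated only after the clear succeeds.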
