Comments on Windows Incident Response: Event Log Analysis and Reporting

Comment posted 2005-08-22:

It really depends on what the mission of the day is.

On one job, I wrote a batch script to live on primary domain controllers (or the equivalent PDC emulator in an AD) and hunt for password lockout events. This served a dual purpose: anyone watching the logs (I had it going to a web page that auto-refreshed) would see an attack happen pretty quickly, and respond. Since the computername was logged as well, we could send someone out to investigate usually within minutes of the attempt.

Additionally, it helped people who had legitimately locked themselves out to track down where the problem was (most innocent lockouts are the result of two computers logged in during a password change). So that little log parser got lots of bang for the buck.

Other times, a confidential file has gotten loose and (if object access auditing was turned on) we can track everyone who has accessed it within x number of days.

A third example I can think of ... all the database servers were running seti@home but the DBA strenuously disavowed having installed these potential backdoors. A quick sort through 'process tracking' entries proved him to be lying.

As for correlation. This is a big one, really. Process tracking makes it easy enough to see processes start but not when they end. Y'know that 'ip conversation' function that Ethereal has? Where you pick a packet and it sorts out all other packets either to or from the same host that are part of that conversation? I envision the Event Log having similar functionality, and I drool.

To be able to just go to a machine and say 'show me all security log entries for user jdoe' ... then selectively filter /out/ more and more noise, would be just awesome.

(Event Viewer currently only has an 'include' filter mechanism; no way to define excludes).

I think at least 60% of event log usage is going to be reactive not proactive ... a particular thing has already happened and we turn to the logs to piece out the what-why-when-who-where of it. But with a bit more thinking I bet I could come up with more proactive uses which would trigger alerts *as* something is happening.

-- Anonymous
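As an added illustration (not the commenter's batch script), the sketch below shows the two things the comment asks for over a handful of constructed Security-log records: the lockout hunter that counts lockouts per originating computer, and a per-user view that supports both an include filter (what Event Viewer offers) and the exclude filter the commenter wanted. The event IDs 4740, 4625 and 4688 are the current Windows Security-log IDs for lockout, failed logon and process creation; they postdate the comment and are used here only as labels for the sample data.

```python
from collections import Counter, namedtuple

Event = namedtuple("Event", "event_id user computer message")

# Constructed sample records standing in for Security-log entries (not real data).
# 4740 = account locked out, 4625 = failed logon, 4688 = new process created
# (current Windows Security-log IDs; the original comment predates them).
SAMPLE_LOG = [
    Event(4625, "jdoe", "WS-0417", "Logon failure: bad password"),
    Event(4625, "jdoe", "WS-0417", "Logon failure: bad password"),
    Event(4740, "jdoe", "WS-0417", "Account locked out"),
    Event(4625, "asmith", "LAPTOP-22", "Logon failure: bad password"),
    Event(4740, "asmith", "LAPTOP-22", "Account locked out"),
    Event(4740, "asmith", "LAPTOP-22", "Account locked out"),
    Event(4688, "jdoe", "WS-0417", "New process: setiathome.exe"),
    Event(4688, "svc_backup", "DB-01", "New process: backup.exe"),
]


def filter_events(events, include=None, exclude=None):
    """Apply an include filter (what Event Viewer does) and then an exclude
    filter (what the comment wanted). Each filter maps a field name to the
    set of values that are allowed (include) or dropped (exclude)."""
    include = include or {}
    exclude = exclude or {}
    kept = []
    for ev in events:
        if any(getattr(ev, f) not in vals for f, vals in include.items()):
            continue
        if any(getattr(ev, f) in vals for f, vals in exclude.items()):
            continue
        kept.append(ev)
    return kept


def lockouts_by_computer(events):
    """The PDC 'lockout hunter': count lockout events per originating
    computer so an investigator knows which machine to visit."""
    return Counter(ev.computer for ev in events if ev.event_id == 4740)


def entries_for_user(events, user, drop_ids=()):
    """'Show me all security log entries for user jdoe', then filter out
    the event IDs that are noise for the question at hand."""
    return filter_events(events, include={"user": {user}},
                         exclude={"event_id": set(drop_ids)})


if __name__ == "__main__":
    for computer, n in lockouts_by_computer(SAMPLE_LOG).most_common():
        print(f"{computer}: {n} lockout(s)")
    for ev in entries_for_user(SAMPLE_LOG, "jdoe", drop_ids=[4625]):
        print(ev)
```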