“At 7:04am on July 22nd, our bad actor successfully obtained access to the user’s workstation. At 7:06am, they attempted to install malicious programs but were unsuccessful.”
This is a dramatization of the Lessons Learned documents organizations release after a breach or attempted breach. It always says how much or how little information they have about what happened. The amount of information they have usually isn’t because the investigator is Sherlock Holmes, but rather because of Auditing and Logging options that were enabled long before the event happened. It’s difficult to page through endless lines of events, but through the use of aggregators and filters, we can narrow down the list to what we actually need.
Microsoft has really ramped up the level to which various elements of Windows can be logged over the past few generations. As a result, Windows 10 has an enormous selection of values that can be monitored and recorded. We’re briefly going to go over these options here, with more detail available via the links below.
If you’re checking logs on a large scale, remember that tuning your aggregation is just as important as pulling information in the first place. The idea is to get the best possible signal/noise ratio you can so that you aren’t storing data needlessly or missing logs that you actually require.
Auditing Windows 10 system logs
System logs are your bread and butter when it comes to figuring out what happened with applications and the OS as a whole. Accessing system logs in their basic form is extremely straightforward on nearly all generations of Windows systems.
To start with, right-click on your Start Menu and select Computer Management.
As a rule, Computer Management really does what it says on the box — it’s almost a one-stop shop (Read more...)
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Kurt Ellzey. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/ira-GiYbLBA/