Published on August 5th, 2019
Understanding Windows Event logs for Cyber Security Operations Center
A Cyber Security Operations Center protects organizations and the sensitive business data of their customers. It ensures active monitoring of valuable business assets through visibility, alerting and investigation of threats, and a holistic approach to managing risk.
The analytics service can be in-house or a managed security service. Collecting event logs and analyzing them against real-world attacks is the heart of the security operations center.
Events – Security operations center
Events are generated by systems, for example as error codes, and devices generate events recording the success or failure of their normal functions, so event logging plays an important role in detecting threats. An organization typically has many Windows and Linux hosts in several flavors, plus firewalls, IDS, IPS, proxies, NetFlow, ODBC sources, AWS, VMware, etc.
These devices track attackers' footprints as logs and forward them to SIEM tools for analysis. In this article, we will see how events are pushed to a log collector. To learn more about Windows events and event IDs, refer here.
The log collector is a centralized server that receives logs from any device. Here I have deployed the Snare Agent on a Windows 10 machine, so we will collect Windows event logs and detect attacks against the Windows 10 machine using the Snare Agent.
Snare is a SIEM (Security Incident and Event Management) solution for log collection and event analysis on various operating systems (Windows, Linux and Apple OSX), and it also supports a database agent for MSSQL events generated by Microsoft SQL Server. It is available as both Enterprise and Open Source agents.
- For demo purposes, I have been using no credentials, but it is always recommended to use strong passwords so that logs are not leaked.
Snare Web interface:
- By default, Snare runs on port 6161.
- A random port can also be chosen, with TCP, UDP or TLS/SSL as the protocol.
- Snare asks for credentials to log in. Here I have given no authentication.
- The figure below shows the Snare agent installed successfully and provides additional details on screen.
Network & File Destination Configuration
- Our Windows 10 machine has started sending event logs to the Snare console.
- The Snare console is running on localhost and collecting logs from the Windows machine.
NOTE: Logs can be sent to a centralized server, which then pushes them to the SIEM (this method is used to reduce load on the SIEM), or Snare logs can be sent directly to the SIEM (this method can be deployed if your SIEM has enough storage for long- and short-term log retention). It is recommended to configure your SIEM with the Snare port details and confirm that the connection test succeeds before collecting logs.
- You can therefore change the network destination IP to the SIEM IP or the log collector IP.
- The figure above shows the destination configured as localhost to collect and store event logs in various formats: SNARE, SYSLOG, CEF (Common Event Format) or LEEF (Log Event Extended Format).
- By default, it collects logs and saves the file in Snare format, and the logs are forwarded to the SIEM.
- The web server port, authentication for console access and the web server protocol can easily be defined according to your environment.
- The figure above shows a configuration with web server port 6161, Snare agent port 6262 and HTTP as the web server protocol for demo purposes. It is recommended to install a certificate so that logs are forwarded over a secure connection.
- Objectives include events in different categories, such as Windows logon/logoff, access to a file or directory, security policy changes, system restart and shutdown.
- Specific events can be modified or deleted to assign a priority (Critical, High, Low & Information).
Audit Service Statistics
- The Audit Service ensures Snare is connected and sending logs to the SIEM.
- It shows the daily average bytes of events transmitted to the SIEM.
- In case of network failures, the SOC administrator can check the status of the service.
Security Certification – Security operations center
- To encrypt the connection, generate a self-signed certificate for the Web UI, the Snare agent and network destination certificate validation, establishing a secure way of forwarding logs to the SIEM.
- If the SIEM has not been collecting event logs from the Snare agent for a while, it's time to troubleshoot and retrieve logs from the Snare server.
- The figure above shows the Snare services restarted successfully.
Events – Security operations center
- Windows 10 is forwarding event logs to your deployed SIEM, or events can be viewed in the Snare console.
- You cannot open Snare every time and look up intrusions into your environment; for this reason we forward logs to the SIEM, whose intelligence detects attacks.
- The SIEM becomes intelligent enough to trap attackers by building effective correlation rules.
- The pictures above show Event ID 4625, which is a failed password attempt against the Windows 10 machine, followed by a successful 4689 event.
- A list of Windows Event IDs is available here.
NOTE: The figures above show failed attempts followed by a successful login.
Correlation rule & Incidents
- It is an engine designed for writing defensive rules to detect offensive actors. Each rule yields a unique incident.
- Example: assume you are writing a rule for brute-force attempts. A brute-force attempt consists of continuous threads sending different passphrases to the server.
- As per the NOTE above: failed attempts followed by a successful login.
Correlation rule: failed password attempts + followed by successful login = Brute-force (Incident)
Now your customer environment is ready for the known use case (brute-force detected). You can also build or write your own use cases and deploy them in your SIEM to detect sophisticated cyber-attacks!
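The correlation rule above, as an added example that is not from the article or from Snare: a small Python correlator that reads constructed, simplified tab-separated Snare-style lines, counts 4625 failed logons per source IP and user inside a sliding time window, and raises one incident when a 4624 successful logon follows. 4624 is the standard Windows successful-logon event ID; the field layout, threshold, window and sample values are assumptions for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified, tab-separated Snare-style layout:
# host, source, criticality, log, counter, timestamp, event id, user, source ip.
# This field order is an assumption for the demo, not Snare's exact format.
SAMPLE_LOG = """\
WIN10\tMSWinEventLog\t1\tSecurity\t101\t2019-08-05 10:00:01\t4625\tadmin\t10.0.0.5
WIN10\tMSWinEventLog\t1\tSecurity\t102\t2019-08-05 10:00:03\t4625\tadmin\t10.0.0.5
WIN10\tMSWinEventLog\t1\tSecurity\t103\t2019-08-05 10:00:04\t4625\tadmin\t10.0.0.5
WIN10\tMSWinEventLog\t1\tSecurity\t104\t2019-08-05 10:00:06\t4625\tadmin\t10.0.0.5
WIN10\tMSWinEventLog\t1\tSecurity\t105\t2019-08-05 10:00:09\t4624\tadmin\t10.0.0.5
WIN10\tMSWinEventLog\t1\tSecurity\t106\t2019-08-05 10:05:00\t4625\tbob\t10.0.0.7
WIN10\tMSWinEventLog\t1\tSecurity\t107\t2019-08-05 10:05:30\t4624\tbob\t10.0.0.7
"""

def parse_line(line):
    """Split one tab-separated line into the fields the rule needs."""
    f = line.rstrip("\n").split("\t")
    return {"host": f[0],
            "time": datetime.strptime(f[5], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(f[6]), "user": f[7], "src_ip": f[8]}

def correlate(lines, threshold=3, window=timedelta(minutes=2)):
    """Return one incident per (src_ip, user) when at least `threshold`
    4625 failures inside `window` are followed by a 4624 success."""
    failures = defaultdict(deque)   # (src_ip, user) -> failure timestamps
    incidents = []
    for ev in map(parse_line, lines):
        key = (ev["src_ip"], ev["user"])
        q = failures[key]
        # Drop failures that have slid out of the correlation window.
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if ev["event_id"] == 4625:
            q.append(ev["time"])
        elif ev["event_id"] == 4624 and len(q) >= threshold:
            incidents.append({"host": ev["host"], "src_ip": key[0],
                              "user": key[1], "failures": len(q),
                              "success_at": ev["time"]})
            q.clear()   # one incident per burst, not one per later success
    return incidents

if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOG.splitlines()):
        print("Brute-force incident:", inc)
```

The single failure by "bob" followed by a success stays below the threshold and raises nothing, which is the kind of noise the window and threshold are there to suppress.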
Also, we recommend taking one of the leading online courses for SOC Analyst – Cyber Attack Intrusion Training | From Scratch to enhance your skills and become a SOC analyst.