We are in a complex world where attacks are increasing day by day, so today cyber intelligence depends on SIEM as a part of infosec (security incident and event management).
Most companies depend on logs and packets to have a better view.. above 90 % of them are working with logs rather than packets.
People, processes, and technology will be a triangle for security operations.
If you want to take in-depth SOC Training, you can take this
SOC Analyst – Cyber Attack Intrusion Training From Scratch to Advanced Level
From this article, you will be knowing that what are logs and how they are parsed through SIEM for better visibility for an analyst to handle an incident.
Logs are an essential part of each device. logs are meaningful elements that can show relevant information about end-user activities to security analysts under SOC(Security Operation Center) and it is also part of the review for audit and compliance.
Let’s take the scenario that the Windows operating system may be your event source and Analyst at another end.
What activities you are performing from power on to power off will be logged and logs will be sent to Security Operation Center.
Users’ unusual activities will be recorded as an incident in the Security operation center.
Logs are three types which will be triggered according to your activities performed in your system
Learn: SOC Analyst – Cyber Attack Intrusion Training | From Scratch
Types of logs in Windows?
In specific with Windows logs are three types system, security, and application
Application log
Each application will have its logs, which will be triggered when it contains errors or a warning will be sent to SOC for review.
Security log
Suspicious User activities for account success and failure logins will be logged and process creation, and termination for each and every file accessed by the user account logged will be logged into this category.
System log
Logs that footprinting the process of kernel boot, driver updates or failure, windows updates,s, and more interesting things will be logged into the system log category.
Since security is our concern, we will discuss security logs, and look at the figure for better understanding, In this screenshot, the analyst is analyzing a log for Windows event sources.
As I told earlier Siem is built for visibility so, whatever security issues happening with end users should be triggered to the Security operation center.
In the above picture, an analyst has clear visibility of end-user activities. In this, we can see the event id is 4720.
When a new user account is created for domain accounts or local SAM accounts. Event logs will be established with event id 4720 with respect to new user account creation.
There are similar evils Id’s for hackers 😀
EVENT ID 4725: User account deleted
When the user account was disabled in local or domain accounts this event id will be triggered in event sources and it will be pushed to the siem server for visibility.
A user account was disabled
Subject Security ID: WIN- G5GS6SG\Administrator Account Name: Administrator Account Domain: WIN- G5GS6SG Logon ID: 0x1fd23 Target Account: Security ID: WIN-G5GS6SG\BALA Account Name: BALA Account Domain: WIN-G5GS6SG
Event ID 4625: An account failed to log on
Suspicious guessing for username and password will be triggered with this event id as an unknown or bad password to the analyst.
An account failed to log on.
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: BALA Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: WIN-ADMIN Source Network Address: 192.168.0.100 Source Port: 53176 Detailed Authentication Information: Logon Process: NTLMSSP Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0
Event ID 4726: User account deleted
When a user account was deleted in local or domain accounts this event will be recorded and forwarded to the analyst.
A user account was deleted.
Subject: Security ID: WIN-G6R56\Administrator Account Name: Administrator Account Domain: WIN-G6R56 Logon ID: 0x1fd23 Target Account: Security ID: WIN-G6R56\BALA Account Name: BALA Account Domain: WIN-G6R56
Event ID 4608: Windows is starting up
Windows startup or power on will be logged in with respect to the username and will be triggered by the analyst.
Cybersecurity analysts will know when you have logged in and logged out timing.
Example: Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Event ID 4624: Successful network login
Any successful logins within your network or outside the network will be logged, if it’s your network admin no issues if not it might be a compromise. Should respond as soon as possible.
An account was successfully logged on.
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Impersonation Level: Impersonation New Logon: Security ID: ADMIN\BALA Account Name: BALA Account Domain: ADMIN Logon ID: 0x894B5E95 Logon GUID: {ghf73-h56f-5f11-29b8-hf6738hj} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: Source Network Address: 192.168.1.1 Source Port: 59752 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0
Event ID 4625: Account locked out for failure attempts
Failed login attempts to the same account will be locked and logged as the event will be investigated for policy violation.
An account failed to log on.
Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: BALA Account Domain: Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: 0xc0000064 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: WIN-ADMIN Source Network Address: 192.168.1.1 Source Port: 53176 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0
Event ID 1102: Audit logs were cleared
When security, system, or application logs are cleared or deleted they will be logged for an investigation further forensics methods can be used to retrieve logs.
The audit log was cleared Account For Which Logon Failed: Security ID: NULL SID Account Name: BALA Account Domain: Logon ID: 0x169e9
In general SIEM tool collects logs from devices present in the Organization’s infrastructure. Some solutions also collect NetFlow and even raw packets.
With the collected data(mainly logs, and packets), the tool provides insight into the happenings of the network.
You can follow us on Linkedin, Twitter, and Facebook for daily Cybersecurity updates.