Scribd
Upload
82 views

SIEM Better Visibility For SOC Analyst To Handle An Incident With Event ID

This document discusses how security information and event management (SIEM) tools provide better visibility for security operations center (SOC) analysts to handle incidents. It explains that over 90% of companies rely on logs rather than packets, and that logs are generated by applications, security events, and the operating system. Specific Windows event IDs are described that indicate security-relevant system events like user account creation and logins. The document argues SIEM tools collect and parse these logs to give analysts clear visibility of end-user activities and potential security issues or policy violations.

Uploaded by

Sokoine Hamad Denis
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
82 views

SIEM Better Visibility For SOC Analyst To Handle An Incident With Event ID

This document discusses how security information and event management (SIEM) tools provide better visibility for security operations center (SOC) analysts to handle incidents. It explains that over 90% of companies rely on logs rather than packets, and that logs are generated by applications, security events, and the operating system. Specific Windows event IDs are described that indicate security-relevant system events like user account creation and logins. The document argues SIEM tools collect and parse these logs to give analysts clear visibility of end-user activities and potential security issues or policy violations.

Uploaded by

Sokoine Hamad Denis
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 7

Sunday, May 23, 2021

 Home
 kalitutorials
 Malware
 Ransomware
 Cryptocurrency hack
 SOC Resources
 Advertise
 GBH Team

GBHackers On Security

 Home
 Hacks
 THREATS
 PENTEST
 KALI
 SOC
 Infosec
 TECH
 TOOLS
 Courses

 SIEM

SIEM Better Visibility for SOC Analyst to


Handle an Incident with Event ID
By
BALA GANESH
-
August 3, 2020
0

We are in the complex world where attacks are increasing day by day, so today the cyber
intelligence depends on SIEM as a part of infosec (security incident and event management).
Most companies depend on logs and packets to have a better view.. above 90 % of them are
working with logs rather than packets. People, process, and technology will be a triangle for
security operations.

If you want to take in-depth SOC Training, you can take this
SOC Analyst – Cyber Attack Intrusion Training From Scratch to Advanced Level

                                     Security Triangle

From this article, you will be knowing that what are logs and how they are parsed through SIEM
for better visibility for an analyst to handle an incident.

Logs are an essential part of each device. logs are meaningful elements which can
show relevant information about end-user activities to security analyst under SOC(Security
Operation Center) and it is also part of the review for audit and compliance.

Let’s take the scenario that the Windows operating system may be your event source and Analyst


at another end. What are the activities you are performing from power on to power off will be
logged and logs will be sent to Security Operation Center. Users unusual activities will be
recorded as an incident in Security operation center.

Logs are three types which will be triggered according to your activities performed in your
system

Learn: SOC Analyst – Cyber Attack Intrusion Training | From Scratch

Types of logs in windows?


In specific with windows logs are three type system, security, and application

Application log

Each application will have their logs, which will be triggered when it contains errors or warning
will be sent to SOC for review.

Security log

Suspicious User activities for account success and failure logins will be logged and process
creation, termination for each and every file accessed by user account logged will be logged into
this category.

System log
Logs which footprinting the process of kernel boot, driver updates or failure, windows update
and more interesting things will be logged into system log category.

Since security is our concern, we will discuss security logs, look below the figure for better
understanding, In this screenshot analyst is analyzing a log for windows event sources.

As I told earlier Siem is built for visibility so, whatever security issues happening with end users
should be triggered to Security operation center.

In the above picture, an analyst has clear visibility of end user activities.In this, we can see the
event id is 4720.

When a new user account is created for domain accounts or local SAM accounts.Event logs will
be established with event id 4720 with respect to new user account creation.

There are similar evil Id’s for hackers 😀

EVENT ID 4725: User account deleted


When user account was disabled in local or domain accounts this event id will be triggered in
event sources and it will be pushed to siem server for visibility.

A user account was disabled

Subject
Security ID:  WIN- G5GS6SG\Administrator
Account Name:  Administrator
Account Domain:  WIN- G5GS6SG
Logon ID:  0x1fd23

Target Account:
Security ID:  WIN-G5GS6SG\BALA
Account Name:  BALA
Account Domain:  WIN-G5GS6SG

Event ID 4625: An account failed to log on


Suspicious guessing for username and password will be triggered with this event id as an
unknown or bad password to the analyst.

An account failed to log on.

Subject:
 Security ID:  NULL SID
Account Name:  -
Account Domain:  -
Logon ID:  0x0
Logon Type:  3
Account For Which Logon Failed:
Security ID:  NULL SID
Account Name:  BALA
Account Domain:  
Failure Information:
Failure Reason:  Unknown user name or bad password.
Status:   0xc000006d
Sub Status:  0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
 Workstation Name: WIN-ADMIN
Source Network Address: 192.168.0.100
Source Port:  53176
Detailed Authentication Information:
 Logon Process:  NTLMSSP 
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length:  0

Event ID 4726: User account deleted

When user account was deleted in local or domain accounts this event will be recorded and
forwarded to the analyst.

A user account was deleted.

Subject:
Security ID:  WIN-G6R56\Administrator
Account Name:  Administrator
Account Domain:  WIN-G6R56
Logon ID:  0x1fd23

Target Account:
Security ID:  WIN-G6R56\BALA
Account Name:  BALA
Account Domain:  WIN-G6R56

Event ID 4608: Windows is starting up


Windows startup or power on will be logged in with respect to the username and will be
triggered by the analyst.Cybersecurity analyst will know when you have logged in and logged
out timing.

Example:
Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is
initialized.
Event ID 4624: Successful network login
Any successful logins within your network or outside the network will be logged, if it’s your
network admin no issues if not it might be a compromise.Should respond as soon as possible.

An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3

Impersonation Level: Impersonation

New Logon:
Security ID: ADMIN\BALA
Account Name: BALA
Account Domain: ADMIN
Logon ID: 0x894B5E95
Logon GUID: {ghf73-h56f-5f11-29b8-hf6738hj}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: 
Source Network Address: 192.168.1.1
Source Port: 59752

Detailed Authentication Information:


Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Event ID 4625: Account locked out for failure attempts


Failed login attempts to the same account will be locked and logged as the event will be
investigated for policy violation.

An account failed to log on.

Subject:
Security ID:  NULL SID
Account Name:  -
Account Domain:  -
Logon ID:  0x0
Logon Type:  3
Account For Which Logon Failed:
Security ID:  NULL SID
Account Name: BALA
Account Domain:  
Failure Information:
Failure Reason:  Unknown user name or bad password.
Status:   0xc000006d
Sub Status:  0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
 Workstation Name: WIN-ADMIN
Source Network Address: 192.168.1.1
Source Port:  53176
Detailed Authentication Information:
 Logon Process:  NtLmSsp 
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length:  0

Event ID 1102: Audit logs were cleared


When security, system or application logs are cleared or deleted it will be logged for
investigation further forensics methods can be used to retrieve logs.

The audit log was cleared


Account For Which Logon Failed:
Security ID:  NULL SID
Account Name: BALA
Account Domain:
Logon ID: 0x169e9

In general SIEM tool collects logs from devices present in the Organization’s infrastructure.
Some solutions also collect NetFlow and even raw packets.

With the collected data(mainly logs, packets), the tool provides an insight into the happenings of
the network.

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy