By: Page Glave
June 3, 2021
Windows Log Primer
By: Page Glave
June 3, 2021
Why worry about logs?
This is an entry-level introduction to Windows event logs in the context of cybersecurity. It will focus on Windows events that an analyst might want to look for to get familiar with the environment or start doing some threat hunting. Logs also help identify anomalies in user behavior that can provide valuable information about potential breaches. Windows event logs are a critical source of information in most enterprise networks. Setting up Windows devices to log events of interest is an important step in developing cybersecurity capacity.
How to collect logs?
There are lots of options to collect logs. For Windows logs, Windows Event Forwarding can be used either standalone or to forward to other systems. These logs may be sent to centralized logging solutions or a Security Information and Event Management (SIEM) system. The collection of logs is an important step to help identify attacks on the network. Labs offer a great way to get experience working with logs without setting everything up and examining known attack indicators. After getting familiar with examining logs, a good next step is setting up a lab to get experience configuring logging.
What are some key Windows events?
Many Windows events may be of interest. These are a few Windows Security Log Event IDs that are a good place to start with some questions to think about when examining the event:
- 1100 – Logging shutdown
- Why did this happen?
- 1102 – Audit log cleared
- Was this supposed to happen?
- 4624 – Logon
- Is this user logging in on this machine appropriate?
- What about the time of day?
- What about the logon type? For instance, logon type 10 indicates a remote interactive login.
- 4625 – Login failures
- Are there a lot of failures close together? Does a successful logon follow these?
- Where are the failures originating?
- 4649 – Replay attack detected
- Why did this show up?
- 4740 – Account lockout
- Is this happening a lot?
- Does the source make sense?
- 4720/4722 – Account created/enabled
- Does the account name make sense?
- Does the user making the change make sense?
- 4725/4726 – Account disabled/deleted
- Does this fit normal behavior?
- Does the user making the change make sense?
- 4723/4724 – Password changed by user/privileged user
- Does the source make sense?
- Is there a reason a privileged user made the change?
These are just a few events that might be of interest. There are many more to monitor and alert on, but these may provide a good starting point.
Bonus – Important Windows Security Groups:
Certain Windows security groups are important to monitor. Key groups are Domain Admins (S-1-5-
Once logging is up and running, monitoring any of these events may lead to a high number of alerts if alerting is set up for each instance of the event identifier. Learning how the network normally functions will allow tuning of alerts to only trigger when something suspicious happens. For instance, a user logging in is normal, but a user logging into multiple machines within a certain time frame may not be.
Where to start?
Starting with a personal device can offer some insight into what normal looks like. It is important to check log settings to ensure the things that should be logged are getting logged. Professionally developed labs are a great resource but moving on to set up a lab environment and configure logging is also a great idea. Trying to figure out where to start with logs can be difficult. These are just a few things to help get started with Windows logs. Happy hunting!
Additional reading
