CISO2CISO.COM & CYBER SECURITY GROUP

Windows Event Security Log Analysis

Contents
Introduction
Event Log Format
Account Management Events
Account Logon and Logon Events
Access to Shared Objects
Scheduled Task Logging
Object Access Auditing
Audit Policy Changes
Auditing Windows Services
Wireless LAN Auditing
Process Tracking
Additional Program Execution Logging
Auditing PowerShell Use

Introduction
Microsoft has gradually increased the efficiency and effectiveness of its auditing facilities over the years. Modern Windows systems can log vast amounts of information with minimal system impact. With the corresponding decrease in the price of storage media, excuses not to enable and retain these critical pieces of evidence simply don’t stand up to scrutiny. Configuring adequate logging on Windows systems, and ideally aggregating those logs into a SIEM or other log aggregator, is a critical step toward ensuring that your environment can support an effective incident response.
This document provides an overview of some of the most important Windows logs and the events that are recorded there. As with all of our Analyst Reference documents, this PDF is intended to provide more detail than a cheat sheet while still being short enough to serve as a quick reference. The PDF also contains links to external resources for further reference.
