Getting the Most Out of Windows Event Logs
From BruCON 2017
A typical mistake repeatedly made by many security teams is that they collect such large amount of events that at the end their Security Information and Event Management (SIEM) solution chokes on the data fed into it, rendering it slow and ineffective. "Collect all the events!!!" sounds nice in theory, but in practice, less is often more and we must select and focus on events that provide real value from a security perspective and have an actual use-case behind them. But what if we do not even have a SIEM and cannot afford one or do not have the staff or the skill to deploy and maintain one? Luckily, in a Microsoft Windows environment we have built-in and free tools at our disposal to get quickly started with security monitoring and hunting using Windows Event Logs.
In this workshop, we will go through some of the most important and valuable Windows Events to be collected such as AppLocker or EMET events, user and service creation events, PowerShell commands, etc. We will discuss how to properly configure Advanced Audit Policy Settings, see how to collect events with Windows Event Forwarding (WEF) and how to set up Sysmon for advanced application and process monitoring.
Once we have the list of events we need, we will see a few simple PowerShell commands and modules that can help us slice and dice Event Logs like Get-WinEvent. We will also test scripts and tools that are made for monitoring and detection, such as DeepBlueCLI. Finally, we will use the free Power BI Desktop to build nice dashboards to give us a better overview of the data we are collecting.