Better Visibility for an Analyst to Handle an Incident with Event ID

April 30, 2019

We live in a complex world where attacks increase day by day, so today cyber intelligence depends on SIEM (Security Information and Event Management) as a part of infosec.

Most companies depend on logs and packets to get a better view; above 90 % of them work with logs rather than packets. People, process, and technology form the triangle of security operations.

In this article you will learn what logs are and how they are parsed by a SIEM to give an analyst better visibility when handling an incident.

Logs are an essential part of every device. They are meaningful records that show a security analyst in the SOC (Security Operations Center) relevant information about end-user activity, and they are also part of the review for audit and compliance.

Take the scenario where the Windows operating system is your event source and the analyst sits at the other end. Every activity you perform from power on to power off is logged, and the logs are sent to the Security Operations Center. A user's unusual activities are recorded as an incident in the Security Operations Center.

There are three types of logs, and they are triggered according to the activities performed on your system.

Types of logs in Windows

Specifically, Windows has three types of logs: system, security, and application.

Application log

Each application has its own logs; entries containing errors or warnings are sent to the SOC for review.

Security log

Suspicious user activity such as successful and failed account logons is logged in this category, along with process creation and termination and every file accessed by a user account.

System log

Logs that record the kernel boot process, driver updates or failures, Windows updates and other interesting things are written to the system log category.

Since security is our concern, we will discuss security logs. Look at the figure below for a better understanding: in this screenshot an analyst is analyzing a log from a Windows event source.

As mentioned earlier, a SIEM is built for visibility, so whatever security issues happen with end users should be escalated to the Security Operations Center.

In the above picture, the analyst has clear visibility of end-user activities. Here we can see that the event ID is 4720.

When a new user account is created, whether a domain account or a local SAM account, an event with ID 4720 is logged for the new account creation.

There are similar event IDs that are just as telling when hackers are at work 😀

Event ID 4725: User account disabled

When a user account is disabled, locally or in the domain, this event ID is triggered at the event source and pushed to the SIEM server for visibility.

A user account was disabled

Subject:
Security ID:  WIN-G5GS6SG\Administrator
Account Name:  Administrator
Account Domain:  WIN-G5GS6SG
Logon ID:  0x1fd23

Target Account:
Security ID:  WIN-G5GS6SG\BALA
Account Name:  BALA
Account Domain:  WIN-G5GS6SG

Event ID 4625: An account failed to log on

Suspicious guessing of usernames and passwords is reported to the analyst under this event ID as an unknown user name or bad password.

An account failed to log on.

Subject:
Security ID:  NULL SID
Account Name:  -
Account Domain:  -
Logon ID:  0x0
Logon Type:  3
Account For Which Logon Failed:
Security ID:  NULL SID
Account Name:  BALA
Account Domain:  
Failure Information:
Failure Reason:  Unknown user name or bad password.
Status:   0xc000006d
Sub Status:  0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: WIN-ADMIN
Source Network Address: 192.168.0.100
Source Port:  53176
Detailed Authentication Information:
Logon Process:  NTLMSSP
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length:  0

Event ID 4726: User account deleted

When a user account is deleted, locally or in the domain, this event is recorded and forwarded to the analyst.

A user account was deleted.

Subject:
Security ID:  WIN-G6R56\Administrator
Account Name:  Administrator
Account Domain:  WIN-G6R56
Logon ID:  0x1fd23

Target Account:
Security ID:  WIN-G6R56\BALA
Account Name:  BALA
Account Domain:  WIN-G6R56

Event ID 4608: Windows is starting up

Windows startup (power on) is logged against the username and raised to the analyst, so the cybersecurity analyst knows when you logged in and when you logged out.

Example:
Windows is starting up.
This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.

Event ID 4624: Successful network login

Any successful logon, from inside or outside your network, is logged. If it is your network admin there is no issue; if not, it might be a compromise, and you should respond as soon as possible.

An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3

Impersonation Level: Impersonation

New Logon:
Security ID: ADMIN\BALA
Account Name: BALA
Account Domain: ADMIN
Logon ID: 0x894B5E95
Logon GUID: {ghf73-h56f-5f11-29b8-hf6738hj}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: 
Source Network Address: 192.168.1.1
Source Port: 59752

Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Event ID 4625: Account locked out for failure attempts

Repeated failed logon attempts against the same account lead to a lockout; the event is logged and investigated as a policy violation.

An account failed to log on.

Subject:
Security ID:  NULL SID
Account Name:  -
Account Domain:  -
Logon ID:  0x0
Logon Type:  3
Account For Which Logon Failed:
Security ID:  NULL SID
Account Name: BALA
Account Domain:  
Failure Information:
Failure Reason:  Unknown user name or bad password.
Status:   0xc000006d
Sub Status:  0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: WIN-ADMIN
Source Network Address: 192.168.1.1
Source Port:  53176
Detailed Authentication Information:
Logon Process:  NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length:  0

Event ID 1102: Audit logs were cleared

When the security, system or application log is cleared or deleted, the clearing itself is logged for investigation; forensic methods can then be used to recover the deleted logs.

The audit log was cleared
Account For Which Logon Failed:
Security ID:  NULL SID
Account Name: BALA
Account Domain:
Logon ID: 0x169e9
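As an added example (not code from the original article), the following Python triage routine parses event bodies in the "Key:  Value" layout shown above and applies the reasoning of this article: 4720, 4725, 4726 and 1102 are reported the moment they appear, while 4625 is reported only after repeated failures from the same source address against the same account. The sample records, the failure threshold and the choice of "Account Name" and "Source Network Address" as key fields are constructed assumptions.

```python
import re
from collections import Counter
# Event IDs the article singles out, and why an analyst cares on first sight.
ALERT_ON_SIGHT = {
    "4720": "user account created",
    "4725": "user account disabled",
    "4726": "user account deleted",
    "1102": "audit log cleared",
}
FAILED_LOGON = "4625"
GUESSING_THRESHOLD = 3  # assumed; tune per environment and add a time window in production
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")

def parse_fields(body):
    """Map the 'Key:  Value' lines of an event body to a dict; value-less section
    headers ('Subject:') are skipped and later keys win, so the target account's fields are kept."""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields

def triage(events):
    """events: iterable of (event_id, body). Returns (event_id, reason, detail) findings."""
    findings, failures = [], Counter()
    for event_id, body in events:
        f = parse_fields(body)
        if event_id in ALERT_ON_SIGHT:
            findings.append((event_id, ALERT_ON_SIGHT[event_id], f.get("Account Name", "?")))
        elif event_id == FAILED_LOGON:
            key = (f.get("Source Network Address", "?"), f.get("Account Name", "?"))
            failures[key] += 1
            if failures[key] == GUESSING_THRESHOLD:  # report once, when the threshold is hit
                findings.append((event_id, "possible password guessing", f"{key[1]} from {key[0]}"))
    return findings

# Constructed sample records in the article's layout; all values are made up.
FAIL_BODY = """An account failed to log on.
Subject:
Account Name:  -
Account For Which Logon Failed:
Account Name:  BALA
Failure Reason:  Unknown user name or bad password.
Source Network Address: 192.168.0.100"""
CREATE_BODY = "A user account was created.\nSubject:\nAccount Name:  Administrator\nNew Account:\nAccount Name:  BALA"
CLEAR_BODY = "The audit log was cleared\nSubject:\nAccount Name:  Administrator"
SAMPLE_EVENTS = [("4625", FAIL_BODY)] * 3 + [("4720", CREATE_BODY), ("1102", CLEAR_BODY)]
if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```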

In general, a SIEM tool collects logs from the devices present in the organization's infrastructure. Some solutions also collect NetFlow and even raw packets.

With the collected data (mainly logs and packets), the tool provides insight into what is happening on the network.
