Diving Deeper to Understand the Windows Event logs for Cyber Security Operation Center (SOC)

https://gbhackers.com/event-logs-cyber-security-operations-center/

The web server port, authentication for console access, and the web server protocol can all be set to suit your environment.
The figure above shows a setup with web server port 6161, Snare agent port 6262 and HTTP as the web server protocol for demo purposes. Configuring a certificate is recommended so that logs are forwarded over a secure connection.
Objective Configuration

Log Collector

Correlation rule: failed password attempts followed by a successful login = brute force (incident).

The Audit Service confirms that Snare is connected and sending logs to the SIEM.
It shows the daily average bytes of events transferred to the SIEM.

The analytics service can be in-house or a managed security service. Collecting event logs and examining them against real-world attacks is the heart of the security operations center.

By default, Snare runs on port 6161.

A custom port can also be selected, with TCP, UDP or TLS/SSL as the protocol.
Snare will ask for credentials to log in. Here I have configured no authentication.
The figure below shows the Snare agent installed successfully and provides extra details on screen.

Snare Installation

A cyber security operations center protects organizations and the sensitive business data of their customers. It ensures active monitoring of critical business assets, with visibility, alerting and investigation of threats, and a holistic approach to managing risk.

Also, we suggest you take one of the leading online courses for SOC Analyst – Cyber Attack Intrusion Training | From Scratch to boost your skills to become a SOC analyst.

The Objective comprises events of different classifications, which can be Windows logon/logoff, access to a file or directory, security policy change, system reboot and shutdown.
Modify or delete particular events to assign a priority (Critical, High, Low & Information).

It is a central server that receives logs from any devices.

Audit Service Statistics

Correlation Rules & Incidents

NOTE: Logs can be sent to a central server, which then pushes them to the SIEM (this approach is used to reduce the load on the SIEM), or Snare logs can be sent directly to the SIEM (this approach can be deployed if your SIEM has good storage for short- and long-term log retention). It is recommended to configure your SIEM with Snare's port details and confirm that the connection test succeeds before collecting logs.

Windows 10 is now forwarding event logs to your deployed SIEM, or the events can be viewed in the Snare console.
You cannot continuously look up and check for intrusions in your environment with Snare alone; for this reason, we forward logs to the SIEM, which provides the intelligence to detect attacks.
The SIEM becomes the intelligence that traps attackers by building effective correlation rules.

In case of network failures, the SOC administrator can check the status of the service.
Security Certificate – Security operations

Network & File Destination Configuration

You can change the network destination IP to the SIEM IP or the log collector IP.

NOTE: The figures above show failed attempts followed by a successful login.

To encrypt the connection, create a self-signed certificate for the Web UI, the Snare agent and network destination certificate validation, which establishes a secure method of forwarding logs to the SIEM.
Restart-Service

Events – Security operations

If the SIEM has not been collecting event logs from the Snare agent for a while, it is time to troubleshoot and obtain logs from the Snare server.
The figure above shows that the Snare services restarted successfully.
Events – Security operations center

Events are generated by systems as error codes; devices generate events indicating the success or failure of their normal function, so event logging plays a crucial role in detecting threats. In an organization there are many numbers and flavors of Windows, Linux, firewalls, IDS, IPS, proxies, NetFlow, ODBC, AWS, VMware and so on.

These devices generally record attackers' footprints as logs and forward them to SIEM tools for analysis. In this article, we will see how events are pushed to the log collector. To know more about Windows events or event IDs, refer here.

It is a central server that receives logs from any devices. Here I have deployed the Snare agent on a Windows 10 machine. We will collect Windows event logs and detect attacks against the Windows 10 machine using the Snare agent.

It is an engine built for writing defensive rules to detect offensive actors; each rule is a unique incident.
Example: assume you are writing a rule for brute-force attempts. Brute-force attempts will make continuous tries with different passphrases against the server.
As per the NOTE: failed attempts followed by a successful login.

For demo purposes I have used no credentials, but it is always recommended to use strong passwords to secure the logs against leakage.
Snare Web interface

The figure above shows the destination configured with localhost to collect and store event logs in one of several formats: SNARE, SYSLOG, CEF (Common Event Format) or LEEF (Log Event Extended Format).
By default, it collects logs and saves the file in Snare format, and the logs are forwarded to the SIEM.
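To make the CEF and LEEF options concrete, here is an added example (not code from the article or from the Snare product) that renders one Windows Security event in both formats and parses the CEF line back. The vendor/product strings, the agent version and the sample 4625 event are constructed placeholders; the escaping rules follow the published CEF/LEEF specifications (pipe and backslash in header fields, equals sign and newlines in CEF extension values).

```python
"""Added example: emit a Windows Security event as CEF and LEEF, and parse CEF.
Vendor, product, version and the sample event are constructed placeholders."""
import re
from typing import Dict, List, Tuple

# Constructed sample event; Event ID 4625 is "An account failed to log on".
SAMPLE_EVENT = {
    "event_id": "4625",
    "name": "An account failed to log on",
    "fields": {"suser": "bob", "src": "10.0.0.5", "dhost": "WIN10-DEMO",
               "msg": "Status=0xC000006D|Reason: bad password"},
}

def _escape_header(s: str) -> str:
    # CEF and LEEF header fields: backslash and pipe must be escaped
    return s.replace("\\", "\\\\").replace("|", "\\|")

def _escape_cef_ext(s: str) -> str:
    # CEF extension values: backslash, '=' and line breaks must be escaped
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))

def _unescape_ext(v: str) -> str:
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            out.append({"n": "\n", "r": "\r"}.get(v[i + 1], v[i + 1])); i += 2
        else:
            out.append(v[i]); i += 1
    return "".join(out)

def to_cef(event: Dict, severity: int, vendor="Acme", product="WinAgent", version="1.0") -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    header = "|".join(_escape_header(x) for x in
                      (vendor, product, version, event["event_id"], event["name"], str(severity)))
    ext = " ".join(f"{k}={_escape_cef_ext(v)}" for k, v in event["fields"].items())
    return f"CEF:0|{header}|{ext}"

def to_leef(event: Dict, vendor="Acme", product="WinAgent", version="1.0") -> str:
    """LEEF:1.0|Vendor|Product|Version|EventID|key=value<tab>key=value"""
    header = "|".join(_escape_header(x) for x in (vendor, product, version, event["event_id"]))
    # tab is the LEEF 1.0 attribute delimiter, so it may not appear inside a value
    ext = "\t".join(f"{k}={v.replace(chr(9), ' ')}" for k, v in event["fields"].items())
    return f"LEEF:1.0|{header}|{ext}"

def _split_unescaped(s: str, sep: str, maxsplit: int) -> List[str]:
    """Split on `sep` where it is not backslash-escaped; the remainder after
    `maxsplit` separators is returned raw so extension escapes stay intact."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if len(parts) == maxsplit:
            cur.append(s[i:]); break
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1]); i += 2
        elif c == sep:
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    parts.append("".join(cur))
    return parts

def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header fields, extension fields) for one CEF line."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _split_unescaped(line[4:], "|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    names = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
    header = dict(zip(names, parts[:7]))
    ext: Dict[str, str] = {}
    # a new key starts only at a space followed by 'key='; an unescaped '=' never occurs in values
    for token in re.split(r" (?=[A-Za-z0-9_.]+=)", parts[7]):
        k, v = token.split("=", 1)
        ext[k] = _unescape_ext(v)
    return header, ext

if __name__ == "__main__":
    print(to_cef(SAMPLE_EVENT, 7))
    print(to_leef(SAMPLE_EVENT))
    print(parse_cef(to_cef(SAMPLE_EVENT, 7)))
```

The parser is the part worth keeping: a SIEM that splits CEF on every pipe will mis-parse the sample `msg` value above, because a pipe is legal inside extension values and only escaped inside the header.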


The screenshots above show Event ID 4625, which is a failed password attempt on the Windows 10 machine, followed by a successful 4689 event.
List of Windows Event IDs here.

Now your environment is ready for the known use case (brute force detected); you can also build or write your own use cases and deploy them in your SIEM to detect advanced cyber-attacks.

Our Windows 10 machine has started sending event logs to the Snare console.
The Snare console is running at localhost and collecting logs from a Windows device.

Access Configuration

Snare is a SIEM (SECURITY INCIDENT AND EVENT MANAGEMENT) solution for log collection and event analysis across several operating systems (Windows, Linux, Apple OS X), and it supports a database agent for MSSQL events generated by Microsoft SQL Server. It supports both Enterprise and open-source agents.