Friday, November 27, 2020

Essential Event Log Configurations to be Correlated

Considering Windows audit event logging, there are plenty of guides available on the Internet to follow, and most of their event configurations overlap. However, we have to pick the most optimal and practical implementation for our own business case, server capacity, security requirements and experience.

    1) Microsoft audit policy recommendations
    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations

    2) What event IDs to monitor for AD compromise (a good example showing that if we already collect these events, we can monitor them in the SIEM)
    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

    3) Collection of event log configurations (the site also contains cheat sheets for other log sources such as Sysmon. If we want to cover MITRE ATT&CK techniques, that is also possible)
    https://www.malwarearchaeology.com/cheat-sheets

If we go through the above guides, we would understand that apart from the Security audit log, several other default log files (RDP, PowerShell, SMB) and external log files such as Sysmon logs are helpful in covering the full picture. Some of the event logs are more useful on an AD domain controller and some are more useful on a file server. Therefore, start with a simple but proper security audit log configuration (e.g. CIS or Microsoft) first and get into the process. Then integrate other log files into the collection. Understand the practical issues in implementation, such as log file size. Then look into the monitoring and visualization. The SIEM may have a set of default use cases which only become useful after proper log configuration. If not, a new use case can be defined from your experience and business requirements.
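The following is an added example (not code from this post or from the guides linked above) of what "a use case" on top of properly collected Security events looks like once the logs are in the SIEM. It runs over a handful of constructed sample records, first reporting event IDs that the audit policy was expected to deliver but never did (the gap that would stop any use case from firing), then correlating a user-account-created event (4720) with a later addition of the same account to a privileged group (4728/4732/4756) inside a short window. The event IDs are Microsoft's documented ones; the group names, the required-ID set and the 30-minute window are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), shaped like the fields a SIEM
# normalises from the Windows Security log. The event IDs are Microsoft's
# documented ones: 4624 logon, 4720 user account created, 4728 member added to
# a security-enabled global group, 4732 member added to a security-enabled
# local group, 4756 member added to a security-enabled universal group.
SAMPLE_EVENTS = [
    {"time": "2020-11-27T09:00:05", "event_id": 4624, "subject": "CONTOSO\\jsmith",
     "target": "jsmith", "host": "DC01"},
    {"time": "2020-11-27T09:01:10", "event_id": 4720, "subject": "CONTOSO\\jsmith",
     "target": "svc-backup2", "host": "DC01"},
    {"time": "2020-11-27T09:03:40", "event_id": 4728, "subject": "CONTOSO\\jsmith",
     "target": "svc-backup2", "group": "Domain Admins", "host": "DC01"},
    {"time": "2020-11-27T10:15:00", "event_id": 4720, "subject": "CONTOSO\\hr-admin",
     "target": "newhire01", "host": "DC01"},
    {"time": "2020-11-27T14:20:00", "event_id": 4732, "subject": "CONTOSO\\hr-admin",
     "target": "newhire01", "group": "Remote Desktop Users", "host": "FS01"},
]

# The group names and the set of "required" IDs are assumptions for this
# example; tune them to the environment and to the guide being followed.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_IDS = {4728, 4732, 4756}
REQUIRED_IDS = {4624, 4720, 4728, 4732, 4756}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def missing_event_ids(events, required=REQUIRED_IDS):
    """IDs we expect to collect but never saw: a sign that the audit policy or
    the forwarding is incomplete, so the use case below could never fire."""
    seen = {e["event_id"] for e in events}
    return sorted(required - seen)


def new_account_to_privileged_group(events, window_minutes=30):
    """Correlate a 4720 with a later 4728/4732/4756 that puts the same account
    into a privileged group within `window_minutes`. One alert per chain."""
    window = timedelta(minutes=window_minutes)
    created = {}   # target account -> its 4720 event
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev["event_id"] == 4720:
            created[ev["target"]] = ev
        elif ev["event_id"] in GROUP_ADD_IDS and ev.get("group") in PRIVILEGED_GROUPS:
            origin = created.get(ev["target"])
            if origin is None:
                continue          # account existed before our window of data
            delta = _ts(ev) - _ts(origin)
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "created_by": origin["subject"],
                    "added_by": ev["subject"],
                    "minutes_between": round(delta.total_seconds() / 60, 1),
                })
    return alerts


if __name__ == "__main__":
    print("audit policy gaps (required IDs never seen):", missing_event_ids(SAMPLE_EVENTS))
    for alert in new_account_to_privileged_group(SAMPLE_EVENTS):
        print("ALERT new account placed in privileged group:", alert)
```

On the sample data the coverage check reports 4756 as never collected, and the correlation fires once (svc-backup2 added to Domain Admins 2.5 minutes after creation) while the HR example stays quiet, because Remote Desktop Users is not in the privileged set and the two events are hours apart. The same shape of rule, a keyed join between two event IDs with a time window, is what most SIEM default use cases reduce to, which is why they are only as good as the audit policy feeding them.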

For Linux audit log
    1) Audit configuration rule compilation by Florian Roth. The rule set is commented and can be used as a guide to understand the required audit configurations.
    https://github.com/Neo23x0/auditd

For other Applications
    1) Consider logs such as the Apache access log, MySQL logs or even email logs. The security team should go through each log and check whether it is rich enough and has all the data required from an auditing perspective. If not, it should be improved before being forwarded to the SIEM for monitoring and alert generation.
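As an added example of the "is the log rich enough" check (not code from this post), the block below parses a few constructed Apache access log lines and reports which audit-relevant fields the configured LogFormat never emitted. Two lines use Apache's combined format, one uses the narrower common format (no Referer or User-Agent), and one is junk. The list of required fields is this example's assumption; a server behind a proxy or load balancer would also need the forwarded client address and the virtual host, which neither default format records.

```python
import re

# Constructed sample lines (not from a real server). The first two are in
# Apache's "combined" format, the third is the narrower "common" format
# (no Referer / User-Agent), the fourth is junk that should not parse.
SAMPLE_LINES = [
    '203.0.113.7 - - [27/Nov/2020:09:12:01 +0000] "GET /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.7 - alice [27/Nov/2020:09:12:05 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/login" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Nov/2020:09:13:44 +0000] "GET /admin HTTP/1.1" 403 210',
    'garbage that is not an access log line',
]

# Fields an audit needs to answer "who did what, when, and with what result".
# This list is the example's assumption; extend it (e.g. with a forwarded-for
# header or the virtual host) for servers behind a proxy or hosting many sites.
REQUIRED_FIELDS = ("client", "time", "method", "path", "status", "referer", "agent")

# Common Log Format with the optional Referer / User-Agent tail of the
# combined format. A "-" in a field means "present but empty" and is fine;
# a field that is absent altogether means the LogFormat never wrote it.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def parse_access_line(line):
    """Return the named fields of one access log line, or None if the line does
    not match. Fields the LogFormat did not emit come back as None."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def log_coverage(lines, required=REQUIRED_FIELDS):
    """Summarise how auditable a log sample is: how many lines parsed, how many
    did not, and which required fields were absent from at least one line."""
    parsed = unparsed = 0
    missing = set()
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            unparsed += 1
            continue
        parsed += 1
        missing.update(f for f in required if rec.get(f) is None)
    return {"parsed": parsed, "unparsed": unparsed, "missing_fields": sorted(missing)}


if __name__ == "__main__":
    report = log_coverage(SAMPLE_LINES)
    print(report)
    if report["missing_fields"]:
        print("extend the LogFormat before forwarding to the SIEM; missing:",
              ", ".join(report["missing_fields"]))
```

Running it on the sample shows three parsed lines, one unparsed line, and Referer and User-Agent missing from at least one line, which is exactly the common-format server that should be reconfigured before its log is forwarded. Unparsed lines are worth counting too: a high number usually means the server writes a custom LogFormat that the SIEM parser does not understand, so events would be dropped silently on the SIEM side.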
