Hello, Could somebody provide a rule-set to track users logging into their Windows box? I understand that the LogonType needs to include Windows Machine, but I do not see any logs of mine that do so. Everything is Windows Batch and Windows Network. What are the prerequisites to manage something like this? Please let me…
Hi Team. I'm trying to set up Event Log Forwarder on Windows 2016 to log EventViewer messages to my syslog-ng (linux). The syslog server port (UDP) and IP are configured correctly. The EventViewer filter returns the proper information. But nothing happens. Any ideas? Thanks
In the final blog of this series, we’ll look at ways to integrate Windows event logs with other telemetry sources to provide a complete picture of a network environment. The most common way of doing this is by forwarding event logs to a syslog server or SIEM tool. The benefits of telemetry consolidation are: * Scalability…
Over the last three posts, we’ve looked at Microsoft event logging use cases and identified a set of must-have event IDs. Now we’re ready to put our security policy in place. This blog will walk you through configuring event logging on client workstations, and creating a subscription on a central log collection device.…
Anyone who has looked at the number of event IDs assigned to Windows events has probably felt overwhelmed. In the last blog, we looked at some best practices events that are a great start to providing contextual data in the event of a security breach. For example, repeated login failures, attempted privilege escalations,…
Can you have too much of a good thing? Maybe not, but you can certainly have too much of the wrong thing. In my first blog, I introduced the idea that Microsoft event logging from workstations can be a simple first step to building a security policy that looks beyond the perimeter. The simplicity comes from the fact that…
We’ve all heard the saying, "What you see is what you get." Life isn’t quite so simple for those focused on security, as what you don’t see is more likely to be what you get. Luckily, there is visibility to be gained in places that are often overlooked. Security policies have always included the protection of key assets…
OK, so here's the scenario. Due to internal company policy I cannot install the native LEM agent on our Domain Controller (Windows 2012). So that means I cannot just add this node to the LEM console and start collecting events, set up rules, etc, etc... Now, instead, I was offered the following workaround - run a scheduled task on…