Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jessica Payne Microsoft Global Incident Response and Recovery

Published byJean Wade Modified over 8 years ago

Similar presentations

Presentation on theme: "Jessica Payne Microsoft Global Incident Response and Recovery"— Presentation transcript:

1

2 Jessica Payne Microsoft Global Incident Response and Recovery
Windows Event Forwarding – Centralized logging for everyone! Jessica Payne Microsoft Global Incident Response and Recovery INF327

3 Logging : The hardest simplest thing.

4 Venn Diagram of Common Monitoring Strategies
All the things!!!!!! (too much data, no context) Very few/None of the things This space intentionally left blank.

5 Trends with logs during Incident Response
No centralized logging Not monitoring endpoints/member servers (often just DCs) Spamming logs with extra data Not logging key events Logs roll too quickly Those with centralized logging still missing data, takes too long for IT admins to get reports

6 The Incident Response tools we wish we had
Microsoft Ignite 2015 4/27/ :07 AM The Incident Response tools we wish we had (Those are time machines.) © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

7 Windows Event Forwarding
Solution! Windows Event Forwarding

8 Fabulous Whitepapers! Spotting the Adversary with
Windows Event Log Monitoring potting_the_adversary_with_window s_event_log_monitoring.pdf

9 Benefits Built in –we have amazing products, but you already have this one Configured via GPO Uses Windows Remote Management (Kerberos) Can (and should be) targeted to specific events Native evtx (xml) log format “Push” log mode – less attack surface IT admins control their own logging destiny

10 WEF Architecture 10 Subscription Request Subscription Request

11 Pre-reqs “Server” required GPO
Local Network service needs to be granted read to the Security logs WinRM needs to be started on clients (just started, not configured)

12 Configuring WEF

13 What to monitor? Security logs being cleared
Local group changes/High value domain group changes Creation of local accounts Password changes not done by LAPS (or other password management software) Lateral account movement (need protective controls to serve as detective controls) Application crashes Service installation

14 Configuring Monitoring

15 Extensibility Works great with other SIEM investments
SCOM for alerting Azure Operational Insights Or PowerBI!

16 PowerBI dashboards

17 Resources/Shoutout http://blogs.technet.com/b/kfalde/
Everything you need to create cool X-Path filters and PowerBI dashboards.

18 Questions? @jepayneMSFT

19 Complete your session evaluation on My Ignite for your chance to win one of many daily prizes.

20 Continue your Ignite learning path
Microsoft Ignite 2015 4/27/ :07 AM Continue your Ignite learning path Visit Microsoft Virtual Academy for free online training visit Visit Channel 9 to access a wide range of Microsoft training and event recordings Head to the TechNet Eval Centre to download trials of the latest Microsoft products © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

21

Download ppt "Jessica Payne Microsoft Global Incident Response and Recovery"

Similar presentations

Jan Peterson Microsoft Dynamics CRM Mobility Update - Productivity on the Go PRD24 1.

Jan Peterson Microsoft Dynamics CRM Mobility Update - Productivity on the Go PRD24 1.
Pierre Sleep tight knowing you’re prepared for outages Protect your environment with Azure ARC32 4.

Pierre Sleep tight knowing you’re prepared for outages Protect your environment with Azure ARC32 4.
Cory Banks Beyond Deployment How IT Can Inspire, Motivate, and Drive Sustainable Adoption PRD32 5.

Cory Banks Beyond Deployment How IT Can Inspire, Motivate, and Drive Sustainable Adoption PRD32 5.
Jordan Knight Developing for the Microsoft Band MOB342.

Jordan Knight Developing for the Microsoft Band MOB342.
Jessica Payne Microsoft Global Incident Response and Recovery

Jessica Payne Microsoft Global Incident Response and Recovery
Karl Thomson, StorageCraft Product Evangelist True Disaster Recovery System recovery is not enough – get true resiliency to face disasters DAT226 B.

Karl Thomson, StorageCraft Product Evangelist True Disaster Recovery System recovery is not enough – get true resiliency to face disasters DAT226 B.
Luke Notley Migrating from AWS to Azure Seamlessly CLD32 1.

Luke Notley Migrating from AWS to Azure Seamlessly CLD32 1.
Andrew Hennessy Automating Server Application migrations to the Cloud – Goodbye Server 2003. INF21 3.

Andrew Hennessy Automating Server Application migrations to the Cloud – Goodbye Server INF21 3.
Kevin Francis Developing on Windows Devices ARC33 2.

Kevin Francis Developing on Windows Devices ARC33 2.
Chris Hewitt Adding magic to your business with Perceptual Intelligence ARC323 B.

Chris Hewitt Adding magic to your business with Perceptual Intelligence ARC323 B.
Matt McSpirit Software-defined Networking in Windows Server 2016 INF32 4.

Matt McSpirit Software-defined Networking in Windows Server 2016 INF32 4.
Vakhtang Assatrian Asia Communications TSP Lead, Microsoft Architecture options for implementing Skype for Business PRD32 7.

Vakhtang Assatrian Asia Communications TSP Lead, Microsoft Architecture options for implementing Skype for Business PRD32 7.
Kevin Francis Azure Media Services Architecture Deep Dive CLD31 2.

Kevin Francis Azure Media Services Architecture Deep Dive CLD31 2.
Creating highly available and resilient Microservices on Microsoft Azure Service Fabric

Creating highly available and resilient Microservices on Microsoft Azure Service Fabric
Alessandro Cardoso, Microsoft MVP Creating your own “Private Cloud” with Windows 10 Hyper- V WIN443.

Alessandro Cardoso, Microsoft MVP Creating your own “Private Cloud” with Windows 10 Hyper- V WIN443.
Michael Porfirio and Chris Gondek Beyond Backup The Next Generation Commvault Data Platform DAT22 5.

Michael Porfirio and Chris Gondek Beyond Backup The Next Generation Commvault Data Platform DAT22 5.
Reid Purvis – DC & Cloud Infrastructure Tech Specialist Shivam Garg – Principal PM Manager Backing up applications born in the Cloud: Deep Dive on IaaS.

Reid Purvis – DC & Cloud Infrastructure Tech Specialist Shivam Garg – Principal PM Manager Backing up applications born in the Cloud: Deep Dive on IaaS.
Jeff Alexander & Andrew McMurray Runtime Provisioning in Windows 10 WIN327.

Jeff Alexander & Andrew McMurray Runtime Provisioning in Windows 10 WIN327.
Chris Hewitt, Wild Mouse Male, Age 42, Happy ARC31 2.

Chris Hewitt, Wild Mouse Male, Age 42, Happy ARC31 2.
Michael Niehaus Using the Windows Store for Business: New Capabilities for Managing Apps in the Enterprise WIN335.

Michael Niehaus Using the Windows Store for Business: New Capabilities for Managing Apps in the Enterprise WIN335.

Similar presentations

Ads by Google