Windows Event Forwarding – Centralized logging for everyone!
Jessica Payne, Microsoft Global Incident Response and Recovery
Session INF327
Logging: the hardest simplest thing.
Venn diagram of common monitoring strategies: "All the things!!!!!!" (too much data, no context) versus "Very few/none of the things". The overlap is intentionally left blank.
Trends with logs during Incident Response
- No centralized logging
- Not monitoring endpoints/member servers (often just DCs)
- Spamming logs with extra data
- Not logging key events
- Logs roll too quickly
- Those with centralized logging are still missing data, and it takes too long for IT admins to get reports
The Incident Response tools we wish we had (those are time machines). Microsoft Ignite 2015. © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Solution! Windows Event Forwarding
Fabulous whitepapers! Spotting the Adversary with Windows Event Log Monitoring: https://www.nsa.gov/ia/_files/app/spotting_the_adversary_with_windows_event_log_monitoring.pdf
Benefits
- Built in – we have amazing products, but you already have this one
- Configured via GPO
- Uses Windows Remote Management (Kerberos-authenticated)
- Can (and should) be targeted to specific events
- Native evtx (XML) log format
- "Push" log mode – the collector holds no credentials for the sources, so less attack surface
- IT admins control their own logging destiny
WEF architecture (diagram: each source computer sends a Subscription Request to the collector, then pushes matching events to it)
Pre-reqs
- A "server" is required (the collector; it does not have to run a Server SKU)
- GPO
- The local Network Service account needs to be granted read access to the Security log
- WinRM needs to be started on clients (just started, not configured – the client initiates the connection)
Configuring WEF
What to monitor?
- Security logs being cleared
- Local group changes / high-value domain group changes
- Creation of local accounts
- Password changes not done by LAPS (or other password management software)
- Lateral account movement (need protective controls to serve as detective controls)
- Application crashes
- Service installation
Configuring Monitoring
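How the pre-reqs, the subscription and the "what to monitor" list fit together in practice, as an added example (this is not code from the talk): PowerShell that configures a source-initiated subscription on a collector, applies the local equivalents of the client-side GPO settings the deck relies on, and checks that events arrive. The collector name WEC01.corp.example, the subscription name IR-Baseline, and the mapping of the slide's categories to particular event IDs are this example's assumptions, not the presenter's.

```powershell
# Added example (not from the slides): bring up a source-initiated WEF
# subscription covering the "What to monitor?" list, then verify delivery.
# Assumptions: WEC01.corp.example and "IR-Baseline" are placeholders; the
# client-side steps are the registry/SDDL equivalents of the GPO settings the
# deck recommends, shown inline so everything can be tested on one lab box
# before the GPO is rolled out. Run in an elevated PowerShell.

# --- 1. Collector: configure and start the Windows Event Collector service --
wecutil qc /q

# --- 2. Collector: a targeted subscription (one XPath query per channel) ----
# Standard Windows event IDs mapped to the slide's categories:
#   1102            Security log cleared
#   4732/4728/4756  member added to a local / global / universal group
#   4720            user account created
#   4724            password reset attempted by another principal
#                   (compare SubjectUserName with your LAPS/PAM account)
#   4624 type 10    RDP logon, one lateral-movement signal; pair it with a
#                   logon-rights restriction so the attempts stand out
#   7045            new service installed (System log)
#   1000/1001       application crash / WER report (Application log)
$subscriptionName = 'IR-Baseline'   # assumed name
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>High-value security events from all domain computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=1102 or EventID=4720 or EventID=4724 or EventID=4728 or EventID=4732 or EventID=4756)]]</Select>
    <Select Path="Security">*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]</Select>
  </Query>
  <Query Id="1" Path="System">
    <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and EventID=7045]]</Select>
  </Query>
  <Query Id="2" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='Application Error' or @Name='Windows Error Reporting'] and (EventID=1000 or EventID=1001)]]</Select>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP "$subscriptionName.xml"
$subscriptionXml | Set-Content -Path $xmlPath -Encoding UTF8
if ((wecutil es) -contains $subscriptionName) { wecutil ds $subscriptionName }
wecutil cs $xmlPath

# --- 3. Clients (normally delivered by GPO; local equivalents for a lab) ----
# a) point the client at the collector; the GPO setting "Configure target
#    Subscription Manager" writes this same registry value
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $smKey -Force | Out-Null
Set-ItemProperty -Path $smKey -Name '1' -Type String `
    -Value 'Server=http://WEC01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60'

# b) WinRM only has to be running: the client connects outbound to the
#    collector, so no listener is configured on the client
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# c) grant NETWORK SERVICE (the account the forwarder reads logs as) read
#    access to the Security log by appending an ACE to the channel SDDL
$sddl = ((wevtutil gl Security) -match '^channelAccess:') -replace '^channelAccess:\s*', ''
if ($sddl -notmatch '\(A;;0x1;;;NS\)') { wevtutil sl Security /ca:"$sddl(A;;0x1;;;NS)" }
Restart-Service -Name WinRM   # pick up the new Subscription Manager immediately

# --- 4. Collector: confirm sources are checking in and events are landing --
wecutil gr $subscriptionName   # per-source runtime status and last heartbeat
Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 `
    -FilterXPath "*[System[EventID=1102 or EventID=7045]]" -ErrorAction SilentlyContinue
```

The XPath in step 2 is where the "targeted, not everything" advice lives: each Select names the exact IDs (and, for 4624, the EventData field) wanted, so the collector's ForwardedEvents log stays small enough to be searched and to feed a dashboard, rather than rolling as fast as the sources' own Security logs.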
Extensibility – works great with other SIEM investments:
- SCOM for alerting
- Azure Operational Insights
- Or . . . PowerBI!
PowerBI dashboards
Resources/Shoutout: http://blogs.technet.com/b/kfalde/ – everything you need to create cool XPath filters and PowerBI dashboards.
Questions? http://aka.ms/jessica @jepayneMSFT