Presentation is loading. Please wait.

Presentation is loading. Please wait.

Nicholas Hsiao nicholas.hsiao@hp.com Critical Log Review Checklist for Security Incidents – By ArcSight Logger For template guidelines or applying this.

Published byErin Woods Modified over 6 years ago

Similar presentations

Presentation on theme: "Nicholas Hsiao nicholas.hsiao@hp.com Critical Log Review Checklist for Security Incidents – By ArcSight Logger For template guidelines or applying this."— Presentation transcript:

1 Nicholas Hsiao nicholas.hsiao@hp.com
Critical Log Review Checklist for Security Incidents – By ArcSight Logger For template guidelines or applying this template to an existing presentation, see the ArcSight presentation style guide: Questions, contact Nicholas Hsiao

2 Agenda General Approach Potential Security Log Sources
Typical Log Locations What to Look for on Linux What to Look for on Windows What to Look for on Network Devices What to Look for on Web Servers

3 General Approach

4 Identify which log sources and automated tools you can use during the analysis
Problem Most user don’t know the EPS or log per day. The Log Management tools need these information by default. ArcSight could Provide the checklist with default EPS for you With EPS, you could calculate the total log size per day/week/month/year. It will help you for long term planning Of course ArcSight do have a calculate for ArcSight log model

5 Copy log records to a single location where you will be able to review them.
Problem: Collect logs from different might need different approach, agent / agentless You also need to consider the effective , real time / batch You need to deal with different protocol, syslog, SNMP, s/ftp … ArcSight could Provide both Agent / Agentless architecture via connector architecture. Base on the requirement, ArcSight could provide different approach for same log source. ArcSight have default documents to tell customer how to configure their host, device, servers for log collections.

6 Minimize “noise” by removing routine, repetitive log entries from view after confirming that they are begign Problem: Most log management tools just collect all the logs and put it together ArcSight could Filter the log from connector level directly. Aggregate the same logs And all the configuration could be done remotely.

7 Determine whether you can rely on logs’ time stamps; consider time zone differences
Problem: Different logs may have different logs’ time stamps format. It’s not easy for you to review these logs one by one and convert the time stamps via your eyes/brain. ArcSight could: Make it happened automatically. Add the ‘received time’ for each log, if you choose real time log collection methodology.

8 Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment. Problem: Most users don’t know the log from different devices, so you may not know how to search/query the log for ‘failures, errors, status changes…’ ArcSight could: Classify the log and provide categorization information for each log. All user need to do is query the categorization formation. It will reduce the effort of administrators.

9 Potential Security Log Source

10 Potential Security Log Sources
Server and workstation operating system logs categoryDeviceGroup=“/Operation System” Application logs (e.g., web server, database server) categoryDeviceGroup="/Application" Web Server categoryDeviceGroup="/Application " AND deviceVendor="Apache" categoryDeviceGroup="/Application " AND applicationProtocol=“http" Oracle Server categoryDeviceGroup="/Application" AND categoryObject=“/HostApplicationDatabase"

11 Potential Security Log Sources
Security tool logs (e.g. anti-virus, change detection, intrusion detection/prevention system) AntiVirus categoryDeviceGroup contains "Antivirus" Change Detection categoryBehavior CONTAINS "/Modify/Configuration“ Intrusion Detection/Prevention System categoryDeviceGroup="/IDS/Network“ Outbound proxy logs and end-user application logs Proxy: proxy deviceProduct CONTAINS "Proxy" End-user application logs : application name Remember to consider other, non-log sources for security events.

12 Typical Log Locations

13 Typical Log Locations Linux OS and core applications: /var/log
ArcSight : collect log via ‘syslog’ or via ‘agent base. Windows OS and core applications: Windows Event Log (Security, System, Application) ArcSight : Remote Collection or Install Agent Network devices: usually logged via Syslog; some use proprietary locations and formats ArcSight : syslog, or other protocols

14 What to Look for on Linux

15 What to Look for on Linux
Successful user login (“Accepted password”, “Accepted publickey”, "session opened”) name IN ["session opened", "Accepted publickey", "Accepted password"] categoryBehavior="/Authentication/Verify" AND categoryOutcome="/Success" AND categoryDeviceGroup="/Operating System" Failed user login (“authentication failure”, “failed password” ) name IN ["authentication failure", "failed password"] categoryBehavior="/Authentication/Verify" AND categoryOutcome="/Failure" AND categoryDeviceGroup="/Operating System"

16 What to Look for on Linux
User Log-off ("session closed”) deviceProduct="Unix" AND name="session closed" categoryBehavior="/Access/Stop" AND categoryOutcome="/Success" AND categoryDeviceGroup="/Operating System" AND categoryObject="/Host/Application/Service" User account change or deletion (“password changed”, “new user”, “delete user” ) name="session closed" categoryObject="/Host/Operating System" AND categoryBehavior IN ["Authentication/Delete","/Authentication/Add", "/Authentication/Modify"] AND categoryOutcome="/Success" Sudo actions (“sudo: … COMMAND=…” ,“FAILED su” ) sudo

17 What to Look for on Linux
Service failure (“failed” or “failure” ) deviceVendor="Unix" AND (failed OR failure) categoryObject="/Host/Application/Service" AND categoryOutcome="/Failure" AND deviceVendor="Unix"

18 What to Look for on Windows

19 What to Look for on Windows
Event IDs are listed below for Windows 2000/XP. For Vista/7 security event ID, add 4096 to the event ID. Most of the events below are in the Security log; many are only logged on the domain controller. deviceProduct="Microsoft Windows" .

20 What to Look for on Windows
User logon/logoff events (Successful logon 528, 540; failed logon , 539; logoff 538, 551, etc ) Successful Logon deviceProduct="Microsoft Windows" AND (528 OR 540) deviceProduct="Microsoft Windows" AND categoryBehavior="/Authentication/Verify" AND categoryObject="/Host/Operating System" AND categoryOutcome="/Success" Failed Logon (with ArcSight search, you will find more.. i.e. 681) deviceProduct="Microsoft Windows" AND (529 OR 530 OR 531 OR 532 OR 533 OR 534 OR 535 OR 536 OR 537 OR 539) deviceProduct="Microsoft Windows" AND categoryBehavior="/Authentication/Verify" AND categoryObject="/Host/Operating System" AND categoryOutcome="/Failure" .

21 What to Look for on Windows
User logon/logoff events (Successful logon 528, 540; failed logon , 539; logoff 538, 551, etc ) Logoff (538, 551) deviceProduct="Microsoft Windows" AND (538 OR 551) deviceProduct="Microsoft Windows" AND categoryBehavior="/Access/Stop" AND categoryObject="/Host/Operating System" AND categoryOutcome="/Success"

22 What to Look for on Windows
User account changes (Created 624; enabled 626; changed 642; disabled 629; deleted 630) Account Create (624) deviceProduct="Microsoft Windows" AND 624 deviceProduct="Microsoft Windows" AND categoryBehavior="/Authentication/Add" AND categoryObject="/Host/Operating System" AND categoryOutcome="/Success" Account Enable (626) deviceProduct="Microsoft Windows" AND 626 Account Change (642) deviceProduct="Microsoft Windows" AND 642 deviceProduct="Microsoft Windows" AND categoryBehavior="/Authentication/Modify" AND categoryObject="/Host/Operating System" AND categoryOutcome="/Success" AND deviceEventClassId CONTAINS "Security:642"

23 What to Look for on Windows
User account changes (Created 624; enabled 626; changed 642; disabled 629; deleted 630) Account Disable (629) deviceProduct="Microsoft Windows" AND 629 Account Delete (630) deviceProduct="Microsoft Windows" AND 630 deviceProduct="Microsoft Windows" AND categoryBehavior="/Authentication/Delete" AND categoryObject="/Host/Operating System" AND categoryOutcome="/Success" AND categorySignificance CONTAINS "/Informational"

24 What to Look for on Windows
Password changes (To self: 628; to others: 627 ) Password Change – Self (628) deviceProduct="Microsoft Windows" AND 628 deviceProduct="Microsoft Windows" AND categoryBehavior="/Authentication/Modify" AND categoryObject="/Host/Operating System" AND categoryOutcome="/Success" AND categorySignificance CONTAINS "/Informational" Password Change – To others(627) deviceProduct="Microsoft Windows" AND 627

25 What to Look for on Windows
Service started or stopped (7035, 7036, etc. ) Service started deviceProduct="Microsoft Windows" AND 7035 deviceProduct="Microsoft Windows" AND categoryObject="/Host/Application/Service" AND categoryBehavior="/Execute/Response" AND categoryOutcome="/Success" AND categorySignificance ="/Normal" AND name CONTAINS "start" Service stopped deviceProduct="Microsoft Windows" AND 7036 deviceProduct="Microsoft Windows" AND categoryObject="/Host/Application/Service" AND categoryBehavior="/Execute/Response" AND categoryOutcome="/Success" AND categorySignificance ="/Normal“ AND name CONTAINS “stop"

26 What to Look for on Windows
Object access denied (if auditing enabled) (560, 567, etc ) Object Access (Open) deviceProduct="Microsoft Windows" AND 560 deviceProduct="Microsoft Windows" AND categoryBehavior="/Authorization/Verify" AND categoryDeviceGroup="/Operating System" AND categoryObject="/Host/Resource" Process Access deviceProduct="Microsoft Windows" AND 567 deviceProduct="Microsoft Windows" AND categoryBehavior="/Access" AND categoryDeviceGroup="/Operating System" AND categoryObject="/Host/Resource" AND categoryOutcome="/Success"

27 What to Look for on Network Devices

28 What to Look for on Network Devices
Look at both inbound and outbound activities. Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality. Object Access (Open) Traffic allowed on firewall (“Built … connection”, “access-list … permitted” ) ( built AND connection ) OR (access-list AND permitted) categoryBehavior="/Access" AND categoryDeviceGroup="/Firewall" AND categoryOutcome="/Success" Traffic blocked on firewall (“access-list … denied”, “deny inbound”; “Deny … by”) (access-list AND denied) OR (deny AND inbound) OR (deny AND by) categoryBehavior="/Access" AND categoryDeviceGroup="/Firewall" AND categoryOutcome="/Failure"

29 What to Look for on Network Devices
Bytes transferred (large files?) (“Teardown TCP connection … duration … bytes …” ) Teardown AND TCP AND connection AND duration AND bytes Bandwidth and protocol usage (“limit … exceeded”, “CPU utilization” ) (limit AND exceeded) OR (CPU AND utilization) Detected attack activity (“attack from” ) ATTACK AND FROM

30 What to Look for on Network Devices
User account changes (“user added”, “user deleted”, “User priv level changed” ) (USER AND ADDED) OR (USER AND DELETED) OR (USER AND PRIV AND LEVEL AND CHANGED) Administrator access (“AAA user…”, “User… locked out”, “login failed”) (AAA AND user) OR (User AND locked AND out) OR (login AND failed) (( name CONTAINS "AAA" ) AND (name CONTAINS "user" )) OR ((name CONTAINS "User") AND (name CONTAINS "locked") AND (name CONTAINS "out")) OR ((name CONTAINS "login") AND (name CONTAINS "failed"))

31 What to Look for on Web Servers

32 What to Look for on Web Servers
Excessive access attempts to non-existent deviceEventClassId=404 categoryDeviceGroup="/Application" AND categoryBehavior="/Access/Start" AND categoryObject="/Host/Resource" AND categoryOutcome="/Failure" AND categorySignificance CONTAINS "/Informational/Warning“ Code (SQL, HTML) seen as part of the URL categoryDeviceGroup="/Application" AND categoryBehavior="/Access/Start" AND categoryObject="/Host/Resource" and (name CONTAINS "<" OR name CONTAINS ">" OR name CONTAINS "='")

33 What to Look for on Web Servers
Access to extensions you have not implemented For example, if you don’t have *.exe file -- categoryDeviceGroup="/Application" AND categoryBehavior="/Access/Start" AND categoryObject="/Host/Resource" AND requestUrl CONTAINS ".exe" categoryBehavior="/Communicate/Query" AND categoryDeviceGroup="/Application" AND categoryObject="/Host/Application/Service" AND categoryOutcome="/Success" AND categorySignificance="/Normal“ AND requestUrl CONTAINS ".exe" Web service stopped/started/failed messages

34 What to Look for on Web Servers
Access to “risky” pages that accept user input For example, if you have input.jsp and output.jsp files categoryBehavior="/Communicate/Query" AND categoryDeviceGroup="/Application" AND categoryObject="/Host/Application/Service" AND categoryOutcome="/Success" AND categorySignificance="/Normal“ AND (requestUrl CONTAINS “input.jsp" OR requestUrl CONTAINS “output.jsp" ) Look at logs on all servers in the load balancer pool categoryDeviceGroup="/Application" AND categoryBehavior="/Access/Start" AND categoryObject="/Host/Resource"

35 What to Look for on Web Servers
Error code 200 on files that are not yours deviceEventClassId=200 categoryBehavior="/Communicate/Query" AND categoryDeviceGroup="/Application" AND categoryObject="/Host/Application/Service" AND categoryOutcome="/Success" AND categorySignificance="/Normal" AND requestUrl IS NOT NULL Failed user authentication (Error code 401, 403 ) deviceEventClassId=401 OR deviceEventClassId=403

36 What to Look for on Web Servers
Invalid request (Error code 400 ) deviceEventClassId=400 categoryBehavior="/Access/Start" AND categoryDeviceGroup="/Application" AND categoryObject="/Host/Application/Service" AND categoryOutcome="/Failure“ Internal server error (Error code 500 ) deviceEventClassId=500

37 Q&A Q&A 37

38 Corporate Headquarters: 1 888 415 ARST
For template guidelines or applying this template to an existing presentation, see the ArcSight presentation style guide: Questions, contact ArcSight, Inc. Corporate Headquarters: ARST EMEA Headquarters: +44 (0) Asia Pac Headquarters:

Download ppt "Nicholas Hsiao nicholas.hsiao@hp.com Critical Log Review Checklist for Security Incidents – By ArcSight Logger For template guidelines or applying this."

Similar presentations

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.

Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Module 20 Troubleshooting Common SQL Server 2008 R2 Administrative Issues.

Module 20 Troubleshooting Common SQL Server 2008 R2 Administrative Issues.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Microsoft Server 2008 R2 Group Policies & Network Policy and Access Services.

Microsoft Server 2008 R2 Group Policies & Network Policy and Access Services.
Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.

Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
Security Guidelines and Management

Security Guidelines and Management
Module 8: Implementing Administrative Templates and Audit Policy.

Module 8: Implementing Administrative Templates and Audit Policy.
ManageEngine ADAudit Plus A detailed walkthrough.

ManageEngine ADAudit Plus A detailed walkthrough.
Maintaining Host Security Logs.  Security logs are invaluable for verifying whether the host's defenses are operating properly.  Another reason to maintain.

Maintaining Host Security Logs.  Security logs are invaluable for verifying whether the host's defenses are operating properly.  Another reason to maintain.
Event Viewer Was of getting to event viewer Go to –Start –Control Panel, –Administrative Tools –Event Viewer Go to –Start.

Event Viewer Was of getting to event viewer Go to –Start –Control Panel, –Administrative Tools –Event Viewer Go to –Start.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.

Principles of Computer Security: CompTIA Security + ® and Beyond, Second Edition © 2010 Baselines Chapter 14.
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.

Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

Similar presentations

Ads by Google