1 00:00:02,470 --> 00:00:08,570 Once you've configured security logs (we used Group Policy for the configuration) and it's actively logging
2 00:00:08,570 --> 00:00:09,530 events,
3 00:00:09,620 --> 00:00:18,440 it's still only half the battle won. The other half is browsing through the logs on a regular basis.
4 00:00:18,480 --> 00:00:23,610 Many people enable the monitoring of a large number of events in their systems, but few actually read the
5 00:00:23,610 --> 00:00:24,990 logs regularly.
6 00:00:26,620 --> 00:00:32,860 As we said in one of the previous lectures, the fundamental benefit the defense-in-depth strategy gives us is that
7 00:00:32,860 --> 00:00:35,710 we have more time to detect an active attack attempt.
8 00:00:38,140 --> 00:00:42,440 During this time we need to be able to browse through the event logs.
9 00:00:42,530 --> 00:00:48,720 If you only catch up with your logs once every two months, this makes for a very optimistic assumption.
10 00:00:51,000 --> 00:00:56,750 Unfortunately there is a very large amount of data in the logs, and the file format used is quite unsightly.
11 00:00:58,030 --> 00:01:00,570 This is why nobody ever wants to read the logs.
12 00:01:02,200 --> 00:01:10,150 One way out could be provided by the use of additional tools, for example Log Parser.
13 00:01:10,330 --> 00:01:15,560 The parser enables us to retrieve data not only from event logs but also from system logs and other
14 00:01:15,560 --> 00:01:16,880 applications.
15 00:01:17,920 --> 00:01:21,800 This can be done through pseudo-SQL queries.
16 00:01:21,960 --> 00:01:24,330 You can specify your points of interest,
17 00:01:24,330 --> 00:01:29,700 the computer from which logs are to be queried, and the types of event information that should be retrieved.
18 00:01:32,430 --> 00:01:37,190 This versatile tool also generates collective reports and presents them as XML reports.
19 00:01:41,650 --> 00:01:48,980 Another feature of the utility groups certain event types; selected groups can later be viewed in an
20 00:01:48,980 --> 00:01:54,420 output chart form.
21 00:01:54,440 --> 00:02:00,990 The solution might help you profile normal user activity in your systems. You'll be able to view the
22 00:02:00,990 --> 00:02:06,450 logons and logon hours and also see the average number of successful and failed attempts to access
23 00:02:06,450 --> 00:02:07,910 specific files.
24 00:02:08,800 --> 00:02:14,410 If you have a security baseline like that at your disposal, you'll be more comfortable in detecting all
25 00:02:14,410 --> 00:02:16,150 deviations from the pattern.
26 00:02:18,730 --> 00:02:25,420 If there's no baseline, atypical user behaviors or a change in the system behavior will be a lot harder
27 00:02:25,420 --> 00:02:26,420 to pinpoint.
28 00:02:27,570 --> 00:02:32,730 You'll not be able to tell if there is an attack or if the anomalies are simply due to increased user
29 00:02:32,730 --> 00:02:33,690 activity,
30 00:02:34,460 --> 00:02:37,580 for example a surge that occurs in the last week of a month.
31 00:02:40,310 --> 00:02:42,110 Having collected the data,
32 00:02:42,350 --> 00:02:47,560 you can audit user activity, which means checking whether users conform to your security policy.
33 00:02:55,370 --> 00:03:01,850 The logged events will help you detect various attacks, including external attacks.
34 00:03:01,860 --> 00:03:08,480 You can also investigate an attack and prepare evidence. This topic will be covered in greater length
35 00:03:08,570 --> 00:03:09,060 in a minute.
36 00:03:14,660 --> 00:03:19,550 The above picture shows an example of a query that retrieves events of a selected type from the security
37 00:03:19,550 --> 00:03:25,200 log, filtered using a SQL expression.
38 00:03:25,250 --> 00:03:28,610 In this case we're interested in Administrator account logons.