Exabeam: The Role of logs in Cybersecurity

    08/10/2024ExabeamNewsSIEM
    Exabeam: The Role of logs in Cybersecurity

     Logging has always been a de facto piece of the cybersecurity story for any organization. Logs are the digital fingerprint of an intrusion attempt and can provide anything from a tidbit of information to the comprehensive story behind a breach.

     However, certain types of logs are often excluded, and, if enabled, not even used effectively. We’ll focus on the top logs that are overlooked across most organizations and suggest some specific logs or services to get you started.

    Not all logs are created equal, so we’re going to break this up into five areas of logging (primarily Windows-focused) that can provide immense value to any organization looking to improve its cybersecurity posture in terms of visibility and enforcement.

    Authentication logs

    Successful Logins

    Sure, successful logins might not make headlines, but they’re the backbone of any security infrastructure. They help ensure that the right people are getting access to the right resources at the right time. Think of them as the unsung heroes quietly keeping your digital vault safe from intruders.

    Sample logs to prioritize: 

    • Windows Event Log (Event ID 4624 – Successful Logon)
    • Windows Authentication Log (Event ID 4776 – Successful Credential Validation)
    • Windows Event Log (Event ID 4648 – A logon was attempted using explicit credentials)
    • Window Event Log (Event ID 4768 – A Kerberos authentication ticket was requested)
    • VPN Login Events (Vendor-specific logs)
    • Linux Auth Log (/var/log/auth.log)
    • Linux Syslog (/var/log/syslog)

    Across Windows and Linux systems respectively, these logs record successful logon events, including interactive logons via the console, network logons such as VPN, and authentication using NTLM, Kerberos, SSH or other authentication protocols, as well as system messages and context for successful logins. Combining successful login attempts with the context of privileged user accounts can greatly expand your visibility into intrusion potential and overall criticality.

    Failed Login Attempts 

    Failed login attempts; often overlooked, yet oh-so-important. These little nuggets of information can be your early warning system against potential threats. They reveal when someone is trying to breach your defenses, giving you the chance to thwart their dastardly plans before they can do any real damage.

    Sample logs to prioritize: 

    • Windows Event Log (Event ID 4625 – Failed Logon)
    • Windows Authentication Log (Event ID 4771 – Kerberos Authentication Service Failed)
    • Linux Auth Log (/var/log/auth.log)
    • Linux Syslog (/var/log/syslog)

    Failed login attempts can seem like something to ignore, but the reality is that they will happen much more frequently than successful login attempts in most data breach scenarios. These logs can detect brute force attempts and can be combined with successful logins to paint the broader picture of an intrusion attempt. A key area of focus for Kerberos authentication failures would be your Domain Controllers, which hold the keys to your entire domain infrastructure and are often the most sought-after targets.

    Account Lockouts and Changes 

    Account lockouts might seem like a minor inconvenience, but they can be your best friend when it comes to disrupting cyberattacks. Think of them as the bouncers at an exclusive club, keeping out anyone who doesn’t have a VIP pass. By monitoring account lockouts, you can spot suspicious activity and lock down your system before it’s too late. Furthermore, account changes, such as creations or deletions, can be strong indicators of lateral movement and cleanup activities.

    Sample logs to prioritize: 

    • Windows Event Log (Event ID 4740 – User Account Lock Out
    • Windows Event Log (Event ID 4720 – A user account was created)
    • Windows Event Log (Event ID 4726 – A user account was deleted)
    • Windows Event Log (Event ID 4738 – A user account was changed)

    Windows does a great job of tracking user account lockouts and changes, as well as the reasons behind them. These event codes can be a very effective tool, especially when combined with failed or successful login attempts, to track down that annoying teenager trying to sneak back into the club.

    Network traffic logs

    Network traffic logs encompass a huge variety of logs, and it’s difficult to pinpoint just a few that provide the best visibility. They include both north/south (inbound and outbound traffic to your network) as well as east/west (lateral movement inside your network) activities for an attacker, and all directions are important.

    Some of the logs to start monitoring include: 

    • DNS Queries
    • Network Protocol Activities (i.e RDP logins, file share access, SMB)
    • Network Security Device Logs (i.e Firewall, IPS/IDS)
    • Database Audit
    • Web Server Activity
    • Web Proxy
    • Email Server Message Tracking
    • VPN Connections

    There are too many logs in these categories to list, so we leave it to the reader to exercise judgment in prioritizing specific network logs. Ensure an appropriate balance between N/S and E/W traffic monitoring to provide the best visibility.

    System logs

    System Startups/Shutdowns 

    Every system has its own rhythm; its own cycle of starting up and shutting down. Monitoring system startup and shutdown events in your system logs can provide valuable insights into the health and stability of your infrastructure. Sudden or unexpected shutdowns could be a sign of hardware failure or a malware infection, while repeated startup failures could indicate a deeper underlying issue that needs attention. In Windows, for example, the Event Viewer tracks system startups and shutdowns and the relevant logs.

    Sample logs to prioritize:

    • Windows Event Log (Event ID 6005 and 6006 – Startup and Shutdown)
    • Linux Syslog (/var/log/syslog) – Startup and Shutdown

    Software Installations 

    Software installations are the key to creating new features and adding functionality to your systems, but they can also be a potential security risk if not monitored properly. By keeping an eye on software installation events in your system logs, you can detect unauthorized or malicious software installations before they cause the entire building to come crashing down.

    Windows Installer Logging records information about the installation and uninstallation of software packages using Windows Installer technology. This log can provide detailed information about the installation process, including which files were installed, registry changes made, and any errors encountered during installation.

    System Errors 

    System errors may not be the most glamorous part of system logs, but they’re one of the most important. From hardware failures to software bugs, system errors can be a sign that something is seriously wrong with your infrastructure. By monitoring system error events in your system logs, you can catch potential issues before they escalate into full-blown disasters.

    Like the two categories prior, system errors can be tracked and monitored via the Event Viewer and corresponding logs in Windows, and syslog in Linux environments.

    Application logs

    User Actions 

    Monitoring user actions in your application logs can provide valuable insights into how your users interact with your software. From login attempts to feature usage, tracking user actions can help you detect anomalies and identify potential security threats, such as unauthorized access or unusual behavior.

    Sample logs to prioritize:

    • System audit, web server access, and application-specific audit
    • Windows Event Log (Event ID 4765 – System audit policy was changed)

    API Calls 

    API calls can be thought of as the secret handshakes that allow different software systems to communicate with each other. Monitoring API calls in your application logs can help you keep tabs on how your applications are interacting with external services and resources. By tracking API calls, you can detect unauthorized access attempts, potential security vulnerabilities, or even signs of a data breach.

    Sample logs to prioritize:

    • API Gateway, API server, and API client
    • Windows Event Log (Event ID 5156 – Filtering Platform Connection)
    • Windows Event Log (Event ID 5158 – Filtering Platform Packet Drop)
    • Windows Event Log (Event ID 4688 – A new process has been created)

    Error Logs 

    From coding bugs to server issues, error logs can be a sign that something is amiss in your application. By monitoring error logs in your application logs, you can catch potential issues before they have a chance to impact your users or your business.

    Sample logs to prioritize:

    • System error, application error, and database error
    • Windows Event Log (Event ID Event ID 6008 – Unexpected Shutdown)
    • Windows Event Log (Event ID 1001 – Windows Error Reporting)
    • Windows Event Log (Event ID 1000 – Application Error)

    File integrity logs 

    File Modifications 

    File modifications appear innocuous at first glance, but they can hold crucial insights into the integrity of your digital assets. Monitoring file modifications in your integrity logs allows you to track changes made to important files and directories. Whether it’s an unauthorized edit, a suspicious alteration, or even a benign update gone wrong, keeping an eye on file modifications helps you maintain the integrity and security of your data.

    Sample logs to prioritize:

    • Windows Event Log (Event ID 4663 – An attempt was made to access an object)
    • Windows Event Log (Event ID 4656 – A handle to an object was requested)
    • Windows Event Log (Event ID 4660 – An object was deleted)

    A combination of these essential logs provides a birds-eye view to some of the most interesting events related to file modifications. A large volume of access, write, or deletion events might indicate the presence of malware or ransomware.

    Access Permissions Changes 

    Simply stated, access permissions changes control who, in the words of Tolkien’s gray wizard, shall or shall not pass. Monitoring access permissions changes in your integrity logs enables you to track alterations to file permissions and ownership. This oversight helps you detect unauthorized access attempts, insider threats, or even accidental misconfigurations that could compromise the confidentiality and availability of your data. It might even help you defeat a Balrog.

    Sample logs to prioritize:

    • Windows Event Log (Event ID 4670 – Permissions on an object were changed)
    • Windows Event Log (Event ID 4704 – A user right was assigned)
    • Windows Event Log (Event ID 4738 – A user account was changed)

    Access permissions changes are very often overlooked, and even more often misconfigured. Many significant historical breaches were achieved through incorrectly managed or configured accounts. Logging these important activities is critical.

    File Deletions 

    File deletions  aren’t always routine cleanup —  they can also signify potential data loss or malicious activity. Monitoring file deletions in your integrity logs allows you to track when and by whom files are removed from your system. Keeping tabs on file deletions helps you safeguard your critical assets and maintain data integrity in the face of accidental deletion, intentional sabotage, or even a cybercriminal attempting to cover their tracks.

    Sample logs to prioritize:

    • Windows Security Event Log (Event ID 4663 – An attempt was made to access an object)
    • Windows Security Event Log (Event ID 4660 – An object was deleted)
    • Windows Security Event Log (Event ID 5145 – A network share object was checked to see whether client can be granted desired access)

    It’s easy to “sleep through” the complex task of developing an effective log management strategy, but we hope this article has given you an idea of ​​its importance. Although it is worth noting that the list of journals here is not exhaustive.

    About Exabeam

    Exabeam is a global cybersecurity leader that delivers AI-driven security operations. The company was the first to put AI and machine learning in its products to deliver behavioral analytics on top of security information and event management (SIEM). Today, the Exabeam Security Operations Platform includes cloud-scale security log management and SIEM, powerful behavioral analytics, and automated threat detection, investigation and response (TDIR). Its cloud-native product portfolio helps organizations detect threats, defend against cyberattacks, and defeat adversaries. Exabeam learns normal behavior and automatically detects risky or suspicious activity so security teams can take action for faster, more complete response and repeatable security outcomes.

    For more information or to order test solutions