Spotting the Adversary with Windows Event Log Monitoring (version 2)

Abstract: This paper focuses on using the built-in tools already available in the Microsoft Windows operating system (OS). Although many commercially available tools exist for central event log collection, the built-in feature requires only a Windows Server operating system version 2003 R2 or above; Windows Server 2008 R2 or above is recommended. There are no additional licensing costs for using the event log collection feature. The cost of using it is determined by the additional storage hardware needed to hold the volume of log data collected, which in turn depends on the number of workstations within the local log collection network.

Last Reviewed: 16 July 2015

Version: 2

Tags: Application Whitelisting; Authentication; Event Logging; Intrusion Detection and Prevention; Man in the Middle - MITM; Pass-the-Hash - PtH; Windows