Thursday, January 22, 2015

Long Tail Analysis of Windows Event Logs



This is a demo from a portion of the lecture and lab material in SEC511: Continuous Monitoring and Security Operations.

Link to T510-security.evtx.

Here are the PowerShell commands:

# Black text on white background (thank you @MarkBaggett)
PS C:\> cmd /c "color f0"

# Pull all security events from the live log (requires an elevated, administrator PowerShell session)
PS C:\> Get-WinEvent -LogName security

# Pull all security events, string-match the formatted output for a date, then count the matching lines
# (requires administrator PowerShell; the date string must match the locale's short date format)
PS C:\> Get-WinEvent -LogName security| findstr "1/19/2015"| Measure-Object

# List all events in the exported log file T510-security.evtx (no administrator rights needed for a file)
PS C:\> Get-WinEvent -Path .\T510-security.evtx

# Show only event ID 4624 (successful logon) from T510-security.evtx, with full list-style output
PS C:\> Get-WinEvent -FilterHashtable @{Path=".\T510-security.evtx"; ID=4624}| fl

# Perform long tail analysis of T510-security.evtx: group by event ID, count each group,
# and sort ascending so the rarest event IDs appear first
PS C:\> Get-WinEvent -Path .\T510-security.evtx| Group-Object id -NoElement| sort count
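The following script is an added example, not part of the original post or the SEC511 lab material. It extends the one-line long tail above in three directions: per-ID counts with percentage, first/last seen time and a sample message line; a second long tail over the process names inside event 4688, since the rare entries in a noisy ID live in its field values rather than the ID itself; and a dump of the full records behind the rarest IDs for triage. It assumes T510-security.evtx is in the current directory, as in the commands above, and that the log contains 4688 (process creation) events.

```powershell
# Added example (not from the original post). Assumes .\T510-security.evtx exists
# in the current directory and contains Security log records.
$Path = '.\T510-security.evtx'

# Read every record once; Get-WinEvent is slow, so keep the objects in memory
# and reuse them for each pass below.
$Events = @(Get-WinEvent -Path $Path)
$Total  = $Events.Count

# Pass 1: one row per event ID, rarest first (the long tail).
# FirstSeen/LastSeen show whether a rare ID is a one-off or a burst, and
# Sample is the first line of the message so each ID is self-describing.
$LongTail = $Events |
    Group-Object -Property Id |
    ForEach-Object {
        $times = @($_.Group.TimeCreated | Sort-Object)
        [pscustomobject]@{
            Id        = [int]$_.Name
            Count     = $_.Count
            Percent   = [math]::Round(100 * $_.Count / $Total, 2)
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
            Sample    = ($_.Group[0].Message -split "`r?`n")[0]
        }
    } |
    Sort-Object Count, Id

$LongTail | Format-Table -AutoSize

# Pass 2: long tail of process names inside event 4688 (process creation).
# The event XML is parsed so fields are addressed by name rather than by
# their position in $_.Properties, which differs across Windows versions.
$ProcessTail = $Events |
    Where-Object { $_.Id -eq 4688 } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            NewProcessName = $data['NewProcessName']
            SubjectUser    = $data['SubjectUserName']
            TimeCreated    = $_.TimeCreated
        }
    } |
    Group-Object -Property NewProcessName |
    Sort-Object Count, Name |
    Select-Object Count, Name -First 15

$ProcessTail | Format-Table -AutoSize

# Pass 3: show the full records behind the rarest IDs (two or fewer hits)
# so they can be triaged directly instead of re-querying the file.
$RareIds = @($LongTail | Where-Object { $_.Count -le 2 } | ForEach-Object { $_.Id })
$Events |
    Where-Object { $RareIds -contains $_.Id } |
    Format-List TimeCreated, Id, Message
```

On a live log the same passes work with -LogName security in place of -Path, but for large logs it is faster to narrow the input first with -FilterHashtable (for example ID=4688 and a StartTime) before grouping, rather than pulling every record and filtering in the pipeline.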

1 comment:

aa said...

Hey Eric,

Just been playing with this a bit and I found out the following after some Google time; thought I'd share since I've found it useful:

# Group the live Security log by InstanceId, keep the count and the first
# message line of each group, and list them rarest first
PS C:\Windows\system32> $logSource = 'Security'
PS C:\Windows\system32> Get-EventLog $logSource |
    group InstanceId |
    % {
        $count = $_.count
        $_.group[0] |
            select `
                InstanceID, `
                @{name='Count'; exp={$count}}, `
                @{name='Message'; exp={($_.Message -split "`n")[0]}}
    } |
    sort count |
    ft -auto

InstanceId Count Message
---------- ----- -------
5154 1 The Windows Filtering Platform has permitted an application or service to listen on a port for inco...
4658 2 The handle to an object was closed....
4696 8 A primary token was assigned to process....
4656 9 A handle to an object was requested....
4702 16 A scheduled task was updated....
4985 36 The state of a transaction has changed....
5157 101 The Windows Filtering Platform has blocked a connection....
5152 123 The Windows Filtering Platform blocked a packet....
5156 1713 The Windows Filtering Platform has allowed a connection....
5158 3365 The Windows Filtering Platform has permitted a bind to a local port....
4689 24424 A process has exited....
4688 24425 A new process has been created....

It adds the extra message field so it gives you an idea of what you are dealing with quite easily. Also, I can see this "as-is" being better for SIEM or dashboard consumption...



Maxi