Thursday, January 22, 2015

Long Tail Analysis of Windows Event Logs

This is a demo from a portion of the lecture and lab in SEC511: Continuous Monitoring and Security Operations.

Link to T510-security.evtx.

Here are the PowerShell commands:

# Black text on white background (thank you @MarkBaggett)
PS C:\> cmd /c "color f0"

# Pull all security events (Requires administrator PowerShell)
PS C:\> Get-WinEvent -LogName security

# Pull all security events, search for date, count lines (Requires administrator PowerShell)
PS C:\> Get-WinEvent -LogName security | findstr "1/19/2015" | Measure-Object

# List all events in the file T510-security.evtx
PS C:\> Get-WinEvent -Path .\T510-security.evtx

# Show event 4624 from T510-security.evtx, format list output
PS C:\> Get-WinEvent -FilterHashtable @{Path=".\T510-security.evtx"; ID=4624} | fl

# Perform long tail analysis of T510-security.evtx
PS C:\> Get-WinEvent -Path .\T510-security.evtx | Group-Object id -NoElement | sort count
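The last command is the whole idea of long tail analysis: the event IDs that occur least often are the ones worth a human's attention. The script below is an added example (not from the original post or the SEC511 lab) that extends that one-liner into a small report: it reads the file once, groups by event ID, shows the rarest IDs with their share of the total, and then pulls the full records for the single rarest ID. The file path and the `$Tail` size are assumptions; change them to match your export.

```powershell
# Added example, not part of the original post.
# Long tail analysis of an exported Security log with Get-WinEvent.
$Path = ".\T510-security.evtx"   # assumed: same file the post uses
$Tail = 10                       # assumed: how many of the rarest event IDs to list

# Read every record once and keep it in memory so we only touch disk a single time
$events = Get-WinEvent -Path $Path
$total  = $events.Count

# Group by event ID and sort ascending by count, so the long tail comes first.
# -NoElement is deliberately omitted so each group still holds its records.
$groups = $events | Group-Object -Property Id | Sort-Object -Property Count

# Build the tail report: ID, count, percentage of all events, and the first
# line of the message from one sample record as a human-readable label
$report = $groups | Select-Object -First $Tail | ForEach-Object {
    [PSCustomObject]@{
        Id      = $_.Name
        Count   = $_.Count
        Percent = [math]::Round(100 * $_.Count / $total, 3)
        Message = ($_.Group[0].Message -split "`r?`n")[0]
    }
}
$report | Format-Table -AutoSize

# Drill into the rarest event ID using the same FilterHashtable form as the post,
# printing the fields an analyst needs to decide whether the event is benign
$rarestId = [int]$groups[0].Name
Get-WinEvent -FilterHashtable @{ Path = $Path; ID = $rarestId } |
    Format-List TimeCreated, Id, ProviderName, Message
```

Run it from an administrator PowerShell in the directory holding the .evtx file. Because the whole file is read into `$events`, very large exports will use a corresponding amount of memory; for those, the one-liner form with `-NoElement` from the post is the lighter choice, and you drill into individual IDs afterwards with the `-FilterHashtable` command.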