By John McCann, Co-Founder of Visual Click Software
Windows Event Logs (WELs) for Active Directory provide information that helps reduce unwanted events — or that signals a cyberattack. Effective usage of WELs requires two important ingredients.
There are multiple methods to implement WELs. System access control lists (SACLs) must be created for those objects and child objects to be monitored, and there are numerous categories of refinements to aid in the reduction of unwanted or even benign events. Alerts can be defined but require the user to know specific event code(s) and event sources to alert.
Once collected, logged events must be analyzed. The WEL native “event viewer” includes the ability to perform ad-hoc analysis of recorded events, but requires users to be versed in what data they want to extract. Many organizations do not have employees well versed in either implementation or analysis of WELs. Further, many consider log analysis to be a reactive process, something to be accomplished once a concern has been discovered, usually via other means. Without processes designed to routinely or actively monitor event logs, their effectiveness is greatly diminished, and they become more of a method to document historical evidence for later use.
Please log in or register below to read the full article.