Scribd Logo
Upload

Welcome to Scribd!

  • 61 views

    Security Incident Log Review Checklist

    Uploaded by

    ryu_kusanagi
    This document provides a checklist for reviewing critical logs during a security incident investigation. It outlines general steps such as identifying relevant log sources, removing routine entries, focusing on recent changes and failures, and correlating activities across logs. The checklist then provides examples of specific events and log entries to look for on different system types, including Linux, Windows, web servers, and network devices. It lists things like successful and failed login/authentication attempts, user and service status changes, traffic allowed or blocked by firewalls, and error codes. Potential log sources are also identified, such as operating system, application, security tool, proxy, and end-user logs. The document recommends considering non-log sources and provides additional online

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Security Incident Log Review Checklist

    Uploaded by

    ryu_kusanagi
    61 views1 page
    This document provides a checklist for reviewing critical logs during a security incident investigation. It outlines general steps such as identifying relevant log sources, removing routine entries, focusing on recent changes and failures, and correlating activities across logs. The checklist then provides examples of specific events and log entries to look for on different system types, including Linux, Windows, web servers, and network devices. It lists things like successful and failed login/authentication attempts, user and service status changes, traffic allowed or blocked by firewalls, and error codes. Potential log sources are also identified, such as operating system, application, security tool, proxy, and end-user logs. The document recommends considering non-log sources and provides additional online

    Original Description:

    Original Title

    security-incident-log-review-checklist

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides a checklist for reviewing critical logs during a security incident investigation. It outlines general steps such as identifying relevant log sources, removing routine entries, focusing on recent changes and failures, and correlating activities across logs. The checklist then provides examples of specific events and log entries to look for on different system types, including Linux, Windows, web servers, and network devices. It lists things like successful and failed login/authentication attempts, user and service status changes, traffic allowed or blocked by firewalls, and error codes. Potential log sources are also identified, such as operating system, application, security tool, proxy, and end-user logs. The document recommends considering non-log sources and provides additional online

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    61 views1 page

    Security Incident Log Review Checklist

    Uploaded by

    ryu_kusanagi
    This document provides a checklist for reviewing critical logs during a security incident investigation. It outlines general steps such as identifying relevant log sources, removing routine entries, focusing on recent changes and failures, and correlating activities across logs. The checklist then provides examples of specific events and log entries to look for on different system types, including Linux, Windows, web servers, and network devices. It lists things like successful and failed login/authentication attempts, user and service status changes, traffic allowed or blocked by firewalls, and error codes. Potential log sources are also identified, such as operating system, application, security tool, proxy, and end-user logs. The document recommends considering non-log sources and provides additional online

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    of 1

    CRITICAL LOG REVIEW CHECKLIST FOR What to Look for on Linux Bytes transferred “Teardown TCP connection …

    SECURITY INCIDENTS Successful user login “Accepted password”, (large files?) duration … bytes …”
    “Accepted publickey”, Bandwidth and “limit … exceeded”,
    This cheat sheet presents a checklist for reviewing "session opened”
    critical logs when responding to a security incident. It protocol usage “CPU utilization”
    can also be used for routine log review. Failed user login “authentication failure”, Detected attack “attack from”
    “failed password” activity
    General Approach User log-off “session closed” User account “user added”, “user deleted”,
    1. Identify which log sources and automated tools User account change “password changed”, changes “User priv level changed”
    you can use during the analysis. or deletion “new user”, Administrator “AAA user …”,
    2. Copy log records to a single location where you “delete user” access “User … locked out”,
    will be able to review them. “login failed”
    Sudo actions “sudo: … COMMAND=…”
    3. Minimize “noise” by removing routine, repetitive
    “FAILED su” What to Look for on Web Servers
    log entries from view after confirming that they
    are benign. Service failure “failed” or “failure” Excessive access attempts to non-existent files
    4. Determine whether you can rely on logs’ time What to Look for on Windows Code (SQL, HTML) seen as part of the URL
    stamps; consider time zone differences. Event IDs are listed below for Windows 2000/XP. For Access to extensions you have not implemented
    5. Focus on recent changes, failures, errors, status Vista/7 security event ID, add 4096 to the event ID. Web service stopped/started/failed messages
    changes, access and administration events, and Most of the events below are in the Security log; Access to “risky” pages that accept user input
    other events unusual for your environment. many are only logged on the domain controller. Look at logs on all servers in the load balancer pool
    6. Go backwards in time from now to reconstruct Error code 200 on files that are not yours
    User logon/logoff Successful logon 528, 540;
    actions after and before the incident.
    events failed logon 529-537, 539; Failed user authentication Error code 401, 403
    7. Correlate activities across different logs to get a logoff 538, 551, etc
    comprehensive picture. Invalid request Error code 400
    User account changes Created 624; enabled 626;
    8. Develop theories about what occurred; explore Internal server error Error code 500
    changed 642; disabled 629;
    logs to confirm or disprove them. deleted 630 Other Resources
    Potential Security Log Sources Password changes To self: 628; to others: 627 Windows event ID lookup: www.eventid.net
    Server and workstation operating system logs Service started or 7035, 7036, etc. A listing of many Windows Security Log events:
    Application logs (e.g., web server, database server) stopped ultimatewindowssecurity.com/.../Default.aspx
    Security tool logs (e.g., anti-virus, change detection, Object access denied 560, 567, etc Log analysis references: www.loganalysis.org
    intrusion detection/prevention system) (if auditing enabled) A list of open-source log analysis tools:
    Outbound proxy logs and end-user application logs securitywarriorconsulting.com/logtools
    What to Look for on Network Devices
    Remember to consider other, non-log sources for Anton Chuvakin’s log management blog:
    Look at both inbound and outbound activities.
    security events. securitywarriorconsulting.com/logmanagementblog
    Examples below show log excerpts from Cisco ASA
    Typical Log Locations Other security incident response-related cheat
    logs; other devices have similar functionality.
    sheets: zeltser.com/cheat-sheets
    Linux OS and core applications: /var/log
    Traffic allowed on “Built … connection”,
    Windows OS and core applications: Windows Event firewall “access-list … permitted”
    Log (Security, System, Application)
    Traffic blocked on “access-list … denied”,
    Network devices: usually logged via Syslog; some use
    firewall “deny inbound”; “Deny … by”
    proprietary locations and formats

    Authored by Anton Chuvakin (chuvakin.org) and Lenny Zeltser (zeltser.com). Reviewed by Anand Sastry. Distributed according to the Creative Commons v3 “Attribution” License.
    Cheat sheet version 1.0.

    You might also like