
Index

1. Keywords
2. Networking
   i. OSI layers
   ii. 3 way hand shake, 2 way hand shake & 5 way hand shake
   iii. I.P address
   iv. Port and Protocols
3. Servers
   i. DHCP Server
   ii. DNS Server
   iii. DNS record
   iv. Name Server record
   v. SMTP Server
4. TCP / IP Layers
5. Commands
6. Cyber kill chain process
7. Attacks
   i. Malware Category
   ii. Phishing Category
   iii. Spoofing Category
   iv. Authentication Category
   v. DoS Attack
   vi. DDoS Attack
8. Other Attacks
   i. Sweet32
   ii. Heartbleed
   iii. Poodle Attack
   iv. Golden Ticket
   v. Silver Ticket
9. End Point Security
   i. EDR Tool
   ii. DLP Tool
   iii. FIM Tool
   iv. Encryption Tool
10. Network Security
   i. DPC (Defense In Depth Control)
   ii. NGFW
      a) Packet Filtering
      b) Stateful Inspection (Deep Packet Analysis)
         a. TCP/IP Layers
      c) Application Gateway
      d) IP Filtering
      e) Malware Scan
11. High Availability
   i. Basic Conditions
   ii. Upgrading Process
12. VPN
   i. Site to Site VPN
   ii. Remote VPN
      a) VPN Client
      b) VPN Portal
      c) VPN Gateway
13. Proxy
   i. Forward Proxy
   ii. Reverse Proxy
14. NIDS/NIPS
15. Application Security
16. Cryptography
   i. Symmetric
   ii. Asymmetric
17. OWASP Top 10
   i. Broken Access Control
   ii. Cryptography Failure
   iii. Injection Flaws
   iv. Insecure Design
   v. Security Misconfiguration
   vi. Vulnerable and Outdated Components
   vii. Authentication Failure
   viii. Software Data Integrity
   ix. Security Logging and Monitoring
   x. Server Side Request Forgery
18. Framework followed by SOC
19. SIEM Tool
20. Log Source
   i. In Network
   ii. In Security
   iii. Application
   iv. Infrastructure
   v. Windows Logs
21. Triaging
22. Windows Event IDs
23. SIEM Architecture
   i. Data Collector
   ii. Data Processing
24. Retention Policy
25. CEF (Common Event Format)
26. Blocking
27. SOC
28. Incident Analysis
   i. Malware Analysis
   ii. E-mail Analysis
   iii. Ransomware Analysis
29. Windows Logon
30. HTTP Status Code
Keywords
SOC (Security Operation Centre)
1. DC (Domain Controller):-
   * It is a centralized server.
   * It does authentication and authorization.
2. AD (Active Directory):-
   * The data of users is stored in Active Directory.
   * LDAP (Lightweight Directory Access Protocol).
3. Virus / Malware:-
   * It is an unwanted or malicious software.
   * A virus is also called malware.
4. Antivirus / Antimalware:-
   * Antivirus is a wanted software which protects us from viruses.
5. IDS / IPS:-
   * Intrusion detection systems (IDS) and intrusion prevention systems (IPS) constantly watch your network, identifying possible incidents and logging information about them, stopping the incidents, and reporting them to security administrators.
   * Host -> HIDS / HIPS
   * Network -> NIDS / NIPS
   * Wireless -> WIDS / WIPS
6. EDR (Endpoint Detection and Response) tool:-
   * EDR refers to a category of tools used to detect and investigate threats on endpoints.
   * EDR is a new generation antivirus.
7. MDR:- Managed Detection and Response
8. NDR:- Network Detection and Response
9. WAF:- Web Application Firewall
10. OWASP:- (Open Web Application Security Project)
    This is a web site that lists the top 10 cyber-attacks.
11. SANS:- (SysAdmin, Audit, Network and Security)
    This is a web site that lists the top 25 cyber-attacks.
12. NGFW (Next Generation Firewall):-
    * NGFW monitors internet traffic (inbound traffic and outbound traffic).
13. MITRE:- This is the MITRE website which tells us how the attacks take place.
14. DLP (Tool):- Data Loss Prevention.
15. FIM:- File Integrity Monitoring
    FIM prevents data from being deleted (or) modified.
16. CIA:- Confidentiality, Integrity, Availability
17. FIM (tool):- File Integrity Monitoring
    This tool is used to make sure that the file does not get corrupted.
18. MAC:- Media Access Control
    When a device (laptop or phone) connects to a network the MAC address changes to an IP address.
19. DNS Server:- Domain Name System
    DNS converts a domain name to an IP address.
20. DHCP:- Dynamic Host Configuration Protocol
    It automatically provides an IP address to the host.
21. ARP:- Address Resolution Protocol
    It is a protocol or procedure that connects an ever-changing IP address to a fixed physical machine address, also known as a media access control (MAC) address, in a local-area network (LAN).
22. RARP:- Reverse Address Resolution Protocol
23. SMTP:- Simple Mail Transfer Protocol
    It is a TCP/IP protocol used in sending and receiving email. SMTP is used most commonly by email clients, including Gmail, Outlook, Apple Mail and Yahoo Mail. SMTP can send and receive email, but email clients typically use a program with SMTP for sending email.
24. SSH:- Secure Shell
25. Telnet:- Telnet is a network protocol used to virtually access a computer and to provide a two-way, collaborative and text-based communication channel between two machines. It follows a user command Transmission Control Protocol/Internet Protocol (TCP/IP) networking protocol for creating remote sessions.
26. SNMP:- Simple Network Management Protocol
    It is a networking protocol used for the management and monitoring of network-connected devices in Internet Protocol networks.
27. GUI (Graphical User Interface) / CLI (Command Line Interface)
28. Agent:-
29. RDP:- Remote Desktop Protocol
30. Vulnerability:-
    * Weakness
    * Threats
    * Risk
31. NTP:- Network Time Protocol
    It is used by hundreds of millions of computers and devices to synchronize their clocks over the Internet. If your computer sets its own clock, it likely uses NTP.
32. TTP:- Tactics, Techniques, and Procedures
    It is a key concept in cyber security and threat intelligence. The purpose is to identify patterns of behavior which can be used to defend against specific strategies and threat vectors used by hackers.
33. HTTP:- Hyper Text Transfer Protocol
    The HTTP protocol converts the code from HTML, Java, etc. into a form the user can understand.
    'HTTPS' is more secure than 'HTTP'.
34. SSL:- Secure Sockets Layer (old version)
    It is a standard security technology for establishing an encrypted link between a server and a client.
35. TLS:- Transport Layer Security (new version)
    It is a protocol used by applications to communicate securely across a network, preventing tampering with and eavesdropping on email, web browsing, messaging, and other protocols.
36. SIEM:- Security Information and Event Management
    It is a solution that helps organizations detect, analyze, and respond to security threats before they harm business operations.
37. Log:- A log is a record of the events occurring within an organization's systems and network.
38. Log Source:- A log source is a data source that creates an event log.
39. Syslog:- Syslog is an IETF RFC 5424 standard protocol for computer logging and collection that is popular in Unix-like systems including servers, networking equipment and IoT devices.
40. CERT:- Computer Emergency Response Team
    CSIRT:- Cyber Security Incident Response Team
    SIRT:- Security Incident Response Team
    SOC:- Security Operation Center
41. NIC:- Network Interface Card
    It gives the MAC address.
42. MTTD:- Mean Time To Detect
    MTTD reflects the amount of time it takes your team to discover a potential security incident.
    MTTI:- Mean Time To Identify
    MTTI reflects the amount of time it takes your team to identify a potential security incident.
    MTTR:- Mean Time To Respond
    MTTR reflects the amount of time it takes your team to respond to a potential security incident.
43. SOP:- Standard Operating Procedures
    It is a set of written instructions that describes the step-by-step process that must be taken to properly perform a routine activity.
44. RCA:- Root Cause Analysis
    It is the process of discovering the origin/root cause of security events to identify vulnerabilities and deploy strategic measures to effectively contain and limit the impact within a pre-defined risk tolerance.
45. SLA:- Service Level Agreement
46. MITM:- Man In The Middle Attack
Networking

OSI:- Open Systems Interconnection

Layer 1 - Application layer
  Data format: Data
  Attacks: OWASP / SANS / MITRE
  What happens: Web browsing, Messaging, Remote desktop, etc. (User)
  Operations: Web browsing; Messaging (POP) e-mail; Virtual terminal (RDP); File transfer -> (connect another laptop using AnyDesk etc.)
Layer 2 - Presentation layer
  Data format: Data (Encrypted)
  Attacks: OWASP / SANS / MITRE
  What happens: Secure encryption
  Operations: Encryption & Decryption
Layer 3 - Session layer
  Data format: Data (Encrypted)
  Attacks: OWASP / SANS / MITRE, Poodle, Heartbleed, Sweet32
  What happens: Session
  Operations: Session management -> Authentication, -> Authorization
Layer 4 - Transport layer
  Data format: Segments / Datagrams
  Attacks: Flooding
  Operations: Segmentation, Error control, Flow control
Layer 5 - Network layer
  Data format: Packets
  Attacks: Flooding, Spoofing
  What happens: Communicating with IP
  Operations: Transfer packets
Layer 6 - Data link layer
  Data format: Frames
  Attacks: Flooding, Spoofing
  What happens: Communicating with MAC
  Operations: Time frame
Layer 7 - Physical layer
  Data format: Bits
  What happens: Physical

Transport Layer

TCP (Transmission Control Protocol):
1. Done in layer-4 (Transport layer)
2. Initiation signal (Start & Stop)
3. Acknowledge / Feedback
4. Data is in Segments
5. Connection oriented, slow
Ex:- Normal websites (YouTube, Amazon)

UDP (User Datagram Protocol):
1. Done in layer-4 (Transport layer)
2. No initiation
3. No acknowledge
4. Data is in Datagrams
5. Connectionless, fast
Ex:- Live TV shows
3 way hand shake, 2 way hand shake & 5 way hand shake

I.P address
* MAC address -> No change
* MAC -> I.P address -> Logical address
* I.P address -> Version 4 -> 32 bit
              -> Version 6 -> 128 bit
* I.P address -> Public IP / Private IP
Classes:-
Class A:- 0.0.0.0 – 126.255.255.255
Class B:- 128.0.0.0 – 191.255.255.255
Class C:- 192.0.0.0 – 223.255.255.255
Class D:- 224.0.0.0 – 239.255.255.255
Class E:- 240.0.0.0 – 255.255.255.255
Private (I.P):-
* 10.0.0.0 – 10.255.255.255
* 172.16.0.0 – 172.16.255.255
* 192.168.0.0 – 192.168.255.255
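The classification above, as an added example that is not part of the original notes: the classful ranges are the ones listed here, while the public/private decision comes from Python's standard `ipaddress` module, which follows RFC 1918 and therefore treats the whole of 172.16.0.0/12 (172.16.0.0 to 172.31.255.255) as private. The sample addresses are constructed documentation addresses.

```python
import ipaddress

# Classful ranges as listed in the notes (IPv4 only).
CLASS_RANGES = [
    ("A", ipaddress.ip_address("0.0.0.0"),   ipaddress.ip_address("126.255.255.255")),
    ("B", ipaddress.ip_address("128.0.0.0"), ipaddress.ip_address("191.255.255.255")),
    ("C", ipaddress.ip_address("192.0.0.0"), ipaddress.ip_address("223.255.255.255")),
    ("D", ipaddress.ip_address("224.0.0.0"), ipaddress.ip_address("239.255.255.255")),
    ("E", ipaddress.ip_address("240.0.0.0"), ipaddress.ip_address("255.255.255.255")),
]


def ip_class(addr):
    """Return the class letter for an IPv4 address, 'loopback' for 127.0.0.0/8,
    or None for IPv6 (classes do not apply to 128-bit addresses)."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return None
    for name, lo, hi in CLASS_RANGES:
        if lo <= ip <= hi:
            return name
    return "loopback"  # 127.x.x.x sits in the gap between class A and class B


def describe(addr):
    """Summarise what a SOC analyst wants to know about an address at a glance."""
    ip = ipaddress.ip_address(addr)
    return {
        "address": str(ip),
        "version": ip.version,
        "bits": ip.max_prefixlen,   # 32 for IPv4, 128 for IPv6
        "class": ip_class(addr),
        "private": ip.is_private,   # RFC 1918 ranges plus other non-routable blocks
        "loopback": ip.is_loopback,
    }


def split_public_private(addrs):
    """Split a list of addresses (e.g. from a firewall log) into external and internal."""
    public, private = [], []
    for a in addrs:
        (private if ipaddress.ip_address(a).is_private else public).append(a)
    return public, private


if __name__ == "__main__":
    # Constructed sample: two internal hosts and one external resolver address.
    for a in ["10.1.2.3", "172.20.5.5", "8.8.8.8", "2001:db8::1"]:
        print(describe(a))
```

Splitting a list of addresses from an alert into public and private is the first step of most triage: private sources point at an internal host to investigate, public ones at an external actor to block or enrich.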

Ports & Protocols

Name     Full form                                                  Port number
FTP      File Transfer Protocol                                     20 & 21
SSH      Secure Shell                                               22
Telnet                                                              23
SMTP     Simple Mail Transfer Protocol                              25
DNS      Domain Name System                                         53
DHCP     Dynamic Host Configuration Protocol                        67 & 68
HTTP     Hyper Text Transfer Protocol                               80
HTTPS                                                               443
RDP      Remote Desktop Protocol                                    3389
LDAP     Lightweight Directory Access Protocol (Active Directory)   389
LDAPS                                                               636
POP      Post Office Protocol                                       110
NTP      Network Time Protocol                                      123
VPN      Virtual Private Network (IP Security)                      500
ICMP     Internet Control Message Protocol (Ping command)           No port number
SMB      Server Message Block                                       445

DHCP - Server
(Dynamic Host Configuration Protocol)
* The DHCP server allocates an IP to the host automatically.
* The DHCP server uses the DORA process:
  * D -> Discover
  * O -> Offer
  * R -> Request
  * A -> Acknowledge

DNS - Server
(Domain Name System)
* The DNS server converts a domain name to an IP address.
* First the DNS server checks whether the IP of that particular domain name is present in the cache memory or not. If it contains the domain name then the DNS server returns the IP, or else it asks the authoritative server for the IP; the DNS server then stores it in the cache memory and returns the IP to the laptop.

DNS Records
* A Record:- Converts:- Domain -> IP address (IPv4)
* AAAA Record:- Converts:- Domain -> IP address (IPv6)
* PTR Record:- (reverse pointer) Converts:- IP address -> Domain
* CNAME Record:- Example:- amazon.com -> http://www.amazon.com.in
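The cache-first lookup described above and the record types in the list, as one added example that is not from the notes: a toy resolver with a TTL cache, a constructed authoritative zone (documentation addresses only, no real DNS traffic), CNAME following, and the reverse name used for PTR queries. The zone contents and the clock injection are assumptions made for the example.

```python
import time

# Constructed zone data standing in for the authoritative server: (name, type) -> (value, ttl)
AUTHORITATIVE_ZONE = {
    ("www.example.com", "CNAME"): ("example.com", 300),
    ("example.com", "A"): ("192.0.2.10", 300),
    ("example.com", "AAAA"): ("2001:db8::10", 300),
    ("10.2.0.192.in-addr.arpa", "PTR"): ("example.com", 300),
}


class CachingResolver:
    """Check the cache first; on a miss or an expired entry ask the authoritative
    server, store the answer with its TTL, then return it."""

    def __init__(self, zone, clock=time.time):
        self.zone = zone
        self.clock = clock            # injectable so TTL expiry can be demonstrated
        self.cache = {}               # (name, type) -> (value, expiry time)
        self.upstream_queries = 0     # how often the authoritative server was asked

    def _ask_authoritative(self, name, rtype):
        self.upstream_queries += 1
        if (name, rtype) not in self.zone:
            return None               # NXDOMAIN / no data: nothing to cache here
        value, ttl = self.zone[(name, rtype)]
        self.cache[(name, rtype)] = (value, self.clock() + ttl)
        return value

    def lookup(self, name, rtype):
        hit = self.cache.get((name, rtype))
        if hit and hit[1] > self.clock():
            return hit[0]             # served from cache
        return self._ask_authoritative(name, rtype)

    def resolve(self, name, rtype="A", max_cname_depth=8):
        """Resolve a name the way a client asking for A/AAAA does: follow CNAMEs."""
        for _ in range(max_cname_depth):
            answer = self.lookup(name, rtype)
            if answer is not None:
                return answer
            alias = self.lookup(name, "CNAME")
            if alias is None:
                return None
            name = alias
        return None                   # guard against a CNAME loop


def reverse_name(ipv4):
    """Build the PTR query name: octets reversed, then '.in-addr.arpa'."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


if __name__ == "__main__":
    r = CachingResolver(AUTHORITATIVE_ZONE)
    print(r.resolve("www.example.com"), r.upstream_queries)
    print(r.resolve("www.example.com"), r.upstream_queries)   # second time: fewer upstream queries
    print(r.lookup(reverse_name("192.0.2.10"), "PTR"))
```

The `upstream_queries` counter makes the caching visible: the second resolution of the same name does not go back to the authoritative server until the TTL has run out. That is also why poisoned cache entries (DNS spoofing, covered later in these notes) persist for their whole TTL.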

Name Server Record
A name server record indicates which DNS server is authoritative for that domain.
Example:-
Yahoo.com -> USA
Yahoo.co.in -> India
Yahoo.co.uk -> UK

SMTP Server
(Simple Mail Transfer Protocol)
SMTP checks or verifies the SPF, DMARC and DKIM of mails when a mail is sent from one user to another.
SPF:- Sender Policy Framework
DMARC:- Domain-based Message Authentication, Reporting & Conformance
DKIM:- DomainKeys Identified Mail
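The SPF and DMARC checks a receiving mail server performs, as an added example that is not from the notes: the TXT records and the message identities are constructed strings; DKIM appears only as its verified result (the signing domain), because verifying the signature itself requires fetching the signer's public key. The "organisational domain" rule for relaxed alignment is simplified to the last two labels, which is an assumption for the example.

```python
import ipaddress

# Constructed DNS TXT records for the example domain.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.5 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip):
    """Evaluate the domain's SPF record against the connecting IP (ip4/ip6/all terms only)."""
    record = DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def parse_dmarc(domain):
    """Turn the _dmarc TXT record into a tag dictionary, or None if there is no policy."""
    record = DNS_TXT.get("_dmarc." + domain)
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict = exact match, relaxed = same organisational domain."""
    if mode == "s":
        return auth_domain == from_domain
    org = lambda d: ".".join(d.split(".")[-2:])  # simplification: last two labels
    return org(auth_domain) == org(from_domain)


def evaluate_dmarc(from_domain, mail_from_domain, sender_ip, dkim_domain=None):
    """from_domain: domain in the visible From: header; mail_from_domain: SMTP envelope sender;
    dkim_domain: d= of a DKIM signature that already verified, or None."""
    policy = parse_dmarc(from_domain)
    if policy is None:
        return {"result": "none", "action": "accept", "spf": check_spf(mail_from_domain, sender_ip)}
    spf = check_spf(mail_from_domain, sender_ip)
    spf_ok = spf == "pass" and aligned(mail_from_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "action": "accept", "spf": spf}
    action = {"reject": "reject", "quarantine": "quarantine"}.get(policy.get("p"), "accept")
    return {"result": "fail", "action": action, "spf": spf}


if __name__ == "__main__":
    print(evaluate_dmarc("example.com", "example.com", "192.0.2.25"))   # legitimate relay
    print(evaluate_dmarc("example.com", "example.com", "203.0.113.9"))  # forged sender
```

A DMARC pass needs only one of SPF or DKIM to pass *and* align with the From: domain; a message that fails both is handled according to the published `p=` policy, which is what lets a receiver reject forged mail instead of just scoring it.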
TCP/IP layer

Commands
1. ping:- The ping tool is used to test whether a particular host is reachable across an IP network. A ping measures the time it takes for packets to be sent from the local host to a destination computer and back. The ping tool measures and records the round-trip time of the packet and any losses along the way.
2. getmac:- getmac is a Windows command used to display the Media Access Control (MAC) addresses for each network adapter in the computer.
3. ipconfig /all:- To show all the information about your network adapter, you will need to use the /all parameter. This includes the MAC address of your network adapter.
4. nslookup:- This command is used to see the IP address of websites.
5. netstat:- The netstat command is used to show network status. Traditionally, it is used more for problem determination than for performance measurement. However, the netstat command can be used to determine the amount of traffic on the network to ascertain whether performance problems are due to network congestion.
6. tracert:- The traceroute command (tracert) is a utility designed for displaying the time it takes for a packet of information to travel between a local computer and a destination IP address or domain.
7. pathping:- The pathping command is a command-line utility tool in Windows operating systems. It is commonly used to troubleshoot network issues, particularly the ones related to latency and network performance. It is considered an alternative to tracert and it combines the ping and tracert commands.
Cyber kill chain process:-
The step-by-step process by which the hacker hacks a system is called the Cyber Kill Chain process.

Phases of the cyber kill chain process:-
1. Reconnaissance:- (selection of target)
   Knowing the vulnerabilities (or) knowing the security of a system to target (or) attack.
2. Weaponization:- In this step, the intruder creates a malware weapon like a virus, worm or such in order to exploit the vulnerabilities of the target. Depending on the target and the purpose of the attacker, this malware can exploit new, undetected vulnerabilities (also known as zero-day exploits) or it can focus on a combination of different vulnerabilities.
   (Note:- Here the malware can be in the form of PDF, .EXE, .JPG, .JPEG, etc.)
3. Transport:- This step involves transmitting the weapon to the target. The intruder / attacker can employ different methods like USB drives, e-mail attachments and websites for this purpose.
4. Exploitation:- In this step, the malware starts the action. The program code of the malware is triggered to exploit the target's vulnerability/vulnerabilities.
   (or)
   Identifying the weakness.
5. Installation:- In this step, the malware installs an access point for the intruder / attacker. This access point is also known as the backdoor.
6. Command and Control:- The malware gives the intruder / attacker access in the network/system.
7. Actions on Objective:- Once the attacker / intruder gains persistent access, they finally take action to fulfil their purpose, such as encryption for ransom, data exfiltration or even data destruction.
Attacks
Attacks are classified into:-
1. Malware Category
2. Phishing Category
3. Spoofing Category
4. Authentication Category
5. DoS, DDoS Category

1. Malware Category:-
* Virus:- A virus is an unwanted software which replicates itself.
* Worm:- Self-replication in a network.
* Backdoor attack:- When a hacker enters a system from a backdoor then all the authentications will be disabled for him.
* Trojan:- A Trojan Horse virus is a type of malware that downloads onto a computer disguised as a legitimate program. The delivery method typically sees an attacker use social engineering to hide malicious code within legitimate software to try and gain users' system access with their software.
* Ransomware:- Ransomware is malware designed to deny a user or organization access to files on their computer. By encrypting these files and demanding a ransom payment for the decryption key, cyberattackers place organizations in a position where paying the ransom is the easiest and cheapest way to regain access to their files.
* Keylogger:- A keylogger or keystroke logger/keyboard capturing is a form of malware or hardware that keeps track of and records your keystrokes as you type. It takes the information and sends it to a hacker using a command-and-control (C&C) server.
* Adware:- The hacker enters into the system by using advertisements (ads).
* Rootkit:- The malware tries to get access to the admin (or) root.
* Logic Bomb:- A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.
* Zero Day:- A zero-day attack refers to a cyber-attack that exploits a software vulnerability that is previously unknown to the software vendor or the public. In other words, the attack occurs on the same day the vulnerability is discovered or "zero days" after its identification, leaving no time for the software developers to develop and release a patch to fix it.
* Mimikatz:- (works only on Windows)
  This is a malware which stores all the credentials of the Windows operating system.
* Mitigation:-
  * RBAC:- (Role-Based Access Control)
    It is a mechanism that restricts system access.

2. Phishing Category:-
Phishing is categorized into:-
* Spear Phishing
* Whaling
* Smishing
* Vishing

* Spear Phishing:- Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business.
  Malware is sent in the form of a file (or) URL. This is sent to everyone.
* Whaling:- Whaling is a highly targeted phishing attack, aimed at senior executives, masquerading as a legitimate email.
* Vishing:- Vishing is short for "voice phishing," which involves defrauding people over the phone, enticing them to divulge sensitive information.
* Smishing:- Smishing is a social engineering attack that uses fake mobile text messages to trick people into downloading malware, sharing sensitive information, or sending money to cybercriminals.

3. Spoofing Category:-
Spoofing is the act of disguising a communication from an unknown source as being from a known, trusted source.
Spoofing is categorized into:-
* IP Spoofing
* E-mail Spoofing
* ARP Spoofing
* DNS Spoofing

* IP Spoofing:- Internet Protocol (IP) spoofing is a type of malicious attack where the threat actor hides the true source of IP packets to make it difficult to know where they came from.
* E-mail Spoofing:- E-mail spoofing is a threat that involves sending email messages with a fake sender address.
* ARP Spoofing:- (Address Resolution Protocol)
  Address Resolution Protocol (ARP) spoofing or ARP poisoning is a form of spoofing attack that hackers use to intercept data.
  (Note:- ARP is a protocol or procedure that connects an ever-changing IP address to a fixed physical machine address, also known as a media access control (MAC) address, in a local-area network (LAN).)
  ARP Table
  IP Address     Host   MAC
  16.56.78.15    XYZ    17AZP6Q
* DNS Spoofing:- DNS (Domain Name Service) spoofing is the process of poisoning entries on a DNS server to redirect a targeted user to a malicious website under attacker control.
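How a defender spots ARP poisoning in the ARP table the notes show above, as an added example that is not from the notes: the known-good baseline, the table entries and the captured replies are all constructed; the two rules (an IP whose MAC no longer matches the baseline, and one MAC claiming several IPs) are the usual symptoms, and the reply watcher flags a MAC changing mid-session.

```python
# Constructed baseline: IP -> MAC recorded while the LAN was known to be healthy.
KNOWN_GOOD = {
    "192.168.1.1": "00:11:22:33:44:01",   # default gateway
    "192.168.1.20": "00:11:22:33:44:20",
}


def check_arp_table(entries):
    """entries: list of (ip, mac) as read from a host's ARP cache.
    Returns (rule, detail) findings for baseline mismatches and duplicate MACs."""
    findings = []
    by_mac = {}
    for ip, mac in entries:
        mac = mac.lower()
        by_mac.setdefault(mac, set()).add(ip)
        expected = KNOWN_GOOD.get(ip)
        if expected and expected != mac:
            findings.append(("baseline-mismatch", f"{ip} now maps to {mac}, expected {expected}"))
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            # One interface answering for several IPs is the signature of a poisoner
            # inserting itself between victims (e.g. a host and the gateway).
            findings.append(("duplicate-mac", f"{mac} claims {sorted(ips)}"))
    return findings


def watch_arp_replies(replies):
    """replies: (sender_ip, sender_mac) from ARP replies in arrival order, e.g. from a
    packet capture. Alerts when an IP's MAC changes, which legitimate hosts rarely do."""
    seen = {}
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in seen and seen[ip] != mac:
            alerts.append(f"{ip} changed from {seen[ip]} to {mac}")
        seen[ip] = mac
    return alerts


if __name__ == "__main__":
    # Constructed snapshot in which 00:11:22:33:44:99 now answers for the gateway.
    snapshot = [
        ("192.168.1.1", "00:11:22:33:44:99"),
        ("192.168.1.20", "00:11:22:33:44:20"),
        ("192.168.1.50", "00:11:22:33:44:99"),
    ]
    for finding in check_arp_table(snapshot):
        print(finding)
```

On a Windows host the raw input for `check_arp_table` is the output of `arp -a`; the fix for a confirmed poisoning is to isolate the offending port and, for critical hosts such as the gateway, pin static ARP entries or enable dynamic ARP inspection on the switch.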

4. Authentication Category:-
Authentication and authorization attacks aim at gaining access to resources without the correct credentials.
* Dictionary Attack:- A type of brute force attack where an intruder attempts to crack a password-protected security system with a "dictionary list" of common words and phrases used by businesses and individuals.
* Brute Force Attack:- A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys.
* Password Spray Attack:- The basics of a password spraying attack involve a threat actor using a single common password against multiple accounts on the same application.
  (Or)
  Using one password on multiple user IDs.
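Telling a password spray apart from a brute-force attempt in authentication logs, as an added example that is not from the notes: the log lines are constructed and their field layout (timestamp, `src=`, `user=`, `result=`) is an assumption rather than any vendor's format. The thresholds and the five-minute window are assumptions a SOC would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: one source trying many users (spray), one source
# hammering a single user (brute force), and one harmless single failure.
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:02 src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:03 src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:00:04 src=203.0.113.7 user=dave result=FAIL
2024-05-01T09:00:05 src=203.0.113.7 user=erin result=FAIL
2024-05-01T09:00:06 src=203.0.113.7 user=frank result=SUCCESS
2024-05-01T09:10:00 src=198.51.100.4 user=alice result=FAIL
2024-05-01T09:10:01 src=198.51.100.4 user=alice result=FAIL
2024-05-01T09:10:02 src=198.51.100.4 user=alice result=FAIL
2024-05-01T09:10:03 src=198.51.100.4 user=alice result=FAIL
2024-05-01T09:10:04 src=198.51.100.4 user=alice result=FAIL
2024-05-01T09:30:00 src=192.0.2.9 user=gina result=FAIL
"""


def parse(lines):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in lines.splitlines():
        ts, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def detect(events, window=timedelta(minutes=5), min_users=5, min_attempts=5):
    """password_spray: one source, >= min_users distinct users failing inside the window.
    brute_force: one source, >= min_attempts failures against a single user in the window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    alerts = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):           # sliding window over this source's failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            bucket = fails[start:end + 1]
            users = {e["user"] for e in bucket}
            if len(users) >= min_users:
                alerts.append(("password_spray", src, sorted(users)))
                break
            if len(bucket) >= min_attempts and len(users) == 1:
                alerts.append(("brute_force", src, sorted(users)))
                break
    return alerts


def success_after_spray(events, alerts):
    """Triage follow-up: a sprayed source that later logged in names the account to contain."""
    sprayed = {src for kind, src, _ in alerts if kind == "password_spray"}
    return [(e["src"], e["user"]) for e in events
            if e["result"] == "SUCCESS" and e["src"] in sprayed]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    found = detect(evs)
    print(found)
    print(success_after_spray(evs, found))
```

Per-account lockout thresholds do not catch a spray, because each account sees only one failure; the detection has to pivot on the source (or on distinct users per source), which is why the rule groups by `src` first.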

5. DoS Attack:- A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. This is done by flooding the SYN.
   (Note:- To know what "SYN" is, go to page 2)
6. DDoS Attack:- DDoS attack means "Distributed Denial-of-Service (DDoS) attack" and it is a cybercrime in which the attacker floods a server with internet traffic to prevent users from accessing connected online services and sites.
Other Attacks
* Sweet32
* Heartbleed
* Poodle Attack
* Golden Ticket
* Silver Ticket

* Sweet32:- When we use HTTP and want to secure it (HTTPS) then we use SSL/TLS certificates, and if any user uses old versions of SSL/TLS certificates then the hacker can hack or attack the server; this attack is known as Sweet32.
* Heartbleed:- Other than SSL/TLS there are 18 certificates and the attack on those 18 certificates is known as the Heartbleed attack.
* Poodle Attack:- (Padding Oracle On Downgraded Legacy Encryption)
  The attacker will intercept the connection between your browser and a web server. They will then force your browser to downgrade the server's security protocol to SSL 3.0 from TLS 1.0 to steal your confidential information.
* Golden Ticket:- A Golden Ticket attack is a malicious cybersecurity attack in which a threat actor attempts to gain almost unlimited access to an organization's domain (devices, files, domain controllers, etc.) by accessing user data stored in Microsoft Active Directory (AD).
* Silver Ticket:- When a hacker gets access to only a few applications then it is called a Silver Ticket.
End Point Security
* EDR Tool
* DLP Tool
* FIM Tool
* Encryption Tool

* EDR Tool:- (Endpoint Detection and Response)
  EDR is also known as the Next Generation Antivirus.
  EDR is used to detect malware.
  * Implementation of EDR Tool
    When an EDR is installed on a server the EDR tool is pushed to all the systems (laptops, PCs). This method is known as the Client-Server method and the process is known as System Center Configuration Manager (SCCM).
    Malware is sent through a file.
  * How the EDR Tool Works:-
    The EDR tool matches the file details with the database of previous attacks, and if EDR finds a match with the database then the EDR tool gives a warning.
    (Note:- VirusTotal is an open source database which helps us to scan a file (or) URL for a virus)
    An EDR tool can block a file by hash value, but an antivirus cannot block a file; it can only detect the virus.
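The hash-based block described above, as an added example that is not from the notes: the "database of previous attacks" is a constructed set of SHA-256 values, the file contents are constructed bytes, and the verdict logic (block on a hash hit, otherwise allow and keep the hash for later hunting) is an assumption about how such a tool is wired up. The VirusTotal URL form is the public one for looking up a hash; nothing is uploaded.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """The file's hash value, which is what the block list is keyed on."""
    return hashlib.sha256(data).hexdigest()


# Constructed "known bad" content. A real database stores only the hashes of samples.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00constructed-bad-sample"
BLOCKLIST = {sha256_hex(KNOWN_BAD_SAMPLE): "Constructed.Dropper.A"}   # hash -> family name


def scan_file(data: bytes, blocklist=BLOCKLIST) -> dict:
    """Compare the file's hash with the block list; block on a hit, otherwise allow."""
    digest = sha256_hex(data)
    if digest in blocklist:
        return {"action": "block", "hash": digest, "family": blocklist[digest]}
    return {"action": "allow", "hash": digest, "family": None}


def virustotal_lookup_url(digest: str) -> str:
    """Where an analyst would check an unknown hash by hand (lookup only, no upload)."""
    return "https://www.virustotal.com/gui/file/" + digest


def scan_many(files: dict, blocklist=BLOCKLIST) -> dict:
    """files: name -> bytes. Returns name -> verdict, the shape an EDR console reports."""
    return {name: scan_file(data, blocklist) for name, data in files.items()}


if __name__ == "__main__":
    # Constructed endpoint contents: the known sample, a one-byte variant, and a clean file.
    verdicts = scan_many({
        "invoice.exe": KNOWN_BAD_SAMPLE,
        "invoice2.exe": KNOWN_BAD_SAMPLE + b"\x00",
        "notes.txt": b"meeting at 10",
    })
    for name, v in verdicts.items():
        print(name, v["action"], v["family"] or virustotal_lookup_url(v["hash"]))
```

The one-byte variant slipping through is the limitation of hash matching: it is exact, so a repacked sample gets a new hash. That is why EDR products pair hash blocks with behavioural detection, and why an unknown hash that allowed a file is still worth keeping for retrospective hunting once intelligence catches up.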

* DLP Tool:- It is used to safeguard the data.
  The data is classified into:-
  1. Office Data
  2. Personal Data
  * Office Data:-
    I. Internal Data:- The data which can only be accessed by the employees of the company is known as Internal Data.
    II. Public Data:- The data which can be accessed by anyone is known as Public Data.
    III. Restricted Data:- The data which can only be accessed by a very few people in the company is known as Restricted Data.
  * Personal Data:-
    I. PII:- Personally Identifiable Information
    II. PHI:- Protected Health Information
* FIM Tool:- File integrity monitoring (FIM), sometimes referred to as file integrity management, is a security process that monitors and analyses the integrity of critical assets, including file systems, directories, databases, network devices, the operating system (OS), OS components and software applications for signs of tampering or corruption, which may be an indication of a cyber-attack.
* Encryption Tool:- (Data at rest)

Network Security
* DPC:- Defense In Depth Control
  Defense in depth is a strategy that leverages multiple security measures to protect an organization's assets. The thinking is that if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped along the way.

* NGFW:- It monitors inbound and outbound traffic.
  Features:-
  1. Packet Filtering
  2. Stateful Inspection (Deep Packet Analysis)
  3. Application Gateway
  4. IP Filtering
  5. Malware Scan

* Packet Filtering:-
  Packet filtering is a firewall technique used to control network access by monitoring outgoing and incoming packets and allowing them to pass or halt based on the source and destination Internet Protocol (IP) addresses, protocols and ports.
* Stateful Inspection (Deep Packet Analysis):-
  Stateful inspection, also known as dynamic packet filtering, is a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall.
  * TCP/IP layers:-
    * Application (4th layer)
    * Transport (3rd layer)
    * Internet (2nd layer)
    * Network Interface (1st layer)
    i. Application Layer:- check for DNS, HTTPS
    ii. Transport Layer:- check for the 3 way hand shake, flags
    iii. Internet Layer:- check for packet dropping and packet retransfer
* Application Gateway:-
  An application gateway is a program that serves as a firewall proxy. It runs between computers in a network to tighten security. It is responsible for filtering incoming traffic that contains network application data. To illustrate, think of a program that wants to connect with another
* IP Filtering:- IP filtering lets you control what IP traffic will be allowed into and out of your network. Basically, it protects your network by filtering packets according to the rules that you define.
* Malware Scan:- Malware scanning is the process of detecting malware in the computer to eliminate it.
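The difference between the packet filtering and the stateful inspection features listed above, as one added example that is not from the notes: a stateless rule match beside a firewall that remembers the connections its rules admitted. The packets are constructed 5-tuples with TCP flags, and the rule set (internal clients may go out to HTTPS and DNS, everything else is denied) is an assumption for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""  # TCP flags, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


# Constructed rule set: allow internal clients out to HTTPS and DNS, deny all else.
RULES = [
    {"action": "allow", "src": "192.168.1.0/24", "proto": "tcp", "dport": 443},
    {"action": "allow", "src": "192.168.1.0/24", "proto": "udp", "dport": 53},
]


def rule_matches(rule, pkt):
    return (pkt.proto == rule["proto"] and pkt.dport == rule["dport"]
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule["src"]))


def stateless_filter(pkt):
    """Packet filtering: each packet judged alone on addresses, protocol and ports."""
    for rule in RULES:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"


class StatefulFirewall:
    """Stateful inspection: admit a new connection through the rules, then allow the
    rest of that flow (including replies) from the state table; unsolicited inbound
    packets that belong to no tracked connection are dropped."""

    def __init__(self):
        self.table = set()   # (src, sport, dst, dport, proto) of admitted connections

    def decide(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.table:
            return "allow"                      # reply to a tracked connection
        if key in self.table:
            return "allow"                      # further packets of an established flow
        if pkt.proto == "tcp" and pkt.flags != "S":
            return "deny"                       # not a new connection and not tracked
        if stateless_filter(pkt) == "allow":    # new connection: consult the rules
            self.table.add(key)
            return "allow"
        return "deny"


if __name__ == "__main__":
    fw = StatefulFirewall()
    out = Packet("192.168.1.10", "203.0.113.5", "tcp", 50000, 443, "S")
    reply = Packet("203.0.113.5", "192.168.1.10", "tcp", 443, 50000, "SA")
    print("outbound SYN:", fw.decide(out))
    print("reply, stateless:", stateless_filter(reply), "| stateful:", fw.decide(reply))
```

A purely stateless filter would need an extra rule permitting inbound traffic from port 443 to every high port to let the reply through, which is exactly the hole stateful tracking closes: the reply is allowed only because the client's SYN was seen first.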
High Availability
The data should be available at all times, even when the company is under a cyber-attack. To make the data highly available two servers are used: a primary server and a secondary server.

* Basic conditions:-
  1. Same model number
  2. Same firmware (OS)
  3. Same interface connections

* Upgrade process:-
  i. Never upgrade both the servers at the same time.
  ii. Break the connection between the primary & secondary server.
  iii. Make the primary server the secondary server and the secondary server the primary server.
      Primary server -> Secondary server
      Secondary server -> Primary server
  iv. Upgrade the current secondary server.
  v. Check whether it is working properly or not for two days.
  vi. Make the secondary server the primary server and the primary server the secondary server.
      Secondary server -> Primary server
      Primary server -> Secondary server
  vii. Upgrade the secondary server.
VPN
A VPN is a private network via a public network.
(Or)
A VPN is a private network between the end user and the office location via a public network.
* Types of VPN:-
  1. Site to site VPN
  2. Remote VPN

* Site to site VPN:- A site-to-site virtual private network (VPN) refers to a connection set up between multiple networks. This could be a corporate network where multiple offices work in conjunction with each other or a branch office network with a central office and multiple branch locations.
* Remote VPN:- A remote access virtual private network (VPN) enables users to connect to a private network remotely using a VPN. Employees who need to access their company's network from off-site locations or people who want to securely connect to a private network from a public area frequently use this kind of VPN.
* VPN Components:-
  1. VPN Client
  2. VPN Portal
  3. VPN Gateway

  * VPN Client:- A VPN client is software (program, app) that works with the VPN server to establish a secure connection between your device and the server. In corporations and other large organizations, a VPN client might be a hardware device that carries out the same task. When a user clicks on the VPN it asks for a user ID and password, and if you enter them correctly it goes to the next step, the VPN portal.
  * VPN Portal:- A virtual private network, or VPN, is an encrypted connection over the Internet from a device to a network. The encrypted connection helps ensure that sensitive data is safely transmitted. It prevents unauthorized people from eavesdropping on the traffic and allows the user to conduct work remotely.
  * VPN Gateway:- A VPN gateway is a type of virtual network gateway. A virtual network gateway is composed of two or more Azure-managed VMs that are automatically configured and deployed to a specific subnet you create called the GatewaySubnet. The gateway VMs contain routing tables and run specific gateway services.

Proxy
A proxy server is a system or router that provides a gateway between users and the internet. Therefore, it helps prevent cyber attackers from entering a private network. It is a server, referred to as an "intermediary" because it goes between end-users and the web pages they visit online.

* Proxies are of two types:
  1. Forward Proxy
  2. Reverse Proxy

* Forward Proxy:- A forward proxy is an intermediary that sits between one or more user devices and the internet. Instead of validating a client request and sending it directly to a web server, a forward proxy server evaluates the request, takes any needed actions, and routes the request to the destination on the client's behalf.
* Reverse Proxy:- A reverse proxy server is a type of proxy server that typically sits behind the firewall in a private network and directs client requests to the appropriate backend server. A reverse proxy provides an additional level of abstraction and control to ensure the smooth flow of network traffic between clients and servers.

NIDS/NIPS
It is used to identify command and control.
What is NGFW?
An NGFW can do the work of a Firewall, Proxy, NIDS & NIPS.

Application Security

Application development -> Software Development Life Cycle (SDLC).

Phase   Development          Security
1       Requirement          -
2       Design               Threat modeling (Microsoft STRIDE)
3       Code (Development)   SAST (Static Application Security Testing), TPS (Third Party Scan)
4       Testing              Vulnerability Assessment and Pen Testing
5       Production           -
Cryptography
Cryptography is the process of hiding or coding information so that only the
person a message was intended for can read it. The art of cryptography has been
used to code messages for thousands of years and continues to be used in bank
cards, computer passwords, and ecommerce.
Cryptography deals with Encryption and Decryption.
Note: - Encryption at End point security is for data at rest and Encryption in
cryptography is for Data at transit

Cryptography is done using two keys: - public key and private key

Types of cryptography: -
1. Symmetric: - For Encryption and Decryption we use the same key.
2. Asymmetric: - For Encryption and Decryption we use Different keys.

OWASP – top 10
1. Broken Access Control
2. Cryptography Failures
3. Injection Flaws
4. Insecure Design
5. Security Miss-configuration
6. Vulnerability Outdated Component
7. Authentication Failures
8. Software Data Integrity
9. Security Logging and Monitoring
10. Server Side Request Forgery

I. Broken Access Control: - Access control limits what each account may do; it is broken when a user can act outside those limits, for example a normal user account reaching admin-only functions or data.
II. Cryptography Failures: - If data is protected with a weak cipher or key (or not encrypted at all), an attacker can recover it.
III. Injection Flaws: - The attacker supplies malicious input that the application passes on and executes as code or as a query.
IV. Insecure Design: - When we develop an application we follow the SDLC, which includes a design phase; if the design lacks security controls integrated into the application throughout the development cycle, this weakness arises.
V. Security Misconfiguration: - Security misconfigurations are security controls that are inaccurately configured or left insecure, putting your systems and data at risk. Basically, any poorly documented configuration change, default setting, or technical issue across any component in your endpoints could lead to a misconfiguration.
VI. Vulnerable and Outdated Components: - When we develop an application we use third-party software, and if that third-party software is outdated or has known vulnerabilities, it can be attacked.
VII. Authentication Failures: - The failure of a system to identify and/or authenticate users leaves the application susceptible to attacks and leaves user accounts and data at risk.
VIII. Software and Data Integrity Failures: - Data integrity is the overall accuracy, completeness, and consistency of data. Data integrity also refers to the safety of data in regard to regulatory compliance, such as GDPR compliance, and security. It is maintained by a collection of processes, rules, and standards implemented during the design phase (for example Role Based Access Control (RBAC)).
IX. Security Logging and Monitoring Failures (Team): - Logging and monitoring functions provide administrators and security teams with raw traffic data that help detect potential threats by identifying unusual patterns. These mechanisms are basic security pillars that form the foundation of a robustly administered security framework.
X. Server Side Request Forgery: - A Server-Side Request Forgery (SSRF) attack is a security vulnerability in which an attacker tricks a server into accessing unintended resources on the attacker's behalf. An SSRF attack can lead to sensitive information being leaked or the attacker gaining control of other systems.
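The usual defence against SSRF is to decide, before the server connects anywhere, whether the caller-supplied destination is one it is allowed to reach. The block below is an added example (not code from these notes or from OWASP) of that check in standard-library Python: allowed schemes only, no credentials in the URL, an optional host allowlist, and a resolved-address check that refuses names or IP literals pointing at loopback, private, link-local or other non-public addresses. The `resolver` argument, the `FAKE_DNS` table and every host and address in it are constructed for offline illustration; a real deployment would pass a function wrapping `socket.getaddrinfo`.

```python
"""Destination check for server-side fetches (added example, not the page's code)."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_target(url: str, resolver, allowed_hosts=None):
    """Return (allowed, reason). Only reason 'ok' means the fetch may proceed.

    resolver(host) -> list of address strings; hypothetical injection point
    so the check runs offline here and against real DNS in production.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, "host not on allowlist"
    # IP literals (including bracketed IPv6, which urlsplit unwraps) skip DNS.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except Exception:
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    # Every resolved address must be public; one internal answer is enough to refuse.
    for a in addrs:
        if not is_public_address(a):
            return False, f"resolves to non-public address {a}"
    return True, "ok"


# Constructed resolver table standing in for DNS (addresses from documentation ranges).
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "intranet.example.com": ["10.0.0.12"],
}


def fake_resolver(host: str):
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("https://api.example.com/data", "http://localhost/admin",
              "http://[::1]/", "ftp://api.example.com/"):
        print(u, check_fetch_target(u, fake_resolver))
```

Two caveats matter in practice: the HTTP client must connect to the address that was checked rather than resolving the name a second time (otherwise a name that changes its answer between check and connect defeats the test), and any redirect the server follows is a new destination that has to pass the same check.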

Frameworks followed by a SOC

ITIL Framework: - (Information Technology Infrastructure Library)
 Incident Life Cycle: -
I. Preparation (SOC room)
II. Identification (How did the attack take place?)
III. Containment (Quarantining the system)
IV. Eradication (Removing the virus)
V. Recovery (Rejoining the system to the network)
VI. Lessons Learned
SIEM Tool
Cyber security work majorly revolves around the SIEM tool (Security Information and Event Management).

Log: - Computer-recorded activity.

 Log Collection
 Log Processing
 Log Analysis
 Log Monitoring
 Alert Generation  Analysis  SOC Team

SIEM Tool  LOG  Generally recorded value (normal activity)

SIEM Tool  LOG  Abnormal change (Event)  Alert (if the log impacts negatively on CIA)

Log Sources
 In Networking: -
1. Router
2. Switch
3. Load Balancer
4. LAN
5. WAN

 In Security: - EDR, DLP, FIM, IDS, IPS, Encryption, WAF, Proxy, FW

 Application: -
1. App server
2. Web Server
3. Database Server
4. Cloud Server

 Infrastructure: - DNS, DHCP, SMTP, DC, AD.

 Windows (Logs): -
Event Viewer:-
1. Audit log
2. Application log
3. System log
4. Setup log
Triaging
To triage means to assign a level of importance or urgency to incidents, which
then determines the order in which they will be investigated.
IOC: - Indicator of Compromise.
IOA: - Indicator of Attack.

 When you click on “Alert” you will get the following


1. Time Stamp
2. Event ID
3. Host Name
4. IP Address
5. Source Port
6. Destination Port
7. Attachments
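The SIEM pipeline above (log, abnormal change, alert) and the triage step can be shown end to end in a few dozen lines. The block below is an added example, not code from these notes or from any SIEM product: it parses constructed Windows logon events carrying the alert fields listed above (timestamp, event ID, host, IP), looks up each event's potential criticality from the Windows Event ID table that follows, and runs two rules: a single-event rule for High / Medium-to-High events such as 1102 (audit log cleared) and a correlation rule that fires when a burst of failed logons (4625) from one source is followed by a successful logon (4624) from the same source. The log format, host names, addresses, user names and the "High" criticality assigned to the correlation alert are all constructed for illustration.

```python
"""SIEM-style correlation over constructed Windows logon events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Potential criticality per event ID, taken from the Windows Event ID table in these notes.
CRITICALITY = {
    1102: "Medium to High",   # The audit log was cleared
    4719: "High",             # System audit policy was changed
    4624: "Low",              # An account was successfully logged on
    4625: "Low",              # An account failed to log on
    4720: "Low",              # A user account was created
}

# Constructed sample log lines (not real telemetry): timestamp|event_id|host|source_ip|user
SAMPLE_LOGS = """\
2024-05-01T09:00:01|4625|WS01|203.0.113.7|alice
2024-05-01T09:00:03|4625|WS01|203.0.113.7|alice
2024-05-01T09:00:05|4625|WS01|203.0.113.7|alice
2024-05-01T09:00:07|4625|WS01|203.0.113.7|alice
2024-05-01T09:00:09|4625|WS01|203.0.113.7|alice
2024-05-01T09:00:12|4624|WS01|203.0.113.7|alice
2024-05-01T09:05:00|4625|WS02|198.51.100.9|bob
2024-05-01T09:30:00|4624|WS02|198.51.100.9|bob
2024-05-01T10:00:00|1102|DC01|10.0.0.5|svc_backup
2024-05-01T10:01:00|4720|DC01|10.0.0.5|svc_backup
"""


@dataclass
class Event:
    ts: datetime
    event_id: int
    host: str
    src_ip: str
    user: str


def parse_logs(text: str):
    """Log collection/processing: turn the constructed pipe format into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, host, ip, user = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), int(eid), host, ip, user))
    return sorted(events, key=lambda e: e.ts)


def triage(event_id: int) -> str:
    """Criticality used to order the analyst queue; IDs not in the table are 'Unknown'."""
    return CRITICALITY.get(event_id, "Unknown")


def single_event_alerts(events):
    """Any event whose table criticality is High or Medium to High is an alert on its own."""
    return [
        {"rule": "high_criticality_event", "criticality": triage(e.event_id),
         "event_id": e.event_id, "host": e.host, "src_ip": e.src_ip, "timestamp": e.ts}
        for e in events if triage(e.event_id) in ("High", "Medium to High")
    ]


def bruteforce_then_success_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Correlation: a 4624 preceded by >= threshold 4625s from the same host and source
    inside the window. Two Low events together become a High alert (constructed rating)."""
    alerts = []
    for ev in events:
        if ev.event_id != 4624:
            continue
        failures = [
            f for f in events
            if f.event_id == 4625 and f.host == ev.host and f.src_ip == ev.src_ip
            and ev.ts - window <= f.ts < ev.ts
        ]
        if len(failures) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "criticality": "High",
                           "event_id": 4624, "host": ev.host, "src_ip": ev.src_ip,
                           "user": ev.user, "failures": len(failures), "timestamp": ev.ts})
    return alerts


def run_rules(text: str):
    """Collect -> process -> analyse -> alerts for the SOC team, ordered by time."""
    events = parse_logs(text)
    alerts = single_event_alerts(events) + bruteforce_then_success_alerts(events)
    return sorted(alerts, key=lambda a: a["timestamp"])


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS):
        print(alert)
```

On the sample data the WS02 pair does not fire: one failure 25 minutes before the success is below the threshold and outside the window, which is the point of correlating on count and time rather than on the event ID alone.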

Windows Event IDs

(Below are the Windows Event IDs; you need to remember at least 4 of them.)
Current Legacy
Potential
Windows Windows Event Summary
Criticality
Event ID Event ID
4618 N/A High A monitored security event pattern has occurred.
A replay attack was detected. May be a harmless false
4649 N/A High
positive due to misconfiguration error.
4719 612 High System audit policy was changed.
4765 N/A High SID History was added to an account.
4766 N/A High An attempt to add SID History to an account failed.
An attempt was made to set the Directory Services
4794 N/A High
Restore Mode.
4897 801 High Role separation enabled:
4964 N/A High Special groups have been assigned to a new logon.
A security setting was updated on the OCSP Responder
5124 N/A High
Service
Medium to
N/A 550 Possible denial-of-service (DoS) attack
High
Medium to
1102 517 The audit log was cleared
High
Administrator recovered system from
CrashOnAuditFail. Users who are not administrators
4621 N/A Medium
will now be allowed to log on. Some auditable activity
might not have been recorded.
4675 N/A Medium SIDs were filtered.
4692 N/A Medium Backup of data protection master key was attempted.
4693 N/A Medium Recovery of data protection master key was attempted.
Current Legacy
Potential
Windows Windows Event Summary
Criticality
Event ID Event ID
4706 610 Medium A new trust was created to a domain.
4713 617 Medium Kerberos policy was changed.
4714 618 Medium Encrypted data recovery policy was changed.
4715 N/A Medium The audit policy (SACL) on an object was changed.
4716 620 Medium Trusted domain information was modified.
4724 628 Medium An attempt was made to reset an account's password.
4727 631 Medium A security-enabled global group was created.
4735 639 Medium A security-enabled local group was changed.
4737 641 Medium A security-enabled global group was changed.
4739 643 Medium Domain Policy was changed.
4754 658 Medium A security-enabled universal group was created.
4755 659 Medium A security-enabled universal group was changed.
4764 667 Medium A security-disabled group was deleted
4764 668 Medium A group's type was changed.
The ACL was set on accounts which are members of
4780 684 Medium
administrators groups.
RPC detected an integrity violation while decrypting an
4816 N/A Medium
incoming message.
4865 N/A Medium A trusted forest information entry was added.
4866 N/A Medium A trusted forest information entry was removed.
4867 N/A Medium A trusted forest information entry was modified.
The certificate manager denied a pending certificate
4868 772 Medium
request.
4870 774 Medium Certificate Services revoked a certificate.
The security permissions for Certificate Services
4882 786 Medium
changed.
4885 789 Medium The audit filter for Certificate Services changed.
The certificate manager settings for Certificate Services
4890 794 Medium
changed.
4892 796 Medium A property of Certificate Services changed.
One or more rows have been deleted from the certificate
4896 800 Medium
database.
4906 N/A Medium The CrashOnAuditFail value has changed.
4907 N/A Medium Auditing settings on object were changed.
4908 N/A Medium Special Groups Logon table modified.
4912 807 Medium Per User Audit Policy was changed.
IPsec dropped an inbound packet that failed an integrity
check. If this problem persists, it could indicate a
4960 N/A Medium
network issue or that packets are being modified in
transit to this computer. Verify that the packets sent
Current Legacy
Potential
Windows Windows Event Summary
Criticality
Event ID Event ID
from the remote computer are the same as those received
by this computer. This error might also indicate
interoperability problems with other IPsec
implementations.
IPsec dropped an inbound packet that failed a replay
4961 N/A Medium check. If this problem persists, it could indicate a replay
attack against this computer.
IPsec dropped an inbound packet that failed a replay
4962 N/A Medium check. The inbound packet had too low a sequence
number to ensure it was not a replay.
IPsec dropped an inbound clear text packet that should
have been secured. This is usually due to the remote
computer changing its IPsec policy without informing
4963 N/A Medium
this computer. This could also be a spoofing attack
attempt.

IPsec received a packet from a remote computer with an


incorrect Security Parameter Index (SPI). This is usually
caused by malfunctioning hardware that is corrupting
packets. If these errors persist, verify that the packets
sent from the remote computer are the same as those
4965 N/A Medium
received by this computer. This error may also indicate
interoperability problems with other IPsec
implementations. In that case, if connectivity is not
impeded, then these events can be ignored.

During Main Mode negotiation, IPsec received an


invalid negotiation packet. If this problem persists, it
4976 N/A Medium could indicate a network issue or an attempt to modify
or replay this negotiation.

During Quick Mode negotiation, IPsec received an


invalid negotiation packet. If this problem persists, it
4977 N/A Medium could indicate a network issue or an attempt to modify
or replay this negotiation.

During Extended Mode negotiation, IPsec received an


invalid negotiation packet. If this problem persists, it
4978 N/A Medium could indicate a network issue or an attempt to modify
or replay this negotiation.

An IPsec Extended Mode negotiation failed. The


corresponding Main Mode security association has been
4983 N/A Medium
deleted.
Current Legacy
Potential
Windows Windows Event Summary
Criticality
Event ID Event ID
An IPsec Extended Mode negotiation failed. The
4984 N/A Medium corresponding Main Mode security association has been
deleted.
The Windows Firewall Service was unable to retrieve
5027 N/A Medium the security policy from the local storage. The service
will continue enforcing the current policy.
The Windows Firewall Service was unable to parse the
5028 N/A Medium new security policy. The service will continue with
currently enforced policy.
The Windows Firewall Service failed to initialize the
5029 N/A Medium driver. The service will continue to enforce the current
policy.
5030 N/A Medium The Windows Firewall Service failed to start.
5035 N/A Medium The Windows Firewall Driver failed to start.
The Windows Firewall Driver detected critical runtime
5037 N/A Medium
error. Terminating.
Code integrity determined that the image hash of a file is
not valid. The file could be corrupt due to unauthorized
5038 N/A Medium
modification or the invalid hash could indicate a
potential disk device error.
5120 N/A Medium OCSP Responder Service Started
5121 N/A Medium OCSP Responder Service Stopped
A configuration entry changed in OCSP Responder
5122 N/A Medium
Service
A configuration entry changed in OCSP Responder
5123 N/A Medium
Service
5376 N/A Medium Credential Manager credentials were backed up.
Credential Manager credentials were restored from a
5377 N/A Medium
backup.
An IPsec negotiation with a remote computer failed
5453 N/A Medium because the IKE and AuthIP IPsec Keying Modules
(IKEEXT) service is not started.
IPsec Services failed to get the complete list of network
interfaces on the computer. This poses a potential
security risk because some of the network interfaces
5480 N/A Medium
may not get the protection provided by the applied IPsec
filters. Use the IP Security Monitor snap-in to diagnose
the problem.
IPsec Services failed to initialize RPC server. IPsec
5483 N/A Medium
Services could not be started.
IPsec Services has experienced a critical failure and has
5484 N/A Medium
been shut down. The shutdown of IPsec Services can put
Current Legacy
Potential
Windows Windows Event Summary
Criticality
Event ID Event ID
the computer at greater risk of network attack or expose
the computer to potential security risks.
IPsec Services failed to process some IPsec filters on a
plug-and-play event for network interfaces. This poses a
potential security risk because some of the network
5485 N/A Medium
interfaces may not get the protection provided by the
applied IPsec filters. Use the IP Security Monitor snap-
in to diagnose the problem.
The Netlogon service denied a vulnerable Netlogon
5827 N/A Medium
secure channel connection from a machine account.
The Netlogon service denied a vulnerable Netlogon
5828 N/A Medium
secure channel connection using a trust account.
One or more errors occurred while processing security
6145 N/A Medium
policy in the Group Policy objects.
6273 N/A Medium Network Policy Server denied access to a user.
6274 N/A Medium Network Policy Server discarded the request for a user.
Network Policy Server discarded the accounting request
6275 N/A Medium
for a user.
6276 N/A Medium Network Policy Server quarantined a user.
Network Policy Server granted access to a user but put it
6277 N/A Medium on probation because the host did not meet the defined
health policy.
Network Policy Server granted full access to a user
6278 N/A Medium
because the host met the defined health policy.
Network Policy Server locked the user account due to
6279 N/A Medium
repeated failed authentication attempts.
6280 N/A Medium Network Policy Server unlocked the user account.
- 640 Medium General account database changed
- 619 Medium Quality of Service Policy changed
24586 N/A Medium An error was encountered converting volume
An attempt to automatically restart conversion on
24592 N/A Medium
volume %2 failed.
Metadata write: Volume %2 returning errors while
24593 N/A Medium trying to modify metadata. If failures continue, decrypt
volume
Metadata rebuild: An attempt to write a copy of
24594 N/A Medium metadata on volume %2 failed and may appear as disk
corruption. If failures continue, decrypt volume.
4608 512 Low Windows is starting up.
4609 513 Low Windows is shutting down.
An authentication package has been loaded by the Local
4610 514 Low
Security Authority.
Current Legacy
Potential
Windows Windows Event Summary
Criticality
Event ID Event ID
A trusted logon process has been registered with the
4611 515 Low
Local Security Authority.
Internal resources allocated for the queuing of audit
4612 516 Low messages have been exhausted, leading to the loss of
some audits.
A notification package has been loaded by the Security
4614 518 Low
Account Manager.
4615 519 Low Invalid use of LPC port.
4616 520 Low The system time was changed.
A security package has been loaded by the Local
4622 N/A Low
Security Authority.
4624 528,540 Low An account was successfully logged on.
529-
4625 Low An account failed to log on.
537,539
4634 538 Low An account was logged off.
4646 N/A Low IKE DoS-prevention mode started.
4647 551 Low User initiated logoff.
4648 552 Low A logon was attempted using explicit credentials.
An IPsec Main Mode security association was
4650 N/A Low established. Extended Mode was not enabled. Certificate
authentication was not used.
An IPsec Main Mode security association was
4651 N/A Low established. Extended Mode was not enabled. A
certificate was used for authentication.
4652 N/A Low An IPsec Main Mode negotiation failed.
4653 N/A Low An IPsec Main Mode negotiation failed.
4654 N/A Low An IPsec Quick Mode negotiation failed.
4655 N/A Low An IPsec Main Mode security association ended.
4656 560 Low A handle to an object was requested.
4657 567 Low A registry value was modified.
4658 562 Low The handle to an object was closed.
A handle to an object was requested with intent to
4659 N/A Low
delete.
4660 564 Low An object was deleted.
4661 565 Low A handle to an object was requested.
4662 566 Low An operation was performed on an object.
4663 567 Low An attempt was made to access an object.
4664 N/A Low An attempt was made to create a hard link.
An attempt was made to create an application client
4665 N/A Low
context.
4666 N/A Low An application attempted an operation:
Current Legacy
Potential
Windows Windows Event Summary
Criticality
Event ID Event ID
4667 N/A Low An application client context was deleted.
4668 N/A Low An application was initialized.
4670 N/A Low Permissions on an object were changed.
An application attempted to access a blocked ordinal
4671 N/A Low
through the TBS.
4672 576 Low Special privileges assigned to new logon.
4673 577 Low A privileged service was called.
4674 578 Low An operation was attempted on a privileged object.
4688 592 Low A new process has been created.
4689 593 Low A process has exited.
4690 594 Low An attempt was made to duplicate a handle to an object.
4691 595 Low Indirect access to an object was requested.
4694 N/A Low Protection of auditable protected data was attempted.
4695 N/A Low Unprotection of auditable protected data was attempted.
4696 600 Low A primary token was assigned to process.
4697 601 Low Attempt to install a service
4698 602 Low A scheduled task was created.
4699 602 Low A scheduled task was deleted.
4700 602 Low A scheduled task was enabled.
4701 602 Low A scheduled task was disabled.
4702 602 Low A scheduled task was updated.
4704 608 Low A user right was assigned.
4705 609 Low A user right was removed.
4707 611 Low A trust to a domain was removed.
4709 N/A Low IPsec Services was started.
4710 N/A Low IPsec Services was disabled.
May contain any one of the following: PAStore Engine
applied locally cached copy of Active Directory storage
IPsec policy on the computer. PAStore Engine applied
Active Directory storage IPsec policy on the computer.
PAStore Engine applied local registry storage IPsec
policy on the computer. PAStore Engine failed to apply
locally cached copy of Active Directory storage IPsec
4711 N/A Low policy on the computer. PAStore Engine failed to apply
Active Directory storage IPsec policy on the computer.
PAStore Engine failed to apply local registry storage
IPsec policy on the computer. PAStore Engine failed to
apply some rules of the active IPsec policy on the
computer. PAStore Engine failed to load directory
storage IPsec policy on the computer. PAStore Engine
loaded directory storage IPsec policy on the computer.
Current Legacy
Potential
Windows Windows Event Summary
Criticality
Event ID Event ID
PAStore Engine failed to load local storage IPsec policy
on the computer. PAStore Engine loaded local storage
IPsec policy on the computer.PAStore Engine polled for
changes to the active IPsec policy and detected no
changes.
4712 N/A Low IPsec Services encountered a potentially serious failure.
4717 621 Low System security access was granted to an account.
4718 622 Low System security access was removed from an account.
4720 624 Low A user account was created.
4722 626 Low A user account was enabled.
4723 627 Low An attempt was made to change an account's password.
4725 629 Low A user account was disabled.
4726 630 Low A user account was deleted.
A member was added to a security-enabled global
4728 632 Low
group.
A member was removed from a security-enabled global
4729 633 Low
group.
4730 634 Low A security-enabled global group was deleted.
4731 635 Low A security-enabled local group was created.
4732 636 Low A member was added to a security-enabled local group.
A member was removed from a security-enabled local
4733 637 Low
group.
4734 638 Low A security-enabled local group was deleted.
4738 642 Low A user account was changed.
4740 644 Low A user account was locked out.
4741 645 Low A computer account was changed.
4742 646 Low A computer account was changed.
4743 647 Low A computer account was deleted.
4744 648 Low A security-disabled local group was created.
4745 649 Low A security-disabled local group was changed.
4746 650 Low A member was added to a security-disabled local group.
A member was removed from a security-disabled local
4747 651 Low
group.
4748 652 Low A security-disabled local group was deleted.
4749 653 Low A security-disabled global group was created.
4750 654 Low A security-disabled global group was changed.
A member was added to a security-disabled global
4751 655 Low
group.
A member was removed from a security-disabled global
4752 656 Low
group.
Current Legacy
Potential
Windows Windows Event Summary
Criticality
Event ID Event ID
4753 657 Low A security-disabled global group was deleted.
A member was added to a security-enabled universal
4756 660 Low
group.
A member was removed from a security-enabled
4757 661 Low
universal group.
4758 662 Low A security-enabled universal group was deleted.
4759 663 Low A security-disabled universal group was created.
4760 664 Low A security-disabled universal group was changed.
A member was added to a security-disabled universal
4761 665 Low
group.
A member was removed from a security-disabled
4762 666 Low
universal group.
4767 671 Low A user account was unlocked.
4768 672,676 Low A Kerberos authentication ticket (TGT) was requested.
4769 673 Low A Kerberos service ticket was requested.
4770 674 Low A Kerberos service ticket was renewed.
4771 675 Low Kerberos pre-authentication failed.
4772 672 Low A Kerberos authentication ticket request failed.
4774 678 Low An account was mapped for logon.
4775 679 Low An account could not be mapped for logon.
The domain controller attempted to validate the
4776 680,681 Low
credentials for an account.
The domain controller failed to validate the credentials
4777 N/A Low
for an account.
4778 682 Low A session was reconnected to a Window Station.
4779 683 Low A session was disconnected from a Window Station.
4781 685 Low The name of an account was changed:
4782 N/A Low The password hash an account was accessed.
4783 667 Low A basic application group was created.
4784 N/A Low A basic application group was changed.
4785 689 Low A member was added to a basic application group.
4786 690 Low A member was removed from a basic application group.
4787 691 Low A nonmember was added to a basic application group.
A nonmember was removed from a basic application
4788 692 Low
group.
4789 693 Low A basic application group was deleted.
4790 694 Low An LDAP query group was created.
4793 N/A Low The Password Policy Checking API was called.
4800 N/A Low The workstation was locked.
4801 N/A Low The workstation was unlocked.
Current Legacy
Potential
Windows Windows Event Summary
Criticality
Event ID Event ID
4802 N/A Low The screen saver was invoked.
4803 N/A Low The screen saver was dismissed.
4864 N/A Low A namespace collision was detected.
Certificate Services received a resubmitted certificate
4869 773 Low
request.
Certificate Services received a request to publish the
4871 775 Low
certificate revocation list (CRL).
Certificate Services published the certificate revocation
4872 776 Low
list (CRL).
4873 777 Low A certificate request extension changed.
4874 778 Low One or more certificate request attributes changed.
4875 779 Low Certificate Services received a request to shut down.
4876 780 Low Certificate Services backup started.
4877 781 Low Certificate Services backup completed.
4878 782 Low Certificate Services restore started.
4879 783 Low Certificate Services restore completed.
4880 784 Low Certificate Services started.
4881 785 Low Certificate Services stopped.
4883 787 Low Certificate Services retrieved an archived key.
Certificate Services imported a certificate into its
4884 788 Low
database.
4886 790 Low Certificate Services received a certificate request.
Certificate Services approved a certificate request and
4887 791 Low
issued a certificate.
4888 792 Low Certificate Services denied a certificate request.
Certificate Services set the status of a certificate request
4889 793 Low
to pending.
4891 795 Low A configuration entry changed in Certificate Services.
4893 797 Low Certificate Services archived a key.
4894 798 Low Certificate Services imported and archived a key.
Certificate Services published the CA certificate to
4895 799 Low
Active Directory Domain Services.
4898 802 Low Certificate Services loaded a template.
4902 N/A Low The Per-user audit policy table was created.
4904 N/A Low An attempt was made to register a security event source.
An attempt was made to unregister a security event
4905 N/A Low
source.
4909 N/A Low The local policy settings for the TBS were changed.
4910 N/A Low The Group Policy settings for the TBS were changed.
Current Legacy
Potential
Windows Windows Event Summary
Criticality
Event ID Event ID
An Active Directory replica source naming context was
4928 N/A Low
established.
An Active Directory replica source naming context was
4929 N/A Low
removed.
An Active Directory replica source naming context was
4930 N/A Low
modified.
An Active Directory replica destination naming context
4931 N/A Low
was modified.
Synchronization of a replica of an Active Directory
4932 N/A Low
naming context has begun.
Synchronization of a replica of an Active Directory
4933 N/A Low
naming context has ended.
4934 N/A Low Attributes of an Active Directory object were replicated.
4935 N/A Low Replication failure begins.
4936 N/A Low Replication failure ends.
4937 N/A Low A lingering object was removed from a replica.
The following policy was active when the Windows
4944 N/A Low
Firewall started.
4945 N/A Low A rule was listed when the Windows Firewall started.
A change has been made to Windows Firewall exception
4946 N/A Low
list. A rule was added.
A change has been made to Windows Firewall exception
4947 N/A Low
list. A rule was modified.
A change has been made to Windows Firewall exception
4948 N/A Low
list. A rule was deleted.
Windows Firewall settings were restored to the default
4949 N/A Low
values.
4950 N/A Low A Windows Firewall setting has changed.
A rule has been ignored because its major version
4951 N/A Low
number was not recognized by Windows Firewall.
Parts of a rule have been ignored because its minor
4952 N/A Low version number was not recognized by Windows
Firewall. The other parts of the rule will be enforced.
A rule has been ignored by Windows Firewall because it
4953 N/A Low
could not parse the rule.
Windows Firewall Group Policy settings have changed.
4954 N/A Low
The new settings have been applied.
4956 N/A Low Windows Firewall has changed the active profile.
4957 N/A Low Windows Firewall did not apply the following rule:
Windows Firewall did not apply the following rule
4958 N/A Low because the rule referred to items not configured on this
computer:
Current Legacy
Potential
Windows Windows Event Summary
Criticality
Event ID Event ID
IPsec Main Mode and Extended Mode security
4979 N/A Low
associations were established.
IPsec Main Mode and Extended Mode security
4980 N/A Low
associations were established.
IPsec Main Mode and Extended Mode security
4981 N/A Low
associations were established.
IPsec Main Mode and Extended Mode security
4982 N/A Low
associations were established.
4985 N/A Low The state of a transaction has changed.
5024 N/A Low The Windows Firewall Service has started successfully.
5025 N/A Low The Windows Firewall Service has been stopped.
The Windows Firewall Service blocked an application
5031 N/A Low
from accepting incoming connections on the network.
Windows Firewall was unable to notify the user that it
5032 N/A Low blocked an application from accepting incoming
connections on the network.
5033 N/A Low The Windows Firewall Driver has started successfully.
5034 N/A Low The Windows Firewall Driver has been stopped.
5039 N/A Low A registry key was virtualized.
A change has been made to IPsec settings. An
5040 N/A Low
Authentication Set was added.
A change has been made to IPsec settings. An
5041 N/A Low
Authentication Set was modified.
A change has been made to IPsec settings. An
5042 N/A Low
Authentication Set was deleted.
A change has been made to IPsec settings. A Connection
5043 N/A Low
Security Rule was added.
A change has been made to IPsec settings. A Connection
5044 N/A Low
Security Rule was modified.
A change has been made to IPsec settings. A Connection
5045 N/A Low
Security Rule was deleted.
A change has been made to IPsec settings. A Crypto Set
5046 N/A Low
was added.
A change has been made to IPsec settings. A Crypto Set
5047 N/A Low
was modified.
A change has been made to IPsec settings. A Crypto Set
5048 N/A Low
was deleted.
An attempt to programmatically disable the Windows
5050 N/A Low Firewall using a call to
InetFwProfile.FirewallEnabled(False)
5051 N/A Low A file was virtualized.
5056 N/A Low A cryptographic self test was performed.
Current Legacy
Potential
Windows Windows Event Summary
Criticality
Event ID Event ID
5057 N/A Low A cryptographic primitive operation failed.
5058 N/A Low Key file operation.
5059 N/A Low Key migration operation.
5060 N/A Low Verification operation failed.
5061 N/A Low Cryptographic operation.
5062 N/A Low A kernel-mode cryptographic self test was performed.
5063 N/A Low A cryptographic provider operation was attempted.
5064 N/A Low A cryptographic context operation was attempted.
5065 N/A Low A cryptographic context modification was attempted.
5066 N/A Low A cryptographic function operation was attempted.
5067 N/A Low A cryptographic function modification was attempted.
A cryptographic function provider operation was
5068 N/A Low
attempted.
A cryptographic function property operation was
5069 N/A Low
attempted.
A cryptographic function property modification was
5070 N/A Low
attempted.
A request was submitted to the OCSP Responder
5125 N/A Low
Service
Signing Certificate was automatically updated by the
5126 N/A Low
OCSP Responder Service
The OCSP Revocation Provider successfully updated
5127 N/A Low
the revocation information
5136 566 Low A directory service object was modified.
5137 566 Low A directory service object was created.
5138 N/A Low A directory service object was undeleted.
5139 N/A Low A directory service object was moved.
5140 N/A Low A network share object was accessed.
5141 N/A Low A directory service object was deleted.
5152 N/A Low The Windows Filtering Platform blocked a packet.
A more restrictive Windows Filtering Platform filter has
5153 N/A Low
blocked a packet.
The Windows Filtering Platform has permitted an
5154 N/A Low application or service to listen on a port for incoming
connections.
The Windows Filtering Platform has blocked an
5155 N/A Low application or service from listening on a port for
incoming connections.
The Windows Filtering Platform has allowed a
5156 N/A Low
connection.
Current Legacy
Potential
Windows Windows Event Summary
Criticality
Event ID Event ID
The Windows Filtering Platform has blocked a
5157 N/A Low
connection.
The Windows Filtering Platform has permitted a bind to
5158 N/A Low
a local port.
The Windows Filtering Platform has blocked a bind to a
5159 N/A Low
local port.
The requested credentials delegation was disallowed by
5378 N/A Low
policy.
The following callout was present when the Windows
5440 N/A Low
Filtering Platform Base Filtering Engine started.
The following filter was present when the Windows
5441 N/A Low
Filtering Platform Base Filtering Engine started.
The following provider was present when the Windows
5442 N/A Low
Filtering Platform Base Filtering Engine started.
The following provider context was present when the
5443 N/A Low Windows Filtering Platform Base Filtering Engine
started.
The following sublayer was present when the Windows
5444 N/A Low
Filtering Platform Base Filtering Engine started.
5446 N/A Low A Windows Filtering Platform callout has been changed.
5447 N/A Low A Windows Filtering Platform filter has been changed.
A Windows Filtering Platform provider has been
5448 N/A Low
changed.
A Windows Filtering Platform provider context has been
5449 N/A Low
changed.
A Windows Filtering Platform sublayer has been
5450 N/A Low
changed.
An IPsec Quick Mode security association was
5451 N/A Low
established.
5452 N/A Low An IPsec Quick Mode security association ended.
PAStore Engine applied Active Directory storage IPsec
5456 N/A Low
policy on the computer.
Current Windows Event ID | Legacy Windows Event ID | Potential Criticality | Event Summary
5457 | N/A | Low | PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
5458 | N/A | Low | PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
5459 | N/A | Low | PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
5460 | N/A | Low | PAStore Engine applied local registry storage IPsec policy on the computer.
5461 | N/A | Low | PAStore Engine failed to apply local registry storage IPsec policy on the computer.
5462 | N/A | Low | PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
5463 | N/A | Low | PAStore Engine polled for changes to the active IPsec policy and detected no changes.
5464 | N/A | Low | PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
5465 | N/A | Low | PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
5466 | N/A | Low | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
5467 | N/A | Low | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
5468 | N/A | Low | PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
5471 | N/A | Low | PAStore Engine loaded local storage IPsec policy on the computer.
5472 | N/A | Low | PAStore Engine failed to load local storage IPsec policy on the computer.
5473 | N/A | Low | PAStore Engine loaded directory storage IPsec policy on the computer.
5474 | N/A | Low | PAStore Engine failed to load directory storage IPsec policy on the computer.
5477 | N/A | Low | PAStore Engine failed to add quick mode filter.
5479 | N/A | Low | IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
5632 | N/A | Low | A request was made to authenticate to a wireless network.
5633 | N/A | Low | A request was made to authenticate to a wired network.
5712 | N/A | Low | A Remote Procedure Call (RPC) was attempted.
5888 | N/A | Low | An object in the COM+ Catalog was modified.
5889 | N/A | Low | An object was deleted from the COM+ Catalog.
5890 | N/A | Low | An object was added to the COM+ Catalog.
6008 | N/A | Low | The previous system shutdown was unexpected.
6144 | N/A | Low | Security policy in the Group Policy objects has been applied successfully.
6272 | N/A | Low | Network Policy Server granted access to a user.
N/A | 561 | Low | A handle to an object was requested.
N/A | 563 | Low | Object open for delete.
N/A | 625 | Low | User Account Type Changed.
N/A | 613 | Low | IPsec policy agent started.
N/A | 614 | Low | IPsec policy agent disabled.
N/A | 615 | Low | IPsec policy agent.
N/A | 616 | Low | IPsec policy agent encountered a potential serious failure.
24577 | N/A | Low | Encryption of volume started.
24578 | N/A | Low | Encryption of volume stopped.
24579 | N/A | Low | Encryption of volume completed.
24580 | N/A | Low | Decryption of volume started.
24581 | N/A | Low | Decryption of volume stopped.
24582 | N/A | Low | Decryption of volume completed.
24583 | N/A | Low | Conversion worker thread for volume started.
24584 | N/A | Low | Conversion worker thread for volume temporarily stopped.
24588 | N/A | Low | The conversion operation on volume %2 encountered a bad sector error. Please validate the data on this volume.
24595 | N/A | Low | Volume %2 contains bad clusters. These clusters will be skipped during conversion.
24621 | N/A | Low | Initial state check: Rolling volume conversion transaction on %2.
5049 | N/A | Low | An IPsec Security Association was deleted.
5478 | N/A | Low | IPsec Services has started successfully.
SIEM Architecture
There are three SIEM components:
1. Data Collector
2. Data Processor
3. User Console

Flow: Data Collector (Aggregation, Normalization, Parsing) -> Data Processor (Indexing, Querying, Filtering) -> User Console.

Data Collector:
- Aggregation: collection of logs from different log sources.
- Normalization: rescaling the size.
- Parsing: converting a raw log into an understandable log.

Data Processor:
- Indexing: grouping of different types of events based on their log sources.
- Querying (or) Correlation: linking one event with another event, i.e., mapping one event to another event.
- Filtering:
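The collector and processor stages above, as an added example in Python that is not part of these notes: a handful of constructed log lines from two sources (Windows Security events rendered as key=value text and a firewall syslog line) are aggregated, parsed into one common schema, indexed by source, and correlated with a rule that links repeated 4625 logon failures to a following 4624 success from the same address. The log formats, host names, addresses, the key=value rendering, the threshold, the two rule names and the treatment of unparsed lines as "filtering" are all assumptions made for the example; the logon-type names are Microsoft's documented names for the types listed in the Windows Logon section of these notes.

```python
"""Miniature SIEM pipeline: aggregation, parsing/normalization, indexing,
correlation. Added example; every log line, host and address is constructed."""
import re
from collections import defaultdict

# Logon type names (Microsoft's names for the types the notes list:
# 2, 3, 4, 5, 7, 8, 9, 10, 11). Type 8 carries the password in clear text.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Aggregation input: constructed lines from two log sources. The Windows
# Security events are rendered as key=value text (an assumed forwarder format).
RAW_LOGS = [
    "2024-05-01T10:00:01Z host=WS01 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9 LogonType=3",
    "2024-05-01T10:00:02Z host=WS01 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9 LogonType=3",
    "2024-05-01T10:00:03Z host=WS01 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9 LogonType=3",
    "2024-05-01T10:00:09Z host=WS01 EventID=4624 TargetUserName=alice IpAddress=10.0.0.9 LogonType=3",
    "2024-05-01T10:05:00Z host=WS02 EventID=4624 TargetUserName=bob IpAddress=10.0.0.5 LogonType=8",
    "<134>May  1 10:00:00 fw01 kernel: DENY src=10.0.0.9 dst=10.0.0.20 dpt=445",
    "this line is noise and is filtered out",
]

WIN_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) (?P<rest>.*)$")
FW_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)


def parse(line):
    """Parsing + normalization: turn one raw line into the common schema
    (source, ts, host, event_id, action, user, src_ip, logon_type, ...)
    or None when no parser matches (the line is then filtered out)."""
    m = WIN_RE.match(line)
    if m:
        kv = dict(item.split("=", 1) for item in m["rest"].split())
        eid = int(m["eid"])
        ltype = int(kv.get("LogonType", 0))
        return {
            "source": "windows", "ts": m["ts"], "host": m["host"],
            "event_id": eid,
            "action": {4624: "logon_success", 4625: "logon_failure"}.get(eid, "other"),
            "user": kv.get("TargetUserName"), "src_ip": kv.get("IpAddress"),
            "logon_type": LOGON_TYPES.get(ltype, f"unknown({ltype})"),
        }
    m = FW_RE.match(line)
    if m:
        return {
            "source": "firewall", "ts": m["ts"], "host": m["host"],
            "event_id": None, "action": m["action"].lower(),
            "user": None, "src_ip": m["src"],
            "dst_ip": m["dst"], "dst_port": int(m["dpt"]), "logon_type": None,
        }
    return None


def index_by_source(events):
    """Indexing: group normalized events by the log source they came from."""
    index = defaultdict(list)
    for ev in events:
        index[ev["source"]].append(ev)
    return dict(index)


def correlate(events, threshold=3):
    """Correlation: link events to each other. Two rules (assumed for the example):
    - failed-then-success: `threshold` or more logon failures for the same
      (source IP, user) followed by a success from that pair;
    - cleartext-logon: any success with logon type 8 (NetworkCleartext).
    Events are assumed to arrive in time order."""
    failures = defaultdict(int)
    alerts = []
    for ev in events:
        if ev["source"] != "windows":
            continue
        key = (ev["src_ip"], ev["user"])
        if ev["action"] == "logon_failure":
            failures[key] += 1
        elif ev["action"] == "logon_success":
            if failures[key] >= threshold:
                alerts.append({"rule": "failed-then-success", "host": ev["host"],
                               "user": ev["user"], "src_ip": ev["src_ip"],
                               "failures": failures[key]})
            failures[key] = 0
            if ev["logon_type"] == "NetworkCleartext":
                alerts.append({"rule": "cleartext-logon", "host": ev["host"],
                               "user": ev["user"], "src_ip": ev["src_ip"]})
    return alerts


def run_pipeline(raw_lines):
    """Aggregation -> parsing/normalization (+ filtering) -> indexing -> correlation."""
    events = [ev for ev in (parse(line) for line in raw_lines) if ev is not None]
    return index_by_source(events), correlate(events)


if __name__ == "__main__":
    index, alerts = run_pipeline(RAW_LOGS)
    for source, evs in index.items():
        print(f"{source}: {len(evs)} events")
    for alert in alerts:
        print(alert)
```

Running the block prints the per-source index counts and two alerts: the three failures for alice from 10.0.0.9 followed by her success, and bob's type 8 logon. A real SIEM would order events by a normalized timestamp before correlating; here the two sources use different timestamp formats, so the example relies on arrival order.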

Retention Policy
The retention policy defines how long the backup logs must be kept.
Min: 3 months to Max: 1 year

Common Event Format (CEF)
The Common Event Format (CEF) is a standardized logging format that is used to simplify the process of logging security-related events and integrating logs from different sources into a single system. CEF uses a structured data format to log events and supports a wide range of event types and severity levels.
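As an added example that is not part of these notes, here is a small CEF encoder and decoder in Python showing the structure the paragraph describes: a `CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|` header followed by a key=value extension, with the escaping rules the format requires (backslash and pipe escaped in the header, backslash and equals sign escaped in the extension). The vendor, product and event values are constructed for the example.

```python
"""CEF (Common Event Format) encoder and decoder. Added example; the
vendor, product and event values are constructed."""
import re


def _escape_header(value):
    # In the seven header fields a backslash and a pipe must be escaped.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    # In the extension a backslash and an equals sign must be escaped.
    return str(value).replace("\\", "\\\\").replace("=", "\\=")


def to_cef(vendor, product, version, signature_id, name, severity, **extension):
    """Build one CEF:0 line. Extension keys are the CEF dictionary names
    (src, suser, dhost, msg, cs1/cs1Label, ...)."""
    header = "|".join(_escape_header(v) for v in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{key}={_escape_extension(val)}" for key, val in extension.items())
    return f"CEF:0|{header}|{ext}"


def _split_header(line):
    """Split on the first seven unescaped pipes; return (fields, extension)."""
    fields, current, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped char: keep next literally
            current.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    return fields, line[i:]


_KEY_RE = re.compile(r"(?:^|\s)([\w.]+)=")   # a key is a word right before an unescaped "="


def parse_extension(ext):
    """Parse 'k=v k2=v with spaces' into a dict, honouring \\= and \\\\ escapes."""
    matches = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        out[m.group(1)] = re.sub(r"\\(.)", r"\1", ext[m.end():end])
    return out


def from_cef(line):
    """Decode a CEF line into a dict; raises ValueError on a malformed header."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, ext = _split_header(line)
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-separated fields")
    return {
        "cef_version": fields[0][len("CEF:"):],
        "vendor": fields[1], "product": fields[2], "version": fields[3],
        "signature_id": fields[4], "name": fields[5], "severity": fields[6],
        "extension": parse_extension(ext),
    }


def example_event():
    """A constructed logon-failure event; the name and msg deliberately
    contain '|' and '=' to exercise the escaping."""
    return to_cef("ExampleVendor", "ExampleSIEM", "1.0", "4625",
                  "Logon failure | brute force", 7,
                  src="10.0.0.9", suser="alice", dhost="WS01",
                  msg="reason=bad password", cs1="3", cs1Label="LogonType")


if __name__ == "__main__":
    line = example_event()
    print(line)
    print(from_cef(line))
```

The decoder is the part worth keeping: extension values may contain spaces, so keys are found by searching for a word followed by an unescaped equals sign, and each value runs up to the next key. A parser that simply splits on spaces will silently truncate fields such as msg.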

Blocking
Malicious Domain: block in firewall, proxy, EDR
Malicious IP: block in firewall
Malicious URL: block in firewall, proxy, EDR, WAF
Hash Value: block in EDR
SOC
Alert state | Human (analyst) state
False Positive | Ok
True Positive | Alert
False Negative | No problem
True Negative | Very much Alert

False: the incident we received did not compromise any device.
True: the incident we received did compromise the device.
Positive: the abnormal log was notified as an alert in the SIEM tool.
Negative: the abnormal log was not notified as an alert in the SIEM tool.

Incident Analysis
Cyber incident analysis refers to the carefully orchestrated process of identifying what happened, why and how it happened, and what can be done to prevent it from happening again.

1. Malware Analysis:
Step 1: Assigning the alert
Step 2: Triaging
IOC (Indicator of Compromise): User Account, Host Name, IP address, File Location, Domain, Location
IOA (Indicator of Attacker): Source IP address, Source, File format, Hash value

Step 3: Validation
Once we find that the file contains a virus or harmful content, we go to the VirusTotal website and check the IOA values:
(i) IP Address -> pass/fail
(ii) Hash Value -> pass/fail
(iii) Domain -> pass/fail

VirusTotal check of the IP address, hash value and domain:
- No (false positive): close the ticket.
- Yes (true positive): block the indicators, then contact the user.
  - Domain -> block in firewall, proxy, EDR
  - IP address -> block in firewall
  - Hash value -> block in EDR
  Ask the compromised user whether he installed or opened the software:
  - Yes -> (i) isolation, (ii) antivirus scan; if no virus is found, close the ticket.
  - No -> (i) antivirus scan; if no virus is found, close the ticket.
2. EMAIL ANALYSIS:
Step 1: Once the alert is triggered, we assign the alert to one of the SOC resources.
Step 2: Triaging (by checking the email in the O365 Defender tool)
IOC (Indicator of Compromise):
1. Receiver E-mail ID
2. Host Name
3. IP Address
IOA (Indicator of Attacker):
1. Sender E-mail ID -> (Vijay@publicfinance.com)
2. Domain -> (publicfinance.com)
3. IP address
4. Attachment -> URL, file
5. SPF, DKIM, DMARC
Step 3: Validation
VirusTotal check of the IP address, hash value, domain and URL:
- No (false positive): close the ticket.
- Yes (true positive): block the indicators, then contact the user.
  - Domain -> block in firewall, proxy, EDR
  - URL -> block in firewall, proxy, EDR, WAF
  - IP address -> block in firewall
  - Hash value -> block in EDR
  Ask the compromised user whether he installed or opened the software:
  - Yes -> (i) isolation, (ii) antivirus scan; if no virus is found, close the ticket.
  - No -> (i) antivirus scan; if no virus is found, close the ticket.
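The triage step above, as an added example that is not part of these notes: a constructed .eml message is parsed with Python's standard email module to pull out the IOA fields the notes list (sender address and domain, attachment names, URLs) and the SPF/DKIM/DMARC verdicts that a mail gateway records in the Authentication-Results header. The message, the addresses (modelled on the notes' sample sender but under the reserved .example domain), the header layout and the list of macro-enabled extensions are all constructed assumptions.

```python
"""Email alert triage helper. Added example; the message, addresses and
header values are all constructed (the sender mirrors the notes' sample
address but under the reserved .example domain)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: SPF passes for the bulk mailer's envelope domain, but
# DKIM and DMARC fail for the From domain, and the envelope is not aligned.
SAMPLE_EML = """\
From: "Payroll" <vijay@publicfinance.example>
To: user@corp.example
Subject: Updated salary sheet
Return-Path: <bounce@mailer-bulk.example>
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=mailer-bulk.example;
 dkim=fail header.d=publicfinance.example;
 dmarc=fail (p=reject) header.from=publicfinance.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review http://publicfinance-login.example/sheet and open the attachment.
--b1
Content-Type: application/octet-stream; name="salary.xlsm"
Content-Disposition: attachment; filename="salary.xlsm"

AAAA
--b1--
"""

# Verdict tokens in an Authentication-Results header (RFC 8601 style).
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# File extensions treated as high-interest attachments (assumed list).
MACRO_EXTS = {"xlsm", "docm", "pptm"}


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def extract_indicators(raw):
    """IOA fields from the notes: sender ID, sender domain, attachments, URLs,
    plus the envelope (Return-Path) domain and the SPF/DKIM/DMARC verdicts."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    attachments, urls = [], []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            urls.extend(URL_RE.findall(body))
    return {
        "sender": sender, "sender_domain": _domain(sender),
        "return_path_domain": _domain(return_path),
        "attachments": attachments, "urls": urls, "auth": auth_results(msg),
    }


def triage(ind):
    """Findings for the analyst. An empty list means nothing stood out."""
    findings = []
    for check in ("spf", "dkim", "dmarc"):
        verdict = ind["auth"].get(check, "missing")
        if verdict != "pass":
            findings.append(f"{check} verdict is {verdict}")
    if ind["return_path_domain"] and ind["return_path_domain"] != ind["sender_domain"]:
        findings.append("Return-Path domain differs from From domain (not aligned)")
    for name in ind["attachments"]:
        if name.rsplit(".", 1)[-1].lower() in MACRO_EXTS:
            findings.append(f"macro-enabled attachment: {name}")
    findings.extend(f"URL to validate: {url}" for url in ind["urls"])
    return findings


if __name__ == "__main__":
    indicators = extract_indicators(SAMPLE_EML)
    for finding in triage(indicators):
        print(finding)
```

The extracted domain, hash of the attachment and URLs are what the analyst then validates (the notes use VirusTotal); the SPF/DKIM/DMARC verdicts and the envelope/From mismatch come straight from the headers and need no external lookup, so they are a cheap first filter.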
3. Ransomware Malware Analysis:
Alert name: Malware detected
Step 1: Assigning the alert
Step 2: Triaging
IOC (Indicator of Compromise): User Account, Host Name, IP address, File Location, Domain, Location
IOA (Indicator of Attacker): Source IP address, Source, File format, Hash value

Step 3: Validation
Once we find that the file contains a virus or harmful content, we go to the VirusTotal website and check the IOA values:
(i) IP Address -> pass/fail
(ii) Hash Value -> pass/fail
(iii) URL -> pass/fail
(iv) Domain -> pass/fail

Step 4: In case of a compromised state
1. Contact the Network team: confirm whether there is a backup for the affected server.
   No: we can't do anything.
   Yes: then follow the steps below.
   I. Backup server -> primary server (the backup takes over as primary).
   II. Isolate the previous primary server.
   III. Run an AV scan and format the isolated server.
   IV. Reinstall, and everything is back to normal.
Windows Logon
A logon is an event in Windows that shows a user account being granted some access to a workstation/server/computer.
(Or)
Windows Logon gives you the type of operation and also identifies the type of network operation.
There are nine types of logon:
There is no type 1.

Type 2: Interactive
This deals with login to the computer and login to any hardware.

Type 3: Network
It deals with login to a computer using the network.

Type 4: Batch
It deals with login into a batch of servers.

Type 5: Service
It deals with the Service Control Manager.

There is no type 6.

Type 7: Unlock
It deals with multiple failures that will lock and unlock.

Type 8: Network Clear Text
It deals with logons where no encryption is used.

Type 9: New Credentials
It deals with initial access.

Type 10: Remote Interactive
It deals with login using remote access.

Type 11: Cached Interactive

HTTP Status Code:
1xx: Information
2xx: Success
3xx: Redirection
4xx: Client-side error
5xx: Server-side error
