- OS Logs: operating system logs from servers, workstations and network devices
- Audit Logs: security event information such as failed authentication, file access, policy changes and account changes
- Application Logs: all events logged by programs, e.g. email servers and database servers
- Security Logs: logs of network- and host-based security software, such as antivirus logs and all other security-related logs
- Router logs are stored in the router cache
- They give detailed information about the network traffic
- Logs from honeypots are considered suspicious by default
- The honeypot admin is the only authorized user of a honeypot
Popular Event IDs
- 528 – Successful logon to an account
- 531 – Logon attempt made by a disabled account
- 532 – Logon attempt made with an expired account
UDP Port 123 – NTP
Event Correlation Approaches:
- Graph based
- Neural network based
- Rule based
- Automated field correlation
- Payload correlation
- Same platform correlation
- Cross platform correlation
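To make the event ID list and the rule-based correlation approach concrete, here is an added example that is not part of the original notes. It parses a constructed (not real) export of legacy Windows security events, keeps only the failure IDs 531 and 532 from the list above, and applies one rule: three or more such attempts from the same workstation inside a five-minute window raise an alert. The pipe-delimited export format, the threshold and the window size are assumptions chosen for the example; the rule relies on all log sources sharing a synchronised clock, which is why NTP (UDP 123) matters for correlation.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Meaning of the event IDs listed in the notes (legacy Windows security log)
EVENT_NAMES = {
    528: "successful logon",
    531: "logon attempt by disabled account",
    532: "logon attempt with expired account",
}
FAILURE_IDS = {531, 532}

# Constructed sample export, NOT real log data.
# Assumed format: timestamp|event_id|account|workstation
SAMPLE_EXPORT = """\
2024-01-01T09:00:00|531|jdoe|WS01
2024-01-01T09:00:30|531|jdoe|WS01
2024-01-01T09:01:10|532|svc_old|WS01
2024-01-01T09:02:00|528|asmith|WS07
2024-01-01T14:00:00|531|jdoe|WS02
2024-01-01T14:20:00|531|jdoe|WS02
"""


def parse_export(text):
    """Normalise each export line into a dict; malformed lines are skipped
    rather than aborting the whole run."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, event_id, account, workstation = parts
        try:
            records.append({
                "ts": datetime.fromisoformat(ts),
                "event_id": int(event_id),
                "account": account,
                "workstation": workstation,
            })
        except ValueError:
            continue
    return records


def correlate_failures(records, threshold=3, window=timedelta(minutes=5)):
    """Rule-based, time-window correlation.

    Rule: at least `threshold` disabled/expired-account logon attempts
    (event IDs 531/532) from one workstation within `window` produce one
    alert for that workstation. Timestamps are compared directly, so every
    source must be NTP-synchronised for the window to mean anything.
    """
    recent = defaultdict(deque)   # workstation -> recent failure records
    alerted = set()
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["event_id"] not in FAILURE_IDS:
            continue
        ws = rec["workstation"]
        q = recent[ws]
        q.append(rec)
        # Drop records that fell out of the sliding window
        while q and rec["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold and ws not in alerted:
            alerted.add(ws)
            alerts.append({
                "workstation": ws,
                "count": len(q),
                "accounts": sorted({r["account"] for r in q}),
                "event_ids": sorted({r["event_id"] for r in q}),
                "first": q[0]["ts"].isoformat(),
                "last": rec["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_failures(parse_export(SAMPLE_EXPORT)):
        names = [EVENT_NAMES[i] for i in alert["event_ids"]]
        print(alert["workstation"], alert["count"], names)
```

On the sample data WS01 triggers the rule (two 531 events and one 532 event within 70 seconds), while WS02 does not because its two 531 events are 20 minutes apart, and the 528 success on WS07 is ignored by the rule entirely. Same-platform correlation would feed only Windows events through this function; cross-platform correlation would first normalise other sources (a firewall or Unix auth log) into the same record shape so the one rule can see them all.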