Logs and event co-relation

Computer Security logs – contains information about events in an organizational and network

1. OS Logs -  Logs of OS for server, workstation and network device

i.Event logs: Operational Action by OS
ii.Audit Logs: Security event information like failed auth, file access, policy changes, account changes

1. Application Logs: All events logs by Program, email server, database server.
2. Security Logs: Logs of network host based security software log like antivirus logs and all security related logs.

Router log file:

• Store logs in router cache
• Detailed info about the network traffic

Honeypot logs:

• Logs from Honeypots are considered as suspicious
• The honey pot admin is the only authorized user.

Application Logs: Application logs store event messages recorded by windows application.
Popular Event ID’s

• 528 – Successful Logged on to an account
• 531 Logon attempt made by disable account
• 532 – Expired account

Port number:
UDP Port 123- NTP
Event Correlation Approaches:

• Graph Based:
• Netural Network based
• Codebook-based
• Rule based:
• Field-Based:
• Automated Field:
• Payload Correlation:

Types of Correlation:

• Same Platform Correlation
• Cross Platform Correlation