Critical Log Review Checklist for Security Incidents

This cheat sheet presents a checklist for reviewing critical logs when responding to a security incident. It can also be used for routine log review. It was authored by Anton Chuvakin and Lenny Zeltser.

General Approach

  1. Identify which log sources and automated tools you can use during the analysis.
  2. Copy log records to a single location where you will be able to review them.
  3. Minimize “noise” by removing routine, repetitive log entries from view after confirming that they are benign.
  4. Determine whether you can rely on logs' time stamps; consider time zone differences.
  5. Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
  6. Go backwards in time from now to reconstruct actions after and before the incident.
  7. Correlate activities across different logs to get a comprehensive picture.
  8. Develop theories about what occurred; explore logs to confirm or disprove them.

Potential Security Log Sources

Server and workstation operating system logs

Application logs (e.g., web server, database server)

Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)

Outbound proxy logs and end-user application logs

Remember to consider other, non-log sources for security events.

Typical Log Locations

Linux OS and core applications: /var/log

Windows OS and core applications: Windows Event Log (Security, System, Application)

Network devices: usually logged via Syslog; some use proprietary locations and formats

What to Look for on Linux

Successful user login: “Accepted password”, “Accepted publickey”, “session opened”
Failed user login: “authentication failure”, “failed password”
User log-off: “session closed”
User account change or deletion: “password changed”, “new user”, “delete user”
Sudo actions: “sudo: … COMMAND=…”, “FAILED su”
Service failure: “failed” or “failure”
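As an added example (not part of the cheat sheet), a small Python triage script that applies the Linux search strings above to an auth.log excerpt: each line is classified into one of the categories, failed logins are counted per source address, and commands run through sudo are collected. The sample log lines, host names and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from the cheat sheet); addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 10:01:05 host sshd[1201]: Failed password for root from 203.0.113.7 port 51013 ssh2
Mar  3 10:02:40 host sshd[1210]: Accepted publickey for alice from 198.51.100.4 port 40222 ssh2
Mar  3 10:02:40 host sshd[1210]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:03:15 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd tmpuser
Mar  3 10:03:15 host useradd[1222]: new user: name=tmpuser, UID=1005, GID=1005, home=/home/tmpuser, shell=/bin/bash
Mar  3 10:03:30 host su[1230]: FAILED su for root by bob
Mar  3 10:05:00 host sshd[1210]: pam_unix(sshd:session): session closed for user alice
"""

# The cheat sheet's search strings per category as case-insensitive regexes; the catch-all "failed"/"failure" bucket is tested last.
CATEGORIES = [
    ("successful_login", r"accepted password|accepted publickey|session opened"),
    ("failed_login", r"authentication failure|failed password"),
    ("logoff", r"session closed"),
    ("account_change", r"password changed|new user|delete user"),
    ("sudo", r"sudo:.*COMMAND=|failed su\b"),
    ("service_failure", r"failed|failure"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in CATEGORIES]
SOURCE_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")
COMMAND_RE = re.compile(r"COMMAND=(.+)$")


def classify(line):
    """Return the first cheat-sheet category a line matches, or None."""
    for name, rx in COMPILED:
        if rx.search(line):
            return name
    return None


def review(log_text):
    """Count events per category, failed logins per source IP, and commands run via sudo."""
    counts, failed_by_source, sudo_commands = Counter(), Counter(), []
    for line in log_text.splitlines():
        category = classify(line)
        if category is None:
            continue
        counts[category] += 1
        if category == "failed_login" and (m := SOURCE_RE.search(line)):
            failed_by_source[m.group(1)] += 1
        elif category == "sudo" and (m := COMMAND_RE.search(line)):
            sudo_commands.append(m.group(1).strip())
    return {"counts": dict(counts), "failed_by_source": dict(failed_by_source),
            "sudo_commands": sudo_commands}
```

Run `review(SAMPLE_AUTH_LOG)` to see the per-category counts; feeding it the output of `grep -h sshd /var/log/auth.log*` works the same way on a real host.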

What to Look for on Windows

Event IDs are listed below for Windows 2000/XP. For Vista/7 Security log event IDs, add 4096 to the event ID.
Most of the events below are in the Security log; many are only logged on the domain controller.
User logon/logoff events: successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc.
User account changes: created 624; enabled 626; changed 642; disabled 629; deleted 630
Password changes: to self 628; to others 627
Service started or stopped: 7035, 7036, etc.
Object access denied (if auditing enabled): 560, 567, etc.

What to Look for on Network Devices

Look at both inbound and outbound activities.
Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.
Traffic allowed on firewall: “Built … connection”, “access-list … permitted”
Traffic blocked on firewall: “access-list … denied”, “deny inbound”, “Deny … by”
Bytes transferred (large files?): “Teardown TCP connection … duration … bytes …”
Bandwidth and protocol usage: “limit … exceeded”, “CPU utilization”
Detected attack activity: “attack from”
User account changes: “user added”, “user deleted”, “User priv level changed”
Administrator access: “AAA user …”, “User … locked out”, “login failed”
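As an added example (not part of the cheat sheet), Python that pulls two of the Cisco ASA patterns above out of a syslog excerpt: the byte count from “Teardown TCP connection … duration … bytes …” records, to flag unusually large transfers, and a per-source count of the “access-list … denied”, “deny inbound” and “Deny … by” messages. The log lines, connection IDs and addresses are constructed; the message layouts follow the ASA 302014, 106023, 106100 and 106014 formats as I know them.

```python
import re
from collections import Counter

# Constructed Cisco ASA syslog excerpts (not from the cheat sheet); addresses are documentation ranges.
SAMPLE_ASA_LOG = [
    "%ASA-6-302014: Teardown TCP connection 8801 for outside:203.0.113.9/443 to inside:10.1.2.3/51515 duration 0:10:05 bytes 734003200 TCP FINs",
    "%ASA-6-302014: Teardown TCP connection 8802 for outside:198.51.100.20/80 to inside:10.1.2.4/50110 duration 0:00:02 bytes 18442 TCP FINs",
    '%ASA-4-106023: Deny tcp src outside:203.0.113.9/44321 dst inside:10.1.2.3/22 by access-group "outside_in" [0x0, 0x0]',
    "%ASA-4-106100: access-list outside_in denied tcp outside/203.0.113.9(44322) -> inside/10.1.2.3(3389) hit-cnt 1 first hit [0x1, 0x0]",
    "%ASA-3-106014: Deny inbound icmp src outside:198.51.100.77 dst inside:10.1.2.5 (type 8, code 0)",
    "%ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.4(40222) -> inside/10.1.2.3(443) hit-cnt 1 first hit [0x2, 0x0]",
]

TEARDOWN_RE = re.compile(
    r"Teardown TCP connection \d+ for \w+:(?P<a>[\d.]+)/\d+ to \w+:(?P<b>[\d.]+)/\d+ "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)")
# The three "blocked" phrasings listed in the cheat sheet.
DENY_RE = re.compile(r"access-list \S+ denied|deny inbound|Deny \w+ src", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def large_transfers(lines, threshold_bytes):
    """Teardown records whose byte count meets the threshold, as (endpoint a, endpoint b, bytes)."""
    hits = []
    for line in lines:
        m = TEARDOWN_RE.search(line)
        if m and int(m.group("bytes")) >= threshold_bytes:
            hits.append((m.group("a"), m.group("b"), int(m.group("bytes"))))
    return hits


def denied_by_source(lines):
    """Count blocked connections per source address.

    In all three deny formats above the source is the first IPv4 literal on the line."""
    counts = Counter()
    for line in lines:
        if DENY_RE.search(line):
            m = IPV4_RE.search(line)
            if m:
                counts[m.group(0)] += 1
    return dict(counts)
```

A threshold such as 100 MiB (`large_transfers(lines, 100 * 1024 * 1024)`) surfaces the one 700 MiB session in the sample while ignoring ordinary web traffic.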

What to Look for on Web Servers

Excessive access attempts to non-existent files
Code (SQL, HTML) seen as part of the URL
Access to extensions you have not implemented
Web service stopped/started/failed messages
Access to “risky” pages that accept user input
Look at logs on all servers in the load balancer pool
Error code 200 on files that are not yours
Failed user authentication: error code 401, 403
Invalid request: error code 400
Internal server error: error code 500
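As an added example (not part of the cheat sheet), Python that applies the web-server checks above to an access log in the common combined format: repeated requests for non-existent files from one client, SQL or HTML fragments in the URL, 200 responses for file extensions the site is not supposed to serve, and the 400/401/403/500 counts. The log lines and addresses are constructed, and the set of "served" extensions is an assumption you would replace with your own site's.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Constructed combined-format access log lines (not from the cheat sheet); addresses are documentation ranges.
SAMPLE_ACCESS_LOG = """\
198.51.100.4 - - [03/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2024:10:00:05 +0000] "GET /admin.php HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.5 - - [03/Mar/2024:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.5 - - [03/Mar/2024:10:00:07 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.5 - - [03/Mar/2024:10:00:08 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.5 - - [03/Mar/2024:10:00:20 +0000] "GET /search?q=%27%20UNION%20SELECT%201 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [03/Mar/2024:10:00:31 +0000] "GET /uploads/info.php HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.4 - - [03/Mar/2024:10:01:00 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Mar/2024:10:02:00 +0000] "GET /report HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# SQL or HTML fragments that have no place in a URL on this (assumed) mostly static site.
CODE_RE = re.compile(r"union\s+select|\bselect\b.*\bfrom\b|<script", re.IGNORECASE)


def parse(line):
    """Split one combined-format line into client IP, decoded request path and status, or None."""
    m = LINE_RE.match(line)
    return None if m is None else {"ip": m["ip"], "path": unquote(m["path"]), "status": int(m["status"])}


def review_access_log(log_text, served_exts=(".html", ".css", ".js", ""), not_found_threshold=3):
    """Apply the cheat sheet's web-server checks; "" in served_exts means extension-less routes are expected."""
    not_found, status_counts = Counter(), Counter()
    code_in_url, unexpected_200 = [], []
    for rec in filter(None, map(parse, log_text.splitlines())):
        status_counts[rec["status"]] += 1
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
        if CODE_RE.search(rec["path"]):
            code_in_url.append(rec["path"])
        ext = posixpath.splitext(rec["path"].split("?", 1)[0])[1].lower()
        if rec["status"] == 200 and ext not in served_exts:
            unexpected_200.append(rec["path"])
    return {
        "excessive_404": {ip: n for ip, n in not_found.items() if n >= not_found_threshold},
        "code_in_url": code_in_url,
        "unexpected_200": unexpected_200,
        "auth_failures": status_counts[401] + status_counts[403],
        "bad_requests": status_counts[400],
        "server_errors": status_counts[500],
    }
```

Run it over the concatenated logs of every server in the load balancer pool, as the checklist suggests, so a scan spread across back-ends is still counted against one client.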

Other Resources

Windows event ID lookup

A listing of many Windows Security Log events

Log analysis references

A list of open-source log analysis tools

Anton Chuvakin's log management blog

Other security incident response-related cheat sheets

Post-Scriptum

Found this checklist useful? Tweet it!

Special thanks to Anand Sastry for providing feedback on this cheat sheet. If you have suggestions for improving this cheat sheet, please let us know.

This cheat sheet is distributed according to the Creative Commons v3 "Attribution" License. File version 1.0.
