
Windows Event Monitoring

by David Schwalenberg
January 25, 2016

[Figure: Windows Event Monitoring dashboard screenshot]

Collecting and analyzing Windows events is an important step in detecting unexpected or malicious activity on Windows systems. Windows events record application and service installations and failures, as well as user account activity. Events are also generated by Windows Firewall, Windows Defender, AppLocker, EMET, Windows Update, Windows Plug and Play (PnP), and other security applications and utilities. Events from these various sources can help an organization maintain awareness of the behavior and health of its Windows systems, but the sheer volume of events makes it difficult for administrators and analysts to pick out the important ones.

The National Security Agency developed the “Spotting the Adversary with Windows Event Log Monitoring” guide to define a recommended set of Windows events to collect and review on a frequent basis. Examples of these recommended events include Windows Firewall rule changes, Windows Defender taking action to protect the system, AppLocker blocking an application, Windows Update failures, and more. This dashboard is based on those recommendations.

Windows events can be forwarded to the Log Correlation Engine (LCE) via syslog or the LCE Client. LCE can then serve as a central location for log storage, which is recommended for event log integrity and backup. LCE is also capable of normalization and correlation of Windows events, collection of event summaries, and event statistical analysis. These details can further assist analysts in monitoring Windows systems.

This dashboard assists in monitoring the recommended Windows events from the NSA guide, which will aid organizations in maintaining awareness of the behavior and health of their Windows systems. Suspicious or unexpected behavior can be identified, monitored, and investigated. These events may indicate systems with problems, or potential malicious activity that needs to be addressed.

This dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards, and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Monitoring. The dashboard requirements are:

  • SecurityCenter 4.8.2
  • LCE 4.6.1

Tenable's SecurityCenter Continuous View (CV) is the market-defining continuous network monitoring solution. SecurityCenter CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable’s Passive Vulnerability Scanner (PVS), as well as log correlation with Tenable’s Log Correlation Engine (LCE). Using SecurityCenter CV, an organization will obtain the most comprehensive and integrated view of activity on its network.

This dashboard contains the following components:

  • Windows Event Monitoring - Windows Firewall Events - This table presents all Windows Firewall events collected in the last 72 hours. The table is sorted so that the most common events are at the top. For each event name, a count of events and a trend line that shows when the events occurred is given. Unexpected firewall state changes (started or stopped) and rule additions, deletions, and changes should be investigated, as these may indicate potentially unauthorized activity.
  • Windows Event Monitoring - Windows Defender Events - This table presents all Windows Defender events collected in the last 72 hours. Windows Defender is an antispyware and antivirus application developed by Microsoft. The table is sorted so that the most common events are at the top. For each event name, a count of events and a trend line that shows when the events occurred is given. Any notifications of Windows Defender taking action to protect the machine should be investigated. Any events that indicate that Windows Defender is not operating as expected should also be investigated. If a third-party anti-malware product is in use, that product should be monitored instead.
  • Windows Event Monitoring - Account Usage Events - This matrix presents indicators of Windows account usage in the last 72 hours. Account lockouts may indicate brute force attacks. Users being added to groups and groups being modified should be watched closely, as unauthorized membership in privileged groups is a strong indicator of malicious activity. Successful and failed logins can be further investigated for Pass the Hash activity and other unauthorized account usage. Clicking on a highlighted indicator will bring up the event analysis screen to display details on the events and allow further investigation.
  • Windows Event Monitoring - Event Indicators - This matrix presents indicators of various Windows events collected in the last 72 hours that can be critical to identifying the behavior and health of systems. This includes events from AppLocker, an application whitelisting feature included in Windows, and EMET, the Enhanced Mitigation Experience Toolkit, a utility that helps prevent vulnerabilities in software from being successfully exploited. Also included are application error and installation events, driver and service installation events, service failures, Windows Update status events, audit log clear events, invalid hash events, and Group Policy errors. Windows wireless, Windows Plug and Play (PnP), and USB device connection events are also included. These events should be investigated for unexpected behavior that may indicate systems with problems or that are exhibiting suspicious behavior. Clicking on a highlighted indicator will bring up the event analysis screen to display details on the events and allow further investigation.
  • Windows Event Monitoring - Process Summary and Statistical Events - This matrix presents indicators of various Windows process summary and statistical events generated by the Log Correlation Engine (LCE) in the last 72 hours. These events focus on the processes running on Windows systems, and can assist in maintaining awareness of the behavior and health of these systems. Daily summaries of crashed and hung processes can be investigated to find machines with problems or that are exhibiting suspicious behavior. The daily summary of EXE downloads can be investigated for any unauthorized executables. New commands (processes) that have never been previously observed and unique executables that have not been previously detected on any other systems may indicate new software or potential malicious activity. A statistical spike in process activity may indicate a new program, a new error, a user running a program in a new way, or malicious activity. Clicking on a highlighted indicator will bring up the event analysis screen to display details on the events and allow further investigation.
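The indicator logic behind the Account Usage and Event Indicators components above can be reproduced outside the dashboard. The following is an added example, not Tenable's or LCE's code: it runs the same kind of checks (account lockouts, additions to privileged groups, bursts of failed logons that may indicate brute forcing, and audit log clearing) over a small set of constructed Windows Security event records, and produces the per-event counts that the firewall and Defender tables display. The record shape (a dict with EventID, Computer, TimeCreated and the event's named fields) is a simplification assumed for the example; the event IDs are the standard Windows Security log values, and the group list, window and threshold are assumptions a deployment would tune.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Standard Windows Security log event IDs used by the checks below
LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
MEMBER_ADDED_GLOBAL = 4728
MEMBER_ADDED_LOCAL = 4732
MEMBER_ADDED_UNIVERSAL = 4756
ACCOUNT_LOCKOUT = 4740
AUDIT_LOG_CLEARED = 1102

GROUP_ADD_IDS = {MEMBER_ADDED_GLOBAL, MEMBER_ADDED_LOCAL, MEMBER_ADDED_UNIVERSAL}
# Assumed list of groups whose membership changes are always worth an alert
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}


def ev(event_id, computer, minute, **fields):
    """Build one constructed event record; `minute` is an offset from a fixed base time."""
    base = datetime(2016, 1, 25, 9, 0, 0)
    rec = {"EventID": event_id, "Computer": computer, "TimeCreated": base + timedelta(minutes=minute)}
    rec.update(fields)
    return rec


# Constructed sample events (not real telemetry). Field names follow the Windows
# convention: for group-membership events TargetUserName is the group and
# MemberName the account added; SubjectUserName is the account that acted.
SAMPLE_EVENTS = (
    [ev(LOGON_FAILURE, "DC-01", m, TargetUserName="svc_backup", IpAddress="10.0.5.23")
     for m in (0, 0.5, 1, 1.5, 2, 2.5)]
    + [ev(ACCOUNT_LOCKOUT, "DC-01", 3, TargetUserName="svc_backup")]
    + [ev(LOGON_SUCCESS, "WKS-07", 10, TargetUserName="jdoe", LogonType=2)]
    + [ev(MEMBER_ADDED_LOCAL, "WKS-07", 12, SubjectUserName="jdoe",
          TargetUserName="Administrators", MemberName="CORP\\jdoe")]
    + [ev(MEMBER_ADDED_LOCAL, "WKS-07", 13, SubjectUserName="jdoe",
          TargetUserName="Remote Desktop Users", MemberName="CORP\\asmith")]
    + [ev(AUDIT_LOG_CLEARED, "SRV-01", 40, SubjectUserName="jdoe")]
    + [ev(LOGON_FAILURE, "DC-01", 50, TargetUserName="asmith", IpAddress="10.0.5.40")]
)


def summarize_by_event(events):
    """Count events per (EventID, Computer), most common first, like the dashboard tables."""
    return Counter((e["EventID"], e["Computer"]) for e in events).most_common()


def find_indicators(events, window=timedelta(minutes=10), failure_threshold=5):
    """Return (kind, computer, detail) tuples for the account-usage and event indicators."""
    indicators = []
    failures = defaultdict(list)  # (computer, target user) -> sorted failure times
    for e in sorted(events, key=lambda r: r["TimeCreated"]):
        eid = e["EventID"]
        if eid == ACCOUNT_LOCKOUT:
            indicators.append(("account_lockout", e["Computer"], e["TargetUserName"]))
        elif eid in GROUP_ADD_IDS and e["TargetUserName"] in PRIVILEGED_GROUPS:
            detail = f"{e['MemberName']} -> {e['TargetUserName']} by {e['SubjectUserName']}"
            indicators.append(("privileged_group_add", e["Computer"], detail))
        elif eid == AUDIT_LOG_CLEARED:
            indicators.append(("audit_log_cleared", e["Computer"], e["SubjectUserName"]))
        elif eid == LOGON_FAILURE:
            failures[(e["Computer"], e["TargetUserName"])].append(e["TimeCreated"])

    # Sliding window over each account's failed logons: flag once if at least
    # `failure_threshold` failures fall inside any span of length `window`.
    for (computer, user), times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= failure_threshold:
                indicators.append(("logon_failure_burst", computer,
                                   f"{user}: {end - start + 1} failures within {window}"))
                break
    return indicators


if __name__ == "__main__":
    for key, count in summarize_by_event(SAMPLE_EVENTS):
        print(f"{key[0]:>5} on {key[1]:<7} {count}")
    for kind, computer, detail in find_indicators(SAMPLE_EVENTS):
        print(f"[{kind}] {computer}: {detail}")
```

On the sample data the script flags the lockout and the preceding burst of failures for svc_backup, the addition of jdoe to the local Administrators group, and the audit log clear on SRV-01, while the addition to Remote Desktop Users and the single failure for asmith stay below the indicator threshold. The same split between "always alert" events and "alert above a rate" events is what makes the matrix components usable at the event volumes described above.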
