Event-Logs
Threat Hunting
Definition
**What the term means**: First, I want to define what an event is, so that you can understand the logs associated with it. An event is any significant action or occurrence that is recognized by a software system; it can originate from an operating system, a network, a server, and so on. Event logs are a specific type of file that stores information about significant actions or occurrences in a computer system. The type of events tracked in an event log depends on which type of system is creating the log, but operating systems such as Windows and Linux tend to collect the following kinds of information in their event logs:

- System-related events from the OS: typically system events, such as issues encountered during startup and other OS-related events.
- Application-specific events from programs running on the machine: events logged by individual applications. The company that developed the software decides which events each application logs.
- Security-related events such as login and logout: security logs can also include file deletion. System administrators usually decide which security logs to retain based on their audit policy.
Related Terms
Threat Hunting
Examples & Use Cases
**Examples:** Windows Event Log entries are generated on any computer running a Windows OS, and these events are generally classified into one of three categories:

- System events, which capture events from the operating system itself
- Application events, logged by applications running on the Windows machine
- Security events, which capture login and logout events

Similarly, on Linux the syslog (or rsyslog, or journald/journalctl) process records both OS and application-related events. On Red Hat Linux distributions, the event log is typically the /var/log/messages file.

**How it's relevant to security investigations:** Event logs are very useful in security investigations because they typically contain the following information:

- The classification and severity level of the event
- The event timestamp
- The source of the event, such as hardware, software, the operating system, an application module, a library, or a remote IP address
- Optionally, the destination of the event, which could be an application, an IP address, or some other location
- Optionally, an event number that acts as a unique identifier for the event

Event logs can also contain information such as the user name for user-generated actions and the actual event description. With this information, a SOC analyst can better understand what they are looking at in the log and make a more informed decision on whether the activity is malicious or not.
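The field list above maps directly onto real log formats. As an added illustration (not part of the original glossary entry), the Python below normalizes one constructed Windows EVTX-style XML record and one constructed /var/log/messages line into the same set of fields; the sample values, host names, user and IP are assumptions made up for the example.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample records, not real captures. The Windows record uses the EVTX XML
# layout for a successful logon (event ID 4624); the Linux line uses /var/log/messages layout.
WINDOWS_SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
<Level>0</Level><TimeCreated SystemTime="2024-05-01T12:34:56.000Z"/>
<Channel>Security</Channel><Computer>WS01.example.test</Computer></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">10</Data>
<Data Name="IpAddress">203.0.113.7</Data></EventData></Event>"""
LINUX_SAMPLE = ("May  1 12:35:01 host1 sshd[2210]: Accepted password for alice "
                "from 203.0.113.7 port 5000 ssh2")

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

def parse_windows_event(xml_text):
    """Map one EVTX XML record onto the common fields (timestamp, source, severity, ...)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "timestamp": system.find("e:TimeCreated", NS).get("SystemTime"),
        "source": system.find("e:Provider", NS).get("Name"),
        "category": system.findtext("e:Channel", namespaces=NS),
        "severity": int(system.findtext("e:Level", namespaces=NS)),  # 0 = LogAlways
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "user": data.get("TargetUserName"),
        "remote_ip": data.get("IpAddress"),
        "description": "Logon type %s" % data.get("LogonType"),
    }

def parse_syslog_line(line):
    """Map one classic syslog line onto the same fields; None if the line is malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    user = re.search(r"for (\S+) from", m["msg"])
    ip = re.search(r"from (\d{1,3}(?:\.\d{1,3}){3})", m["msg"])
    return {
        "timestamp": m["ts"], "source": m["app"], "category": "syslog",
        "severity": None,   # the classic file layout does not keep the priority field
        "event_id": None,   # syslog has no per-event identifier, unlike Windows
        "user": user.group(1) if user else None,
        "remote_ip": ip.group(1) if ip else None,
        "description": m["msg"],
    }
```

Note how the Windows record carries a severity and an event ID while the syslog line does not, which is why analysts often enrich Linux logs before correlating them with Windows events.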
**Further reading:**

- [CyberDefender's Mastering Windows Event Log Analysis: Essential Techniques for SOC Analysts](https://cyberdefenders.org/blog/event-log-analysis-for-soc-analysts/)
- [HackTheBox's Decoding Windows event logs: A definitive guide for incident responders](https://www.hackthebox.com/blog/decoding-windows-event-logs-a-definitive-guide-for-incident-responders#:~:text=Windows%20system%20logs:&text=System%20shutdown/restart.,infection%20or%20unauthorized%20user%20access.&text=The%20event%20log%20service%20was,to%20detect%20unauthorized%20system%20reboots.&text=The%20event%20log%20service%20was%20stopped.,disruption%20for%20covering%20illicit%20activities.&text=Windows%20uptime.,unauthorized%20activity%20on%20the%20system.&text=Service%20status%20change.,a%20sign%20of%20system%20tampering.)
- [Ultimate IT Security's Windows Security Log Encyclopedia](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/)
- [Valency Networks' Important Windows Event IDs for SIEM Monitoring](https://valencynetworks.com/blogs/important-windows-event-ids-for-siem-monitoring/)