System Monitoring & Control / Event Log

Let's take a look at Windows Event Log Event IDs.

TheShield 2023. 1. 14. 18:42

1. Sites worth searching for Windows Event Log IDs

(There are hardly any well-organized official pages) - MSDN... please document this properly..

 

On the sites below you should be able to look up most Event Log IDs.

The problem is the reverse case: given a situation, finding the Event ID that corresponds to it can be hard.

For that, it is probably better to periodically crawl the systems themselves, collect every case inductively, and organize the result.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
Windows Security Log Encyclopedia (www.ultimatewindowssecurity.com)

 

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
Appendix L - Events to Monitor (learn.microsoft.com)

 

https://docs.trendmicro.com/all/ent/tmsl/v2.0_SP1/en-us/_tmsl_server_olh_2.0sp1/event_log_descriptions.html
Agent Event Log Descriptions (docs.trendmicro.com) - note that this page describes Trend Micro Safe Lock agent events, not Windows OS Event IDs.

 

http://eventopedia.cloudapp.net/default.aspx?LogType=Windows+Event+Log&LogName=InTrust&Source=InTrust+Scheduled+Tasks+Manager&EventID=13328&action=go
Event-o-Pedia EventID 13328 - Task does not exist (eventopedia.cloudapp.net) - this particular URL lands on a single InTrust event (13328); use the site's search for other sources.

 

Wow, there really is almost no information out there.

It would be better to just crawl the systems and inductively

build a table sheet.

|OS|eventid|meaning| like this
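Here is one way to do that crawl. This is an added example, not code from the original post: it reads the event metadata that every registered provider ships with on the local machine (via Get-WinEvent -ListProvider) and emits one row per OS / provider / Event ID / description, which is exactly the |OS|eventid|meaning| table proposed above. The output path and the keyword used for the reverse lookup at the end are arbitrary choices.

```powershell
# Added example (not from the original post). Build an |OS|eventid|meaning| table
# inductively from the provider metadata registered on this machine.
# Assumptions: PowerShell 5.1 or later, run elevated so every provider is readable;
# .\eventid-table.csv is an arbitrary output path.

$osInfo = Get-CimInstance Win32_OperatingSystem
$os     = '{0} ({1})' -f $osInfo.Caption, $osInfo.Version

# -ListProvider * enumerates every provider; some have missing message resources
# and emit non-terminating errors, which we suppress.
$rows = foreach ($provider in Get-WinEvent -ListProvider * -ErrorAction SilentlyContinue) {
    foreach ($evt in $provider.Events) {
        [pscustomobject]@{
            OS          = $os
            Provider    = $provider.Name
            # Log channels this provider writes to (e.g. Security, System, a Microsoft-Windows-*/Operational channel)
            LogLinks    = ($provider.LogLinks.LogName -join ';')
            EventId     = $evt.Id
            Version     = $evt.Version
            Level       = $evt.Level.DisplayName
            # Collapse the multi-line message template into one line for the sheet
            Description = ($evt.Description -replace '\s+', ' ').Trim()
        }
    }
}

$rows | Export-Csv -Path .\eventid-table.csv -NoTypeInformation -Encoding UTF8
"{0} event definitions from {1} providers written" -f $rows.Count, ($rows.Provider | Sort-Object -Unique).Count

# The reverse lookup the post calls hard: search the descriptions by keyword
# to find which provider/ID describes a situation (keyword is an arbitrary example).
$rows |
    Where-Object Description -match 'audit log was cleared' |
    Select-Object Provider, LogLinks, EventId, Description
```

Enumerating every provider takes a few minutes and produces tens of thousands of rows, so run it once per OS build and diff the CSVs between builds rather than re-crawling interactively. Descriptions are message templates (with %1, %2 placeholders), not rendered events, which is what you want for a lookup table.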

 

 

2. Event IDs that can be abused, and the key Event IDs worth monitoring and detecting

 

https://support.sophos.com/support/s/article/KB-000038860?language=en_US
Interesting Windows Event IDs - Malware/General Investigation (support.sophos.com)

https://www.criticalstart.com/windows-security-event-logs-what-to-monitor/
Windows Security Event Logs - What to Monitor? (www.criticalstart.com)

 

 

https://www.beyondtrust.com/blog/entry/windows-server-events-monitor
Important Windows Event IDs: Which Events You Should Monitor (www.beyondtrust.com)

https://alparslanakyildiz.medium.com/windows-event-ids-for-incident-response-cases-f3a069b8309f
Windows Event IDs For Incident Response Cases (alparslanakyildiz.medium.com)

https://www.xplg.com/windows-server-security-events-list/
42 Windows Server Security Events You Should Monitor (www.xplg.com)

https://download.manageengine.com/products/active-directory-audit/kb/the-eight-most-critical-windows-event-ids.pdf

 

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
Appendix L - Events to Monitor (learn.microsoft.com) - also listed in section 1
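To actually put a watchlist like the ones in the articles above to work, here is an added example (my own code, not from the original post or any of the linked articles). It queries the local Security and System logs for a set of well-known high-value Event IDs over the last 24 hours and summarizes hits per ID with a one-line meaning. The watchlist is my selection of commonly cited IDs, the 24-hour window is arbitrary, and the meanings are short paraphrases, not Microsoft's official descriptions.

```powershell
# Added example (not from the original post). Hunt the local Security and System
# logs for a watchlist of frequently monitored Event IDs and summarize the hits.
# Assumptions: run elevated (the Security log needs administrator rights);
# the ID list and the 24-hour window are my choices.

$watch = @{
    Security = @{
        1102 = 'Audit log cleared'
        4624 = 'Successful logon (LogonType 3 = network, 10 = RDP)'
        4625 = 'Failed logon'
        4648 = 'Logon with explicit credentials (runas, lateral movement)'
        4688 = 'New process created (command line only if that audit option is enabled)'
        4697 = 'Service installed (Security log view)'
        4698 = 'Scheduled task created'
        4719 = 'System audit policy changed'
        4720 = 'User account created'
        4728 = 'Member added to security-enabled global group'
        4732 = 'Member added to security-enabled local group'
        4740 = 'User account locked out'
    }
    System = @{
        7045 = 'New service installed (Service Control Manager)'
        104  = 'Log file cleared (Microsoft-Windows-Eventlog)'
    }
}

$since = (Get-Date).AddHours(-24)

$report = foreach ($log in $watch.Keys) {
    $ids = @($watch[$log].Keys)
    # "No events were found" is a non-terminating error; suppress it so an empty log is just zero rows
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue

    foreach ($group in ($events | Group-Object Id)) {
        $id = [int]$group.Name
        [pscustomobject]@{
            Log     = $log
            EventId = $id
            Count   = $group.Count
            Meaning = $watch[$log][$id]
            Last    = ($group.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    }
}

$report | Sort-Object Log, EventId | Format-Table -AutoSize

# Drill into one ID: failed logons in the window, with the target account and source address
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $d['TargetUserName']
            LogonType = $d['LogonType']
            SourceIP  = $d['IpAddress']
            Status    = $d['Status']
        }
    } | Format-Table -AutoSize
```

Counts alone are not alerts: 4624 fires constantly on a busy server, so the value is in the ratio of 4625 to 4624 per source address, in 1102/104 ever appearing at all, and in 7045/4697/4698 on hosts where nothing should be installed. Several of these IDs (4688, 4697, 4698, 4719) only show up if the matching advanced audit policy subcategory is enabled, so an empty result can mean auditing is off rather than nothing happened.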

 
