How To Approach An Audit Log Review For IT Security Investigations

Event logging is a powerful tool for monitoring what happens within a network, and an organization's IT department relies on it for both diagnostics and security. This process helps us take a proactive approach to protecting important information and programs. It is often the only way to determine whether something detrimental has happened, such as a data breach.

Active monitoring on Windows operating systems is essential, especially given the prevalence of internet connections and third-party applications being accessed from within a network. Here’s everything you need to know about Windows logging basics: the ultimate guide to logging.

Information to be Collected

To adequately protect your information through Windows logging, you will need to capture at least the following:

    • Date and times of user access – this information tells you when certain individuals accessed the network, narrowing down the source of potential issues.
    • User login IDs – this information offers specifics about who was using the system.
    • Computer or terminal IDs – this information narrows down which computer was used for the access that led to a problem.
    • Failed login attempts – these could be an innocuous case of someone mistyping their password, or someone trying to log into someone else’s account.
    • Usage trail – where did the person go and what did they access? Which files and programs were used?
    • Configuration and changes made – did the logged-in person make any changes that could potentially cause an issue?
    • Triggered alarms – did the person access anything with an alarm attached?

Together, these tracking metrics make it possible to determine what happened, when it happened and who did it, which ultimately gives an IT person a better idea of how to fix the issue as quickly as possible.

Legal Requirements of Monitoring

Legal requirements surrounding the monitoring of computer activity within the workplace vary from place to place. Generally speaking, however, employees must be aware that their activity is monitored. This is often covered by onboarding policy paperwork. Regarding retention periods, there is no standard for how long you should keep information logs. Best practices recommend a minimum of one year.

Reviewing and Prioritizing

To determine whether there is a problem, you must take the time to review the logs. That said, you will be collecting a lot of information that is not necessarily relevant to your investigation at all times. Schedule reviews on a regular basis, scaling the frequency to the security needs of your business. If possible, automate the review so that you aren’t wasting human resources on reports.

Fault Identification

When there is a problem, there are usually two main causes: either a user caused it, or the system or an application glitched by itself. It’s important to log the cause of the error alongside the other information so that you can determine patterns and identify whether employees need more guidance on usage or whether the software itself has an issue.

Alerts

It’s wise to set up alerts that signal an issue based on certain criteria, such as someone accessing secure files or the performance of your Windows operating system dropping drastically. These alerts ensure that problems are identified as soon as possible, rather than waiting for someone to review the problem log. Rather than poring through hours’ worth of data, the IT professional will be able to access the relevant information right away.
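The automated review and alerting described above, as an added example that is not part of the original post: it runs over constructed records shaped like Windows Security log entries (date and time, user login ID, terminal ID, event ID) and flags two patterns the page mentions, a burst of failed logins and a string of failures followed by a success. Event IDs 4625 (failed logon) and 4624 (successful logon) are real Windows IDs; the users, hosts, times and thresholds are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in the shape of Windows Security log entries:
# (timestamp, event ID, account, workstation). 4625 = failed logon and
# 4624 = successful logon are real Windows IDs; users, hosts, times are made up.
SAMPLE_EVENTS = [
    ("2024-03-04 08:01:10", 4625, "jsmith", "WS-017"),
    ("2024-03-04 08:01:25", 4625, "jsmith", "WS-017"),
    ("2024-03-04 08:01:40", 4625, "jsmith", "WS-017"),
    ("2024-03-04 08:02:02", 4625, "jsmith", "WS-017"),
    ("2024-03-04 08:02:30", 4625, "jsmith", "WS-017"),
    ("2024-03-04 08:02:55", 4624, "jsmith", "WS-017"),
    ("2024-03-04 09:15:00", 4625, "alee", "WS-022"),
    ("2024-03-04 09:15:30", 4624, "alee", "WS-022"),
    ("2024-03-04 23:40:00", 4625, "mkhan", "WS-009"),
    ("2024-03-05 00:05:00", 4625, "mkhan", "WS-009"),
]

def parse_events(records):
    """Normalise raw tuples (date/time, user ID, terminal ID) and sort by time."""
    parsed = [{"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
               "id": eid, "user": user, "host": host} for ts, eid, user, host in records]
    return sorted(parsed, key=lambda e: e["time"])

def failed_logon_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """(user, host, window_start, count) per pair with >= threshold failures in one window."""
    failures, alerts = defaultdict(list), []
    for e in parse_events(records):
        if e["id"] == 4625:
            failures[(e["user"], e["host"])].append(e["time"])
    for (user, host), times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, host, times[start], end - start + 1))
                break  # one alert per pair is enough for the reviewer
    return alerts

def success_after_failures(records, min_failures=3, window=timedelta(minutes=10)):
    """Flag a success preceded by >= min_failures failures from the same user/host."""
    events, flagged = parse_events(records), []
    for i, e in enumerate(events):
        if e["id"] == 4624:
            prior = [p for p in events[:i] if p["id"] == 4625 and (p["user"], p["host"])
                     == (e["user"], e["host"]) and e["time"] - p["time"] <= window]
            if len(prior) >= min_failures:
                flagged.append((e["user"], e["host"], e["time"], len(prior)))
    return flagged
```

In the sample, jsmith's five failures in under two minutes trigger both detections, alee's single mistyped password triggers neither, and mkhan's two failures 25 minutes apart fall outside the window.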

Protection and Planning

Your Windows logs should be protected like any other sensitive document. Whether you back the data up to disk or to the cloud, ensure that you keep it in a secure location. You will also want to incorporate a plan into your overall logging protocols, outlining when reviews will be conducted and what data is being captured. Following these procedures will ensure your information is kept safe from corruption.

About Amit Shaw

Amit Shaw, Administrator of iTechCode. He is a 29-year-old ordinary, simple guy from West Bengal, India. He writes about blogging, SEO, internet marketing, technology, gadgets, programming, etc. Connect with him on Facebook, add him on LinkedIn and follow him on Twitter.