All Questions (6 questions)
2 votes · 1 answer · 2k views
Windows Defender's MsMpEng.exe accessing lsass.exe
I detected an activity last week on our SIEM system: MsMpEng.exe, which belongs to Windows Defender, accessed lsass.exe. I searched the net to learn whether this is a normal activity or an abnormal one, then ...
3 votes · 2 answers · 3k views
Windows Kerberos Pre-Auth Failed (4771)
Is there an easy way to distinguish 4771 events from a real attack perspective vs. someone having a stale session with an old password?
If you don't get logs from all endpoints and rely on Domain ...
0 votes · 1 answer · 3k views
Difference between audit log failure/success?
I am working on event logs. I receive different logs, such as 1. Success audit and 2. Failure audit, for the same type of events (logon, logoff, etc.). What exactly is the difference between these two types of ...
2 votes · 3 answers · 12k views
How to detect a port scan on a SIEM within the LAN or same network?
Let's suppose a host machine in the client environment has been infected and it's performing port scanning on other machines within the LAN or same network without passing through the firewall:
On what ...
5 votes · 2 answers · 4k views
SIEM and Windows Event Logs
When considering what Windows event logs to incorporate into a SIEM solution, should I be looking at just the Security event logs, or all categories of event log? How useful are the other categories ...
8 votes · 2 answers · 712 views
What features do you look for in an Enterprise Log Management solution?
This question is for IT pros and people who manage a company's infrastructure. Developers should see this related answer for tools geared for them.
What are your requirements for such an Event Log ...