https://sansorg.egnyte.com/dl/oQm41D67D6
practice
https://app.letsdefend.io/training/lesson_detail/checklist
https://elearning.securityblue.team/login

Log

https://cybersecuritynews.com/windows-event-log-analysis/
https://amr-git-dot.github.io/forensic investigation/Linux_Forensics/
https://tryhackme.com/r/room/introtologs
https://medium.com/@joseruizsec/soc-analyst-level-2-tryhackme-log-analysis-intro-to-logs-b7b2bfbc66b5
Common log types include:

  • Application Logs: Messages related to application activities.
  • Audit Logs: Operations significant for compliance.
  • Security Logs: Security-related events like logins and firewall actions.
  • Server Logs: Diverse logs generated by servers.
  • System Logs: Logs detailing system activities and hardware status.
  • Network Logs: Logs about network traffic and related events.
  • Database Logs: Records of activities within databases.
  • Web Server Logs: Web server activity, such as processed requests

Semi-structured Logs: These logs may contain structured and unstructured data, with predictable components accommodating free-form text. Examples include:
  • Example of a log file utilising the Syslog Format

damianhall@WEBSRV-02:~/logs$ cat syslog.txt
May 31 12:34:56 WEBSRV-02 CRON[2342593]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi)
  • Example of a log file utilising the Windows Event Log (EVTX) Format
PS C:\WINDOWS\system32> Get-WinEvent -Path "C:\Windows\System32\winevt\Logs\Application.evtx"


   ProviderName: Microsoft-Windows-Security-SPP

TimeCreated                      Id LevelDisplayName Message
-----------                      -- ---------------- -------
31/05/2023 17:18:24           16384 Information      Successfully scheduled Software Protection service for re-start
31/05/2023 17:17:53           16394 Information      Offline downlevel migration succeeded.

Practical Activity: Log Collection with rsyslog

https://medium.com/@joseruizsec/soc-analyst-level-2-tryhackme-log-analysis-intro-to-logs-b7b2bfbc66b5
This activity aims to introduce rsyslog and demonstrate how it can enhance the centralisation and management of logs. As part of the collection process, we will configure rsyslog to log all sshd messages to a specific file, such as /var/log/websrv-02/rsyslog_sshd.log. The steps below can be followed to achieve this:

  1. Open a Terminal.
  2. Ensure rsyslog is Installed: You can check if rsyslog is installed by running the command: sudo systemctl status rsyslog
  3. Create a Configuration File: Use a text editor (gedit, nano, vi or vim) to create /etc/rsyslog.d/98-websrv-02-sshd.conf; the directory is root-owned, so run the editor with sudo, e.g. sudo nano /etc/rsyslog.d/98-websrv-02-sshd.conf
  4. Add the Configuration: Add the following lines in /etc/rsyslog.d/98-websrv-02-sshd.conf to direct the sshd messages to the specific log file:
    $FileCreateMode 0644
    :programname, isequal, "sshd" /var/log/websrv-02/rsyslog_sshd.log
    Note: files in /etc/rsyslog.d/ are read in name order, so the 98- prefix makes this rule run after the distribution defaults (50-default.conf on Debian/Ubuntu). The rule copies matching messages rather than moving them; sshd lines keep reaching /var/log/auth.log (or syslog) unless you add a line containing & stop directly after the rule.
  5. Save and Close the Configuration File.
  6. Restart rsyslog: Apply the changes by restarting rsyslog with the command: sudo systemctl restart rsyslog
  7. Verify the Configuration: Initiate an SSH connection to localhost via ssh localhost, or emit a test message carrying the sshd tag with logger -t sshd "rsyslog routing test", then check the file with tail /var/log/websrv-02/rsyslog_sshd.log. Give it a minute or two if nothing shows up immediately.
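Added worked example (written for these notes, not code from the page or from TryHackMe): the semi-structured syslog format shown above, parsed in Python and applied to the sshd messages the rsyslog rule above routes. The header (timestamp, host, program, PID) is the predictable part and gets one pattern; the message is free-form, so a second pattern is run over it to pull out user, source IP and port. The sshd lines are constructed sample data using RFC 5737 documentation addresses, and the five-failure threshold is an assumed tuning value, not a standard.

```python
import re
from collections import Counter, defaultdict

# RFC 3164-style syslog line, as written by rsyslog's default template:
#   "<Mon> <day> <HH:MM:SS> <host> <program>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# The free-form message is where the useful sshd fields live.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample: the CRON line from the notes plus invented sshd lines
# (addresses from the RFC 5737 documentation ranges; not a real capture).
SAMPLE_LOG = """\
May 31 12:34:56 WEBSRV-02 CRON[2342593]: (root) CMD ([ -x /etc/init.d/anacron ] && if [ ! -d /run/systemd/system ]; then /usr/sbin/invoke-rc.d anacron start >/dev/null; fi)
May 31 12:35:01 WEBSRV-02 sshd[2342610]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
May 31 12:35:03 WEBSRV-02 sshd[2342610]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
May 31 12:35:05 WEBSRV-02 sshd[2342612]: Failed password for root from 203.0.113.45 port 51240 ssh2
May 31 12:35:07 WEBSRV-02 sshd[2342612]: Failed password for root from 203.0.113.45 port 51240 ssh2
May 31 12:35:09 WEBSRV-02 sshd[2342614]: Failed password for damianhall from 203.0.113.45 port 51250 ssh2
May 31 12:35:12 WEBSRV-02 sshd[2342614]: Accepted password for damianhall from 203.0.113.45 port 51250 ssh2
May 31 12:36:00 WEBSRV-02 sshd[2342620]: Failed password for damianhall from 10.10.14.7 port 40010 ssh2
May 31 12:36:04 WEBSRV-02 sshd[2342620]: Accepted publickey for damianhall from 10.10.14.7 port 40010 ssh2
"""


def parse_syslog_line(line):
    """Split the predictable header off a syslog line; the message stays free-form."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def summarize_sshd(lines, threshold=5):
    """Count failed logins per source IP and flag successes from IPs that were
    failing repeatedly. `threshold` is an assumed tuning value."""
    failed = Counter()
    failed_users = defaultdict(set)
    accepted = []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None or rec["program"] != "sshd":
            continue  # same filter as the rsyslog rule: programname == sshd
        m = FAILED_RE.search(rec["msg"])
        if m:
            failed[m["ip"]] += 1
            failed_users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(rec["msg"])
        if m:
            accepted.append((m["ip"], m["user"], m["method"]))
    suspects = {ip for ip, n in failed.items() if n >= threshold}
    return {
        "failed": dict(failed),
        "failed_users": {ip: sorted(users) for ip, users in failed_users.items()},
        "accepted": accepted,
        "suspects": sorted(suspects),
        # A success from an IP that was guessing passwords is the finding to escalate first.
        "success_after_failures": [(ip, user) for ip, user, _ in accepted if ip in suspects],
    }


if __name__ == "__main__":
    report = summarize_sshd(SAMPLE_LOG.splitlines())
    for ip, n in sorted(report["failed"].items(), key=lambda kv: -kv[1]):
        print(f"{ip:15} failed={n:3} users={report['failed_users'][ip]}")
    print("suspects:", report["suspects"])
    print("success after failures:", report["success_after_failures"])
```

To run it against the file produced by the rsyslog rule, replace SAMPLE_LOG.splitlines() with open("/var/log/websrv-02/rsyslog_sshd.log"). The point of the two-stage parse is that the header format is stable across programs while the message format belongs to sshd alone, which is exactly what "semi-structured" means in practice.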

Expected Output after rsyslog configuration to monitor sshd


IMPORTANT: If remote forwarding of logs is not configured, tools such as scp or rsync can be used to collect logs manually.

Storage, Retention, and Deletion

Log Retention

  • Hot Storage: Logs from the past 3-6 months that are most accessible. Query speed should be near real-time, depending on the complexity of the query.
  • Warm Storage: Logs from six months to 2 years, acting as a data lake, easily accessible but not as immediate as Hot storage.
  • Cold Storage: Archived or compressed logs from 2-5 years. These logs are not easily accessible and are usually used for retroactive analysis or scoping purposes.

Practical Activity: Log Management with logrotate

Log purpose

https://tryhackme.com/r/room/logoperations

Questions To Ask In Planning Meeting/Session

  • What will you log, and for what (asset scope and logging purpose)?
  • Is additional commitment or effort required to achieve the purpose (requirements related to the purpose)?
  • How much are you going to log (detail scope)?
  • How much do you need to log?
  • How are you going to log (collection)?
  • How are you going to store collected logs?
  • Is there a standard, process, legislation, or law that you must comply with due to the data you log?
  • How are you going to protect the logs?
  • How are you going to analyse collected logs?
  • Do you have enough resources and workforce to do logging?
  • Do you have enough budget to plan, implement and maintain logging?

Alert

https://www.mindpointgroup.com/blog/what-types-of-alerts-could-i-receive-from-a-soc
https://www.linkedin.com/pulse/how-conduct-initial-triage-security-alerts-soc-abdullahi-ali/
  1. Establish a triage process
  2. Prioritize alerts
  3. Collect contextual information
  4. Analyze the alert
  5. Escalate or remediate
  6. Document and review

https://medium.com/@Mx0o14/tryhackme-incident-handling-with-splunk-1f21fa04b644
https://storage-vnportal.vnpt.vn/lci-ubnd-responsive/7404/QuangVinh/slide_tap_huan_quy_trinh_ung_pho_su_co_attt_lci_2023.pdf

Incident response

https://vnhacker.substack.com/p/ieu-tra-su-co-la-lam-gi?utm_source=profile&utm_medium=reader2
https://medium.com/@Mx0o14/tryhackme-incident-handling-with-splunk-1f21fa04b644

Log


Investigation

Reconnaissance

  • Identify and validate the IP that is scanning the server

Exploitation Phase

  • Check which IP scanned the server
  • Check the HTTP methods used (a POST from the scanning IP stands out)

Installation Phase

  • Find what was uploaded to the server
  • Which user was that file executed as?
  • Look up the file (or its hash) on VirusTotal

Action on Objectives

Command and Control Phase

https://www.youtube.com/watch?v=4Jau-Wj-mkE&list=PLqM63j87R5p42cBwRwI24FQeF7oEBFmka

Interview

Technology

Technology Reports - Firewalls, Malware, Account Management, Authentication, Email, Proxy

Malware Reports

  • Number of infections in the last 24h/12h/4h/15min - gives clarity on any ongoing intrusion
  • Hosts infected (24h/12h/4h/15min) - top list or stats of infected systems and infected user accounts
  • Stats ordered by malware type
  • Malware name - which malware is affecting the most hosts (list stats)
  • Action taken by AV - whether a specific virus was blocked or allowed (Top 10)
  • Top infected filenames and paths

Firewall Summary Reports

  • Inbound Allowed - Destination Port, Destination IP, Source IP, Source Country
  • Inbound Deny - Destination Port, Destination IP, Source IP, Source Country
  • Outbound Allowed - Destination Port, Destination IP, Source IP, Source Country
  • Outbound Deny - Destination Port, Destination IP, Source IP, Source Country

Account Management - Any Device (Firewall, IDS, Linux, Windows, AV management servers, DB and so on)

  • Accounts created, deleted, enabled, disabled, locked out
  • Privilege change (access level change)

Authentication Summary Reports - Any Device (Firewall, IDS, Linux, Windows, AV management servers, DB and so on)
Successful logons, failed logons, admin logons and so on

Proxy - to check web traffic activity

  • Top 10 users who sent the most URL requests
  • Top 10 visited websites
  • Top 10 blocked websites
  • Top 10 malicious websites and the action taken

Email Summary Reports -

  • Top 10 senders
  • Top 10 recipients
  • Top 10 external domain names mailed
  • Top 10 blocked domain names
  • Top 10 block reasons
  • List of malicious attachments and the action taken

SIEM Reports

  1. Logs - EPS (Events Per Second)
  2. New log sources - e.g. a Nessus report showing IP addresses the SOC is not monitoring
  3. Known sources that have stopped sending logs
  4. Correlations/alerts triggered in the last reporting period
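Added example (written for these notes, not from the page): SIEM report items 1 to 3 computed in Python from a constructed event feed of (timestamp, source) pairs as a SIEM would index them: EPS per source over a window, sources that are not in the asset inventory, and inventoried sources that have gone silent. The host names, the 60-second window and the 5-minute silence threshold are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed asset inventory of sources the SOC expects to receive logs from.
KNOWN_SOURCES = {"fw-edge-01", "dc-01", "websrv-02", "proxy-01"}


def build_constructed_feed(now):
    """Constructed sample feed (not real data): (timestamp, source) pairs."""
    feed = []
    for i in range(120):                      # firewall: 2 events/s over the last minute
        feed.append((now - timedelta(seconds=0.5 * i), "fw-edge-01"))
    for i in range(30):                       # domain controller: 0.5 events/s
        feed.append((now - timedelta(seconds=2 * i), "dc-01"))
    for i in range(10):                       # web server: last event 20 minutes ago
        feed.append((now - timedelta(minutes=20, seconds=i), "websrv-02"))
    for i in range(3):                        # unknown host the SOC is not monitoring
        feed.append((now - timedelta(seconds=10 * i), "192.0.2.77"))
    return feed                               # proxy-01 is inventoried but never sends anything


def source_health(feed, known_sources, now,
                  window=timedelta(seconds=60), silence=timedelta(minutes=5)):
    """Per-source EPS over `window`, last-seen time, and whether the source is silent."""
    count = defaultdict(int)
    last_seen = {}
    for ts, src in feed:
        if ts > now:
            continue                          # ignore clock-skewed future events
        if now - ts < window:
            count[src] += 1
        if src not in last_seen or ts > last_seen[src]:
            last_seen[src] = ts
    report = {}
    for src in known_sources | set(last_seen):
        seen = last_seen.get(src)
        report[src] = {
            "eps": count[src] / window.total_seconds(),
            "last_seen": seen,
            "silent": seen is None or now - seen >= silence,
            "known": src in known_sources,
        }
    return report


def silent_sources(report):
    """Item 3: inventoried sources that have not logged within the silence threshold."""
    return sorted(s for s, r in report.items() if r["known"] and r["silent"])


def new_sources(report):
    """Item 2: sources sending logs that are not in the inventory."""
    return sorted(s for s, r in report.items() if not r["known"])


def total_eps(report):
    """Item 1: aggregate EPS across all sources."""
    return sum(r["eps"] for r in report.values())


if __name__ == "__main__":
    now = datetime(2023, 5, 31, 13, 0, 0)
    rep = source_health(build_constructed_feed(now), KNOWN_SOURCES, now)
    for src, r in sorted(rep.items()):
        print(f"{src:12} eps={r['eps']:5.2f} last_seen={r['last_seen']} silent={r['silent']} known={r['known']}")
    print("total EPS:", total_eps(rep))
    print("silent:", silent_sources(rep))
    print("new:", new_sources(rep))
```

Note that a source with zero events in the window is not the same as a silent source: a low-volume host can legitimately have 0.0 EPS in a 60-second window, which is why silence is judged on last-seen time against a separate threshold, and why inventoried sources with no events at all (proxy-01 here) must be reported rather than quietly omitted.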

SOC Reports:

  1. Number of alerts worked on by the SOC team
  2. Number of incidents by severity
  3. SLA adherence
  4. Escalations