What is Windows Security Event Log
It is a crucial component of the Windows operating system that records security-related events and activities. It captures events based on the audit policies set for each object. These policies define what actions are monitored and logged. For instance, when a user logs in, a file is accessed, or a security group is modified, relevant events are recorded in the security log. Windows security event log contains various event codes related to activities such as account logon, account creation, group changes, and more. Monitoring these events helps organizations track security incidents, identify anomalies, and maintain system health.
How to Analyze Windows Security Event Logs
Analyzing Windows Security Event Logs (.evtx files) is essential for understanding system activity and detecting security incidents. While the Windows Event Viewer is a common tool, there are alternative methods and software for more advanced analysis. In this article, Elasticsearch will be used for the analysis.
Image1. Snapshot of Windows Security Event .evtx files
PowerShell Script to Merge Multiple Windows Security Event .evtx Files
If we are provided a few exported Windows Security Event .evtx files, we can use the PowerShell script "Merge_the_events.ps1" shared in github to merge them into a single .evtx file (Merge.evtx). See below for the commandline.
.\Merge_the_events.ps1 -FolderPath <directory containing the Windows Security Event .evtx files> |
Python Script to Ingest Merged .evtx File into Elasticsearch
Dragos had written a Python module named EvtxToElk. This module ingests evtx files into an ELK stack. If you use the python module directly, the default index name for the ingested log is "hostlogs". If you want different index name, copy the source code of EvtxToElk to create a separate python file instead of "pip install evtxtoelk". In this way, you can name the index to what you desired via the variable "elk_index" as shown in Image2 below.
Image2. Snapshot of Python Scripts to Ingest .evtx into Elasticsearch
After running the python scripts, you will see the .evtx ingested to the specified index as shown in Image3 below. Thereafter, analysis can be in Elasticsearch.
Image3. Snapshot of Python Scripts to Ingest .evtx into Elasticsearch
Conclusion
Elasticsearch is generally considered a better tool for analyzing Windows security event logs compared to Windows Event Viewer for few reasons:
Scalability: Windows Event Viewer is limited in its ability to handle large volumes of data. With large deployments or long-term data retention, it can become slow and cumbersome. Elasticsearch, on the other hand, is built for handling massive data sets and can efficiently analyze large volumes of logs.
Advanced querying and filtering: Windows Event Viewer offers basic filtering options, but Elasticsearch provides a powerful query language (KQL) for advanced filtering, aggregation, and analysis. This allows you to quickly identify specific events or patterns within your logs.
Visualization: Elasticsearch allows you to create rich dashboards and visualizations to better understand your security data. This can help you identify trends, anomalies, and potential threats much faster than manually sifting through logs.
Comments