
How To Use The Windows Event Viewer For Cyber Security Audit

102,964 views

Jon Good

1 day ago

How do you view system event logs on a Windows operating system?
Start learning Cybersecurity today! ➡️ www.cybertrain...
In technology jobs, there is an overwhelming pressure to aggregate event logs for all systems in a single location. What happens when we have a security incident or need to troubleshoot an individual system that might not be connected to the network? With the Windows Event Viewer, we can view the local events even if the system is isolated. I am not saying that you will need to do this frequently in most environments, but there will be times in your career where you need this skill.
In this video, I am going to walk you through using the Windows Event Viewer so that you can analyze an individual system’s event logs. I will also show you how to filter specific events by ID, by log, and by application for additional flexibility. Do not let this simple task hold you back in your career!
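The description says the video filters events by ID, by log and by application; the same three filters, plus a check for cleared logs that several commenters below ask about, run from PowerShell with Get-WinEvent. This is an added example, not code from the video or its author: it assumes an elevated session (the Security log is not readable by standard users), and Get-EventDataField is a helper written here.

```powershell
# Added example, not code from the video: the three Event Viewer filters the
# description walks through (by log, by event ID, by application/provider) done
# from PowerShell with Get-WinEvent. Assumes an elevated session, because the
# Security log is not readable by standard users. Get-EventDataField is my own helper.

# Read a named EventData field from an event's XML rendering. This is more robust
# than indexing $_.Properties[n], whose order differs per event ID.
function Get-EventDataField {
    param(
        [Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event,
        [Parameter(Mandatory)] [string] $Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1) By log and event ID: failed logons (4625) in the Security log over the last day.
#    FilterHashtable is applied by the event log service itself, so it is far faster
#    than piping the whole log through Where-Object. Get-WinEvent reports "no events"
#    as an error; SilentlyContinue turns that into an empty result instead.
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

# Summarise who was targeted from where: one account hit repeatedly from one address
# looks very different from a user mistyping a password at the console.
$failed |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = Get-EventDataField -Event $_ -Name 'TargetUserName'
            Source    = Get-EventDataField -Event $_ -Name 'IpAddress'
            LogonType = Get-EventDataField -Event $_ -Name 'LogonType'
        }
    } |
    Group-Object Account, Source, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group.Time | Sort-Object)[0] } },
        @{ n = 'Last';  e = { ($_.Group.Time | Sort-Object)[-1] } } |
    Format-Table -AutoSize

# 2) By application: in Event Viewer the "Source" column is the provider, so filter on
#    ProviderName. Here: application crash reports (source "Application Error") at
#    Level 2 (Error) from the last week, newest 50 only.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Level        = 2
    StartTime    = (Get-Date).AddDays(-7)
} -MaxEvents 50 -ErrorAction SilentlyContinue

$crashes |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 3) Several logs and IDs in one query, which is what a custom view does. The audit
#    trail of the log itself: Security 1102 ("The audit log was cleared") and System
#    104 ("The System log file was cleared"). Clearing a log does not remove these;
#    the 1102 event records which account did it in its Subject fields.
$cleared = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security', 'System'
    Id        = 1102, 104
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue

$cleared |
    Select-Object TimeCreated, LogName, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```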
Learn About Microsoft Server: amzn.to/3ehKBpr
Windows PowerShell Cookbook: amzn.to/3fZldp5
Learn Windows PowerShell in a Month of Lunches: amzn.to/3i7TqoC
Learn PowerShell Scripting in a Month of Lunches: amzn.to/2Z6tfps
Blog Post: www.jongood.co...
Make sure to watch the rest of the series on Windows Training For Cyber Security to better prepare you for joining the industry! • Windows Training For C...
=============================
Today’s Video Sponsor
=============================
Are you interested in sponsoring content? ➡️ jongood.com/sp...
=============================
Popular Cybersecurity Resources
=============================
Getting Started Resources & Free eBook ➡️ www.jongood.co...
Cybersecurity Q&A ➡️ • Cyber Security Q&A
Cybersecurity Projects ➡️ • Projects (Cybersecurity)
Cybersecurity Training & Career Services ➡️ www.CyberTrain...
=============================
Cool Tech that I Use in My Studio
=============================
Gear List ➡️ jongood.com/aff...
=============================
Connect with me!
=============================
LinkedIn: ➡︎ / jongoodcyber
Twitter: ➡︎ / jongoodcyber
Instagram: ➡︎ / jongoodcyber
⏰ Timecodes ⏰
0:00 How To Use The Windows Event Viewer For Cyber Security Audit
2:13 Opening the Windows Event Viewer
3:20 Alternate way to open the Windows Event Viewer
4:01 Filter Event Logs
5:15 Custom Views For Event Logs
7:05 Question of the Day (QOTD)
=============================
#WindowsEventViewer #WindowsBasics #WindowsSecurity
DISCLAIMER: I am an ambassador or affiliate for many brands referenced on the channel. As an Amazon Associate, I earn a commission from qualifying purchases.
DISCLAIMER (MUSIC): I only use royalty-free music and sound effects.

Comments: 191
@JonGoodCyber 4 years ago
Resources to Learn Windows:
- Learn About Microsoft Server: amzn.to/3ehKBpr
- Windows PowerShell Cookbook: amzn.to/3fZldp5
- Learn Windows PowerShell in a Month of Lunches: amzn.to/3i7TqoC
- Learn PowerShell Scripting in a Month of Lunches: amzn.to/2Z6tfps
@larkirwan9568 3 years ago
I am studying for my CompTIA A+ exam and this video helped me understand something I was unclear on. Thank you.
@JonGoodCyber 3 years ago
Glad it helped and you are welcome!
@jswift5300 2 years ago
Sorry Jon, I like the way you present your videos; I just assumed what you would be sharing would be more focused on which logs we would need to be investigating. For instance, the Firewall log, the DNS log, obviously the Security log, etc. Other than that, you present well, are clear and concise, and I can't fault you!
@JonGoodCyber 2 years ago
The purpose of this video was really to provide an introduction to using the Event Viewer because, unfortunately, audits themselves can vary a lot in what the auditor wants to see. There might be follow-up videos to this, but I couldn't put everything into one video since it would be way too long. Thank you for watching!
@jswift5300 2 years ago
@JonGoodCyber Appreciate the response. Please don't see this as "trolling" or anything; I just made an assumption that it was digging into the finer detail. I can't fault your delivery though! Very good / concise. Cheers.
@JonGoodCyber 2 years ago
No worries! I appreciate the feedback because it helps me identify topics for future videos.
@jswift5300 2 years ago
@JonGoodCyber Cheers. I appreciate that I came across as arrogant and didn't mean to! Enjoying some of the sessions though, so please don't stop making content!
@JonGoodCyber 2 years ago
I didn't take it that way and I always appreciate feedback and comments!
@benarroyo 3 years ago
This video helped me understand Event Viewer better, thanks!
@JonGoodCyber 3 years ago
Glad it helped and you are welcome!
@raymundofantastico 2 years ago
Me too! But there's something I have always wondered: how do you view upload and download history on Windows 8.1 and Windows 10? Always wanted to know because of my tendencies and frequent activities 😆
@OkekeIfeoma-k1h 20 days ago
Hi, kindly be of help: how do I perform log analysis on Windows OS and Windows Server?
@JonGoodCyber 20 days ago
I recommend rewatching this video as this gives you a good introduction on how to perform a log analysis.
@tendimukhodobwane5915 1 year ago
Brief and precise. I didn't know how to use Event Viewer until I saw this video.
@JonGoodCyber 1 year ago
I'm glad that the video was helpful and thank you for watching!
@halfdemon88 1 year ago
Also bears mentioning that you can add MMC snap-ins to view logs on remote computers in a domain. Super convenient as an admin.
@JonGoodCyber 1 year ago
Yep, absolutely, and thank you for sharing!
@Ash-vi8yr.... 11 months ago
I 💜 this videooo...
@JonGoodCyber 11 months ago
I'm glad that you enjoyed it!
@user-xp4tw2ye8u 9 months ago
Why does Security SPP occur in Windows 10, and why does it completely shut down all the applications in my system at that moment?
@JonGoodCyber 9 months ago
I recommend starting out with the official Windows documentation and then possibly checking the forums to see if somebody has a similar problem with a fix. learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-security-spp
@kenstart6 1 year ago
Can we get the event log of a computer remotely?
@JonGoodCyber 1 year ago
You certainly can: learn.microsoft.com/en-us/host-integration-server/core/how-to-select-computers-in-event-viewer1
@dariowins 1 year ago
Can you tell us how we can convert the time format to UTC? For example, when we find an event ID and have to write it in the forensic report, it's very common to write the date and time in UTC format.
@JonGoodCyber 1 year ago
I recommend checking out this discussion thread: learn.microsoft.com/en-us/answers/questions/409485/event-viewer-entries-timestamp
@johnvardy9559 1 year ago
Hi John, great video. After 3 years, does somebody need to know all of this stuff?
@JonGoodCyber 1 year ago
Glad it was helpful! This is information that you should know very early on in your cybersecurity journey.
@johnvardy9559 1 year ago
@JonGoodCyber Yes, but if you use Splunk or SIEM tools you don't need this one, or?
@JonGoodCyber 1 year ago
@johnvardy9559 You are correct that typically, in most environments, this kind of stuff will be done in a SIEM tool (e.g., Splunk, LogRhythm, etc.), but you absolutely need to know how to do it on a local system too. This is especially true for any type of technical role.
@ofek_11 1 year ago
Hope it's still relevant. I have a question: I disable real-time protection and try to find the event ID (sounds simple), but when I do that the event ID does not appear, even when I'm in the local (configuration). Any suggestions?
@JonGoodCyber 1 year ago
The first place I recommend referencing is the official Microsoft documentation ( learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide ).
@doctorsaikia4647 1 year ago
Hi, is there any way to know what files are being copied from my laptop to a USB drive? Its timestamp and what folder or file was copied... or if a copy log is present in the system.
@JonGoodCyber 1 year ago
I recommend checking out this article on Microsoft: learn.microsoft.com/en-us/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices
@kwsrchoudhury 1 year ago
Thanks! Gotta investigate a laptop tomorrow
@JonGoodCyber 1 year ago
You are welcome! Hope it's nothing too crazy but good luck either way.
@toukio_ 10 months ago
Very informative, thanks for sharing Jon.
@JonGoodCyber 10 months ago
Glad it was helpful!
@alqahtanirakan-cm5736 1 year ago
Explain the concept of logging. Where are the logs located in Windows and Linux? Show an example of failed login logging in Windows Event Viewer.
@JonGoodCyber 1 year ago
After watching this video, you'll know exactly how to review Windows events, so once you've identified the event ID that you need ( www.ultimatewindowssecurity.com/securitylog/encyclopedia/ ), it's simple to filter based on that. 4625 is logon failures.
@abdullahalrawi1491 3 years ago
Hi, I have to define 3 logging events myself that can be handy to trace security breachers, and who may see the logging, where the logging is stored and the data of the event: how, who, what, where, why, when... I don't understand what I should do and where I should search. Could you help me with one of those three? I have a bad teacher 😢
@JonGoodCyber 3 years ago
Here are two resources to get you started:
- www.beyondtrust.com/blog/entry/windows-server-events-monitor
- www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
@puazuzu4958 1 year ago
Hi Jon, thank you for the video :)! I have a question about this. Event ID 4698 and the events of schtasks, I can't see them. Why are they not displayed in the Event Viewer? Thank you!
@JonGoodCyber 1 year ago
One of the best places to start with is the official Microsoft page for the event ID: learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
@petrmilota6398 3 years ago
Completing a case in Immersive Labs for Hafnium events... well, we will see if this helps :D We can use only Event Viewer.
@JonGoodCyber 3 years ago
Awesome...let me know how it goes!
@interfuze9470 2 years ago
I have a question. I went to Event Viewer, and a few months ago I downloaded this application called SolidWorks. I deleted the SolidWorks application, but in the Event Viewer there is still a log file for SW. Any help? I just want to delete that log file. It's under Applications and Services 😭 I hate downloading school stuff on my personal gaming PC. I don't want to clear the log, I want to delete that log file***
@JonGoodCyber 2 years ago
Log files are files stored somewhere on your system, so you just need to find where it's being stored and remove it. You could always clear whatever is in there too, but a leftover log file isn't really impacting your system unless it's massive in size.
@bethiaktar758 8 months ago
Very informative, thanks for sharing, #Jon Good. From Bangladesh.
@JonGoodCyber 8 months ago
I'm glad that you enjoyed it!
@mrxenosith8023 1 year ago
Hello Jon, I noticed that the Event Viewer no longer displays the username. How can we get the username for the logon and logoff events?
@JonGoodCyber 1 year ago
What exactly do you mean it no longer displays the username? I'm assuming you're referring to the column, and if that's the case, then you can right-click on the name of one of the columns and add whichever ones you'd like.
@vtcl1 2 years ago
I have come across some events that occurred during the wee hours of the morning while I was sleeping. Is there a way for me to find out its location?
@JonGoodCyber 2 years ago
Yes! Search Google for the IP address and it will give you more information.
@teerich2011 1 year ago
Thank you Jon. That was Good!
@JonGoodCyber 1 year ago
Glad you enjoyed it!
@IvarsRuza 3 years ago
How to collect and analyze I know, but how to store for future forensics is nuts for 3k machines.
@JonGoodCyber 3 years ago
Storage is definitely a major issue when it comes to logs. Sometimes you have to be selective about the events and information that you collect.
@invest_9361 1 year ago
Hey Jon, I suspected someone was on my PC uninvited. I went to look at my Event Viewer logs and they have been cleared! I did not do this; could you help me out? Trying to figure out when they were cleared and when someone was on my PC, God knows what's been installed. Can anyone help?
@JonGoodCyber 1 year ago
I recommend watching this video again because I walk through how to filter event logs being cleared. If you need to go deeper into memory you will want to research a digital forensics training course.
@invest_9361 1 year ago
@JonGoodCyber I did just recently change a setting in the registry keys. It was for processes, to keep them low on Windows, since I game. Could that be affecting the Event Viewer?
@JonGoodCyber 1 year ago
I'm not sure what you mean by you changed registry keys as clearing the logs requires a high level of privilege to perform. If the event logs are gone (cleared) then your only possible option to recover them is using digital forensics. If you cannot view the events in the event viewer and they are still there, then you don't have the right level of access.
@openworldgamedevjontyin2242 3 years ago
thank you for your help...
@JonGoodCyber 3 years ago
You're welcome!
@vtcl1 2 years ago
I have another question, Jon: Under the Task Category, I don't see Logon or Special Logon. I'm only seeing User Account Man... Does this mean that no external individual has logged onto my system?
@JonGoodCyber 2 years ago
If you have logon event auditing enabled, then you will see any events related to it: docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
@tatvikgujar5890 4 months ago
You missed the easiest way to open event manager. Just open Server Manager, then go to Tools in the topmost section and look for Event Viewer. That's it.
@JonGoodCyber 4 months ago
Like most things, there are several ways to accomplish the same objective.
@tatvikgujar5890 4 months ago
@JonGoodCyber Yup, one should always be open to new and easy ways.
@FM-zp2hl 4 years ago
Good content here. Trying to do forensics on a Windows event log file, but it is really challenging. Do you have any information on how I can perform a step-by-step detailed forensic on a Windows Event Viewer log? Thanks.
@JonGoodCyber 4 years ago
Unfortunately I do not have any on hand. Your best bet is to grab a good book or course because that requires you to stay up to date. Here are some resources that might help you though:
- Book on Windows Forensics: amzn.to/34LOPUK
- Course on Windows Forensics: www.pentesteracademy.com/course?id=23
@FM-zp2hl 4 years ago
@JonGoodCyber Thanks very much.
@flittotech5280 2 years ago
Thanks for this very interesting video.
@JonGoodCyber 2 years ago
Glad you enjoyed it!
@Gnrl_Anesthesia 1 year ago
Hey Jon, sorry, I am learning about this but you are my best shot at getting the proof here. Long story short, some of the very important files have been deleted from Google Drive and even from Trash. I know who did it from my laptop when I was away; it does say I deleted it because the laptop had G-Drive logged in. I am in real trouble now. All I want is proof that my laptop was used between X-Y dates so that I can prove my innocence. I already am down the rabbit hole and I have reached here. Please guide me if this can be done from Event Viewer. All I want is confirmation that the laptop was used during the dates when I wasn't around. Even better if we can see someone opened G-Drive.
@JonGoodCyber 1 year ago
I recommend reviewing the audits for any logon or logoff type events on your system. You can find the event IDs required here: www.ultimatewindowssecurity.com/securitylog/encyclopedia/
@sonyi1967 1 year ago
Q: I got a Kaspersky file in the Windows log and I can't get rid of it to install a different antivirus.
@JonGoodCyber 1 year ago
I recommend visiting the vendor's website for instructions on uninstalling the software.
@abineshms3759 2 years ago
How to display those security events using a C or C++ program?
@JonGoodCyber 2 years ago
Great question...have you researched how to do this? I think PowerShell is still going to be the easiest method if you want a command-line option.
@kcalderon03 2 years ago
Hello. Do you have a reference you would recommend for looking up event IDs? Thanks.
@JonGoodCyber 2 years ago
Here is the site that I recommend: www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
@kcalderon03 2 years ago
@JonGoodCyber Thank you, sir!
@JonGoodCyber 2 years ago
@kcalderon03 No problem. Glad to help!
@danh.902 3 years ago
I posted a comment to social media and it got someone mad. I walked away from my PC for about an hour, and when I came back I tried to log back into the social media site; I could not. My password was incorrect. I had to reset it using my phone. Can I use the Event Viewer to find out if someone logged onto my PC and did something? I have a few:
- 4624 Logon
- 4672 Special Logon *** SEVERAL
- 5379 User Account Management
- 5058 Other System Events
- 5061 System Integrity
- 4826 Other Policy Change Events
- 4696 Process Creation
Is there a way to tell me if someone was on my PC remotely or how they messed with my Facebook password?
@JonGoodCyber 3 years ago
You will find this website ( www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx ) of tremendous value. You would be able to determine if there was a remote login but you couldn't see the web application logs for Facebook itself. For Facebook, you would need to reach out directly to them because only they could review the actions taken on the site.
@danh.902 3 years ago
@JonGoodCyber Thank You @Jon, I DO appreciate it. I WILL be doing A LOT of reading it seems over the next few days. As for going to Facebook, I did think about doing that when he replied to my post in a public area, but figured that since he told me outright that he did what he did with something like Facebook, I didn't want to get him even more upset at me. I'd like to think that passwords and routers, Avast, ZoneAlarm, Windows Defender and so on would be enough, but it seems that if someone wants to be disruptive, they will... I AM still gonna try to see what else I can do in order to AT LEAST make My Family feel a bit safer though...
@JonGoodCyber 3 years ago
Many times when somebody is able to access an account, it was through social engineering. That means they could have got you to click a link or provide them with information to allow them access. All the tools in the world won't do any good if you fall victim to social engineering. Keep learning about security and improving your defenses!
@mitchelllee6110 3 years ago
How far back can event logs go as a maximum?
@JonGoodCyber 3 years ago
If you right-click the individual log in the Windows Event Viewer and select Properties, you can set the retention log size, so theoretically you could store unlimited events. I wouldn't recommend making this value too large because you should be offloading the logs onto a better storage method such as a SIEM and then archiving the log files.
@rohitkalla2623 3 years ago
After formatting/resetting the pc, will the earlier logs be visible there?
@JonGoodCyber 3 years ago
If you restart your computer, the logs will still be there until cleared. Formatting a PC involves wiping the system clean, and therefore you would lose the logs in that situation.
@rohitkalla2623 3 years ago
@JonGoodCyber Thanks for the really quick reply. I actually wanted to know if there's any way we can tell that the computer has been formatted/reset before. Could you please help me with this?
@JonGoodCyber 3 years ago
No, because the entire computer is wiped and would start fresh. If just the logs are cleared, though, then Windows will generate a system event saying that the logs were cleared.
@openworldgamedevjontyin2242 3 years ago
How to find unauthorised logons on Windows 10 using Event Viewer or PowerShell or cmd... whatever... I think I am being hacked... please help.
@JonGoodCyber 3 years ago
In event viewer, you can create a custom filter for any of the logon events you would like to see. A really good resource for event IDs can be found here ( www.ultimatewindowssecurity.com/securitylog/encyclopedia/ ).
@kristinabrannon3693 2 years ago
Does Event Viewer clear its own logons after so long, or do you have to manually clear them out?
@JonGoodCyber 2 years ago
There are retention settings based on size, such as overwriting oldest events first, archive when full (no overwrite), or do not overwrite. You can configure this by right-clicking on the specific log (Application, Security, System, etc.) and selecting "Properties." You could also run a command with PowerShell to clear the logs, or schedule a task to do so ( docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/clear-eventlog?view=powershell-5.1 ).
@kristinabrannon3693 2 years ago
@JonGoodCyber Thank you! Question: when I first downloaded Event Viewer I saw months of history with logons; I was looking specifically at 4624. I've been trying to see if my roommate has been accessing my profile on our shared computer. Recently, everything has been deleted. I can only see the last 2 days. I think someone went in and cleared the logs. Would Event Viewer suddenly start only saving the last 2 days of history by itself? Or would someone have to program it to do this? Thank you! I'm not computer savvy, but I know enough to know that when one day something is there and the next it's not, it's suspicious.
@JonGoodCyber 2 years ago
@kristinabrannon3693 If you didn't have logon auditing enabled prior to that, then it wouldn't store those events ( docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon ). Also, if logs are cleared, then the system will generate an event and it will be present in the new set of logs. A really good website for referencing various Windows events is: www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
@davidmanning1474 3 years ago
Do you have a brother that does vjdsa out air travel by any chance?
@JonGoodCyber 3 years ago
I don't know what that is but no.
@jibunorufoegbune9567 2 years ago
Thanks, Jon Good.
@JonGoodCyber 2 years ago
No problem and I'm glad that you enjoyed the video!
@itumelengmaaboi8942 1 year ago
Can you also see who deleted files???
@JonGoodCyber 1 year ago
Sure, if you turn on file system auditing, but by default Windows isn't going to show you that information.
@fabriciogarcia6307 4 years ago
Thanks for the video! Regards!!!!
@JonGoodCyber 4 years ago
You are welcome! I'm glad you enjoyed the video.
@BrianThomas 2 years ago
Wow. You’re Good
@JonGoodCyber 2 years ago
Thank you and I'm glad that you enjoyed the video!
@shehzadarshad2000 2 years ago
Nice video, bro. I am also an IT guy.
@JonGoodCyber 2 years ago
I'm glad that you enjoyed the video and welcome!
@lyseachung5613 5 months ago
How can I remove specific events from the event log?
@JonGoodCyber 5 months ago
That is outside the scope of this video and typically if you are trying to remove events...that's probably not for a good reason.
@waydownwergoing 1 year ago
Hi my friend. I am trying to write a script for Task Scheduler for sending all logs in real time to a Telegram channel. Can you help me?
@JonGoodCyber 1 year ago
I recommend checking out Google because there are plenty of tutorials out there already that came up with a simple search.
@waydownwergoing 1 year ago
@JonGoodCyber I checked it, but only found a script for logon, not for other events.
@ruslanmamedaliyev3912 3 years ago
Please tell me how I can see which files my Windows Defender skipped during the scan, with the help of Event Viewer or other ways? Please explain step by step.
@JonGoodCyber 1 year ago
I recommend looking at your Windows Defender logs.
@SaiyanParmos 1 year ago
Thank you for this post. Sometimes it feels better to jump in as you just did, but for trying Splunk or DeepBlueCLI.
@JonGoodCyber 1 year ago
I'm glad that you enjoyed the video!
@billyc7273 3 years ago
How do you filter the result based on content of EventData?
@BlackPerl 3 years ago
Probably for doing this kind of search you can use the LogParser 2.2 application and then run a SQL query on your event data to fetch the content you are looking for.
@JonGoodCyber 3 years ago
You can use XML to do some additional filtering. Here is a good article: techcommunity.microsoft.com/t5/ask-the-directory-services-team/advanced-xml-filtering-in-the-windows-event-viewer/ba-p/399761
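The point of the linked article in code, as an added example that is not from the video, its author or the article: a custom view is an XPath query over each event's XML, so it can match on EventData fields that the Filter dialog does not expose. It assumes an elevated session and a Security log that contains 4624 events; the field names used (LogonType, TargetUserName, TargetDomainName, IpAddress, WorkstationName) are the standard ones carried by event 4624.

```powershell
# Added example, not from the video or the linked article: filter on the *content* of
# EventData with the XPath that the Event Viewer custom-view "XML" tab accepts, run
# here through Get-WinEvent -FilterXml. The <QueryList> below pastes unchanged into
# that tab. Assumes an elevated session (the Security log needs it).

# Successful logons (4624) in the last 24 h whose LogonType is 10 (RemoteInteractive,
# i.e. RDP) or 3 (network): the "was somebody on this machine remotely?" question.
# Event Viewer supports only a subset of XPath 1.0 (no string functions such as
# contains()), so values are matched exactly. This is XML, so "<" is written "&lt;".
# The <Suppress> clause drops ANONYMOUS LOGON network logons, which are routine
# SMB/null-session noise and would otherwise bury the interesting rows.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
      and
      *[EventData[Data[@Name='LogonType']='10' or Data[@Name='LogonType']='3']]
    </Select>
    <Suppress Path="Security">
      *[EventData[Data[@Name='TargetUserName']='ANONYMOUS LOGON']]
    </Suppress>
  </Query>
</QueryList>
"@

# "No events were found" is reported as an error; treat it as an empty result instead.
$remoteLogons = Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue

# Flatten each event's EventData into a name -> value table, then project the fields an
# analyst actually wants: who, from where, and how. Reading the XML avoids depending on
# the positional order of $_.Properties[], which differs per event ID.
$remoteLogons |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType   = $data.LogonType
            SourceIP    = $data.IpAddress
            Workstation = $data.WorkstationName
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Saving the same query as a custom view in Event Viewer gives a reusable, clickable version of this filter on a machine that has no PowerShell access.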
@openworldgamedevjontyin2242 3 years ago
Bro, I need help... how to find unauthorised logons on Windows 10!!! I think someone is hacking me!!! Please help!!
@JonGoodCyber 3 years ago
In event viewer, you can create a custom filter for any of the logon events you would like to see. A really good resource for event IDs can be found here ( www.ultimatewindowssecurity.com/securitylog/encyclopedia/ ).
@openworldgamedevjontyin2242 3 years ago
@JonGoodCyber Thank you so much.
@karoz07 2 years ago
Thank you very much for this great information...!!! My computer shows ID 4672 Special Logon and ID 4624 Logon too many times, and I don't know if this means that someone from outside is looking at my personal information or it is just a simple thing from Windows Events...!!! Will you be so nice as to let me know if this could be dangerous or not...!!! I will appreciate it so much...!!! I send you a big hug from México City...!!! God Bless You Always...!!!
@JonGoodCyber 2 years ago
Every situation is different, but I would recommend checking out the below resources on those specific event IDs to get you started in your research.
- www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
- www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4672
@spitballproductions 2 years ago
How can you do this using Autopsy?
@JonGoodCyber 2 years ago
The purpose of this video isn't to go deep into Windows forensics but perhaps I'll add that to the list for a future video.
@spitballproductions 2 years ago
@JonGoodCyber Please do. I am working on some homework for a digital forensics class and I have no idea what I am doing. In the dark without you. Thanks, mate.
@vtcl1 2 years ago
This is an excellent video. Is it a red flag to see several deleted events at the end of the list? My laptop is used only by me.
@JonGoodCyber 2 years ago
Any time that you are missing logs or have deleted events and it wasn't authorized, it should be a concern.
@vtcl1 2 years ago
@JonGoodCyber Wow! Thank you. Do you think that changing my IP address would help?
@vtcl1 2 years ago
@JonGoodCyber Should I also be concerned about the listening events? Does this mean that people are listening in?
@JonGoodCyber 2 years ago
Changing the IP address might help, but I would recommend you get good anti-virus or anti-malware software. As far as listening ports, you would have to research the ports after you scan your system with the anti-virus software, because they may or may not be malicious.
@vtcl1 2 years ago
@JonGoodCyber Thanks a bunch.
@GarageGuyCarl 2 years ago
How can I filter logs by date(s)?
@JonGoodCyber 2 years ago
PowerShell might be your quickest and most efficient method: social.technet.microsoft.com/Forums/lync/en-US/f552d3fa-01e8-4949-ba2b-fc172bff9175/filtering-event-logs-with-specific-date-range?forum=winserverpowershell
In the Event Viewer, you can either sort by the date column, or you could edit the XML of the actual search.
@GarageGuyCarl 2 years ago
@JonGoodCyber Nice, and thanks.
@sabharinathan2989 3 years ago
Event ID 4740 is not present in the Event Viewer Security log.
@JonGoodCyber 3 years ago
If there isn't an event ID in your log, then it hasn't occurred. Specifically, 4740 is for user accounts being locked out. Here is a reference article: www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740
@manthing1467 4 years ago
I've been thinking of making a security audit script via powershell. Eventually I'll get around to it. Know of any good open source SIEM tools?
@JonGoodCyber 4 years ago
Here are a few for you:
- AlienVault OSSIM: cybersecurity.att.com/products/ossim
- SecurityOnion: securityonion.net/
- Elk Stack: www.elastic.co/what-is/elk-stack
@mojed6666 4 years ago
Yeah, Wazuh: wazuh.com/
@mojed6666 4 years ago
SIEMonster: siemonster.com/
@JonGoodCyber 4 years ago
Interesting... I hadn't heard of either of those before. I'm sure, like a lot of the different tools, that all the cool stuff requires a subscription, but at least there are some options to learn things.
@mojed6666 4 years ago
@JonGoodCyber With Wazuh, all the cool stuff is available for everybody, and you can give it a quick try with the Docker version: documentation.wazuh.com/3.13/docker/wazuh-container.html
@phabeondominguez5971 4 years ago
Aren't there tools or apps that translate Event Viewer logs into more readable formats for us puny humans? I want to say it's something about Sysinternals? Heck, can ya do a video on that? Both converting error logs into readable formats and a video on Sysinternals?
@JonGoodCyber 4 years ago
There are definitely more tools that I will be doing videos on but this particular video is to help people walk before they run. Thank you for the requests!
@phabeondominguez5971 4 years ago
@JonGoodCyber Gotcha, I'll rewatch it then, as maybe I missed "it", as I still just see Event Viewer as error logs but am still unsure as to how to decipher them?
@JonGoodCyber 4 years ago
The Event Viewer is definitely not just for error logs. Essentially what your SIEM tool and other analysis tools do is take the raw events and make them easier to comprehend/correlate, especially at a larger scale. One important point is that we aren't just looking for failures or errors because there are successful events that should generate alerts depending on the environment. Think about if you had a production environment that operated during certain hours of the day but then all of a sudden you had people logging in at "strange" hours when nobody is around. A great resource for Windows Event IDs is this website ( www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx ).
@phabeondominguez5971 4 years ago
@JonGoodCyber Gotcha, so no wonder a while back I had a black screen blip for 2 secs but wasn't finding anything in Event Viewer. Thanks for the link, will check that out. oNe
@JonGoodCyber 4 years ago
No problem!
@sampannashrestha973 3 years ago
Good content :)
@JonGoodCyber 3 years ago
Glad you think so!
@khalfanhinai5798 4 years ago
Hi Jon Good, do I need to be a developer to enter the cyber security field?
@JonGoodCyber 4 years ago
Knowing how to program and code will definitely open more opportunities for you; however, not all jobs require those skills. I would check out the video I made on Programming in Cyber Security for more information ( kzfaq.info/get/bejne/hJ55db17x8XRdHk.html ).
@khalfanhinai5798 4 years ago
@JonGoodCyber Thanks bro
@JonGoodCyber 4 years ago
No problem!
@watteau6646 3 years ago
I was hoping for an explanation of the many different types of event IDs. But I guess like most videos, we are expected to just "google it" and go into rabbit holes. OK video for learning basic EV navigation, that's all. Too much self-promo at the start. No real "cyber security" information.
@JonGoodCyber 3 years ago
This video was not meant to be an all-encompassing security analysis of a system. The purpose is to teach how to use the Event Viewer, because like anything in Cyber Security, there are variables that make every situation different. If you are interested in specific event IDs, there is a really good resource here ( www.ultimatewindowssecurity.com/securitylog/encyclopedia/ ). I do have future videos planned that will cover specific things to look for, but we have to start with the basics. Thank you for viewing and I appreciate the feedback!
@watteau6646 3 years ago
@JonGoodCyber Thanks for your response. Looks like a very useful link, too. Thanks!
@XQYrCDV11 3 years ago
Leaving a comment for the YouTube algorithm
@JonGoodCyber 3 years ago
Thank you and I appreciate the support!
@pidaparthysurya4373 2 years ago
How to take AD audit logs for 3-6 months?
@JonGoodCyber 2 years ago
There is a retention setting for Windows logs that you can modify, but it's based on the size of the log ( helpcenter.netwrix.com/NA/Configure_IT_Infrastructure/Windows_Server/WS_Event_Log_Settings.html ). If you are in an environment using Active Directory though, a best practice would be to use a SIEM tool like Splunk to forward the logs to a central solution where you can utilize more storage. We also would want to archive the raw log files so that we can go back and review them deeper if we need to.
@brownoforrington8310 3 years ago
How do I find the IP address of an intruder and block payloads?
@BlackPerl 3 years ago
Probably for doing this kind of search you can use LogParser 2.2. A query like the one below would help to find out from an IP address:
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') AS Username, EXTRACT_TOKEN(Strings, 6, '|') AS Domain, EXTRACT_TOKEN(Strings, 8, '|') AS LogonType, EXTRACT_TOKEN(Strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = 'x.x.x.x'"
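The same search done with the built-in Get-WinEvent cmdlet, as an added example that is not from the video or from the commenters: it reads the 4624 fields the LogParser query above extracts by position, drops the built-in accounts, and flags successful logons outside business hours, the "strange hours" case Jon raises earlier in the thread. The 24-hour lookback and the 07:00-19:00 business window are assumed values; the EventData field names are the standard ones for Event ID 4624.

```powershell
# Added example (not from the video or the commenters). Requires an elevated prompt
# to read the Security log. Assumed defaults: 24h lookback, business hours 07:00-19:00.
param(
    [int]$Hours     = 24,
    [int]$StartHour = 7,
    [int]$EndHour   = 19,
    [switch]$OffHoursOnly
)

$excludedUsers = @('SYSTEM', 'ANONYMOUS LOGON', 'LOCAL SERVICE', 'NETWORK SERVICE')

# FilterHashtable filters inside the event log service, far faster than piping
# every record through Where-Object.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Read EventData by name from the event XML rather than by index: positions
    # shift between Windows versions, the names do not.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $user   = $data['TargetUserName']
    $domain = $data['TargetDomainName']
    if ($excludedUsers -contains $user) { return }   # built-in accounts
    if ($user -like '*$')               { return }   # computer accounts (NAME$)
    if ($domain -eq 'NT AUTHORITY')     { return }

    $hour = $_.TimeCreated.Hour
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = "$domain\$user"
        LogonType   = $data['LogonType']               # 2 interactive, 3 network, 10 RDP
        AuthPackage = $data['AuthenticationPackageName']
        Workstation = $data['WorkstationName']
        SourceIP    = $data['IpAddress']
        Process     = $data['ProcessName']
        OffHours    = ($hour -lt $StartHour) -or ($hour -ge $EndHour)
    }
} | Where-Object { -not $OffHoursOnly -or $_.OffHours } |
    Sort-Object Time | Format-Table -AutoSize
```

Save it as a .ps1 and run it with -OffHoursOnly to keep just the flagged rows, or replace the Format-Table with Export-Csv when the result is going to a SIEM.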
@JonGoodCyber 3 years ago
Ideally you would be using a host intrusion prevention (or detection) system such as Snort or a similar type of tool that will store that information in an easier-to-consume format. Complex queries using the Event Viewer typically aren't going to be the best path.
@sykanji9816 8 months ago
my guy
@JonGoodCyber 8 months ago
I'm glad that you enjoyed the video!
@v0ver 5 months ago
Windows tutorials without indian, a bit confusing for me ;]
@JonGoodCyber 5 months ago
I'm not sure what you mean by "without indian", but you can certainly watch the video as much as you need.
@warronfrench8163 2 years ago
0% audio. I tried other videos and they worked.
@JonGoodCyber 2 years ago
The video definitely has audio, so I would check your settings.
@Dot0707 2 months ago
Everyone clicking on this video because someone touched something they weren't supposed to
@JonGoodCyber 2 months ago
Not everybody is doing things that they shouldn't be doing...
@MrSouthsideMuscle 2 years ago
Onboard system software is decent enough
@JonGoodCyber 2 years ago
You can definitely accomplish a lot with built-in functionality and software; however, external applications frequently enhance or add to that functionality. Additionally, built-in applications don't work well when you have to start looking at several, hundreds, or thousands of systems.
@MrSouthsideMuscle 2 years ago
@JonGoodCyber Definitely, I would imagine a complex system network requires specialized software for ease of viewing
@dbcnewstv 2 years ago
Waste of my time
@JonGoodCyber 2 years ago
Sorry to hear that, but thank you for watching!
@paulobazzo5650 2 years ago
Sorry, but this video is a joke
@JonGoodCyber 2 years ago
I am always open to feedback on how to improve content and presentation, but just saying something is a joke does not help.