Conduct an analysis of the data to report.

Assignment Help Software Engineering
Reference no: EM132459751

Windows Security Log Analysis

Using the following log file from a Windows Server, conduct an analysis of the data to report interesting information.

Stage 1 - Analysis You Can See
You may use any tools you would like to do the analysis. I would recommend trying Microsoft Excel as well as Notepad++ (not dumb Windows Notepad). Consider using Tableau for advanced visualizations.

Section A - Review the supplied Windows Security Log.

Report some basic statistics about it to include:
• When is the first event?
• When is the last event?
• Comment on the time stamps in the log file. What time zone are they in?
• How many total events are reported?

Section B - Focus on the events for EventID 4624 (an account was successfully logged on) only and report the following:
• How many different users (as opposed to computers) log on to the network? Computer accounts can be recognised by the trailing "$" in the account name.
• Which user logs on more often than any other?
• Make a frequency chart of when this user logs in.

Section C - Focus on the events for EventID 4625 (an account failed to log on) only and report the following:
• How many times is this EventID reported?
• Describe each of these events, focusing on the user accounts and computers that were involved.
• What do you think should be done to solve this issue?

Section D - Report the tools you used
• Report which software tools you used.
• Identify the methods you used to find the information.
• Report any functions, scripts or semi-automated methods you applied in the tools.

Stage 2 - Programming

Using a programming language of your choice, write an application to scan through the supplied data file and generate output about each Event ID Type. You may choose Java, Python, or a combination of Bash and Linux commands like grep, awk, and sed. These are potentially powerful commands that can be scripted and linked together with piping.

Section A:
Your program should read the file as input and write an output file. To start, you probably want to create a file reader/writer that simply duplicates the existing file line-by-line.

Section B:
Modify your program so that it duplicates into your output file only the lines associated with a specified EventID. Notice that the input file has multiple lines per "event" and the EventID is *NOT* on the first line, so your program must read a whole event before deciding whether to keep it. Your program can either accept the EventID as keyboard input, or you can hard-code it into your program as a static variable.
Generate an output file for Event ID 4624.

Section C:
Modify your program to count the number of times the event ID occurs. Run your program and generate an output file for Event ID 4625.

Section D:
Modify your program to report the number of times the given event ID occurs over time, bucketed by hour. Your output should look like the following (the hour in ISO format, then the count):

2011-04-15T14 20
2011-04-15T15 8
2011-04-15T16 3
2011-04-15T17 29
Etc.
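The following is an added example, not code from the assignment or its data file: a Python program covering Stage 2 Sections A to D (read records, filter by EventID, count, and bucket by hour) plus the Stage 1 Section B user count. The record layout is an assumption, since the supplied file is not reproduced here: one event per block of "Key: Value" lines, blocks separated by a blank line, "Date and Time" on the first line and "Event ID" on a later line. The sample log embedded in the block is constructed; the file name logscan.py and the function names are hypothetical.

```python
"""Stage 2 helper (Sections A-D) plus the Stage 1 Section B user count.
Assumed record layout (an assumption, not the assignment's real format):
one event per block of "Key: Value" lines, blank line between blocks,
"Date and Time" on the first line and "Event ID" somewhere below it."""
import re
import sys
from collections import Counter

# Constructed sample export, used when no file is given on the command line.
SAMPLE_LOG = """\
Date and Time: 2011-04-15T14:03:22
Event ID: 4624
Account Name: jsmith
Workstation Name: WS01

Date and Time: 2011-04-15T14:41:09
Event ID: 4624
Account Name: jsmith
Workstation Name: WS01

Date and Time: 2011-04-15T14:50:00
Event ID: 4624
Account Name: WS01$
Workstation Name: WS01

Date and Time: 2011-04-15T15:10:31
Event ID: 4624
Account Name: admin
Workstation Name: WS02

Date and Time: 2011-04-15T15:12:44
Event ID: 4625
Account Name: admin
Workstation Name: WS02

Date and Time: 2011-04-15T15:13:02
Event ID: 4625
Account Name: admin
Workstation Name: WS02

Date and Time: 2011-04-15T16:00:15
Event ID: 4634
Account Name: jsmith
Workstation Name: WS01
"""

KEY_VALUE = re.compile(r"^\s*([^:]+?):\s*(.*)$")
ISO_HOUR = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}")


def parse_events(text):
    """Turn the export into a list of dicts, one per blank-line-separated block.
    A key seen twice keeps its last value: in a real 4624 record the 'New Logon'
    Account Name follows the 'Subject' one, and New Logon is the account that
    actually logged on."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = KEY_VALUE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Event ID" in fields:  # skip fragments that carry no EventID at all
            fields["_raw"] = block
            events.append(fields)
    return events


def filter_by_event_id(events, event_id):
    """Section B: keep only the records for one EventID (int or str)."""
    return [e for e in events if e["Event ID"] == str(event_id)]


def write_events(events, path):
    """Sections A/B: write whole records (every line of each event) to a file."""
    with open(path, "w", encoding="utf-8") as out:
        out.write("\n\n".join(e["_raw"] for e in events) + "\n")


def count_event_id(events, event_id):
    """Section C: how many times the EventID occurs."""
    return len(filter_by_event_id(events, event_id))


def hourly_counts(events, event_id):
    """Section D: [(YYYY-MM-DDTHH, count), ...] in time order. Records whose
    timestamp is not ISO-like are reported under 'unparsed' rather than lost."""
    buckets = Counter()
    for e in filter_by_event_id(events, event_id):
        ts = e.get("Date and Time", "")
        buckets[ts[:13] if ISO_HOUR.match(ts) else "unparsed"] += 1
    return sorted(buckets.items())


def logons_per_user(events):
    """Stage 1 Section B: successful logons (4624) per user account.
    Computer accounts end in '$' and are excluded."""
    names = (e.get("Account Name", "") for e in filter_by_event_id(events, 4624))
    return Counter(n for n in names if n and not n.endswith("$"))


if __name__ == "__main__":
    # usage: python logscan.py [EVENTID] [EXPORT.txt]. Event Viewer text exports
    # are often UTF-16; change the encoding below if the file reads as garbage.
    event_id = sys.argv[1] if len(sys.argv) > 1 else "4624"
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_LOG
    evts = parse_events(text)
    print(f"EventID {event_id}: {count_event_id(evts, event_id)} events")
    for hour, n in hourly_counts(evts, event_id):
        print(hour, n)
```

Because the EventID sits below the first line of each record, the program buffers a whole blank-line-delimited block before deciding whether to keep it; if the real export separates events differently (for example by a line of dashes), change only the `re.split` pattern in `parse_events`. The hour bucket is taken from the timestamp string as written in the file, so the time zone question from Stage 1 Section A applies to Section D output too.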

What to turn in
1. A one-paragraph summary of your analysis. Include the following items. Make sure to write in good analytic style: BLUF (bottom line up front), active voice, short sentences and paragraphs.
2. An overview of the data you were given. When do the data start? When do they end? How many records? (Stage 1, Section A)
3. A count of the log on and log off events. (Stage 1, Section B)
4. The answers to the remaining sections of Stages 1 and 2 above, including your list of tools, scripts, code, etc.
5. Identify any events that you think are unusual; these are potential Indicators of Compromise.

Attachment: Windows Security Log Analysis.rar

