Endpoint data

What data do you need?

  • Antivirus logs

  • HIDS/HIPS

  • Host-based firewall

  • Event logs

Antivirus logs

Antivirus software is a type of security software that is designed to detect, prevent and remove malicious software, such as viruses, worms, Trojans, spyware and adware. Antivirus software uses the following techniques to identify and block malicious software:

Host-based AV

  • Allows antivirus detection for individual machines

  • Custom rules can vary for each system

Signature detection

  • Uses known-malicious attributes to detect malware

Behavioral/heuristic data

Machine learning

  • Knowledge of algorithms

  • Base data to build initial knowledge pool

HIDS/HIPS

HIDS (Host-based Intrusion Detection System)

  • HIDS is a security solution that is designed to detect potential security threats and attacks on a host system

  • HIDS software is installed on a host machine, and it monitors the system for suspicious behavior, including changes to system files, unauthorized access and malware activity

HIPS (Host-based Intrusion Prevention System)

  • HIPS is designed to prevent malicious activity from occurring on a host system

  • Like HIDS, HIPS software is installed on a host machine, and it uses various techniques to prevent unauthorized access and malicious activity, including behavioral analysis, application control and network intrusion prevention

  • HIPS can also block unauthorized changes to system files, monitor network traffic and prevent malware from executing on the system

Host-based firewalls

Host-based firewalls provide granular visibility and control over network traffic on individual computer systems

  • By analyzing firewall logs, a threat hunter can identify and investigate potential security threats and anomalies on a host-by-host basis

  • Host-based firewalls can be configured to log all network traffic, including allowed and blocked traffic, as well as traffic that is specifically targeted by firewall rules

  • By reviewing firewall logs, a threat hunter can identify patterns and anomalies in network traffic that may indicate security threats, such as unauthorized access attempts, malware infection or suspicious network activity

  • Firewall logs can also be used to track user activity on individual systems, monitor changes to system configurations and identify network-based attacks targeting specific hosts

Event logs

Windows event logs

Event logs are records of system events that occur on a computer or network, such as login attempts, software installations, system errors, etc.

  • Event logs are stored in a structured format that includes information about the event, such as the time it occurred, the source of the event and the type of event

The common types of event logs include:

  • Security logs: These logs record security-related events, such as successful and failed login attempts, changes to user accounts, etc.

  • Application logs: These logs record events related to application performance and errors, such as software crashes and application errors

  • System logs: These logs record events related to the system, such as system startup and shutdown, hardware failures and driver errors.

Linux event logs

Linux log locations

  • Most common/important logs

    • System process log - /var/log/syslog

    • General system messages - /var/log/messages

    • Authentication log - /var/log/secure (or auth.log)

    • System boot log - /var/log/boot.log

  • Locating logs using the command line

    • Navigation using the command line - cd and ls

    • Most logs located at /var/log
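As an added example (not part of these notes), the following script hunts through sshd entries from an authentication log such as /var/log/secure or /var/log/auth.log: it counts failed logins per source address, flags sources that exceed a threshold, and flags a successful login from a source that had already failed that many times. The log lines, hostname, PIDs and IP addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog format used by /var/log/auth.log or
# /var/log/secure (host, PIDs and addresses are invented for this example).
SAMPLE_AUTH_LOG = """\
Mar  4 09:12:01 host1 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51522 ssh2
Mar  4 09:12:03 host1 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51524 ssh2
Mar  4 09:12:05 host1 sshd[2212]: Failed password for root from 198.51.100.23 port 51530 ssh2
Mar  4 09:12:08 host1 sshd[2214]: Failed password for root from 198.51.100.23 port 51533 ssh2
Mar  4 09:12:11 host1 sshd[2216]: Accepted password for root from 198.51.100.23 port 51540 ssh2
Mar  4 09:15:42 host1 sshd[2300]: Failed password for alice from 192.0.2.7 port 40122 ssh2
Mar  4 09:15:50 host1 sshd[2301]: Accepted publickey for alice from 192.0.2.7 port 40130 ssh2
Mar  4 09:20:00 host1 CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches the sshd "Failed ... for [invalid user] X from IP port N" and
# "Accepted ... for X from IP port N" message shapes; other lines are ignored.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_sshd(log_text):
    """Yield (result, user, ip) for each sshd authentication line."""
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")

def hunt_auth_log(log_text, threshold=3):
    """Summarise failures per source and flag two hunting patterns:
    sources with at least `threshold` failures, and a successful login
    from a source that had already failed at least `threshold` times."""
    failures = Counter()
    success_after_failures = []
    for result, user, ip in parse_sshd(log_text):
        if result == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            success_after_failures.append((ip, user, failures[ip]))
    bursts = {ip: n for ip, n in failures.items() if n >= threshold}
    return {"failures": dict(failures), "bursts": bursts,
            "success_after_failures": success_after_failures}

if __name__ == "__main__":
    print(hunt_auth_log(SAMPLE_AUTH_LOG))
```

Run it against a real file with `hunt_auth_log(open("/var/log/auth.log").read())`; the single failure from 192.0.2.7 stays below the threshold and is reported only in the per-source counts.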

Logging on Windows and Linux

Main differences between platforms

  • Windows

    • Event Viewer provides stability

    • Event Log (EVT) format

    • Use Event Viewer to read

  • Linux

    • Log variation based on distribution

    • TXT format

    • Use less, cat or a text editor to read
