How To Use The Windows Event Viewer For Cyber Security Audit

Captions
What good are system event logs if you can't view them? In this video I'm going to show you how to view Windows event logs using the built-in Windows Event Log Viewer application, and give you some tips and tricks if you ever have to review them without using a SIEM tool. But first, if this is the first time that we're meeting, welcome to my channel. My name is Jon Good, and here I get to spread my passion for cyber security training, tips and tricks, and career advice to help you go further. Remember to smash the thumbs up to like this video, hit the subscribe button and the bell icon so you don't miss future content, and make sure to leave a comment for the YouTube algorithm. If you like my training and you want more, check out my website at johngood.com to access full training courses without distracting interruptions or advertisements. Make sure that you sign up for my newsletter using the link in the description to get your free copy of my ebook on cyber security careers. You can also join me on the Discord server; the link is down in the description.

All right, let's get into the video. If you spend any time studying technology or working in the field, there's an overwhelming pressure to automate processes and aggregate data review to make things easier to do. It makes sense, right? No question that as the networks that you work on grow in size, you've got to use scalable ways of doing things. This video's subject is a little counterintuitive to that, because in cyber security there are situations where you might have to look at a single system in isolation. For example, if a system is compromised, then we might actually want to look at that individual system for indicators of compromise. We might also have to perform forensics to discover suspicious or illegal behavior. When we look at a single system we aren't typically going to install a full-blown SIEM or log analysis tool; instead, the Windows Event Viewer is one of those most basic tools that we can use to review an individual system.

The Windows Event Viewer is a tool that's built into Windows, and it lets you view events or alerts from applications, the system itself, and even security events that you're watching. The Windows Event Viewer can also be used by administrators to troubleshoot system issues, but as security professionals we use it for deeper analysis of a system's logs. When we're looking to open the Event Viewer to view different logs, the first step is to actually launch the Event Viewer. It can be done a few different ways, but the easiest way is to go to the Start menu and then type "Event Viewer", and there we go; we'll just open that up, and let me go ahead and resize this here so it's a little bit cleaner. Now, once you launch the Event Viewer you'll see a few different folders here on the left side. The Custom Views folder allows you to create custom filters based on event IDs, applications, and so on. The Windows Logs folder is where standard events are stored, and you have three main event logs. Let's open this up so you can see them: you have Application, Security, and System. Those are three of the major logs for Windows. Each log stores the type of events that it sounds like: Application holds specific events for software installed, Security stores security-relevant events like logon and logoff events, and System has everything related to the operating system itself. Now, the second way that you can open this up as well: we'll do it in a similar kind of way by going to the Start menu, and we'll open up Computer Management, and then on the left side here you'll have the Event Viewer. So, two different ways that you can do the same thing.

I hope that you're enjoying the content in this video so far. If you are, make sure to hit the thumbs up to like this video, and if you think of any questions, let me know down in the comments below. Also remember that this training and full courses can be found on my website at johngood.com without distracting interruptions or advertisements. All right, let's get back to the content.

Now I'm going to show you how to filter the specific logs for the events that you want to see. So I'm going to go ahead and open up the Security log here, and I don't have any special settings configured, so this is just all the default stuff. But in order to filter this specific log, we're going to go to Filter Current Log, and we're actually going to use event IDs. So I'm just going to take this 4624, this logon event that we see in here, and I go to this line here and I'm going to type in 4624, because that's the event ID. We could also do it by application or a lot of different things, but we're just going to do it by that event ID, so you can see that now, and then I'm going to hit OK, and there we go. Now it filtered it down: it had 583 events and it filtered it down to 94. You can see that they're all that specific event. Now, something else that you can do in there as well: you can actually provide ranges of IDs, or you can also provide multiple. So if you had another one that you wanted to put in there, you could just put a comma and then whatever the other event is that you want to filter it by.

Next I want to take you through creating a custom view. Custom views are great if you want to quickly see specific events using event IDs, or even related to specific applications. Custom filters can be exported to other systems and then imported on those systems. There are two different ways that you can create a custom view. The first way is actually filtering that system log like we just did, and then we're actually going to save this filter to a custom view, and we'll just name this "test one", OK, and then it saves it in the Custom Views section. So then, instead of going back to the system log and actually filtering down, we can just go to this custom view here, and then if you right-click the custom view, you can export the custom view, and it just saves it as an XML file that you would take back to the other computer, wherever you're taking it, and then you can right-click on Custom Views and Import Custom View, and then find the XML file. The second way that we can create a custom view is if you right-click on the Custom Views folder and then you do Create Custom View, and then you can select the specific information if you wanted it to come from the Security log specifically, and you can drill down here, and then you can also enter in the ID and everything just like we just did. So if we put in 1102 here, that is for event logs being cleared, and then we would have it in here. So if I go in here and then I clear the log, that should generate an event for us to see. Yep, and there we go: cleared by the Administrator.

Now, question of the day: what has been your experience with Windows Event Viewer? Did you even know that it existed? Let me know down in the comments below. In this video we focused on using the Windows Event Viewer to review local system logs. Remember, there will be times in your career where you have to review a single system's events, or situations where it just doesn't make sense to use an enterprise-grade analysis tool. As always, make sure to leave a like, comment and subscribe; check out my website at johngood.com for more training without interruptions or advertisements, and I'll see you next time.
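The filtering and custom-view steps above are done in the Event Viewer GUI. As an added example (not from the video and not Jon Good's code), the PowerShell below does the same thing from the command line: it filters the Security log by the two event IDs used in the video (4624 logons and 1102 log cleared), pulls out the fields an analyst usually wants from each event (account, logon type, source address), and runs the same XPath query that an exported custom view carries. It assumes a Windows host, Windows PowerShell 5.1 or PowerShell 7, and an elevated prompt, since the Security log is only readable by Administrators or members of "Event Log Readers"; the function name and the seven-day window are my choices.

```powershell
# Added example: PowerShell equivalent of "Filter Current Log" and a custom view for the
# Security log. Assumes Windows, an elevated prompt, and default Security auditing.

function Get-FilteredSecurityEvent {
    [CmdletBinding()]
    param(
        # 4624 = successful logon, 1102 = audit log cleared (the two IDs used in the video).
        [int[]]$EventId = @(4624, 1102),
        [int]$MaxEvents = 200,
        [datetime]$StartTime = (Get-Date).AddDays(-7)
    )

    # Same criteria as the GUI filter: log name plus a list of event IDs
    # (the comma-separated list you would type into the filter dialog).
    $filter = @{ LogName = 'Security'; Id = $EventId; StartTime = $StartTime }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The per-event fields live in the event XML: under EventData for most
            # security events, and under UserData/LogFileCleared for 1102.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }
            }

            $account = if ($_.Id -eq 1102) {
                $xml.Event.UserData.LogFileCleared.SubjectUserName
            } else {
                $data['TargetUserName']
            }

            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                Id            = $_.Id
                Account       = $account
                LogonType     = $data['LogonType']   # 2 interactive, 3 network, 10 RDP; empty for 1102
                SourceAddress = $data['IpAddress']
            }
        }
}

# An exported custom view is XML built around a <QueryList>; the same query can be
# fed to Get-WinEvent directly, which is handy for scripting a view onto another machine.
$customViewQuery = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=1102)]]</Select>
  </Query>
</QueryList>
"@

# Usage: reproduce the video's filter, then count results per event ID.
$events = Get-FilteredSecurityEvent
$events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize

# Any 1102 in a window you did not clear yourself is worth a follow-up: it shows who cleared the log and when.
$events | Where-Object Id -eq 1102 | Format-Table TimeCreated, Account -AutoSize

# Same result set through the custom-view query language.
Get-WinEvent -FilterXml ([xml]$customViewQuery) -MaxEvents 20 |
    Format-Table TimeCreated, Id, ProviderName -AutoSize
```

Get-WinEvent raises a non-terminating "No events were found" error when the filter matches nothing, which is why the function suppresses errors; on a system where the log was cleared moments ago (as in the video) you should still see the 1102 itself, because clearing the Security log writes that event as the first entry of the fresh log.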
Info
Channel: Jon Good
Views: 100,370
Keywords: Jon Good, cybersecurity, cyber security, cyber security jobs, cyber security training for beginners, cyber security career, information security, infosec, cybersecurity careers, cyber security analyst, cybersecurity for beginners, cyber security careers, learn cyber security, cyber security tutorial for beginners, cyber security basics, windows event viewer, how to use event viewer, event viewer windows 10, security event logs, event viewer, event logs, windows event logs
Id: -fV7jZwZuGQ
Length: 8min 0sec (480 seconds)
Published: Sat Jun 27 2020