Windows Event Logs contain a wealth of security-related information. They record events such as logon attempts, process creation, service installation, network connections, and configuration changes, which makes them a primary data source for incident response and threat hunting.
Querying Windows Event Logs helps identify suspicious activity quickly.
Incident response examples:
- Trace failed or unusual logon attempts (Security Event IDs 4625 and 4624) to identify potential unauthorized access.
- Investigate the creation of suspicious processes (Event ID 4688, ideally with command-line auditing enabled) that may indicate malware execution.
- Detect changes to critical system settings or security configurations, such as audit policy changes (Event ID 4719).
- Identify unauthorized access to sensitive resources.
Threat hunting examples:
- Query for unexpected user account activity or privilege escalation attempts, such as special privileges assigned to a logon (Event ID 4672) or additions to privileged groups (Event IDs 4728 and 4732).
- Search for anomalous process executions or unusual parent-child process relationships.
- Identify spikes in failed logon attempts (Event ID 4625) that could indicate brute-force or password-spraying attacks.
- Look for unusual service installations (Event ID 7045) or registry modifications (Event ID 4657) that may suggest persistence mechanisms.
However, due to their scale, Windows Event Logs can present challenges to overcome.
Windows Event Logs can be substantial in volume, often ranging from hundreds of gigabytes to multiple terabytes per day, making traditional SIEM solutions extremely costly. The storage and analysis of these logs in a SIEM can result in considerable expenses, often running into six or seven figures annually.
When dealing with hundreds of terabytes or even petabytes of logs, teams frequently move logs into object storage, like S3, for scalability and cost reduction.
However, querying for a specific event or IOC across logs stored in S3 at this scale can take 12 hours or more with traditional tools like Amazon Athena, which scan the data rather than search an index.
These challenges significantly slow down incident response and introduce inefficiencies into threat hunting processes.
Scanner offers a better approach. By indexing these logs directly in S3, Scanner provides fast, cost-effective search capabilities.
For volumes of 1TB or more, it is common to see cost savings of $500k or more compared to traditional SIEMs by using Scanner to search these logs directly in place in S3.
Incident response and threat hunting teams benefit from Scanner’s speed, particularly for high-selectivity queries like IP address and IOC searches.
For example, finding a specific event or IOC in a petabyte of logs will take tens of seconds, while Athena may take tens of hours.
Imagine a scenario where an analyst on your security team is concerned about potential persistence mechanisms in your Windows environment. They want to proactively identify any unusual service installations or registry modifications that could indicate a malicious actor is establishing persistence.
To address this concern, the analyst looks for activity related to service installations and registry modifications. Using Scanner, they set up detection rules that monitor Windows Event Logs for specific events: a new service being installed (Event ID 7045 in the System log, or 4697 in the Security log when the Audit Security System Extension subcategory is enabled) and changes to registry keys that alter startup configuration, such as the Run and RunOnce keys. Note that registry value changes only appear in the Security log (Event ID 4657) if the Audit Registry subcategory is enabled and a SACL is set on the key; Sysmon Event ID 13 is a common alternative source for the same signal.
The analyst configures Scanner to track these activities in the Windows Event Logs stored in S3, ready to catch any unusual patterns. A week later, Scanner triggers an alert related to an unusual service installation.
The analyst jumps into action, using Scanner's fast search to retrieve the relevant Windows Event Log records. They see that a new service named "WinUpdateHelper" was installed on a critical server. The name is suspicious: it resembles a legitimate Windows Update component but is not one, a common lookalike technique. The 7045 record also carries the service's image path and start type, which tell the analyst which binary the service launches and whether it starts automatically at boot.
Diving deeper, the analyst gathers more details on the event, including the account that performed the installation and the time it occurred. The installation took place outside normal working hours and was performed by an account that does not normally hold administrative privileges. Since installing a service requires administrative rights, that alone suggests the account was elevated or its credentials were misused.
To build a better picture, the analyst uses Scanner to perform a historical search of activity attributed to the account over the past few months. They find a pattern of unusual behavior: the account has recently made multiple attempts to access protected registry keys. Coupled with the suspicious service installation, it appears that a persistence mechanism is being established.
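The detection rules and the triage steps described above (service installation and Run key rules, then off-hours and privilege checks, then a historical pivot on the account), as an added example that is not part of the original post and is not Scanner's own rule syntax. It runs plain Python over a few constructed NDJSON records standing in for Windows events exported to S3; the flattened field names (User, ServiceName, ImagePath, ObjectName), the allowlists, and the business-hours window are assumptions for the example, since real exports vary by forwarding agent.

```python
import json
from datetime import datetime

# Constructed sample events, not real telemetry. They imitate NDJSON records
# as a forwarding agent might write Windows events to S3. The flattened field
# names are an assumption for this example; real exports differ by agent.
SAMPLE_EVENTS = r"""
{"EventID":7045,"Channel":"System","Computer":"DC01.corp.local","TimeCreated":"2024-05-14T02:17:43Z","User":"CORP\\jsmith","ServiceName":"WinUpdateHelper","ImagePath":"C:\\Users\\Public\\svc.exe","StartType":"auto start"}
{"EventID":7045,"Channel":"System","Computer":"WEB03.corp.local","TimeCreated":"2024-05-14T10:05:10Z","User":"CORP\\svc_sccm","ServiceName":"CcmExec","ImagePath":"C:\\Windows\\CCM\\CcmExec.exe","StartType":"auto start"}
{"EventID":4657,"Channel":"Security","Computer":"DC01.corp.local","TimeCreated":"2024-05-13T23:41:02Z","User":"CORP\\jsmith","ObjectName":"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","ObjectValueName":"Updater","NewValue":"C:\\Users\\Public\\svc.exe"}
{"EventID":4624,"Channel":"Security","Computer":"DC01.corp.local","TimeCreated":"2024-05-14T09:00:00Z","User":"CORP\\jsmith","LogonType":10}
"""

# Tuning knobs an analyst would maintain; the values here are assumed.
KNOWN_GOOD_SERVICES = {"CcmExec", "WinDefend", "wuauserv", "Schedule"}
ADMIN_ACCOUNTS = {"CORP\\svc_sccm", "CORP\\admin_ops"}
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
BUSINESS_HOURS_UTC = range(8, 18)


def parse_events(ndjson_text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def service_reasons(ev):
    """Rule for Event ID 7045 (System log: a service was installed)."""
    reasons = []
    if ev.get("ServiceName") not in KNOWN_GOOD_SERVICES:
        reasons.append("service name not on allowlist")
    # ImagePath may be quoted and carry arguments; compare only the path prefix.
    image = ev.get("ImagePath", "").strip().strip('"').lower()
    if image.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("service binary in user-writable path")
    return reasons


def registry_reasons(ev):
    """Rule for Event ID 4657 (Security log: a registry value was modified)."""
    key = ev.get("ObjectName", "").lower()
    if key.endswith(RUN_KEY_SUFFIXES):
        return ["Run/RunOnce key modified"]
    return []


def enrich(ev, reasons):
    """Triage context from the scenario: time of day and account privilege."""
    ts = datetime.fromisoformat(ev["TimeCreated"].replace("Z", "+00:00"))
    if ts.hour not in BUSINESS_HOURS_UTC:
        reasons.append("outside business hours")
    if ev.get("User") not in ADMIN_ACCOUNTS:
        reasons.append("account is not a known administrator")
    return reasons


def detect_persistence(events):
    """Return one finding per event that trips a persistence rule, with reasons."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 7045:
            reasons = service_reasons(ev)
        elif ev.get("EventID") == 4657:
            reasons = registry_reasons(ev)
        else:
            reasons = []
        if not reasons:
            continue
        findings.append({
            "EventID": ev["EventID"],
            "Computer": ev["Computer"],
            "User": ev.get("User"),
            "TimeCreated": ev["TimeCreated"],
            "reasons": enrich(ev, reasons),
        })
    return findings


def activity_for_user(events, user):
    """Historical pivot: every event attributed to one account, oldest first."""
    return sorted((ev for ev in events if ev.get("User") == user),
                  key=lambda ev: ev["TimeCreated"])


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for finding in detect_persistence(events):
        print(finding)
    for ev in activity_for_user(events, "CORP\\jsmith"):
        print(ev["TimeCreated"], ev["EventID"],
              ev.get("ServiceName") or ev.get("ObjectName") or ev.get("LogonType"))
```

On the constructed input, the allowlisted CcmExec install produces no finding, while the WinUpdateHelper install and the Run key write are both flagged, each enriched with the off-hours and non-administrator observations; the pivot on the account then returns its registry write, service install and later logon in chronological order. In practice the enrichment sets (administrator accounts, working hours) should come from an identity source and a per-site schedule rather than constants.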
Since Scanner can quickly perform searches like this over large amounts of data in S3, this kind of querying over large time ranges is easy to do. There is no need to rehydrate or reingest logs back into a SIEM, which can take several hours and is expensive in terms of both ingest costs and wasted time for the security team.
To continue monitoring the situation, the analyst creates a saved search in Scanner to track all future activities associated with the user account. Additionally, they set up a new detection rule to look for similar service installations across all servers in the environment—aiming to prevent any further attempts by a malicious actor to establish persistence.
The analyst then escalates the findings to the rest of the security team. Together, they decide to disable the suspicious service, after preserving its binary and the related event records for forensic analysis, and to reset the credentials for the affected user account. They also begin an investigation to determine whether other systems in the environment were affected by similar techniques.
Thanks to Scanner, the analyst was able to efficiently detect, investigate, and mitigate a potential persistence threat in the Windows environment—providing a quick response to secure the organization and prevent unauthorized access.
Whether you're responding to incidents or hunting for threats, Scanner can help you quickly get to the answers you need.