My DFIR happy place is a Windows event log with 4688 events. Third-party IR consulting teaches you to have modest expectations at best.
@hal_pomeranz How often do you see the Event ID configured in enterprise environments? 4688 is great to have on servers with relatively few processes spawned. Also, in your experience, how verbose are the logs?
Replying to @ThisIsAGorecki
Rarely, but that's partially because of my role as a third party. Sites that are mature enough to have enabled this event also likely have in-house IR capability, so I'll almost never visit them.

Mar 29, 2022 · 1:32 PM UTC

Replying to @hal_pomeranz
I often advise clients to ask their IR teams about what logs they need for forensic analysis and investigations, and include them in their system configuration requirements. There are so many valuable event types I still see missing in the field.
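A configuration check that matches the advice above, added here as an example and not part of the thread: it reports whether Process Creation auditing (Event ID 4688) and command-line capture are turned on, then measures how many 4688 events the host produced in the last 24 hours. It assumes an elevated PowerShell session on the host being checked; the registry value name is the standard one Windows uses for command-line inclusion.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.

# 1. Is the "Process Creation" audit subcategory (source of 4688) enabled?
#    auditpol /r emits CSV with an "Inclusion Setting" column.
$policy  = auditpol /get /subcategory:"Process Creation" /r | ConvertFrom-Csv
$setting = $policy.'Inclusion Setting'
Write-Host "Process Creation auditing: $setting"

# 2. Is the process command line included in 4688? Without this value set to 1,
#    the event records the image path but not the arguments.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$value = 'ProcessCreationIncludeCmdLine_Enabled'
$cmd   = (Get-ItemProperty -Path $key -Name $value -ErrorAction SilentlyContinue).$value
Write-Host ("Command line in 4688: {0}" -f $(if ($cmd -eq 1) { 'enabled' } else { 'disabled' }))

# 3. Verbosity: count 4688 events from the last 24 hours and list the
#    ten most frequently launched images, which shows what drives the volume.
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
Write-Host ("4688 events in the last 24h: {0}" -f $events.Count)

$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'NewProcessName' }).'#text'
} | Group-Object | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# To enable both settings on a host that reports them off (group policy is the
# better place for fleet-wide changes):
#   auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
#   New-ItemProperty -Path $key -Name $value -PropertyType DWord -Value 1 -Force
```

The top-ten listing is what answers the verbosity question in practice: on a server the count stays small, while workstations and build hosts can generate thousands of 4688 events a day, so size Security log retention accordingly.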