Randy Franklin Smith's
Security Log Secrets Training
Frequently Asked Questions
Why do I need this course? Isn't the security log documented
by Microsoft and other sites?
For most events, Microsoft’s documentation simply restates the static text of
the event's description. While some information does exist, it's riddled with
inaccuracies. Most important, there is insufficient guidance and very little
background information for individual events, nor are events described in
context with other events. There are no suggested courses of action.
Other sites are valuable but only provide basic information about individual
event IDs.
To perform any substantive analysis, auditing or monitoring you need to
understand the relationship between related event IDs, know the patterns to
look for, and know how to relate event IDs to their respective control areas
in Windows security configuration.
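As an added illustration of the point above (example code written for this page, not part of the course material or any product), the snippet below correlates two pairs of related Windows Server 2008 security events: a successful logon (4624) with the special-privileges event (4672) that shares its Logon ID, and a user-account creation (4720) followed shortly by that account being added to a local group (4732). The event records are constructed sample data, not output from a real system, and the field names are simplified from the 2008 event schema (in a real 4732 the member is usually identified by SID rather than name).

```python
"""Correlate related Windows security events by the field values they share."""
from datetime import datetime, timedelta

# Constructed sample events in Windows Server 2008 event-ID numbering.
# 4624 and 4672 share a Logon ID; 4720 and 4732 share the account name here
# (simplified: a real 4732 carries the member's SID in MemberSid).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2024-05-01T08:00:00", "TargetUserName": "alice",
     "TargetLogonId": "0x3e7a1", "LogonType": 2},
    {"EventID": 4672, "Time": "2024-05-01T08:00:00", "SubjectUserName": "alice",
     "SubjectLogonId": "0x3e7a1",
     "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"},
    {"EventID": 4624, "Time": "2024-05-01T08:05:00", "TargetUserName": "bob",
     "TargetLogonId": "0x41c22", "LogonType": 3},
    {"EventID": 4720, "Time": "2024-05-01T09:10:00", "SubjectUserName": "alice",
     "TargetUserName": "svc_backup"},
    {"EventID": 4732, "Time": "2024-05-01T09:11:30", "SubjectUserName": "alice",
     "MemberName": "svc_backup", "TargetUserName": "Administrators"},
    {"EventID": 4732, "Time": "2024-05-01T15:00:00", "SubjectUserName": "bob",
     "MemberName": "carol", "TargetUserName": "Remote Desktop Users"},
]


def _when(event):
    return datetime.fromisoformat(event["Time"])


def privileged_logons(events):
    """Map each Logon ID that received special privileges (4672) back to the
    4624 logon it belongs to, so the privileges can be tied to a user and
    logon type. A 4672 on its own does not tell you how the user got in."""
    logons = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    result = {}
    for e in events:
        if e["EventID"] == 4672 and e["SubjectLogonId"] in logons:
            logon = logons[e["SubjectLogonId"]]
            result[e["SubjectLogonId"]] = (
                logon["TargetUserName"],
                logon["LogonType"],
                e["PrivilegeList"].split(),
            )
    return result


def new_accounts_added_to_group(events, group="Administrators",
                                window=timedelta(minutes=10)):
    """Return [(account, actor, seconds_between)] for every 4720 account
    creation followed within `window` by a 4732 adding that account to
    `group`. Neither event is suspicious alone; the pattern is the signal."""
    created = {e["TargetUserName"]: e for e in events if e["EventID"] == 4720}
    hits = []
    for e in events:
        if e["EventID"] != 4732 or e["TargetUserName"] != group:
            continue
        creation = created.get(e["MemberName"])
        if creation is None:
            continue
        gap = _when(e) - _when(creation)
        if timedelta(0) <= gap <= window:
            hits.append((e["MemberName"], e["SubjectUserName"],
                         int(gap.total_seconds())))
    return hits


if __name__ == "__main__":
    for logon_id, (user, ltype, privs) in privileged_logons(SAMPLE_EVENTS).items():
        print(f"{user} logon {logon_id} (type {ltype}) got {', '.join(privs)}")
    for account, actor, secs in new_accounts_added_to_group(SAMPLE_EVENTS):
        print(f"{actor} created {account} and added it to Administrators {secs}s later")
```

Bob's logon produces nothing because no 4672 references its Logon ID, and Carol's group change is ignored because no 4720 created her within the window: the output is driven by relationships between events, not by any single event ID.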
What versions of Windows security logs are covered?
The on-site training fully covers Windows 2000, Windows Server 2003 (including
Windows XP) and Windows Server 2008 (including Windows Vista). The 2008 security
log is completely new: all new audit categories and subcategories, and completely
new event IDs.
SLS - Interactive Edition is currently only available for Windows Server 2003.
Can on-site training be adapted to just cover 2000/2003 or just 2008?
Yes
Ask a question or request a detailed course outline.
Will this course help me with compliance efforts?
Yes, you will learn how to glean key types of compliance monitoring data such as
change control, changes in privileged access and authority, unauthorized
attempts to access confidential information or modify financial data.
We just purchased a security log management solution. Aren't its pre-built
alert rules and reports good enough?
There are many security log management solutions on the market that offer good
infrastructure technology for managing the security log. However, software
developers are good at developing software, not at interpreting the cryptic
Windows security log. Consequently most pre-built alert criteria and
reports are proof-of-concept examples or, at best, help you gather the low
hanging fruit.
How did Monterey Technology Group develop Security Log Secrets?
Randy Franklin Smith, CEO of Monterey Technology Group, Inc., began researching
the Windows security log in 1998 for a client project. Due to the lack of
accurate documentation, Randy reverse engineered every
event ID
in the security log along with the codes and other detailed fields within each
event.
Along the way Randy developed an understanding of events in relation to each
other and has been able to link user and administrator level actions with
patterns of events. Since then he has provided design consultation to developers
of event log monitoring products and written over a dozen articles on the
subject, several of which now reside on Microsoft's TechNet website.
Because of constant interest from readers, Mr. Smith decided to create Security
Log Secrets as an in-person venue for sharing the results of years of research
and helping attendees implement effective monitoring, compliance auditing,
forensic analysis and intrusion detection.