How to Monitor Network Activity with the Windows Security & Firewall Logs to Detect Inbound and Outbound Attacks


Except for physical intrusion, most attacks target the network in various ways. By monitoring network activity we can determine whether it's a bad guy simply “knocking at the door”, late-stage information exfiltration, or anything in between.

There are a variety of network-based products that capture packet traffic; however, watching traffic from the point of view of the OS provides a different perspective plus additional context that isn't available from packet analysis.

Windows provides a wealth of informative log data to help you do just that, mostly from Windows Firewall with Advanced Security, which is in all current versions of Windows. Even if you don’t use Windows Firewall to protect your systems, you can still leverage its logging, which is one of the first things I'll show you how to do in this real training for free ™ webinar.

Then we’ll dive into the events in the Windows Security Log itself and the Windows Firewall log, which is a separate text-based log file. I'll show you how to enable both types of logging. Next I'll explore the events that are logged and explain how to interpret them. Some of the events we'll discuss are:

  1. Successful inbound connections
  2. Inbound connections refused
  3. Packet drops
  4. Successful outbound connections
  5. Outbound connections refused

Then we’ll take a real-world situation and identify the different ways to put these events and this knowledge to work in order to troubleshoot a variety of security scenarios. For example, you'll learn how to detect:

  • Scans being run by malware embedded on a compromised endpoint
  • Attempts by backdoor rootkits and malware to communicate with command and control servers
  • Intrusion attempts by malicious insiders or APTs

Sifting through the amount of data we are talking about requires a solution with robust log collection and correlation features. Therefore, our sponsor, SolarWinds, has agreed to let me use their Log & Event Manager solution to perform the tasks and analysis I described above.

This will be a highly technical and practical training event. Please register now!


