
What the Log?! So Many Events, So Little Time...

BSides Luxembourg · 2019 · 33:52 · 85 views · Published 2019-11 · Watch on YouTube

Category: Technical
About this talk
Detecting adversaries is not always easy, especially when it comes to correlating Windows Event Logs to real-world attack patterns and techniques. EventList helps to match Windows Event Log IDs with the MITRE ATT&CK framework (and vice versa) and offers methods to simplify detection in corporate environments worldwide. Use this tool to:

- Import either Microsoft (MSFT) baselines or custom GPOs
- Find out immediately which events are being generated and which MITRE ATT&CK techniques are covered by the selected baseline/GPO
- Choose MITRE ATT&CK techniques and generate GPOs that produce the events needed for detection
- Generate agent forwarder configs that cover only the events needed for detection (avoid being "log spammed")
- Generate queries to detect the chosen MITRE ATT&CK techniques, regardless of the SIEM solution used
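As an added example (not EventList's own code, which is PowerShell), here is a Python miniature of the two lookups the abstract describes: baseline to generated events to covered ATT&CK techniques, and chosen techniques back to the event IDs a forwarder config needs. The baseline, audit-subcategory and event-to-technique tables are constructed for the demo (the event ID to technique assignment is illustrative, not EventList's database); the Splunk Universal Forwarder `whitelist` stanza and the Windows Event Forwarding XPath are the real configuration syntaxes.

```python
"""
Added example, not EventList's own code: baseline -> events -> ATT&CK
techniques, and techniques -> events -> forwarder config. All three tables
below are constructed for the demo; the event ID -> technique mapping is
illustrative, not EventList's database.
"""

# Constructed: advanced audit subcategories a demo baseline turns on
BASELINES = {
    "Workstation-Demo": {"Logon", "Process Creation"},
    "Server-Demo": {"Logon", "Logoff"},
}

# Constructed: audit subcategory -> Security event IDs it produces
# (4624/4625/4648/4688 are the IDs named in the talk)
SUBCATEGORY_EVENTS = {
    "Logon": {4624, 4625, 4648},
    "Logoff": {4634},
    "Process Creation": {4688},
}

# Illustrative event ID -> ATT&CK technique IDs (demo mapping)
EVENT_TECHNIQUES = {
    4624: {"T1078"},           # Valid Accounts
    4625: {"T1078", "T1110"},  # Valid Accounts, Brute Force
    4648: {"T1021", "T1078"},  # Remote Services (lateral movement)
    4688: {"T1059"},           # Command and Scripting Interpreter
}


def baseline_events(baseline):
    """Event IDs generated once the baseline's audit subcategories are applied."""
    ids = set()
    for sub in BASELINES[baseline]:
        ids |= SUBCATEGORY_EVENTS[sub]
    return sorted(ids)


def techniques_covered(baseline):
    """ATT&CK techniques for which the baseline produces at least one event."""
    techs = set()
    for eid in baseline_events(baseline):
        techs |= EVENT_TECHNIQUES.get(eid, set())
    return sorted(techs)


def events_for_techniques(technique_ids):
    """Reverse lookup: the event IDs needed to cover the chosen techniques."""
    wanted = set(technique_ids)
    return sorted(eid for eid, techs in EVENT_TECHNIQUES.items() if techs & wanted)


def splunk_inputs(event_ids):
    """inputs.conf stanza for the Splunk Universal Forwarder: forward only these IDs."""
    return (
        "[WinEventLog://Security]\n"
        "disabled = 0\n"
        f"whitelist = {','.join(str(i) for i in event_ids)}\n"
    )


def wef_xpath(event_ids):
    """XPath select for a WEF subscription or other XPath-based collector."""
    clause = " or ".join(f"EventID={i}" for i in event_ids)
    return (
        '<QueryList><Query Id="0" Path="Security">'
        f'<Select Path="Security">*[System[({clause})]]</Select>'
        "</Query></QueryList>"
    )


if __name__ == "__main__":
    print(techniques_covered("Workstation-Demo"))
    ids = events_for_techniques({"T1021", "T1110"})
    print(splunk_inputs(ids))
    print(wef_xpath(ids))
```

The reverse lookup is what keeps the forwarder from being "log spammed": only the IDs that map to a selected technique end up in the whitelist or the XPath select, so everything else stays on the endpoint.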
Transcript [en]

Thank you. So I was being told that this session should be very interactive, so I would like to just jump in and raise your question whenever you like. I'm Miriam. I currently work as a Program Manager for Microsoft Defender ATP at Microsoft, and I used to work as a Premier Field Engineer, this is some kind of a consultant, before I switched to my current role. This tool was created while working as a PFE, and the tool is not supported by Microsoft, so if you have any issues about it, or feature requests, or bugs, then please report to me, not to Microsoft, they won't help you. And first of all, who was already in the Hack.lu

presentation? Everybody? Okay, some people here, most of you not yet, so few. So I just start from the beginning. When I worked as a PFE with customers, I did a lot of security assessments, so I just came in to the customer, we configured the tool, collected some data, I worked on the reports and had the presentation in the end, so I told the customer what is good in the environment and what is not. And most of the time there is one big issue, and what could that be? Say it loud. The logs? Yes, that goes in the right direction. Most of the time customers had no auditing at all, so they could not see what happens in their

environment, and this is very bad, because when an attacker tries to attack your organization, your environment, he or she has all the time in the world. The attacker wants to get information about your environment, about your employees: who's clicking on links, who opens attachments, who's the administrator, who's the CEO. And once the attacker is prepared, then, well, the attack does not take more than 24 to 48 hours until the attacker has hold of your entire environment, so Enterprise Administrator. And if the attacker is Enterprise Administrator, well, what can the attacker do? Come on, people, I know it's early. Exactly, everything. And most of the companies, they don't detect at all that there is something fishy

going on in their environment, and if they do, most of the time it's already after 200 days or something. And therefore there was a time when companies said, okay, yes, of course we do have a hardware firewall, we do have an anti-virus scanner, of course we are safe, yeah, why should we? But times have changed. Maybe this was true 10 years ago, but not anymore, because also the attackers have noticed that it is not that easy to breach a hardware firewall anymore, unless it does not have something configured. So normally they go after the easiest link, which is most of the time the user, right? And the attacker sends a phishing mail, or sends somehow

an e-mail, and grabs the identities, and once he has one identity, he uses this identity to identify as a user and to grab even more and more identities and to move laterally in the environment, grabbing more identities until the attacker has full control of the whole environment. Yay. And to protect organizations from identity theft, Microsoft has deployed, or not deployed, but has this Microsoft Security Compliance Toolkit, which we recommend to harden the systems. So there are a lot of recommendations in there. You can download it if you search for Microsoft Security Compliance Toolkit, and in this toolkit you can find several baselines, you can find the Policy Analyzer and also other tools. And the baselines, those

are some kind of GPOs which you can implement in your environment, but be careful, do not just implement them and walk away, because it is really, really, really, really important to test if everything still works, because it hardens your systems, and if you did not test it, I wouldn't say that your system works anymore. So be careful, but this is the recommendation of how it should look, at least. And in those baselines there are not only hardening settings, there are also audit policies included, and an audit policy is a recommendation of what you should monitor, because there are those advanced audit event logs, and those event logs you can configure, and if you configure them you can see even

more events in your environment. So if you configure them and you get even more events, that is awesome, isn't it? Yes? Well, they all... it's horrible to read through every event, because, can somebody of you tell me at least one event ID that you remember? And not those... yes, please. Very good, so you worked with this before, very good. Anybody else? Yes. And it's very hard to really tell them. Can you explain what those event IDs mean? Yes, I do. 4688 is process execution, so if you work in incident response, that's the one to know. 4624 is logon, I think, what is it, a successful logon, 4625 is failed logon,

4648 as well, for lateral movement, it tells you when you log in on remote systems. Those are the most important events to spot lateral movement. I know, or I see, you have worked with that before. What did you do? We tried to list them all, and during an incident, to try to find all potentially infected systems or where the attacker could have been during the incident. Nice. So I tried that too, so I also remember those event IDs, and this is also when I started to work on this tool, because I had this customer, and this customer told me, okay, we want to implement the security baselines, but we have no idea what events will be

generated, which events are being generated and which events are important. And I was helping the customer to build their SOC environment, and so the customer asked me, is there actually a document which you can use to find out which events are being generated when you apply a certain baseline? And I was like, well, we have this document, and it has 754 pages. And the customer was like, are you kidding me? Hmm. So the customer asked, do we really have an overview of all the events that are being generated? And I was like, well, no, we don't have it. And so the customer asked me to write down all the events that are being generated if he

applied this particular baseline, and I was like, yes, I'm super excited, I can do, can do. And so I sat down, started to write down the events, and somehow, while I was writing down the events for this particular baseline, the customer showed up at my desk and told me, oh, and while you're at it, please also write down the events of this baseline, of this baseline, of this baseline, and you have so many baselines at Microsoft, can you just write it down for every baseline? And I was like, no way, there is no time in the world for doing that. And so I thought, how can I solve this problem? And I came up with the idea of automating it, and this

was the time when the first version of EventList was born. So as I started to write down those events in an Excel file, I created an Excel file with several macros, and you could import a baseline, that's here, you could import the Microsoft baselines. When you imported them, they showed up here in the drop-down, and then you could generate an event list for the baseline, where you find all the IDs, all the event IDs, all the information, all the documentation for the events which will be generated if you apply this particular baseline. And the customer was happy, I moved on to the next customer, and the next customer was pretty excited about my tool, and then

they asked me, well, have you heard about MITRE ATT&CK? MITRE ATT&CK is pretty awesome if you want to detect in the environment. And MITRE ATT&CK, who of you knows MITRE ATT&CK? Okay, I think there's more than on Tuesday. So MITRE ATT&CK is a framework that helps you to understand the way that an attacker takes in your environment. So all the areas, you have several areas here, so it's the Initial Access, for example, Execution, Persistence, Privilege Escalation, and so on. So you have several categories, which are called areas, and to these areas you have several techniques mapped, and it is some kind of a recommendation of what can happen and how you can protect yourself. And when

you look at this little MITRE ATT&CK flower, it looks like a flower, it is very beautiful, but actually it's all about MITRE ATT&CK, and this graphic displays the MITRE ATT&CK techniques mapped to data sources. And when we only look at the data sources of MITRE ATT&CK compared to EventList, we are only here, so that means we are only looking into the Windows event logs at this time. And so the customer wanted me to implement MITRE ATT&CK in the first place, and they also had other problems while building their SOC. So what problems come up when you build a SOC? Who of you has built a SOC, or who of you is working in a SOC?

Okay, so what problems did you have? Too many events? Too many events. So first, my first customer had the problem that they did not know which events are being generated if you apply a particular baseline. Next step is too many events. Maybe you are not in the fortunate position to have all the storage capacity in the world, and maybe you use, okay, I don't drop names, but maybe you have only a limited SIEM system, so that you cannot forward all the event IDs that you would like to, and so you need to filter. So next step: which events are important and which events do you want to forward? And last but not least, if you

have all these events, what's the next step? Searching, exactly. Some people say, okay, now we have the events, so we are keeping them for forensic purposes, so if we are getting breached then we can look it up. Well, that doesn't happen, because if you aren't used to working with those events, then you have no idea what's going on if you are getting breached. And so therefore you should really, really, really, really, really hunt proactively in your environment. And those were the issues that my customers had when working with them, and I try to address them with the tool EventList.

So EventList is based on PowerShell. You can install it, you can find it on GitHub, and there is also a documentation on how you can install it. You can install it with Install-Module, and, well, I still need to work on naming conventions, so at this moment you open EventList with Open-GUI, that will be changed someday. And if you open it, this is the interface that shows up when you open EventList, and you still have the functionality to import baselines, and I already imported some, so you can choose which baseline you want to select, and then if you select the baseline you immediately see which

MITRE ATT&CK techniques and areas are being covered by that baseline. Of course you can also delete a baseline, which I just do because I forgot to clean up after my last presentation. I delete the selected baseline, and if you don't trust the imported baselines, you can also just delete all the baselines and import your own baselines.

So if you just want to generate an event list, this functionality is still given, and here you have several options. So you can generate baseline events only, so this is still the same as in the old Excel sheet: you still have the event ID, you see which option configures it, you see what happens, you even have a documentation link, and you also have the recommendation if you should monitor it or if it's just an event that maybe is important for performance analysis or something else, maybe something nice to know, but not for your security. Then you also have the option to export it as a CSV. I prepared a CSV already, so that I

don't need to generate it over and over again, and this is what it looks like. So it's just a plain CSV which you can use to import in other Excel sheets or in other programs, or however you want to process it. And you can also say, okay, maybe I want to see which events are being covered if I mark several MITRE ATT&CK techniques. If you do so, you say, okay, I want this on a MITRE ATT&CK basis, and you see the technique ID, you see the technique name, you see the event ID and the event name. And yes, I have to admit, not every piece of information is filled in yet for the event IDs, so if you would like to

contribute, please go ahead. There are a lot of events that still should be filled out, but there are also a lot of events that are already included in the database, but nevertheless you have the event ID to look it up yourself. Okay, so first problem: what event IDs are being generated if you apply a particular baseline? Check. Next problem: which events are important to forward? And for this particular reason I have the Generate Agent Config. So you select the MITRE ATT&CK techniques that are important for you, and/or you can just select the baseline and your boxes are being filled, and you can just select the SIEM option of your choice. At this moment there is only Splunk Universal

Forwarder, for example, you get a snippet for Splunk and you can just copy and paste it to your configuration and deploy it on your clients. Well, for Microsoft Defender I just implemented it as an Easter egg, I'm sorry, you don't need events at this particular moment for Microsoft Defender ATP because it works with streams. But I also included ArcSight or other XPath-based systems, so you can just copy and paste it into your configuration, you don't need to do all the work yourself to write EventID equals 46-whatever-4. And of course you can also generate a GPO. If you say, okay, I want to cover particular MITRE ATT&CK areas, then you can click on the

Generate GPO, choose a folder where to store it, and ta-da, this is our very own GPO for this use case, which relies on advanced audit policies, or advanced audit configuration, and you see here in Machine\Microsoft\Windows NT\Audit you have the path that configures your advanced audit configuration. So at this moment Sysmon is not included yet, but I plan to include it in the future, so at this time you can only generate a GPO for advanced audit policies. And if you have a GPO as an input and you generate a GPO out of it, it's not the same GPO that falls out, because I have concentrated this tool only on security events, so only the

security events that I have chosen in the database will be used for the GPO output. Okay, last but not least, what's the last question that we have? Hunting, exactly, hunting. And for the hunting part I rely on a tool which is called Sigma. Okay, at this moment there is actually, at this moment, there is at the MITRE ATT&CK workshop... somehow Thomas's and my session are just being scheduled in parallel. I really would love to see his session, but, well, unfortunately I cannot drop the mic and go to the session. But at this moment there is also a session from Thomas Patzke at the MITRE ATT&CK workshop about Sigma, and Sigma was created by

Florian Roth, and Thomas Patzke is one of the main contributors, and I think he's also one of the co-founders and maintainer. But Sigma is an awesome project which has one generic language, which is called YAML, and if you write a configuration in YAML format, you can just pipe it to the Sigma converter and you can generate a query for the SIEM system of your choice. And at this moment there is, for example, Splunk supported, Microsoft Defender ATP is also supported, and I'm very proud that I worked with John Tuckner on the Azure Log Analytics support, so also a shout-out to John, great work. And this is the base for the hunting query

generation. And so if you choose particular areas or techniques here in EventList and you click on Generate Queries, then you can choose a SIEM solution of your choice, but that's not all you can do, because I have several options in here. With the Generate Queries, for the Generate Sigma Queries, you have two options. If you have nothing configured so far in EventList, then you just get the queries that you can copy and paste into Sigma to generate your queries. But if you have Sigma installed on your client, there is this option, Configure EventList, and you can configure the Sigma path, and you configure the path where sigmac is located. So this is in the Git

repository in the tools folder. You click OK and you see here sigmac, and if you have this option configured and you click on Generate Queries, then you can immediately convert the queries into the SIEM language of your choice. Well, Microsoft Defender is not a SIEM, but you can use it to hunt. And this takes a very long time at this moment, because my tool is written in PowerShell and Sigma is written in Python, and so that's why I have prepared some queries. So if you have Sigma installed and configured in EventList, this is the output that you would get. So you have a folder, and you have three files in it and a folder. In the folder yaml you see all

the YAML configurations, the plain YAML files. In the queries you see that it is configured in Markdown, so you can just copy and paste it to the documentation system of your choice, and you also have the query already translated to the language of your choice. And if you don't want to have all those headlines and the information about the author or description, then you can just go in the folder and open the EventList queries txt, because in this document it's just piped to this document, the commands that you need to configure it, and so you can just copy it and paste it into your solution. And we also have a log file in

here, because Sigma does not support everything yet, maybe based on the SIEM system, maybe based on other things, that maybe there needs to be some work done in the backend. Please, if you want to also support Sigma, and if you like it, you can improve it. Oh, and if some rule fails to create a Sigma rule, you will find it here in the log, and if you want this rule to be implemented, you can go ahead or ask the developer of your choice to implement it, or maybe find another solution. So if we do the same thing for Splunk, you see you have here also the query for Splunk. You can do

this with every language of your choice, and same format here with txt and also with the log. Okay, so the query is not finished yet, or the Generate Query step is not finished yet, now it's finished, because there's also this option, Generate Queries in YAML format. If you select this option, then you get this output, so you just have the yaml folder, you have just the plain information in the Markdown file to copy and paste it to your documentation system of your choice, you also have the log file, and most of the time everything goes well, and you have the yaml folder again. And if you don't configure EventList, if you

don't configure the Sigma path and generate the queries, then you just get the command which you can pipe into your Sigma backend to generate the queries there, because maybe for some reason you don't want to have Sigma installed on your machine, or you don't want to have Python installed or something. This is what you can do if you have Sigma running in the backend. And basically that is EventList. So I'm still looking for people who would like to contribute, so if you say, okay, EventList is a cool thing, I have ideas, I want to help with this project, please go ahead, contact me. I'm on Twitter, I'm on LinkedIn, I'm on GitHub. I think the best

way to reach out to me is on Twitter. If you have some ideas and already worked on something, then just send me a pull request, I will review it, and please make sure that it runs through several security checks. And I would love you to participate on EventList, to contribute to it and tell me what you think, tell me what ideas you have. That is EventList. Thank you very much, and if you have some questions, I'm here to answer them. Thank you.

So do we have some questions? No? Okay, so I have one. So first, I think it's a very cool tool, and thank you very much for this, that's going to aid me

a lot. And I was wondering, how did you do the mapping between the events themselves and the ATT&CK matrix techniques, because, yeah, was it manual? Yes. Okay, the next question normally is, how long did it take you? Yes, it took me a long, long, long time, I think it was something about half a year to a year until I did all the mapping, I used a lot of my spare time. Okay, thank you very much for this. Any other questions?

Otherwise I'll also be at the MITRE ATT&CK workshop today at 2:00 p.m. If you can't get enough of EventList, come visit my session, 2 p.m., MITRE ATT&CK workshop. Thank you, thank you. [Applause]
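The Sigma step the talk describes (write a rule in YAML, pipe it through sigmac, get a query for the SIEM of your choice back), as an added Python example that is neither EventList's nor Sigma's own code. The technique-to-event-ID table is illustrative, not EventList's database; the YAML emitter is a minimal one for this fixed rule shape so the script runs without PyYAML; the `sigmac -t ... -c ...` invocation assumes the legacy sigma repository layout with `tools/config/splunk-windows.yml`; and `splunk_query` is a simplified stand-in for what sigmac's Splunk backend emits for a `windows`/`security` log source, not its actual output.

```python
"""
Added example, not EventList's or Sigma's own code: build a Sigma rule for
the Security event IDs an ATT&CK technique needs, print the sigmac command
that would translate it, and show a simplified Splunk translation.
The technique -> event ID table is illustrative, not EventList's database.
"""
import uuid

# Illustrative ATT&CK technique -> (name, tactic tag, Security event IDs)
TECHNIQUE_EVENTS = {
    "T1078": ("Valid Accounts", "defense_evasion", [4624, 4625]),
    "T1021": ("Remote Services", "lateral_movement", [4648]),
    "T1059": ("Command and Scripting Interpreter", "execution", [4688]),
}


def _scalar(value):
    """Render a YAML scalar or a flow-style list (enough for this rule shape)."""
    if isinstance(value, list):
        return "[" + ", ".join(str(v) for v in value) + "]"
    return str(value)


def to_yaml(rule):
    """Minimal YAML emitter for the fixed Sigma rule layout built by build_rule()."""
    out = []
    for key, value in rule.items():
        if isinstance(value, dict):
            out.append(f"{key}:")
            for k2, v2 in value.items():
                if isinstance(v2, dict):
                    out.append(f"    {k2}:")
                    out.extend(f"        {k3}: {_scalar(v3)}" for k3, v3 in v2.items())
                else:
                    out.append(f"    {k2}: {_scalar(v2)}")
        elif isinstance(value, list):
            out.append(f"{key}:")
            out.extend(f"    - {v}" for v in value)
        else:
            out.append(f"{key}: {value}")
    return "\n".join(out) + "\n"


def build_rule(technique_id, author="eventlist-demo"):
    """Sigma rule (as a dict) selecting the Security event IDs mapped to the technique."""
    name, tactic, event_ids = TECHNIQUE_EVENTS[technique_id]
    return {
        "title": f"Security events for {name} ({technique_id})",
        # deterministic UUID so re-generating the rule keeps the same id
        "id": str(uuid.uuid5(uuid.NAMESPACE_URL, f"demo/{technique_id}")),
        "status": "experimental",
        "description": f"Windows Security events mapped to ATT&CK {technique_id} (demo mapping)",
        "author": author,
        "logsource": {"product": "windows", "service": "security"},
        "detection": {"selection": {"EventID": event_ids}, "condition": "selection"},
        "tags": [f"attack.{tactic}", f"attack.{technique_id.lower()}"],
    }


def sigmac_command(rule_path, target="splunk", config="tools/config/splunk-windows.yml"):
    """The sigmac invocation the rule is piped into (legacy sigma repo layout assumed)."""
    return f"sigmac -t {target} -c {config} {rule_path}"


def splunk_query(rule):
    """Simplified stand-in for sigmac's Splunk output for a windows/security rule."""
    ids = rule["detection"]["selection"]["EventID"]
    clause = " OR ".join(f"EventID={i}" for i in ids)
    return f'source="WinEventLog:Security" ({clause})'


if __name__ == "__main__":
    rule = build_rule("T1021")
    print(to_yaml(rule))
    print(sigmac_command("rules/demo_t1021.yml"))
    print(splunk_query(rule))
```

Running it for T1021 prints the YAML rule, the sigmac command line you would run against it, and the Splunk search; the same `build_rule` output, written to the yaml folder, is what a "Generate Queries in YAML format" run hands to whichever Sigma backend you pick.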