4

Tracking Accounts Login and Management

Almost everything and every action in a Windows environment is tied to an account. So, during the incident investigation process, the first effective way to track and investigate an attacker’s activities is to track the compromised accounts’ login activity and any suspicious account management activity. As a SOC analyst, you must be aware of and able to analyze the account login and management event logs provided by Microsoft on the Windows OSs, which help you investigate and detect suspicious account activities.

The objective of this chapter is to make you aware of the different Windows account types, understand and be able to analyze the event logs of Windows account login activities, such as successful authentications, ...

Get Effective Threat Investigation for SOC Analysts now with the O’Reilly learning platform.
