overhack on network log monitoring

A post on network traffic analysis and log analysis is up over at OverHack. Good stuff, and I completely agree with the intro paragraph.

Doing actual log analysis is trickier than most supervisors think it is. You want to know when someone gains domain admin rights, eh? Ok, you have to watch all created accounts. You have to watch for changes to existing accounts that slide an account into the Domain Admins group, or into any other group nested inside it. You have to watch for someone sliding a whole group into the Domain Admins group. You have to watch for strange account usage and failed logins against any account in the Domain Admins group. And you can’t just look at the suspicious-looking ones; you have to track down every instance, even one that appears to match your account naming scheme.

Oh, and you can’t just do this once a week with a delta on accounts present. If an attacker created an account, used it, and then deleted it, will you notice? And we’re just talking about one (important) sliver of log data!
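To make those rules concrete, here is a small Python checker I am adding as an example (it is not from the OverHack post or anything I run in production). It walks a constructed batch of simplified Windows Security events, expands the groups nested inside Domain Admins, and flags the cases above, including an account that was created and deleted inside the same batch; the event IDs, field names and sample accounts are assumptions standing in for a real log pipeline.

```python
from collections import defaultdict

# Constructed sample: one batch of simplified Windows Security events.
# Event IDs assumed: 4720 user created, 4726 user deleted, 4728/4756 member
# added to a global/universal security group, 4625 failed logon.
EVENTS = [
    {"id": 4720, "target": "svc-backup2"},
    {"id": 4728, "group": "Tier0-Ops", "member": "svc-backup2"},
    {"id": 4756, "group": "Domain Admins", "member": "Tier0-Ops"},
    {"id": 4625, "target": "svc-backup2"},
    {"id": 4726, "target": "svc-backup2"},
    {"id": 4720, "target": "jsmith"},
    {"id": 4625, "target": "jsmith"},
]
GROUP_ADD = {4728, 4756}


def nested_groups(events, root):
    """Return root plus every group transitively nested in it (final batch state)."""
    members = defaultdict(set)
    for e in events:
        if e["id"] in GROUP_ADD:
            members[e["group"]].add(e["member"])
    closure, todo = {root}, [root]
    while todo:
        for m in members[todo.pop()]:
            if m in members and m not in closure:  # m is itself a group
                closure.add(m)
                todo.append(m)
    return closure


def analyze(events, root="Domain Admins"):
    """Run the checks from the post over a batch; returns (rule, account) alerts."""
    privileged = nested_groups(events, root)
    groups = {e["group"] for e in events if e["id"] in GROUP_ADD}
    priv_users = {e["member"] for e in events if e["id"] in GROUP_ADD
                  and e["group"] in privileged and e["member"] not in groups}
    created, alerts = set(), []
    for e in events:
        if e["id"] == 4720:
            created.add(e["target"])
        elif e["id"] in GROUP_ADD and e["group"] in privileged:
            rule = "group_nested" if e["member"] in groups else "member_added"
            alerts.append((rule, e["member"]))
        elif e["id"] == 4625 and e["target"] in priv_users:
            alerts.append(("failed_logon_privileged", e["target"]))
        elif e["id"] == 4726 and e["target"] in created:
            # created and deleted inside one batch: a weekly account diff misses it
            alerts.append(("transient_account", e["target"]))
    return alerts
```

Note that the group-versus-user distinction here relies on the batch itself; a real checker would ask the directory, not the log, whether a member name is a group.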