With this week’s release on the VMware Carbon Black Cloud, users can now remotely inspect Windows devices’ event logs to pull back information that could be helpful during an investigation or response scenario.
This new capability comes as part of an update to the Live Query functionality provided on the platform. Unlike standard EDR search capabilities, which allow administrators to review previously collected data about activity on devices, Live Query allows you to reach out and directly gather information about the current state of a single device or your entire fleet of devices.
The ability to pull these artifacts from Windows event logs lets incident response teams gather crucial information about an incident directly from the impacted devices, quickly and efficiently.
For instance, pulling this log data from affected systems can highlight which user accounts have been compromised and abused by attackers and how those accounts are connecting to different systems, as well as help build a chronological timeline of the attacker's activities. Being able to identify relevant artifacts and use that evidence to develop additional queries that can be run across a wider set of systems provides the situational awareness that investigations require.
This newly added functionality makes it easy for users to create their own custom queries to gather real-time Windows event log data, including:
- Event ID
- Time an event occurred
- Source or channel of the event
- Provider name and GUID associated with an event
- Severity level of an event
- And more
Along with being able to build custom queries, our Threat Analysis Unit (TAU) has also handcrafted a series of recommended queries that leverage the Windows event log query capability. These pre-built queries – along with the more than 90 that already exist in the console – can be run across your entire Windows fleet with the click of a button, bringing the time required to start gathering these artifacts down to mere seconds.
So whether your team is looking to identify devices that may be at risk due to the Windows ZeroLogon vulnerability (CVE-2020-1472), or you're interested in keeping an eye on RDP login activity, or you are looking for indicators of anti-forensics and persistence mechanisms such as cleared event logs and new scheduled tasks, these pre-built queries will save your team time in hunting down potential threats and reducing risk in your environment.
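To make the field list above and the three hunts just mentioned concrete, here is an added example query that is not from the original post and not one of TAU's recommended queries. It assumes Live Query exposes the osquery `windows_events` table with the columns `eventid`, `source`, `provider_name`, `provider_guid`, `level`, `datetime`, `time` and `data`, and it assumes `data` carries the event's fields as a JSON string in which a logon's type appears as `"LogonType":"10"`; that layout is an assumption and may need adjusting against a real result.

```sql
-- Added example, not Carbon Black's or TAU's own query.
-- Assumes the osquery windows_events table (eventid, source, provider_name,
-- provider_guid, level, datetime, time, data). The JSON layout of `data`
-- (a "LogonType" field inside the event data) is an assumption.
SELECT
  datetime,               -- time the event occurred (text)
  source,                 -- channel, e.g. Security
  provider_name,          -- provider name
  provider_guid,          -- provider GUID
  eventid,                -- Event ID
  level,                  -- severity level
  CASE eventid
    WHEN 1102 THEN 'audit log cleared (anti-forensics)'
    WHEN 4698 THEN 'scheduled task created (persistence)'
    WHEN 4624 THEN 'RDP logon (RemoteInteractive, LogonType 10)'
  END AS hunt_reason,
  data                    -- full event payload for the analyst
FROM windows_events
WHERE source = 'Security'
  AND time > strftime('%s', 'now') - 7 * 86400     -- last 7 days (epoch seconds)
  AND (
        eventid IN (1102, 4698)
     OR (eventid = 4624 AND data LIKE '%"LogonType":"10"%')
  )
ORDER BY time DESC;
```

Run across a whole fleet, the 4624 clause will dominate the result set on any environment where RDP is routine, so in practice you would narrow the time window or restrict to a set of device IDs, then pivot from the accounts seen in `data` into follow-up queries, which is the "develop additional queries from evidence" loop the post describes. Event 1102 on a device that has no scheduled log-rotation is worth investigating on its own, since it is one of the few places a cleared Security log leaves a trace.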
See also:
Using Live Query to Audit Your Environment for the Windows CryptoAPI Spoofing Vulnerability
How Live Query Helps with Vulnerability Assessment
New Release Brings Recommended Queries to Users