If you've tried to analyze Account Logon events from your domain controller security logs and gotten a little confused, don't feel bad. Events in the 4768-4777 range are definitely complex and cryptic – but here's a secret that makes it much easier. Account Logon events are closely tied to Kerberos, and if you understand Kerberos, it becomes much easier to understand Account Logon events. You see, Kerberos is the default authentication protocol for Windows networks, and the Account Logon events logged by domain controllers correspond to Kerberos ticket operations.
Because of how Kerberos tickets work, this category of the security log generates a lot of noise, which you can filter out if you know what to look for. This is important because many of these noise events show up as authentication failures, but they are in no way related to malicious activity.
In this webinar I will show you how the Kerberos protocol itself works and then tie that into the Account Logon events you see on your domain controllers. You will learn...
- the difference between ticket granting tickets and service tickets
- how to distinguish noise events generated by routine Kerberos operations
- how to recognize potentially malicious authentication attempts
- how Kerberos events allow you to track a user’s movements from one computer to another
and more!
In this no-sponsor real training for free ™ webinar, I'll show you how to enable Kerberos authentication auditing on domain controllers and then how to interpret the events. This webinar will be completely me and my content, with no sponsor presentation. I'll be using SolarWinds Log and Event Manager to do the security log monitoring.
If you'd like to follow along with me please download a free trial of Log and Event Manager ahead of time and start it collecting events from at least one of your domain controllers. It's a pre-built virtual appliance. Just download it and power it up in your virtualization host or desktop.
Join me for this real training for free ™ webinar. Please register now.