If you've tried to analyze Account Logon events from your domain controller security logs and gotten a little confused, don't feel bad. Events in the 4768-4777 range are definitely complex and cryptic – but here's a secret that makes it much easier. Account Logon events are closely tied to Kerberos, and if you understand Kerberos, it becomes much easier to understand Account Logon events. You see, Kerberos is the default authentication protocol for Windows networks, and the Account Logon events logged by domain controllers correspond to Kerberos ticket operations.
Because of how Kerberos tickets work, this category of the security log generates a lot of noise, which you can filter out if you know what to look for. This is important because many of these noise events show up as authentication failures, but they are in no way related to malicious activity.
In this webinar I will show you how the Kerberos protocol itself works and then tie that into the Account Logon events you see on your domain controllers. You will learn...
- the difference between ticket granting tickets and service tickets
- how to distinguish noise events generated by routine Kerberos operations
- how to recognize potentially malicious authentication attempts
- how Kerberos events allow you to track a user’s movements from one computer to another
and more!
Then Barry Vista from our sponsor, LOGbinder, will show you the latest with managing native Windows Event Collection with Supercharger.
This will be a technical, real training for free session, so don’t miss it!