Resources to Learn Windows:
-Learn About Microsoft Server: amzn.to/3ehKBpr
-Windows PowerShell Cookbook: amzn.to/3fZldp5
-Learn Windows PowerShell in a Month of Lunches: amzn.to/3i7TqoC
-Learn PowerShell Scripting in a Month of Lunches: amzn.to/2Z6tfps
@joebrown-w6q 8 days ago
Is there a way you can see when logs were deleted? I noticed about a week or two ago. When I went to Event Viewer in the Security logs I saw my laptop turn on when I was not even using it! Tonight I went on to check the logs and it didn't even go past the previous day. I turned it off and back on, and now I can see past today. What's going on!? Can anyone help?
@JonGoodCyber 7 days ago
@@joebrown-w6q I showed this in the video, so I recommend rewatching it to see where I start to filter based on events.
@larkirwan9568 3 years ago
I am studying for my CompTIA A+ exam and this video helped me understand something I was unclear on. Thank you.
@JonGoodCyber 3 years ago
Glad it helped and you are welcome!
@tendimukhodobwane5915 1 year ago
Brief and precise, I didn't know how to use Event Viewer until I saw this video.
@JonGoodCyber 1 year ago
I'm glad that the video was helpful and thank you for watching!
@kwsrchoudhury 1 year ago
Thanks! Gotta investigate a laptop tomorrow.
@JonGoodCyber 1 year ago
You are welcome! Hope it's nothing too crazy, but good luck either way.
@jswift5300 2 years ago
Sorry Jon, I like the way you present your videos; I just assumed what you would be sharing would be more focused on what logs we would need to be investigating. For instance, the Firewall log, the DNS log, obviously the Security log, etc. Other than that, you present well, are clear and concise, and I can't fault you!
@JonGoodCyber 2 years ago
The purpose of this video was really to provide an introduction to using the Event Viewer because unfortunately audits themselves can vary a lot in what the auditor wants to see. There might be follow-up videos to this, but I couldn't put everything into one video since it would be way too long. Thank you for watching!
@jswift5300 2 years ago
@@JonGoodCyber Appreciate the response. Please don't see this as "trolling" or anything; I just made an assumption that it was digging into the finer detail. I can't fault your delivery though! Very good / concise. Cheers.
@JonGoodCyber 2 years ago
No worries! I appreciate the feedback because it helps me identify topics for future videos.
@jswift5300 2 years ago
@@JonGoodCyber Cheers. I appreciate I came across as arrogant and didn't mean to! Enjoying some of the sessions though, so please don't stop making content!
@JonGoodCyber 2 years ago
I didn't take it that way and I always appreciate feedback and comments!
@benarroyo 3 years ago
This video helped me understand Event Viewer better, thanks!
@JonGoodCyber 3 years ago
Glad it helped and you are welcome!
@raymundofantastico 2 years ago
Me too! But there's something I have always wondered: how do you view upload and download history on Windows 8.1 and Windows 10? Always wanted to know because of my tendencies and frequent activities 😆
@jellybeanjackson6353 1 month ago
for the KZbin algorithm
@JonGoodCyber 1 month ago
Thank you for the support!
@HariprasadN-k4b 11 months ago
Why does Security-SPP occur in Windows 10, and why does it completely shut down all the applications in my system at that moment?
@JonGoodCyber 11 months ago
I recommend starting out with the official Windows documentation and then possibly checking the forums to see if somebody has a similar problem with a fix. learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-security-spp
@watteau6646 4 years ago
I was hoping for an explanation of the many different types of event IDs. But I guess like most videos, we are expected to just "google it" and go into rabbit holes. OK video for learning basic EV navigation, that's all. Too much self-promo at the start. No real "cyber security" information.
@JonGoodCyber 4 years ago
This video was not meant to be an all-encompassing security analysis of a system. The purpose is to teach how to use the Event Viewer because, like anything in Cyber Security, there are variables that make every situation different. If you are interested in specific event IDs, there is a really good resource here ( www.ultimatewindowssecurity.com/securitylog/encyclopedia/ ). I do have future videos planned that will cover specific things to look for, but we have to start with the basics. Thank you for viewing and I appreciate the feedback!
@watteau6646 4 years ago
@@JonGoodCyber Thanks for your response. Looks like a very useful link, too. Thanks!
@v0ver 6 months ago
Windows tutorials without indian, a bit confusing for me ;]
@JonGoodCyber 6 months ago
I'm not sure what you mean by "without indian" but you can certainly watch the video as much as you need.
@ofek_11 1 year ago
Hope it's still relevant. I have a question: to disable real-time protection and find the event ID (sounds simple), but when I do that the event ID does not appear, even when I'm in the local (configuration). Any suggestions?
@JonGoodCyber 1 year ago
The first place I recommend referencing is the official Microsoft documentation ( learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide ).
@doctorsaikia4647 1 year ago
Hi, is there any way to know what files are being copied from my laptop to a USB drive? Its timestamp and what folder or file was copied... Or if a copy log is present in the system.
@JonGoodCyber 1 year ago
I recommend checking out this article on Microsoft: learn.microsoft.com/en-us/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices
@invest_9361 1 year ago
Hey Jon, I suspected someone was on my PC uninvited. I went to look at my Event Viewer logs and they have been cleared! I did not do this; could you help me out? Trying to figure out when they were cleared and when someone was on my PC; God knows what's been installed. Can anyone help?
@JonGoodCyber 1 year ago
I recommend watching this video again because I walk through how to filter event logs being cleared. If you need to go deeper into memory you will want to research a digital forensics training course.
@invest_9361 1 year ago
@@JonGoodCyber I did just recently change a setting in the registry keys. It was for processes, to keep them low on Windows, since I game. Could that be affecting the Event Viewer?
@JonGoodCyber 1 year ago
I'm not sure what you mean by you changed registry keys, as clearing the logs requires a high level of privilege to perform. If the event logs are gone (cleared) then your only possible option to recover them is using digital forensics. If you cannot view the events in the Event Viewer and they are still there, then you don't have the right level of access.
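The "logs were cleared" event Jon refers to can be pulled out with PowerShell instead of clicking through the filter dialog. The block below is an added example, not code from the video or from anyone in this thread. It looks for Event ID 1102 in the Security log (Security log cleared) and Event ID 104 in the System log (any other log cleared) and prints who cleared what and when, in UTC. It assumes an elevated prompt (reading the Security log needs administrator rights or Event Log Readers membership); the 90-day window is an assumption.

```powershell
# Added example: list "audit log was cleared" events (Security 1102, System 104).
# Assumes an elevated PowerShell prompt. The 90-day window is an assumption; widen it as needed.
$days  = 90
$since = (Get-Date).AddDays(-$days)

$filters = @(
    @{ LogName = 'Security'; Id = 1102; StartTime = $since }   # Security log cleared
    @{ LogName = 'System';   Id = 104;  StartTime = $since }   # another log cleared (System, Application, ...)
)

$cleared = foreach ($f in $filters) {
    # Get-WinEvent throws "No events were found" when nothing matches, hence SilentlyContinue.
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
        # Both events carry the actor under Event/UserData/LogFileCleared rather than under EventData.
        $lfc     = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
        $account = if ($lfc) { '{0}\{1}' -f $lfc.SubjectDomainName, $lfc.SubjectUserName } else { $_.UserId }
        # Event 104 names the log that was wiped in its Channel field; 1102 is always the Security log.
        $channel = if ($lfc -and $lfc.Channel) { $lfc.Channel } else { $_.LogName }
        [pscustomobject]@{
            TimeUTC   = $_.TimeCreated.ToUniversalTime().ToString('u')
            Id        = $_.Id
            LogWiped  = $channel
            ClearedBy = $account
            Computer  = $_.MachineName
        }
    }
}

if ($cleared) {
    $cleared | Sort-Object TimeUTC | Format-Table -AutoSize
} else {
    "No log-cleared events in the last $days days. If the log only reaches back a day or two, the clearing event itself may be older than the oldest surviving record."
}
```

Event 1102 cannot be suppressed by the person clearing the log, so its absence combined with a Security log that suddenly starts yesterday is itself worth noting in a report; the record also shows the SID when the account name cannot be resolved.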
@tatvikgujar5890 5 months ago
You missed the easiest way to open event manager: just open Server Manager, then go to Tools in the top-most section and look for Event Viewer. That's it.
@JonGoodCyber 5 months ago
Like most things, there are several ways to accomplish the same objective.
@tatvikgujar5890 5 months ago
@@JonGoodCyber Yup, one should always be open to new and easy ways.
@kenstart6 1 year ago
Can we get the Event Log of a computer remotely?
@JonGoodCyber 1 year ago
You certainly can: learn.microsoft.com/en-us/host-integration-server/core/how-to-select-computers-in-event-viewer1
@sinamobasheri 23 days ago
I left a comment for the YouTube algorithm
@JonGoodCyber 23 days ago
Thank you for the support!
@SaiyanParmos 1 year ago
Thank you for this post. Sometimes it feels better to jump in as you just did but for trying Splunk or DeepBlueCLI
@JonGoodCyber 1 year ago
I'm glad that you enjoyed the video!
@mrxenosith8023 1 year ago
Hello Jon, I noticed that the Event Viewer no longer displays the username. How can we get the username for the event logon and logoff?
@JonGoodCyber 1 year ago
What exactly do you mean it no longer displays the username? I'm assuming you're referring to the column, and if that's the case then you can right-click on the name of one of the columns and add whichever ones you'd like.
@abdullahalrawi1491 3 years ago
Hi, I have to define 3 logging events myself that can be handy to trace security breachers, and who may see the logging, where the logging is stored and the data of the event: how, who, what, where, why, when... I don't understand what I should do and where I should search. Could you help me with one of those three? I have a bad teacher 😢
@JonGoodCyber 3 years ago
Here are two resources to get you started:
- www.beyondtrust.com/blog/entry/windows-server-events-monitor
- www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
@Gnrl_Anesthesia 2 years ago
Hey Jon, sorry, I am learning about this but you are my best shot at getting the proof here. Long story short, some of the very important files have been deleted from Google Drive and even from the trash. I know who did it from my laptop when I was away; it does say I deleted it because the laptop had G-Drive logged in. I am in real trouble now. All I want is proof that my laptop was used between X-Y dates so that I can prove my innocence. I already am down the rabbit hole and I have reached here. Please guide me if this can be done from Event Viewer. All I want is confirmation that the laptop was used during the dates when I wasn't around. Even better if we can see someone opened G-Drive.
@JonGoodCyber 2 years ago
I recommend reviewing the audits for any logon or logoff type events on your system. You can find the event IDs required here: www.ultimatewindowssecurity.com/securitylog/encyclopedia/
@karoz07 2 years ago
Thank you very much for this great information...!!! My computer shows the ID 4672 Special Logon and ID 4624 Logon too many times and I don't know if this means that someone from outside is looking at my personal information or it is just a simple thing from Windows Events...!!! Will you be so nice as to let me know if this could be dangerous or not...!!! I will appreciate it so much...!!! I send you a big hug from México City...!!! God Bless You Always...!!!
@JonGoodCyber 2 years ago
Every situation is different, but I would recommend checking out the below resources on those specific event IDs to get you started in your research.
www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4672
@danh.902 3 years ago
I posted a comment to social media and it got someone mad. I walked away from my PC for about an hour, and when I came back I tried to log back into the social media site, I could not. My password was incorrect. I had to reset it using my phone. Can I use the Event Viewer to find out if someone logged onto my PC and did something? I have a few: 4624 Logon, 4672 Special Logon *** SEVERAL, 5379 User Account Management, 5058 Other System Events, 5061 System Integrity, 4826 Other Policy Change Events, 4696 Process Creation. Is there a way to tell me if someone was on my PC remotely or how they messed with my Facebook password?
@JonGoodCyber 3 years ago
You will find this website ( www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx ) of tremendous value. You would be able to determine if there was a remote login, but you couldn't see the web application logs for Facebook itself. For Facebook, you would need to reach out directly to them because only they could review the actions taken on the site.
@danh.902 3 years ago
@@JonGoodCyber Thank you @Jon, I DO appreciate it. I WILL be doing A LOT of reading it seems over the next few days. As for going to Facebook, I did think about doing that when he replied to my post in a public area, but figured that since he told me outright that he did what he did with something like Facebook, I didn't want to get him even more upset at me. I'd like to think that passwords and routers, Avast, ZoneAlarm, Windows Defender and so on, would be enough, but it seems that if someone wants to be disruptive, they will... I AM still gonna try to see what else I can do in order to AT LEAST make My Family feel a bit safer though...
@JonGoodCyber 3 years ago
Many times when somebody is able to access an account, it was through social engineering. That means they could have got you to click a link or provide them with information to allow them access. All the tools in the world won't do any good if you fall victim to social engineering. Keep learning about security and improving your defenses!
@interfuze9470 2 years ago
I have a question. I went to Event Viewer, and a few months ago I downloaded this application called SolidWorks. I deleted the SolidWorks application, but in the Event Viewer there is still a log file for SW. Any help? I just want to delete that log file. It's under Applications and Services 😭 I hate downloading school stuff on my personal gaming PC. I don't want to clear the log, I want to delete that log file***
@JonGoodCyber 2 years ago
Log files are files stored somewhere on your system, so you just need to find where it's being stored and remove it. You could always clear whatever is in there too, but a leftover log file isn't really impacting your system unless it's massive in size.
@vtcl1 3 years ago
I have another question, Jon: Under the Task Category, I don't see Logon or Special Logon. I'm only seeing User Account Man... Does this mean that no external individual has logged onto my system?
@JonGoodCyber 3 years ago
If you have logon event auditing enabled then you will see any events related to it. docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events
@itumelengmaaboi8942 1 year ago
Can you also see who deleted files???
@JonGoodCyber 1 year ago
Sure, if you turn on file system auditing, but by default Windows isn't going to show you that information.
@OkekeIfeoma-k1h 2 months ago
Hi, kindly be of help: how do I perform log analysis on Windows OS and Windows Server?
@JonGoodCyber 2 months ago
I recommend rewatching this video as this gives you a good introduction on how to perform a log analysis.
@alqahtanirakan-cm5736 1 year ago
Explain the concept of logging. Where are they located in Windows and Linux? Show an example of failed login logging in Windows Event Viewer.
@JonGoodCyber 1 year ago
After watching this video, you'll know exactly how to review Windows events, so once you've identified the event ID that you need ( www.ultimatewindowssecurity.com/securitylog/encyclopedia/ ) then it's simple to filter based on that. 4625 is logon failures.
@kcalderon03 2 years ago
Hello. Do you have a reference you would recommend for looking up event IDs? Thanks
@JonGoodCyber 2 years ago
Here is the site that I recommend: www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
@kcalderon03 2 years ago
@@JonGoodCyber Thank you, sir!
@JonGoodCyber 2 years ago
@@kcalderon03 No problem. Glad to help!
@MrSouthsideMuscle 2 years ago
Onboard system software is dece enough
@JonGoodCyber 2 years ago
You can definitely accomplish a lot with built-in functionality and software; however, external applications frequently enhance or add to that functionality. Additionally, built-in applications don't work well when you have to start looking at several, hundreds, or thousands of systems.
@MrSouthsideMuscle 2 years ago
@@JonGoodCyber Definitely, I would imagine a complex system network requires specialized software for ease of viewing.
@waydownwergoing 2 years ago
Hi my friend. I am trying to write a script for Task Scheduler for sending all logs in real time to a Telegram channel. Can you help me?
@JonGoodCyber 2 years ago
I recommend checking out Google because there are plenty of tutorials out there already that came up with a simple search.
@waydownwergoing 2 years ago
@@JonGoodCyber I checked it but only found a script for logon, but not for other events.
@puazuzu4958 1 year ago
Hi Jon, thank you for the video :)! I have a question about this. The event ID 4698 and the events of schtasks, I can't see them. Why is it not displayed in the Event Viewer? Thank you!
@JonGoodCyber 1 year ago
One of the best places to start with is the official Microsoft page for the event ID: learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
@dariowins 1 year ago
Can you tell us how we can convert the time format to UTC? For example, when we find an event ID and we have to write it in the forensic report, it's very common to write the date and time in UTC format.
@JonGoodCyber 1 year ago
I recommend checking out this discussion thread: learn.microsoft.com/en-us/answers/questions/409485/event-viewer-entries-timestamp
@openworldgamedevjontyin2242 3 years ago
How to find unauthorised logons on Windows 10 using Event Viewer or PowerShell or cmd... whatever... I think I am being hacked... please help
@JonGoodCyber 3 years ago
In Event Viewer, you can create a custom filter for any of the logon events you would like to see. A really good resource for event IDs can be found here ( www.ultimatewindowssecurity.com/securitylog/encyclopedia/ ).
@bethiaktar758 9 months ago
Very informative, thanks for sharing, Jon Good. From Bangladesh.
@JonGoodCyber 9 months ago
I'm glad that you enjoyed it!
@rohitkalla2623 3 years ago
After formatting/resetting the PC, will the earlier logs be visible there?
@JonGoodCyber 3 years ago
If you restart your computer the logs will still be there until cleared. Formatting a PC involves wiping the system clean, and therefore you would lose the logs in that situation.
@rohitkalla2623 3 years ago
@@JonGoodCyber Thanks for the really quick reply. I actually wanted to know if there's any way we can tell that the computer has been formatted/reset before. Could you please help me with this?
@JonGoodCyber 3 years ago
No, because the entire computer is wiped and would start from fresh. If just the logs are cleared though, then Windows will generate a system event saying that the logs were cleared.
@sonyi1967 1 year ago
Q: I got a Kaspersky file in the Windows log and I can't get rid of it to install a different antivirus.
@JonGoodCyber 1 year ago
I recommend visiting the vendor's website for instructions on uninstalling the software.
@vtcl1 3 years ago
I have come across some events that occurred during the wee hours of the morning while I was sleeping. Is there a way for me to find out its location?
@JonGoodCyber 2 years ago
Yes! Search Google for the IP address and it will give you more information.
@spitballproductions 2 years ago
How can you do this using Autopsy?
@JonGoodCyber 2 years ago
The purpose of this video isn't to go deep into Windows forensics, but perhaps I'll add that to the list for a future video.
@spitballproductions 2 years ago
@@JonGoodCyber Please do. I am working on some homework for a digital forensics class and I have no idea what I am doing. In the dark without you. Thanks mate.
@petrmilota6398 3 years ago
Completing a case in Immersive Labs for Hafnium events... well, we will see if this helps :D We can use only Event Viewer.
@JonGoodCyber 3 years ago
Awesome...let me know how it goes!
@Dot0707 4 months ago
Everyone clicking on this video because someone touched something they weren't supposed to.
@JonGoodCyber 4 months ago
Not everybody is doing things that they shouldn't be doing...
@FM-zp2hl 4 years ago
Good content here. Trying to do forensics on a Windows event log file but it is really challenging. Do you have any information on how I can perform a step-by-step detailed forensic on Windows Event Viewer logs? Thanks
@JonGoodCyber 4 years ago
Unfortunately I do not have any on hand. Your best bet is to grab a good book or course because that requires you to stay up to date. Here are some resources that might help you though:
-Book on Windows Forensics: amzn.to/34LOPUK
-Course on Windows Forensics: www.pentesteracademy.com/course?id=23
@FM-zp2hl 4 years ago
@@JonGoodCyber Thanks very much
@IvarsRuza 4 years ago
How to collect and analyze I know, but how to store for future forensics is nuts for 3k machines.
@JonGoodCyber 4 years ago
Storage is definitely a major issue when it comes to logs. Sometimes you have to be selective about the events and information that you collect.
@abineshms3759 2 years ago
How to display those security events using a C or C++ program?
@JonGoodCyber 2 years ago
Great question...have you researched how to do this? I think PowerShell is still going to be the easiest method if you want a command-line option.
@phabeondominguez5971 4 years ago
Aren't there tools or apps that translate Event Viewer logs into more readable formats for us puny humans? I want to say it's something about Sysinternals? Heck, can ya do a video on that? Both converting error logs into readable formats and a video on Sysinternals?
@JonGoodCyber 4 years ago
There are definitely more tools that I will be doing videos on, but this particular video is to help people walk before they run. Thank you for the requests!
@phabeondominguez5971 4 years ago
@@JonGoodCyber Gotcha, I'll rewatch it then as maybe I missed "it", as I still just see Event Viewer as error logs but am still unsure as to how to decipher them?
@JonGoodCyber 4 years ago
The Event Viewer is definitely not just for error logs. Essentially what your SIEM tool and other analysis tools do is take the raw events and make them easier to comprehend/correlate, especially at a larger scale. One important point is that we aren't just looking for failures or errors, because there are successful events that should generate alerts depending on the environment. Think about if you had a production environment that operated during certain hours of the day but then all of a sudden you had people logging in at "strange" hours when nobody is around. A great resource for Windows Event IDs is this website ( www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx ).
@phabeondominguez5971 4 years ago
@@JonGoodCyber Gotcha, so no wonder a while back I had a black screen blip for 2 secs but wasn't finding anything in Event Viewer. Thanks for the link, will check that out. oNe
@JonGoodCyber 4 years ago
No problem!
@pidaparthysurya4373 3 years ago
How to take AD audit logs for 3-6 months?
@JonGoodCyber 3 years ago
There is a retention setting for Windows logs that you can modify, but it's based on the size of the log ( helpcenter.netwrix.com/NA/Configure_IT_Infrastructure/Windows_Server/WS_Event_Log_Settings.html ). If you are in an environment using Active Directory though, a best practice would be to use a SIEM tool like Splunk to forward the logs to a central solution where you can utilize more storage. We also would want to archive the raw log files so that we can go back and review them deeper if we need to.
@openworldgamedevjontyin2242 3 years ago
Bro, I need help... how to find unauthorised logons on Windows 10!!! I think someone is hacking me!!! Please help!!
@JonGoodCyber 3 years ago
In Event Viewer, you can create a custom filter for any of the logon events you would like to see. A really good resource for event IDs can be found here ( www.ultimatewindowssecurity.com/securitylog/encyclopedia/ ).
@openworldgamedevjontyin2242 3 years ago
@@JonGoodCyber Thank you so much
@davidmanning1474 3 years ago
Do you have a brother that does vjdsa out air travel by any chance
@JonGoodCyber 3 years ago
I don't know what that is, but no.
@sabharinathan2989 3 years ago
Event ID 4740 not present in Event Viewer Security log
@JonGoodCyber 3 years ago
If there isn't an event ID in your log then it hasn't occurred. Specifically, 4740 is for user accounts being locked out. Here is a reference article: www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740
@johnvardy9559 1 year ago
Hi John, great video. After 3 years, does somebody need to know all of this stuff?
@JonGoodCyber 1 year ago
Glad it was helpful! This is information that you should know very early on in your cybersecurity journey.
@johnvardy9559 1 year ago
@@JonGoodCyber Yes, but if you use Splunk or SIEM tools you don't need this one, or?
@JonGoodCyber 1 year ago
@@johnvardy9559 You are correct in that typically, in most environments, this kind of stuff will be done in a SIEM tool (i.e., Splunk, LogRhythm, etc.), but you absolutely need to know how to do it on a local system too. This is especially true for any type of technical role.
@warronfrench8163 2 years ago
0% audio. I tried other videos and they worked.
@JonGoodCyber 2 years ago
The video definitely has audio, so I would check your settings.
@jibunorufoegbune9567 2 years ago
Thanks Jon Good
@JonGoodCyber 2 years ago
No problem and I'm glad that you enjoyed the video!
@halfdemon88 1 year ago
Also bears mentioning that you can add MMC snap-ins to view logs on remote computers in a domain. Super convenient as an admin.
@JonGoodCyber 1 year ago
Yep, absolutely, and thank you for sharing!
@fabriciogarcia6307 4 years ago
Thanks for the video! Regards!!!!
@JonGoodCyber 4 years ago
You are welcome! I'm glad you enjoyed the video.
@minmaxshorts 3 years ago
Leaving a comment for the YouTube algorithm
@JonGoodCyber 3 years ago
Thank you and I appreciate the support!
@lyseachung5613 7 months ago
How can I remove specific events from the event log?
@JonGoodCyber 7 months ago
That is outside the scope of this video, and typically if you are trying to remove events...that's probably not for a good reason.
@shehzadarshad2000 2 years ago
Nice video bro, I am also an IT guy
@JonGoodCyber 2 years ago
I'm glad that you enjoyed the video, and welcome!
@openworldgamedevjontyin2242 3 years ago
Thank you for your help...
@JonGoodCyber 3 years ago
You're welcome!
@brownoforrington8310 4 years ago
How do I find an IP address of an intruder and block payloads?
@BlackPerl 4 years ago
Probably for doing this kind of search you can use LogParser 2.2. A query like the one below would help to find out from an IP address:
"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = 'x.x.x.x'"
@JonGoodCyber 4 years ago
Ideally you would be using a host intrusion prevention (or detection) system such as Snort or a similar type of tool that will store that information in an easier-to-consume format. Complex queries using the Event Viewer typically aren't going to be the best path.
@vtcl1 3 years ago
This is an excellent video. Is it a red flag to see several deleted events at the end of the list? My laptop is used only by me.
@JonGoodCyber 3 years ago
Any time that you are missing logs or have deleted events and it wasn't authorized, then it should be a concern.
@vtcl1 3 years ago
@@JonGoodCyber Wow! Thank you. Do you think that changing my IP address would help?
@vtcl1 3 years ago
@@JonGoodCyber Should I also be concerned about the listening events? Does this mean that people are listening in?
@JonGoodCyber 3 years ago
Changing the IP address might help, but I would recommend you get good anti-virus or anti-malware software. As far as listening ports, you would have to research the ports after you scan your system with the anti-virus software because they may or may not be malicious.
@vtcl1 3 years ago
@@JonGoodCyber Thanks a bunch
@toukio_ 11 months ago
Very informative, thanks for sharing Jon.
@JonGoodCyber 11 months ago
Glad it was helpful!
@flittotech5280 2 years ago
Thanks for this very interesting video.
@JonGoodCyber 2 years ago
Glad you enjoyed it!
@kristinabrannon3693 3 years ago
Does Event Viewer clear its own logons after so long or do you have to manually clear them out?
@JonGoodCyber 3 years ago
There are retention settings based on size, such as overwriting oldest events first, archive when full (no overwrite), or do not overwrite. You can configure this by right-clicking on the specific log (Application, Security, System, etc.) and selecting "Properties." You could also run a command with PowerShell to clear the logs, or schedule a task to do so ( docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/clear-eventlog?view=powershell-5.1 ).
@kristinabrannon3693 3 years ago
@@JonGoodCyber Thank you! Question: when I first downloaded Event Viewer I saw months of history with logons; I was looking specifically at 4624. I've been trying to see if my roommate has been accessing my profile on our shared computer. Recently, everything has been deleted. I can only see the last 2 days. I think someone went in and cleared the logs. Would Event Viewer suddenly start only saving the last 2 days of history by itself? Or would someone have to program it to do this? Thank you! I'm not computer savvy, but I know enough to know that when one day something is there and the next it's not, it's suspicious.
@JonGoodCyber 3 years ago
@@kristinabrannon3693 If you don't have logon auditing enabled prior to that then it wouldn't store those events ( docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-logon ). Also, if logs are cleared then the system will generate an event and it will be present in the new set of logs. A really good website for referencing various Windows events is: www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
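Several questions in this thread (no Logon task category showing, 4740 and 4698 missing, who deleted files, USB copies) come down to the same point Jon makes here: an event ID only appears if its audit subcategory is switched on. The block below is an added example, not code from the video or from anyone in the thread. It reads the effective advanced audit policy through `auditpol`'s CSV report and flags the subcategories that produce the event IDs discussed above. It assumes an elevated prompt and the English subcategory names (`auditpol /list /subcategory:*` prints the exact names for your locale).

```powershell
# Added example: confirm the audit subcategories behind the event IDs discussed in this thread are
# actually enabled before going looking for the events. Needs an elevated prompt; subcategory
# names are the English ones printed by `auditpol /list /subcategory:*`.
$need = @{
    'Logon'                      = '4624/4625 logon success/failure'
    'Logoff'                     = '4634/4647 logoff'
    'User Account Management'    = '4740 account lockout, 4720 account created'
    'Other Object Access Events' = '4698 scheduled task created'
    'File System'                = '4663 file access (the folder also needs a SACL)'
    'Removable Storage'          = '4663 with the Removable Storage task category'
}

# /r prints a CSV report: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$csv = auditpol /get /subcategory:"$($need.Keys -join ',')" /r | Where-Object { $_ -match ',' }

foreach ($row in ($csv | ConvertFrom-Csv)) {
    $setting = $row.'Inclusion Setting'   # "Success and Failure", "Success", "Failure" or "No Auditing"
    $flag    = if ($setting -eq 'No Auditing') { 'OFF' } else { 'on ' }
    '{0} {1,-28} {2,-20} {3}' -f $flag, $row.Subcategory, $setting, $need[$row.Subcategory]
}
```

A subcategory reported as "No Auditing" means the corresponding events were never written, which is the benign explanation for an empty Task Category list and is worth ruling out before treating a gap as tampering. File System and Removable Storage additionally need a SACL on the objects being watched; the policy alone produces nothing.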
@GarageGuyCarl 2 years ago
How can I filter logs by date(s)?
@JonGoodCyber 2 years ago
PowerShell might be your quickest and most efficient method: social.technet.microsoft.com/Forums/lync/en-US/f552d3fa-01e8-4949-ba2b-fc172bff9175/filtering-event-logs-with-specific-date-range?forum=winserverpowershell In the Event Viewer, you can either sort by the date column, or you could edit the XML of the actual search.
@GarageGuyCarl 2 years ago
@@JonGoodCyber Nice and Thanx
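The date-range question here, the earlier ones about proving a laptop was used between two dates, about listing 4625 failures, and about reporting timestamps in UTC all fit one PowerShell pattern. The block below is an added example, not code from the video or from anyone in the thread. `Get-WinEvent -FilterHashtable` lets the Event Log service do the ID and time filtering, and the EventData fields are read by name so the output is stable across Windows versions. It assumes an elevated prompt; the dates in the usage lines are constructed sample values, and the optional `-ComputerName` needs remote Event Log rights.

```powershell
# Added example: successful (4624) and failed (4625) logons in a date window, reported in UTC.
# Assumes an elevated prompt. -ComputerName is optional and needs remote Event Log rights.
function Get-LogonActivity {
    param(
        [Parameter(Mandatory)] [datetime] $Start,
        [datetime] $End = (Get-Date),
        [string]   $ComputerName
    )
    # FilterHashtable is evaluated by the Event Log service, far faster than piping the
    # whole log through Where-Object.
    $params = @{
        FilterHashtable = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $Start; EndTime = $End }
        ErrorAction     = 'SilentlyContinue'   # Get-WinEvent throws when nothing matches
    }
    if ($ComputerName) { $params.ComputerName = $ComputerName }

    Get-WinEvent @params | ForEach-Object {
        # Read EventData fields by name rather than by position in the message.
        $d = @{}
        foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            TimeUTC     = $_.TimeCreated.ToUniversalTime().ToString('u')   # forensic reports want UTC
            Id          = $_.Id
            Result      = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
            Account     = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            LogonType   = $d.LogonType        # 2 interactive, 3 network, 5 service, 7 unlock, 10 RDP
            SourceIP    = $d.IpAddress
            Workstation = $d.WorkstationName
            Status      = $d.Status           # 4625 only, e.g. 0xC000006D = bad user name or password
        }
    }
}

# Usage (constructed dates): who logged on, from where, while the owner was away.
Get-LogonActivity -Start '2024-03-01' -End '2024-03-04' |
    Where-Object { $_.LogonType -in 2, 7, 10 } |   # human-driven logons; drops service/system noise
    Sort-Object TimeUTC | Format-Table -AutoSize

# Failed attempts over the last week grouped by account and source, most frequent first.
Get-LogonActivity -Start (Get-Date).AddDays(-7) |
    Where-Object Result -eq 'Failure' |
    Group-Object Account, SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Logon type 7 (unlock) is the one that answers "was somebody at the keyboard while I was away"; type 10 is Remote Desktop and type 3 covers file shares and most remote tooling, so a 4624 alone does not mean someone sat at the machine.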
@manthing1467 4 years ago
I've been thinking of making a security audit script via PowerShell. Eventually I'll get around to it. Know of any good open source SIEM tools?
@JonGoodCyber 4 years ago
Here are a few for you:
-AlienVault OSSIM: cybersecurity.att.com/products/ossim
-SecurityOnion: securityonion.net/
-ELK Stack: www.elastic.co/what-is/elk-stack
@mojed6666 4 years ago
Yeah, Wazuh wazuh.com/
@mojed6666 4 years ago
SIEMonster siemonster.com/
@JonGoodCyber 4 years ago
Interesting...I hadn't heard of either of those before. I'm sure, like a lot of the different tools, that all the cool stuff requires a subscription, but at least there are some options to learn things.
@mojed6666 4 years ago
@@JonGoodCyber With Wazuh all the cool stuff is available for everybody, and you can give it a quick try with the Docker version: documentation.wazuh.com/3.13/docker/wazuh-container.html
@Ash-h5u 1 year ago
I 💜 this videooo...
@JonGoodCyber 1 year ago
I'm glad that you enjoyed it!
@khalfanhinai5798 4 years ago
Hi Jon Good, do I need to be a developer to enter the cyber security field?
@JonGoodCyber 4 years ago
Knowing how to program and code will definitely open more opportunities for you; however, not all jobs require those skills. I would check out the video I made on Programming in Cyber Security for more information ( kzbin.info/www/bejne/hGmsc42Al8Sgeqc ).
@khalfanhinai5798 4 years ago
@@JonGoodCyber Thanks bro
@JonGoodCyber 4 years ago
No problem!
@billyc7273 4 years ago
How do you filter the result based on the content of EventData?
@BlackPerl 4 years ago
Probably for doing this kind of search you can use the LogParser 2.2 application and then run a SQL query on your event data to fetch the content you are looking for.
@JonGoodCyber 4 years ago
You can use XML to do some additional filtering. Here is a good article: techcommunity.microsoft.com/t5/ask-the-directory-services-team/advanced-xml-filtering-in-the-windows-event-viewer/ba-p/399761
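The XML filtering Jon links to is an XPath query over the event's `System` and `EventData` elements, and the same query works from PowerShell. The block below is an added example, not code from the video, the linked article or anyone in the thread. It shows one filter on EventData content written first as an XPath for `Get-WinEvent -FilterXPath`, then wrapped in the `QueryList` form that Event Viewer's Filter Current Log > XML tab ("Edit query manually") accepts. `$user` and the logon type are constructed sample values; it assumes an elevated prompt.

```powershell
# Added example: filter on EventData fields by name. $user and the logon type are constructed values.
$user = 'alice'

# XPath in the Event Log service's XPath 1.0 subset: the ID test goes against System,
# field tests go against named <Data> elements under EventData.
$xpath = "*[System[(EventID=4624 or EventID=4625)]] and " +
         "*[EventData[Data[@Name='TargetUserName']='$user']] and " +
         "*[EventData[Data[@Name='LogonType']='10']]"

Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 100 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'SourceIP'; e = {
        (([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text' } }

# The same query as the XML Event Viewer stores for a custom view. <Suppress> removes matches
# from the <Select> set, here loopback logons, which a plain filter cannot express.
$queryXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">$xpath</Select>
    <Suppress Path="Security">*[EventData[Data[@Name='IpAddress']='127.0.0.1']]</Suppress>
  </Query>
</QueryList>
"@
Get-WinEvent -FilterXml ([xml]$queryXml) -MaxEvents 100 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName
```

The `Data[@Name=...]` form only works for providers that register named fields in their manifest (the Security log does); events from older providers expose unnamed, positional `<Data>` elements and have to be matched by position or post-filtered in PowerShell.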
@mitchelllee6110 3 years ago
How far back can event logs go as a maximum?
@JonGoodCyber 3 years ago
If you right-click the individual log in the Windows Event Viewer and select Properties, you can set the retention log size, so theoretically you could store unlimited events. I wouldn't recommend making this value too large because you should be offloading the logs onto a better storage method such as a SIEM and then archiving the log files.
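The retention settings Jon describes here and earlier (the Properties dialog, the 3-6 month AD audit question, and "how far back can the logs go") can be inspected and set from PowerShell. The block below is an added example, not code from the video or from anyone in the thread. It lists each classic log's size cap and overwrite mode, measures how far back the Security log currently reaches, and then shows the `wevtutil` and `Limit-EventLog` calls an administrator would use to change the cap. The 1 GB value is an assumption; it assumes an elevated prompt, and `Limit-EventLog` exists only in Windows PowerShell 5.1, not PowerShell 7.

```powershell
# Added example: inspect and set event log retention. The 1 GB size is an assumption; choose it
# from your event volume and how long you need locally before the SIEM has its copy.
Get-WinEvent -ListLog Application, Security, System |
    Select-Object LogName, RecordCount, IsLogFull,
        @{ n = 'MaxSizeMB'; e = { [math]::Round($_.MaximumSizeInBytes / 1MB) } },
        LogMode   # Circular = overwrite oldest first, AutoBackup = archive when full, Retain = do not overwrite

# How far back the Security log actually reaches right now: oldest record versus newest.
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
$newest = Get-WinEvent -LogName Security -MaxEvents 1
'Security log covers {0:N1} days ({1} records)' -f ($newest.TimeCreated - $oldest.TimeCreated).TotalDays,
    (Get-WinEvent -ListLog Security).RecordCount

# Raise the Security log to 1 GB and switch it to "archive when full" (retention on + auto-backup).
# Archived .evtx files land next to the live log under %SystemRoot%\System32\winevt\Logs and
# still have to be shipped off the host or pruned, otherwise the disk fills instead of the log.
wevtutil set-log Security /ms:1073741824 /rt:true /ab:true

# Windows PowerShell 5.1 equivalent for the size cap with the default "overwrite oldest" mode.
Limit-EventLog -LogName Security -MaximumSize 1GB -OverflowAction OverwriteAsNeeded
```

The days-covered figure is the number to watch: if it drops sharply without a matching change in size or mode, either event volume spiked (often itself a finding) or the log was cleared.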
@dbcnewstv 3 years ago
Waste of my time
@JonGoodCyber 2 years ago
Sorry to hear that, but thank you for watching!
@paulobazzo5650 2 years ago
Sorry but this video is a joke
@JonGoodCyber 2 years ago
I am always open to feedback on how to improve content and presentation, but just saying something is a joke does not help.
@teerich2011 1 year ago
Thank you Jon. That was good!
@JonGoodCyber 1 year ago
Glad you enjoyed it!
@sykanji9816 10 months ago
my guy
@JonGoodCyber 10 months ago
I'm glad that you enjoyed the video!
@ruslanmamedaliyev3912 3 years ago
Please tell me how I can see which files Windows Defender skipped during the scan, with the help of Event Viewer or other ways? Please explain step by step.
@JonGoodCyber 1 year ago
I recommend looking at your Windows Defender logs.
@BrianThomas 2 years ago
Wow. You're good.
@JonGoodCyber 2 years ago
Thank you and I'm glad that you enjoyed the video!