This is Splunk week, and something tells me it will be the only topic for the next few months … Once I get the UF (Universal Forwarder) working I'm going to look at how to claw back some license (from a cloud instance).
I know the right thing is to keep everything, but what can you do …
Things I'm going to put on the blacklist.
Here is a list with many of them (apparently not all):
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
4662 -> A security package has been loaded by the Local Security Authority (details). Low risk.
566 -> Object Operation (W3 Active Directory) (details). Not sure about this one; it probably does need to be looked at.
4648 -> A logon was attempted using explicit credentials (details). Another one I have doubts about (a user connects to a server or runs a program locally using alternate credentials).
4634 -> An account was logged off (details).
4768 -> A Kerberos authentication ticket (TGT) was requested (details).
4656 -> A handle to an object was requested (details).
4670 -> Permissions on an object were changed (details).
4663 -> An attempt was made to access an object (details).
4703 -> A token right was adjusted (details).
4658 -> The handle to an object was closed (details).
4688 -> A new process has been created (details).
4689 -> A process has exited (details).
4624 -> An account was successfully logged on (details).
6278 -> Network Policy Server granted full access to a user because the host met the defined health policy (details).
4728 -> A member was added to a security-enabled global group (https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728) -> This one stays on the allowed side.
Have I gone too far? Or not far enough?
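To turn the list above into something the forwarder actually consumes, and to put a number on the "too far / not far enough" question, here is an added Python example (mine, not from the original post or from Splunk): it renders a `[WinEventLog://Security]` stanza for inputs.conf with the post's EventCodes in a comma-separated `blacklist =` line, refuses to blacklist anything on the keep list (4728 from the post), and applies the filter to a constructed hour of sample events to show how many bytes would stop reaching the indexer. The per-event byte sizes and the sample events are constructed for illustration only.

```python
"""Build a Splunk UF inputs.conf blacklist for the Security channel and
measure it against a constructed sample of events.

Added example, not code from the original post. The EventCode lists are
the post's; SAMPLE_EVENTS and the byte sizes are constructed here.
"""

# EventCodes the post proposes to drop at the forwarder (code -> post's note).
BLACKLIST = {
    4662: "low risk",
    566: "author unsure, probably worth looking at",
    4648: "author unsure (alternate credentials)",
    4634: "account logged off",
    4768: "Kerberos TGT requested",
    4656: "handle to an object requested",
    4670: "permissions on an object changed",
    4663: "attempt to access an object",
    4703: "token right adjusted",
    4658: "handle to an object closed",
    4688: "new process created",
    4689: "process exited",
    4624: "account successfully logged on",
    6278: "NPS granted full access",
}

# EventCodes that must keep flowing to the indexer regardless (from the post).
MUST_KEEP = {4728}  # member added to a security-enabled global group

# Constructed sample: (EventCode, approximate bytes on the wire) for one hour.
SAMPLE_EVENTS = [
    (4624, 1800), (4634, 900), (4688, 2200), (4689, 1100), (4663, 1600),
    (4658, 900), (4728, 1500), (4720, 1400), (4625, 1900), (4688, 2200),
]


def validate(blacklist, must_keep):
    """Return the EventCodes that appear in both lists (should be empty)."""
    return set(blacklist) & set(must_keep)


def render_stanza(blacklist, must_keep):
    """Render the inputs.conf stanza for the Security channel.

    Splunk's WinEventLog input accepts `blacklist = <code>,<code>,...`.
    A clash with must_keep is an error rather than a silent drop.
    """
    clash = validate(blacklist, must_keep)
    if clash:
        raise ValueError(f"must-keep events present in blacklist: {sorted(clash)}")
    codes = ",".join(str(code) for code in sorted(blacklist))
    return (
        "[WinEventLog://Security]\n"
        "disabled = 0\n"
        f"blacklist = {codes}\n"
    )


def license_savings(events, blacklist):
    """Return (kept_bytes, dropped_bytes) after applying the blacklist."""
    kept = sum(size for code, size in events if code not in blacklist)
    dropped = sum(size for code, size in events if code in blacklist)
    return kept, dropped


if __name__ == "__main__":
    print(render_stanza(BLACKLIST, MUST_KEEP))
    kept, dropped = license_savings(SAMPLE_EVENTS, BLACKLIST)
    total = kept + dropped
    print(f"sample hour: {dropped}/{total} bytes dropped "
          f"({100 * dropped // total}%), {kept} bytes indexed")
```

The stanza goes in the forwarder's `inputs.conf` (for example under a deployment app's `local/`), replacing any existing `[WinEventLog://Security]` blacklist. Note what the sample makes visible: with this list, 4688 (process creation) and 4624 (logon) account for most of the dropped volume, and those two are also the events most detection content keys on, so the saving and the loss of visibility are the same number.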