Windows Event Log Monitoring

By: Pete Chen | Splunk Practice Team Lead

Information security is only as effective as the physical security policies behind it. Splunk continues to be a valuable tool for providing insight into risk and threat detection.

As more security operations centers (SOCs) look to limit the exposure of sensitive data, USB removable storage devices (thumb drives, external hard drives, cell phones with high-capacity storage, and SD cards) introduce risk. These devices are helpful for keeping backup copies of important documents and files, and for moving data from one system to another. They can just as easily be used to steal data or to move it to an unsecured location. Using Splunk, a security team can monitor when these devices are plugged into systems.

Windows information on USB devices can be found here:

Logging of USB device information in Windows needs to be enabled before moving forward. The current default in administrative policy is to have this feature disabled, and enabling it requires administrative access to the Windows host.

Test Procedures

By default, the Windows logging option for USB device operations is disabled, so the log is empty at the moment it is enabled: there is no historical data to draw upon, and any device that was plugged in before that point will not have been recorded. Once operational logging is enabled, generate data by plugging in several different devices so that the resulting events can be collected and searched in Splunk.
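The test procedure above, worked through as an added PowerShell example (written for this edit, not code from the original post): it assumes the log the post refers to is Microsoft-Windows-DriverFrameworks-UserMode/Operational, which is disabled by default on Windows, and assumes event IDs 2003 (device arrival) and 2102 (device removal) with message text of the form "... for device <instance path> ..."; both the IDs and the wording are assumptions to verify against your own Windows build. Run it from an elevated session, plug in a thumb drive, then run it again.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post.
# Assumption: the "Windows logging option for operations" is the UMDF Operational log,
# which ships disabled and therefore has no history until it is switched on.
$LogName = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'

function Enable-UsbOperationalLog {
    param([string]$Name = $LogName)
    $cfg = Get-WinEvent -ListLog $Name -ErrorAction Stop
    if (-not $cfg.IsEnabled) {
        $cfg.IsEnabled = $true
        $cfg.SaveChanges()   # persists the change; fails without administrative rights
    }
    # Re-read the configuration so the caller sees the persisted state
    return (Get-WinEvent -ListLog $Name).IsEnabled
}

function Get-UsbPlugEvents {
    param(
        [string]$Name = $LogName,
        [int]$Hours = 24,
        # Assumed mapping: 2003 = device arrival, 2102 = device removal
        [int[]]$Ids = @(2003, 2102)
    )
    $filter = @{ LogName = $Name; Id = $Ids; StartTime = (Get-Date).AddHours(-$Hours) }
    # SilentlyContinue: Get-WinEvent reports "No events were found" as an error when
    # the log was only just enabled and nothing has been plugged in yet
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumed message shape: "... for device <PnP instance path> with status ..."
        $instance = if ($_.Message -match 'for device (\S+)') { $Matches[1] } else { $null }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Host     = $_.MachineName
            EventId  = $_.Id
            Action   = if ($_.Id -eq 2003) { 'connected' } else { 'removed' }
            Instance = $instance
        }
    }
}

$enabled = Enable-UsbOperationalLog
"Operational log enabled: $enabled"
if ($enabled) {
    # Nothing before this point was recorded: plug in a device now, then re-run the query
    Get-UsbPlugEvents | Sort-Object Time | Format-Table -AutoSize
}
```

On the Splunk side, a universal forwarder collects the same log through an inputs.conf stanza named `[WinEventLog://Microsoft-Windows-DriverFrameworks-UserMode/Operational]` with `disabled = 0` (assumed stanza, following Splunk's WinEventLog input convention); after plugging in a device, confirm that the same event IDs appear both in the local query above and in Splunk before relying on them for alerting.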