employee misconduct investigation
The Skadi ELK Stack, authored by Alan Orlikoski (https://github.com/orlikoski), is a powerful means of conducting in-depth triage across many hosts to identify anomalies or suspicious behaviour on critical servers and endpoints. The query below selects successful logon events (Security Event ID 4624) and breaks them out by LogonType. It is the starting point for finding logons to internal hosts that originate from the Internet, but the LogonType alone does not establish where a logon came from: the IpAddress field of each matching event still has to be compared against the organisation's internal address ranges before a logon is called external.

source_name:"Microsoft-Windows-Security-Auditing" AND +(event_identifier:4624) (xml_string:"\>Data Name=\"LogonType\"\>2\" OR xml_string:"\>Data Name=\"LogonType\"\>3\" OR xml_string:"\>Data Name=\"LogonType\"\>4\" OR xml_string:"\>Data Name=\"LogonType\"\>5\" OR xml_string:"\>Data Name=\"LogonType\"\>7\" OR xml_string:"\>Data Name=\"LogonType\"\>8\" OR xml_string:"\>Data Name=\"LogonType...
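The same triage as a stand-alone script, added here as an example and not taken from Skadi or from Alan Orlikoski's code: it parses the xml_string of 4624 records as Plaso stores them, filters by LogonType exactly as the query does, and then adds the check the query leaves out, comparing the IpAddress field against a list of internal ranges. The sample events, the host and user names, and the INTERNAL_NETS list are constructed for the example and are assumptions; an analyst would replace INTERNAL_NETS with the organisation's own ranges.

```python
# Added example (not Skadi project code): triage Windows Security 4624 events
# by LogonType and source address. The sample records below are constructed.
import ipaddress
import xml.etree.ElementTree as ET

# Namespace used by the Event XML that Plaso stores in the xml_string field.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# LogonType values covered by the Kibana query (2-5, 7-11 are the ones that
# represent a real session; 0 and 6 are unused/proxy and rarely of interest).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Assumption for the example: RFC 1918 plus loopback/link-local count as internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def _event(computer, logon_type, user, ip, eid=4624):
    """Build a constructed xml_string in the shape Plaso emits for Security.evtx."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f'<EventID>{eid}</EventID><Computer>{computer}</Computer></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )


# Constructed sample records (hosts, users and addresses are fictitious).
SAMPLE_EVENTS = [
    _event("FS01", 3, "jsmith", "10.0.4.22"),              # internal SMB access
    _event("FS01", 10, "administrator", "203.0.113.5"),    # RDP from outside
    _event("WEB01", 5, "SYSTEM", "-"),                     # service logon, no address
    _event("DC01", 3, "svc_backup", "198.51.100.77"),      # network logon from outside
    _event("DC01", 10, "bob", "203.0.113.9", eid=4625),    # failed logon, not 4624
    _event("APP02", 8, "alice", "192.168.7.30"),           # cleartext logon, internal
]


def parse_4624(xml_string):
    """Return the fields needed for triage, or None if the record is not a 4624."""
    root = ET.fromstring(xml_string)
    if int(root.find("e:System/e:EventID", NS).text) != 4624:
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "host": root.find("e:System/e:Computer", NS).text,
        "user": data.get("TargetUserName", ""),
        "logon_type": int(data.get("LogonType", -1)),
        "ip": data.get("IpAddress", "-"),
    }


def is_external(ip):
    """True only for a parseable address that falls outside INTERNAL_NETS."""
    if ip in ("-", ""):
        return False  # local/service logons carry no source address
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostnames or malformed values are not judged external
    return not any(addr in net for net in INTERNAL_NETS)


def external_logons(xml_strings, logon_types=frozenset(LOGON_TYPES)):
    """Successful logons of the selected types whose source address is external."""
    hits = []
    for xml_string in xml_strings:
        ev = parse_4624(xml_string)
        if ev and ev["logon_type"] in logon_types and is_external(ev["ip"]):
            ev["logon_type_name"] = LOGON_TYPES.get(ev["logon_type"], "Unknown")
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in external_logons(SAMPLE_EVENTS):
        print(f'{hit["host"]}: {hit["user"]} {hit["logon_type_name"]} from {hit["ip"]}')
```

Note that a LogonType 5 (Service) or 7 (Unlock) record normally carries "-" as its IpAddress, so it never counts as external even though the query matches it; the address check, not the type list, is what separates Internet-originating logons from local ones.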