Introduction
Most of the good firewalls out there can identify suspicious activity and log it for you. However, there are scenarios where you want more than just knowing what happened: you want to build a fuller footprint of the potential attack that is passing through the edge device. This post explains how to combine the power of Event Viewer with the flexibility of the Network Monitor Wizard to trigger an action when an incident happens. To do that, the post is divided in two parts. This first part explains the scenario, identifies the issue and works through the data gathering process. We will use Forefront TMG 2010 as our edge device; however, the same approach can be used with any device that logs its major alerts to the Windows Event Log.
Symptom
The true value of having logging enabled on your system is the capability to review it and identify suspicious activities that took place during that time. In this particular case the Firewall Administrator identified the following entry in the Event Viewer:
When reviewing such event, pay attention to the following fields:
I added the flags because, usually, when you raise two flags while analyzing potentially suspicious activity you have enough reason to move forward with the investigation. It is also important to mention that in this particular scenario, since I am using Forefront TMG as the example edge device, the same event you see in Event Viewer is also available under Monitoring/Alerts in the TMG console, as shown below:
Footprint
Now that you have identified the suspicious activity on your edge device and you know which IP address you should be hunting for, you can move forward. The information gathering will vary according to your internal incident response process; however, there are some common steps that can be used during this phase, such as:
All of these methods are passive: the goal at this stage is only to learn more about who is originating the suspicious traffic against your edge device, without sending anything to the suspect address itself that could tip off its operator.
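As an added example (not code from the original post or from the TMG product), the PowerShell script below automates the data gathering described above on the edge device itself: it pulls the recent alert events the firewall wrote to the Windows Application log, extracts the external IPv4 addresses they mention, and runs two typical passive lookups on each one, a reverse DNS (PTR) query and a WHOIS query against the IANA registry followed by the regional registry it refers to. The provider name 'Microsoft Forefront TMG Firewall', the 24-hour window and the choice of reverse DNS and WHOIS as the passive steps are assumptions for illustration; adjust the provider and log name to whatever your edge device actually writes.

```powershell
# Added example, not part of the original post. Gather the edge device's alert events
# from the Windows Application log and build a passive footprint of each external IP.
# ASSUMPTIONS: the provider name and the 24-hour window are placeholders.
param(
    [string]$ProviderName = 'Microsoft Forefront TMG Firewall',  # assumed provider name
    [int]$Hours = 24
)

# Query the Application log for events from the edge device in the last $Hours hours.
function Get-EdgeAlertEvents {
    param([string]$Provider, [int]$Hours)
    $filter = @{
        LogName      = 'Application'
        ProviderName = $Provider
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

# Extract every IPv4 address from an event message, dropping RFC 1918 and loopback
# ranges, since the goal is to learn about the external source of the traffic.
function Get-ExternalIPv4 {
    param([string]$Text)
    [regex]::Matches($Text, '\b(?:\d{1,3}\.){3}\d{1,3}\b') |
        ForEach-Object { $_.Value } | Sort-Object -Unique |
        Where-Object { $_ -notmatch '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' }
}

# Reverse DNS lookup; returns $null when the address has no PTR record.
function Get-ReverseDns {
    param([string]$IPAddress)
    try   { ([System.Net.Dns]::GetHostEntry($IPAddress)).HostName }
    catch { $null }
}

# Minimal WHOIS client (RFC 3912): send the query on TCP/43 and return the reply.
function Get-Whois {
    param([string]$Query, [string]$Server = 'whois.iana.org')
    $client = New-Object System.Net.Sockets.TcpClient($Server, 43)
    try {
        $stream = $client.GetStream()
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.WriteLine($Query)
        $writer.Flush()
        $reader = New-Object System.IO.StreamReader($stream)
        $reader.ReadToEnd()
    } finally {
        $client.Close()
    }
}

# IANA answers an IP query with a "refer:" line naming the regional registry
# (ARIN, RIPE, APNIC, ...); follow that referral once to get the owner record.
function Get-IPWhois {
    param([string]$IPAddress)
    $iana  = Get-Whois -Query $IPAddress
    $refer = ($iana -split "`n") | Where-Object { $_ -match '^refer:' } | Select-Object -First 1
    if ($refer -match '^refer:\s*(\S+)') { Get-Whois -Query $IPAddress -Server $Matches[1] }
    else { $iana }
}

$events = Get-EdgeAlertEvents -Provider $ProviderName -Hours $Hours
$ips    = $events | ForEach-Object { Get-ExternalIPv4 -Text $_.Message } | Sort-Object -Unique

foreach ($ip in $ips) {
    $hits = @($events | Where-Object { $_.Message -match [regex]::Escape($ip) })
    New-Object PSObject -Property @{
        IPAddress  = $ip
        EventCount = $hits.Count
        FirstSeen  = ($hits | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated
        LastSeen   = ($hits | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
        PTR        = Get-ReverseDns -IPAddress $ip
    } | Format-List
    # Print only the registry fields that identify the block owner; the full record is long.
    (Get-IPWhois -IPAddress $ip) -split "`n" |
        Where-Object { $_ -match '^(NetName|OrgName|Organization|org-name|netname|descr|[Cc]ountry):' }
}
```

Run it in an elevated PowerShell session on the TMG server (or on any machine that can read that server's Application log). Neither lookup sends a packet to the suspect address: the PTR query goes to the nameserver of the netblock owner and the WHOIS query to the public registries, which keeps this step passive in the sense used above. Note that `New-Object PSObject -Property` is used instead of `[pscustomobject]` so the script also runs under the PowerShell 2.0 that ships with Windows Server 2008 R2, the platform TMG 2010 runs on.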
Moving Forward
The second part of this article will explain how to capture live data and how to connect the dots to formulate your final conclusion.