Auditing ALA Logs

As a part of security, we constantly review ALA logs generated based on priority 2,3,4. While P1 is taken with utmost priority with hourly updates.
In order to train freshers, It is inherently difficult to train each case and hence I decided to come up with a reference section as
What has happened?
How to proceed investigation?

This is ongoing and will update whenever new scenario is observed.




Event 566

Whereas event 565 logs the permissions requested by user/program, event 566 logs the permissions actually exercised by the user/program after opening it. While an object may accessed several times during the same open, Windows only logs event 566 the first time a given permission is actually exercised. This event is similar to 567 but is limited to Active Directory object accesses.


Recommendation: Do we need to log this? Instead we log them on adhoc basis for suspicious IP that is identified by any other investigation

Event 529

Failure Login Attempt

Event 529 is logged whenever an account fails to login,

Case 1: Bruteforce attempt by source ip — possibly infected
Case 2: Application trying to login (Login Type: 5) which could be authorized (needs confirmation) or unauthorized(indicating compromized)


Logon Type



 Interactive (logon at keyboard and screen of system) Windows 2000 records Terminal Services logon as this type rather than Type 10.


Network (i.e. connection to shared folder on this computer from elsewhere on network or IIS logon – Never logged by 528 on W2k and forward. See event

About wikihead

A Seeker. Information Security Professional, Pursuing Life with Ayurveda.
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s