Two More Days to Get an iPad Air w/ Smart Keyboard with any 5 or 6 Day SANS Training - Register Today!


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

Will that be one log or two? Logging before, during, and after an attack.

  • Wednesday, February 19, 2020 at 3:30 PM EST (2020-02-19 20:30:00 UTC)
  • Craig Bowser

You can now attend the webcast using your mobile device!



We all know logging is critical for monitoring activity on enterprise networks to detect malicious activity, especially on endpoints. Client side attacks are where adversaries are focused using a variety of methods including spear phishing and watering holes. Often most of the evidence of such an attack is at the user endpoint, that is in the host logs. Collection of logs from user endpoints is challenging already due to the volume and, if not carefully planed, can easily overwhelm the SIEM of any organization. But if an attack is occurring, these logs are invaluable in being able to detect (and thus alert on) the attack, for responding to the attack, performing forensic analysis to discover how and when the attack occurred, and after remediation has completed, monitoring for re-infections. While there are many guides (i.e. Microsoft, NSA, Palantir) for setting up a solid baseline logging configuration, there are few that discuss additional logs and/or items to monitor when machines are under attack, or at least under suspicion. Should all logs be enabled and collected or just a larger subset? If a subset, what is of most interest and value? 

In this webcast Craig will present pros and cons of each option and discuss some of the current standards for configuring logging on workstations, explain what types of attacks leave no, or minimal traces with regards to those configurations, and suggest additional logs to enable or collect when a host is suspected of being compromised.

Speaker Bio

Craig Bowser

Craig Bowser is an infosec professional with 15 years of experience in the field. He has worked as an Information Security Manager, Security Engineer, Security Analyst and Information System Security Officer in DoD, DOJ and Dept of Energy areas. He has some letters that mean something to HR departments. He is a Christian, Father, Husband, Geek, Scout Leader who enjoys woodworking, sci-fi fantasy, home networking, tinkering with electronics, reading, and hiking.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.