Will that be one log or two? Logging before, during, and after an attack.

  • Wednesday, February 19th, 2020 at 3:30 PM EST (20:30:00 UTC)
  • Craig Bowser
This webcast has been archived.


We all know logging is critical for monitoring activity on enterprise networks to detect malicious activity, especially on endpoints. Client-side attacks are where adversaries are focused, using a variety of methods including spear phishing and watering holes. Often most of the evidence of such an attack is at the user endpoint, that is, in the host logs. Collecting logs from user endpoints is already challenging due to the volume and, if not carefully planned, can easily overwhelm the SIEM of any organization. But if an attack is occurring, these logs are invaluable for detecting (and thus alerting on) the attack, responding to it, performing forensic analysis to discover how and when it occurred, and, after remediation has completed, monitoring for re-infections. While there are many guides (e.g., Microsoft, NSA, Palantir) for setting up a solid baseline logging configuration, few discuss additional logs or items to monitor when machines are under attack, or at least under suspicion. Should all logs be enabled and collected, or just a larger subset? If a subset, what is of most interest and value?

In this webcast, Craig will present the pros and cons of each option, discuss some of the current standards for configuring logging on workstations, explain what types of attacks leave no, or minimal, traces under those configurations, and suggest additional logs to enable or collect when a host is suspected of being compromised.

Speaker Bio

Craig Bowser

Craig Bowser is an infosec professional with 15 years of experience in the field. He has worked as an Information Security Manager, Security Engineer, Security Analyst and Information System Security Officer in DoD, DOJ and Dept of Energy areas. He has some letters that mean something to HR departments. He is a Christian, Father, Husband, Geek, Scout Leader who enjoys woodworking, sci-fi fantasy, home networking, tinkering with electronics, reading, and hiking.
