Auditing printer activities with EventLog Analyzer

This tutorial helps you navigate the printer auditing capabilities of EventLog Analyzer.

Before you begin, enable logging on your print server and add its logs for monitoring in the EventLog Analyzer console.

Use cases: Auditing printers using EventLog Analyzer

EventLog Analyzer covers the use cases described below for Windows print servers with its security auditing reports. These reports are predefined and can be scheduled to be generated at specific times and distributed by email.

Use case: Resource abuse
  Description: Track users who consistently print large documents, leading to excessive printing costs.
  Why track this? To identify and address wasteful printing habits, optimize resource allocation, and potentially reduce printing costs.
  How EventLog Analyzer helps: These out-of-the-box reports help you identify printer resource abuse:
  • Documents Printed
  • Top printed documents based on users

Use case: Print job failure analysis
  Description: Investigate the root cause of frequent document printing failures, such as corrupted documents or printer errors.
  Why track this? To improve printing efficiency, troubleshoot printer issues, and ensure smooth printing operations.
  How EventLog Analyzer helps: The Failed printer activity - Trend report gives insights into why a print job failed.

Use case: Monitoring user printing activity
  Description: Track and analyze all printing activities initiated by users within your organization.
  Why track this? To enhance data security by identifying potential leaks or misuse of sensitive information.
  How EventLog Analyzer helps: The following reports can help monitor printing activities:
  • Documents Printed
  • Top printed documents based on users
  • Printer Activity trend

Use case: Print server overload
  Description: Continuously monitor printing activity to identify potential overload on the print server, which leads to slow printing or job failures.
  Why track this? To maintain printing performance and prevent disruptions to user productivity.
  How EventLog Analyzer helps: The Documents Printed report can be configured to be generated on a monthly or quarterly basis, depending on your needs.

Threat detection use cases

The following table lists the use cases for detecting threats on print servers. This tutorial lists all the out-of-the-box detection rules used to detect threats. However, you can use the custom rule creation wizard to build your own detection rules.

Use case: Unusual printing patterns
  Description: Detect spikes in printing activity that could indicate a malware attack or unauthorized access.
  Event IDs: 307, 805
  Relevant MITRE ATT&CK techniques and tactics:
  • Techniques: T1078 - Valid Accounts, T1059 - Command and Scripting Interpreter
  • Tactics: Defense Evasion, Persistence, Privilege Escalation, Initial Access
  Detection logic or rules: Unusual printer activity trends identified from the Print Activity Trends report

Use case: Potential data leak
  Description: Detect unauthorized attempts to print documents.
  Event ID: 307
  Relevant MITRE ATT&CK techniques and tactics:
  • Techniques: T1078 - Valid Accounts, T1110 - Brute Force
  • Tactics: Defense Evasion, Persistence, Privilege Escalation, Initial Access, Credential Access, Execution
  Detection logic or rules: Insufficient privileges to print

Use case: Document tampering
  Description: Identify unauthorized modifications to documents before printing, suggesting potential tampering attempts.
  Event IDs: 4656, 4663, 4670, 4660, 5145
  Relevant MITRE ATT&CK techniques and tactics:
  • Techniques: T1036 - Masquerading
  • Tactics: Defense Evasion
  Detection logic or rules: Documents' priority changed

Use case: Suspicious printing activity
  Description: Identify users printing an unusually high volume of documents outside of regular work hours.
  Event IDs: 307, 805, 842, 701
  Relevant MITRE ATT&CK techniques and tactics:
  • Techniques: T1059 - Command and Scripting Interpreter
  • Tactics: Execution
  Detection logic or rules:
  • The Documents printed alert profile modified to apply after business hours
  • The Documents printed alert profile enabled with a smart threshold to capture unusually high volumes of documents printed
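As an added example (not EventLog Analyzer code, and not taken from this tutorial), the following Python runs the two rule ideas from the table, the after-hours volume rule of the Suspicious printing activity row and the spike detection of the Unusual printing patterns row, over constructed Windows PrintService Event ID 307 records. The record layout, the business-hours window, and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample, one record per Event ID 307: time|user|document|printer|bytes|pages
SAMPLE_LOG = """\
2024-03-01T09:12:00|alice|q1-report.pdf|HQ-Laser-01|204800|12
2024-03-01T14:03:00|bob|invoice.docx|HQ-Laser-01|51200|3
2024-03-02T10:40:00|bob|memo.docx|HQ-Laser-01|40960|5
2024-03-03T11:05:00|bob|agenda.pdf|HQ-Laser-01|30720|4
2024-03-04T17:30:00|alice|slides.pptx|HQ-Laser-02|512000|30
2024-03-04T23:15:00|bob|customer-db-export.xlsx|HQ-Laser-02|9437184|420
2024-03-04T23:22:00|bob|contracts-2023.pdf|HQ-Laser-02|3145728|96
"""
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 counts as business hours

def parse_events(text):
    """Parse the constructed records into dicts with a datetime and integer sizes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, doc, printer, size, pages = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "user": user, "doc": doc,
                       "printer": printer, "bytes": int(size), "pages": int(pages)})
    return events

def after_hours_jobs(events, min_pages=50):
    """Rule 1: a single job printed outside business hours with at least min_pages pages."""
    return [(e["user"], e["doc"], e["pages"]) for e in events
            if e["time"].hour not in BUSINESS_HOURS and e["pages"] >= min_pages]

def daily_volume_spikes(events, factor=5.0, min_pages=100):
    """Rule 2 (smart threshold): a user's daily page total that exceeds `factor` times
    the mean of that user's other days and is at least min_pages, i.e. a spike relative
    to the user's own baseline rather than a fixed global number."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_user_day[e["user"]][e["time"].date().isoformat()] += e["pages"]
    spikes = []
    for user, days in per_user_day.items():
        for day, pages in days.items():
            others = [p for d, p in days.items() if d != day]
            if not others:
                continue  # no baseline yet for this user
            if pages >= min_pages and pages > factor * mean(others):
                spikes.append((user, day, pages))
    return spikes
```

In the sample, bob's two late-night jobs trip the after-hours rule, and his 516-page day stands out against a baseline of a few pages per day while alice's 30-page day does not.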

Data security use cases

The following table elaborates on the data security use cases covered by EventLog Analyzer for print servers.

Use case: Data exfiltration attempts
  Event IDs: 4625, 4648, 4768
  Relevant MITRE ATT&CK techniques and tactics:
  • Techniques: T1110 - Brute Force
  • Tactics: Credential Access
  Relevant rules and capabilities: Under correlation: Insufficient privilege to print documents

Use case: Data breach
  Event IDs: 4663, 5145
  Relevant MITRE ATT&CK techniques and tactics:
  • Techniques: T1190 - Exploit Public Facing Application, T1078 - Valid Accounts, T1485 - Data Destruction
  • Tactics: Initial Access, Defense Evasion, Persistence, Privilege Escalation, Impact
  Relevant rules and capabilities: Under correlation:
  • Insufficient privilege to print documents
  • Top printed documents
  • Printer Activity Trends
  • Failed Printer Activity Trends

Compliance

Print servers, often overlooked, can be a significant vulnerability if not properly monitored and secured. This section explores how print server monitoring reports can be utilized to address specific compliance requirements for data security and access control.

Compliance requirements: Solution mapping for a print server platform

Regulatory mandate: SOX
  Requirements:
  • SEC 302 (a) (4) (A)
  • SEC 302 (a) (5) (A)
  • SEC 302 (a) (5) (B)
  EventLog Analyzer reports and alerts:
  • Documents Printed
  • Deleted Documents
  • Timed Out Documents
  • Moved Documents
  • Resumed Documents
  • Paused Documents
  • Corrupted Documents
  • Document's priority changes
  • Insufficient Privilege to Print Documents
  Detection rules:
  • Insider threat detection
  • Removable device auditing
  • Denial-of-service attack detection

EventLog Analyzer reports and alerts for the mandates listed below:
  • Documents Printed
  • Deleted Documents
  • Timed Out Documents
  • Moved Documents
  • Resumed Documents
  • Paused Documents
  • Corrupted Documents
  • Document's priority changes
  • Insufficient Privilege to Print Documents

Regulatory mandate: ISLP
  Requirements:
  • ARTICLE 12
  • ARTICLE 13
  • ARTICLE 19.3
  • ARTICLE 20.5
  • ARTICLE 30.4
  • ARTICLE 30.6

Regulatory mandate: GDPR
  Requirements:
  • GDPR ARTICLE 5 (1D)
  • GDPR ARTICLE 5 (1F)
  • GDPR ARTICLE 32 (1B)
  • GDPR ARTICLE 32 (1D)

Regulatory mandate: NRC
  Requirements:
  • ACT B.1.6
  • ACT B.1.22
  • ACT B.2.6
  • ACT C.3.4
  • ACT C.3.7
  • ACT C.4.3

Regulatory mandate: Cyber Essentials
  Requirements: User Access Control

Regulatory mandate: CCPA and CPRA
  Requirements: Section 1798.150.(a)

Regulatory mandate: NERC
  Requirements: CIP 005-6 R1.3, CIP 007-6 R5.3

Additional Resource