How to analyze firewall authentication events?

Analyzing firewall logs: Authentication events

In any device, monitoring authentication failures is essential because they give a picture of unauthorized access attempts that might lead to lead tampering of the resources. Although it might look trivial, it is also important to continuously monitor and analyze successful authentication events as well. These events can help you spot unauthorized access attempts from the legitimate administrator logins.

Different firewall vendors have different formats, message IDs, and methods to access the authentication logs.

device="SFW" date=2017-01-31 time=18:13:40 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=062910617703 log_type="Event" log_component="Firewall Authentication" log_subtype="Authentication" status="Successful" priority=Information user_name="jsmith" usergroupname="Open Group" auth_client="Web Client" auth_mechanism="N/A" reason="" src_ip=10.198.47.71 src_mac= start_time=1485866617 sent_bytes=1233 recv_bytes=1265 message="User jsmith was logged out of firewall" name="jsmith" timestamp=1485866620

In the above log, the user jsmith tried to login to firewall device and the login was successful. This event also indicates that the user was successfully logged out from the firewall. Additionally, this log also provides details such as the sent bytes, received bytes, the source IP from which the user logged in, and more. Often, security administrators would also want to conduct an audit trail to find out the users who logged in but never logged out of firewall, total unauthorized access attempts from a specific IP or user. To get a comprehensive information such as these, manually analyzing logs could be tiresome.

Administrative permissions/ Privilege escalations

Administrator can control all the activities happening in a network. Accounts with administrative privilege can create, delete, and modify any object in the network. It is always recommended to minimize the number of administrative accounts in a network. This way, it will be easy to identify a hacker's account with the administrative permission.

Hackers usually create an account with higher privileges to gain access to critical information in the network.This will help them to move laterally across the network before launching an attack. Hence, it is important to monitor the firewall logs, to identify the accounts with elevated privileges.

Check out EventLog Analyzer, a comprehensive log management solution that offers predefined reports such as top failed authentications based on source and user, authentication trends, and more.

Furthermore, the solution also comes with built-in reports for other critical account management events such as an administrator role being added, deleted, or modified and more.