
J Inf Process Syst, Vol.17, No.4, pp.772-786, August 2021
https://doi.org/10.3745/JIPS.03.0162
ISSN 1976-913X (Print), ISSN 2092-805X (Electronic)

A Model for Illegal File Access Tracking Using Windows Logs and Elastic Stack

Jisun Kim*, Eulhan Jo**, Sungwon Lee***, and Taenam Cho****

Abstract
Tracking suspicious behavior on a system and gathering evidence by hand is labor-intensive, inconsistent, and dependent on the analyst's experience. System logs are the most important source of evidence in this process. In the Microsoft Windows operating system, however, the events generated by an action are irregular and the log structure is difficult to audit. In this paper, we propose a model that overcomes these problems and analyzes Microsoft Windows logs efficiently. The proposed model extracts lists of common events and key events from the Windows logs in order to determine the detailed action that was performed. We also show how the model can be applied to track illegal file access. The approach uses three-step tracking templates built on Elastic Stack, together with key-event, common-event and identifying-event lists, which makes the data visual for analysis. With the three-step model, analysts can adjust the depth of their analysis.

Keywords
Active Directory, Digital Forensics, Elastic Stack, Microsoft Windows Log, Security, Shared Folder

1. Introduction
Digital forensics is used to identify the suspect of a malicious crime or a forbidden behavior on systems or networks, and to track the evidence of such actions. Malicious users can attack a target system in many ways, and the technique is not necessarily a technical one. In line with the variety of network environments, forensic research tailored to environments such as the Internet of Things (IoT) and cloud computing is being actively conducted [1,2].
Digital evidence tends to be widely scattered, and because it is intermingled with other traces, identifying the key evidence manually is labor-intensive and tedious.
Therefore, the experience of experts is required. Various tools are available for conducting digital forensics, including EnCase [3], Forensic Toolkit (FTK) [4], and AXIOM [5]. These tools categorize data in various ways to support forensic analysis. However, no tool can support all of the devices and applications currently in use. Moreover, although these tools can image a disk containing evidence traces, or gather and categorize the data in storage, they cannot provide tracking scenarios for specific events. Furthermore, they do not provide visualization; they offer only a text-based interface in explorer form. It is consequently difficult to see at a glance the

※ This is an Open Access article distributed under the terms of the Creative Commons Attribution Non-Commercial License (http://creativecommons.org/licenses/by-nc/3.0/) which permits unrestricted non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.
Manuscript received March 23, 2020; first revision June 22, 2020; accepted June 25, 2020.
Corresponding Author: Taenam Cho ([email protected])
* Igloo Security Inc., Seoul, Korea ([email protected])
** BidCoaching Research Institute, Daejeon, Korea ([email protected])
*** Izerone Digital Forensics Company, Jeonju, Korea ([email protected])
**** Dept. of IT and Electronics Engineering, Woosuk University, Jincheon, Chungbuk, Korea ([email protected])
www.kips.or.kr
Copyright 2021 KIPS

correlation of the various pieces of evidence.
Microsoft Windows (hereinafter Windows) is the most widely used operating system [6], holding 54.6% of the global operating system market [7]. It can store various system logs for auditing: events are saved according to the audit policy and can be inspected with the Windows Event Viewer. However, even a simple task such as opening a file produces many events, so it is difficult to identify the user's action from the events. The stored logs often carry no information about the action that caused them, and the events triggered by one action differ from case to case. The filtering offered by Event Viewer is too simple to isolate the events of interest when multiple users have performed multiple tasks in various ways.
Security is not limited to server or network attacks by professional attackers. Auditing and tracking of computer files is necessary to protect trade secrets, prevent unauthorized access to information or resources, and prevent data manipulation [8]. Studies on protecting the integrity and ownership of files have been conducted [9]. This paper, however, focuses on access to files in shared folders on servers under Active Directory (AD) [10]. Kim et al. [11] proposed a technique for extracting, from complex Windows logs, the key events that can track a specific action. In the present study, we organize the log classification into three steps by segmenting and extending that classification, so that the analyst can adjust the trace depth in three steps. We additionally suggest dashboard templates built on Elastic Stack to visualize the tracking process.
The remainder of this paper is organized as follows. Section 2 discusses the Windows audit system. Section 3 introduces Elastic Stack. Section 4 presents and discusses the proposed event trace model.
Section 5 demonstrates event tracking using the proposed model. Section 6 provides conclusions and future work.

2. Windows Audit System
The security audit policy settings under Security Settings\Local Policies\Audit Policy provide broad security audit capabilities for client devices and servers that cannot use the advanced security audit policy settings. The basic audit policy settings are: audit account logon events, audit account management, audit directory service access, audit logon events, audit object access, audit policy change, audit privilege use, audit process tracking, and audit system events [12].

2.1 Windows Audit Policy
Windows records and manages event logs in categories including Account Logon, Account Management, Detailed Tracking, DS Access, Logon/Logoff, and Object Access. Our research is concerned with the Account Logon, Logon/Logoff, and Object Access categories and their subcategories. Table 1 describes these categories and subcategories [13].

Table 1. Categories and subcategories of interest
Category | Subcategories
Account Logon | Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations, Other Account Logon Events
Logon/Logoff | Account Lockout, User/Device Claims, IPsec Extended Mode, Group Membership, IPsec Main Mode, IPsec Quick Mode, Logoff, Logon, Network Policy Server, Other Logon/Logoff Events, Special Logon
Object Access | Certification Services, Detailed File Share, File Share, File System, Filtering Platform Connection, Filtering Platform Packet Drop, Handle Manipulation, Kernel Object, Other Object Access Events, Removable Storage, Central Access Policy Staging

As shown in Fig. 1, we can set the policies that log the events required for auditing [14]. The figure shows "Audit object access" set to "Success, Failure" so that events are recorded for the shared file that is the target of our study. Note that the basic "Audit object access" setting enables every Object Access subcategory in Table 1, including the two Filtering Platform subcategories, which are very noisy; the share-access event used in this paper (event ID 5145) belongs to the Detailed File Share subcategory, so enabling only that subcategory through the advanced audit policy gives the same evidence with far fewer events.

Fig. 1. Windows audit policy setting.
Fig. 2. Windows Event Viewer.

2.2 Windows Event Viewer
Windows provides an Event Viewer for viewing the event logs stored according to the audit policy settings. Event Viewer can list the logs by category, such as Application or Security. Fig. 2 shows an example with the Security category selected, listing the keywords, date and time, event ID, and task

for each log in this category. Selecting an item in the upper list shows its details in the lower window; the details vary with the event. When only the file-access event of interest (event ID 5145, "A network share object was checked to see whether client can be granted desired access" [15]) is filtered, the details show the subject, the file share information, and the access mask.

2.3 Analysis of Windows Events
In the Event Viewer shown in Fig. 2, we can filter the logs by event ID. However, this feature supports only very simple filtering; it cannot filter by other attributes or combine multiple conditions.
When a user performs one action, the system generates many event logs. In many cases it is difficult to identify the action that caused them, because different events may occur for the same action. Table 2 lists the events that occurred when we overwrote a file in a shared folder twice. The user action was the same, yet the first run produced 15 logs and the second produced 26. Table 3 gives the meaning of each bit of the access mask [11,15].
Table 2.
Different events for the same behaviors
Seq. | Case 1: Relative target name | Case 1: Access mask | Case 2: Relative target name | Case 2: Access mask
1 | Destination file name | 0x17019F | \ | 0x120089
2 | Destination file name | 0x2 | Destination file name | 0x17019F
3 | Destination file name | 0x170197 | Destination file name | 0x2
4 | Destination file name | 0x2 | Destination file name | 0x170197
5 | Destination file name | 0x170196 | Destination file name | 0x2
6 | Destination file name | 0x2 | Destination file name | 0x170196
7 | Destination file name | 0x80 | Destination file name | 0x2
8 | Destination file name | 0x17019F | Destination file name | 0x80
9 | Destination file name | 0x2 | \ | 0x100081
10 | Destination file name | 0x170197 | \ | 0x100081
11 | Destination file name | 0x2 | \ | 0x100081
12 | Destination file name | 0x170196 | Destination file name | 0x17019F
13 | Destination file name | 0x2 | Destination file name | 0x2
14 | Destination file name | 0x17019F | Destination file name | 0x170197
15 | Destination file name | 0x2 | Destination file name | 0x2
16 | - | - | Destination file name | 0x170196
17 | - | - | Destination file name | 0x2
18 | - | - | Destination file name | 0x17019F
19 | - | - | Destination file name | (not legible in the source)
20-23 | - | - | (not legible in the source) | (not legible in the source)
24 | - | - | \ | 0x100080
25 | - | - | Destination file name | 0x80
26 | - | - | \ | 0x100081
"Destination file name" in the Relative Target Name field is the name of the overwritten file; a Relative Target Name of "\" refers to the root of the share itself.
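As an added example (not code from the paper), the following Python decodes the access masks that appear in Table 2 into the individual rights that Microsoft documents for event 5145 [15], and computes the events that the two runs of the same overwrite action have in common, which is the idea behind the FullLog and ComLog lists of Section 4. The bit names are Microsoft's; the grouping rule in action_group (a data-writing bit makes a write, otherwise DELETE makes a delete, otherwise ReadData makes a read) and the two sample sequences, transcribed from the legible rows of Table 2, are assumptions of this example.

```python
from collections import Counter

# Access-mask bits of event 5145 as documented by Microsoft [15]
# (ACCESS_MASK bit -> name). Table 3 in the paper prints only part of this list.
ACCESS_BITS = {
    0x1: "ReadData/ListDirectory",
    0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory/CreatePipeInstance",
    0x8: "ReadEA",
    0x10: "WriteEA",
    0x20: "Execute/Traverse",
    0x40: "DeleteChild",
    0x80: "ReadAttributes",
    0x100: "WriteAttributes",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
    0x1000000: "ACCESS_SYS_SEC",
}


def decode_mask(mask):
    """Return the names of the rights set in an access mask, lowest bit first.
    Bits outside the table are reported as hex so nothing is silently dropped."""
    names = [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]
    unknown = mask & ~sum(ACCESS_BITS)
    if unknown:
        names.append(f"unknown:0x{unknown:X}")
    return names


def action_group(mask):
    """Assumed grouping rule (this example's, not the paper's): a mask carrying a
    data-writing bit is a write; DELETE without one is a delete; ReadData alone is
    a read; masks with only attribute/synchronize bits are 'attributes'."""
    if mask & (0x2 | 0x4):
        return "write"
    if mask & 0x10000:
        return "delete"
    if mask & 0x1:
        return "read"
    return "attributes"


# Case 1 and Case 2 of Table 2 (legible rows only; rows 19-23 of Case 2 omitted).
CASE1 = [0x17019F, 0x2, 0x170197, 0x2, 0x170196, 0x2, 0x80,
         0x17019F, 0x2, 0x170197, 0x2, 0x170196, 0x2, 0x17019F, 0x2]
CASE2 = [0x120089, 0x17019F, 0x2, 0x170197, 0x2, 0x170196, 0x2, 0x80,
         0x100081, 0x100081, 0x100081, 0x17019F, 0x2, 0x170197, 0x2,
         0x170196, 0x2, 0x17019F, 0x100080, 0x80, 0x100081]


def common_events(runs):
    """Masks present in every run of the same action (the FullLog/ComLog idea)."""
    return set.intersection(*(set(run) for run in runs))


def group_counts(run):
    """How many events of each action group one run produced."""
    return Counter(action_group(m) for m in run)


if __name__ == "__main__":
    for mask in (0x120089, 0x17019F, 0x170196, 0x110080):
        print(f"0x{mask:X} [{action_group(mask)}]: {', '.join(decode_mask(mask))}")
    print("common:", sorted(f"0x{m:X}" for m in common_events([CASE1, CASE2])))
    print("case 1:", dict(group_counts(CASE1)), "case 2:", dict(group_counts(CASE2)))
```

Decoding 0x17019F shows why it marks a write: besides ReadData/ReadEA/ReadAttributes it carries WriteData, AppendData, WriteEA, WriteAttributes, DELETE, READ_CONTROL, WRITE_DAC and SYNCHRONIZE, which is the mask an application requests when it rewrites a document in place. The intersection of the two runs keeps exactly the write masks 0x17019F, 0x170197, 0x170196 and 0x2 plus 0x80, which is what survives into the common-event list; the 0x120089 and 0x1000xx events of Case 2 are the extra reads the second run happened to make.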

Table 3. Meaning of each bit of the access mask
Access mask | Access (meaning)
0x1 | ReadData (or ListDirectory)
0x2 | WriteData (or AddFile)
0x4 | AppendData (or AddSubdirectory)
(the rows between 0x4 and READ_CONTROL are not legible in the source; the complete list is given in [15])
0x20000 | READ_CONTROL
0x40000 | WRITE_DAC
0x80000 | WRITE_OWNER
0x100000 | SYNCHRONIZE

3. Elastic Stack
Elastic Stack is a toolset that has recently been adopted for analysis and visualization in various areas [16,17], including the security domain. It consists of Elasticsearch, Logstash, Kibana, and Beats. Elasticsearch is a search and analytics engine. Logstash is a server-side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a "stash" such as Elasticsearch. Kibana visualizes the data held in Elasticsearch with charts and graphs. Beats is a family of lightweight, single-purpose data shippers [18].
Kibana supports a variety of charts, so analysts can choose the chart appropriate to the situation. Each chart accepts options such as filters and annotations, which condense a large amount of information into a concise result. Charts can also be consolidated into dashboards, so the analyst can view the whole analysis process at a glance.
Many recent studies have applied Elastic Stack to data visualization, and in the security area a growing number use it for threat detection and analysis. Park and Hyun [19] proposed a service that collects scattered web artifacts and visualizes them with Elastic Stack for digital forensics. Kim and Shon [20] used Elastic Stack to detect cyber threats in industrial control systems. Lee and Yang [21] proposed an Elastic Stack-based security log analysis system. We analyzed Windows logs in [22].
In this paper, we present a method to classify logs systematically on the basis of those analysis results, and a method to support analysts by building an analysis template with Elastic Stack.

4. Proposed Event Trace Model
4.1 Classification of Event Logs
As noted above, an action does not always generate the same events; the events may differ with the way the action is executed. We therefore designed three event databases, listed in Table 4, following the procedure in Fig. 3. First, we recorded the events that occurred when executing

one action more than ten times in the same way. FullLog is the list of events that occur in common when one action is performed in one way. ComLog is the list of events common to each group of similar actions, selected from FullLog. Finally, IdLog is the minimal list of events, extracted from FullLog, that distinguishes each action from the others.

Table 4. Classified log databases
Log database | Content
FullLog | List of events that occur in common for each action and method performed by the user
ComLog | List of events that occur in common for a group of similar actions
IdLog | List of events that identify each list in FullLog

Fig. 3. Classification of logs based on the user's action and method.

Table 5. ComLog and IdLog
ComLog
Action group | Relative target name | Access mask
Read | File name | 0x120089
Write | File name | 0x12019F or 0x17019F
Delete | File name, or Src. file name and Dest. file name | 0x110080

IdLog
Action group | Operation | Relative target name | Access mask
Read | Open | File name | 0x120089
Read | Copy to other computer | File name | 0x120089
Read | File/Save As to other computer | File name | 0x120089
Write | Save | File name | 0x12019F
Write | Write (Window function) | File name | 0x17019F
Write | Write with File/Save As | File name | 0x120196
Write | Overwrite | File name | 0x170197 or 0x170196
Write | Overwrite with File/Save As | File name | 0x12019F
Delete | Change file name | Src. file name, Dest. file name | 0x110080 or 0x100081
Delete | Delete | File name | 0x10080
(The cell alignment of the IdLog half is partly lost in the source; the rows above are the best reading of the extracted cells, and the write-group masks agree with the Wchart annotations of Table 6.)

Table 5 outlines ComLog and IdLog. We divide the actions that cause Open, Write, and Delete events into groups and record the events common to each group in ComLog. To build IdLog,

we list the different actions that trigger the events of each group and then extract the events that distinguish each action. One event consists of a relative target name and an access mask. FullLog contains the event logs for the various actions, each consisting of multiple logs; because of space constraints they are not included here. Flist in Fig. 11 (Section 5.2) shows an example used in our experiment.

4.2 Elastic Stack Template
Illegal leakage and tampering of shared files are major audit targets. There are various ways to copy and modify a file; for example, a copy operation may precede a modification. We experimented with various modification methods, and the logs they generated differed. Fig. 4 shows three representative cases. In the simplest, Case 1, we modified the file directly on the server. In Cases 2 and 3, we modified the file on the client computer and then overwrote the copy in the server's shared folder rather than modifying it in place. Note that in these cases the file's modification time is not the time it was written to the server but the time it was modified on the client [22]. In Case 3, we opened one file on the server and one on the client, copied the content of the server file, and pasted it into the client file.

Fig. 4. Three methods to modify a shared file.

Event tracking proceeds in several steps. As described in Section 2.2, the Windows Event Viewer provides only simple filtering. We therefore used Kibana in Elastic Stack to configure a dashboard template that filters and analyzes the logs incrementally, as shown in Fig. 5. The dashboard for the file-tampering example consists of two charts (Wchart and Rchart) and two lists (Flist and Rlist).
To clarify the description, we define the following symbols:
tc: creation time, when the file was created
tm: modification time, when the file was most recently modified
td: detection time, when an auditor detects an illegal modification
tw: writing time, when the attacker wrote the file to the server

tr: reading/copying time, when the attacker read or copied the file
S: suspected user, a user suspected of being the attacker

Fig. 5. Dashboard template for file modification.

Wchart is used to identify the time (tw) of the most recent event in which the file was written or overwritten, and the user S who caused that event. To track the attack more specifically, Rchart is used to identify the time (tr) at which S read or copied the file. Table 6 summarizes the options used to build these charts. The annotations are the access masks to be tracked. In Wchart, the IdLog masks for the various ways of generating write/overwrite events are used as annotations. If the write method does not matter, only the ComLog masks of the write group, 0x12019F and 0x17019F, need be set. In Rchart, the start of the time range is set to tc; it can instead be set to the time of the last file backup. We call the list of events selected from FullLog for comparison Flist.

Table 6. Options and objectives of the dashboard charts
Chart | Time range | Filter | Annotation (access mask) | Group by (count) | Purpose (result)
Wchart | tm to td | Event ID (5145), Target file name | 0x12019F, 0x170196, 0x17019F, 0x120196 | Subject user name | Determine suspect S, write time tw, and write method
Rchart | tc to tm | Event ID (5145), Target file name, Subject name | 0x120089 | Access mask (0x100080) | Check read or copy action

Rlist lists the events extracted from RawLog so that the exact copy method can be identified by checking the detailed events of the suspect's operation. Unlike writing, copying is hard to distinguish from reading, so the events must be compared with the FullLog entries for read/copy operations. Flist holds the FullLog entries to be compared. Table 7 summarizes the options used to build these lists.
Table 7.
Options and objectives of the dashboard lists
List | Selected fields | Time range | Filter | Purpose (result)
Rlist | Event ID, Relative Target Name, Subject User Name, Access Mask | tc to tm | Event ID: 5145, Target file name, Subject name, Access mask: 0x100080, 0x120089, 0x100081 | Confirm action using FullLog
Flist | - | - | - | Compare to Rlist

4.3 Event Tracing Process
Event tracing consists of a preparation phase and an analysis phase, as shown in Fig. 6. The preparation phase consists of steps P1 to P3:
P1: Create RawLog by setting the audit policy described in Section 2.1 so that the required logs are saved.
P2: Prepare FullLog, ComLog, and IdLog by analyzing and classifying RawLog according to the method in Section 4.1.
P3: Prepare dashboard templates for the major attacks using ComLog and IdLog.
For example, if a file is suspected of having been manipulated at time td, the file's modification time is confirmed as tm and the analysis begins. The analysis phase consists of steps A1 to A3, using the dashboard described in Section 4.2.

A1: Display RawLog in Wchart with td, tm, the name of the file suspected of having been manipulated, event ID 5145, and the write-related access masks of Table 5. From the last event in Wchart, find suspect S, the file write time tw, and the write method used.
A2: Add S to the Rchart options and switch the annotation to the read-related access masks, to determine the read or copy operation performed before the modification.
A3: For the actions found in A1 and A2, confirm the estimated suspect and actions by comparing the corresponding FullLog with RawLog, checking the occurrence and order of the detailed events.
If only a simple verification is required, the analyst can establish the suspect's action from the results of A1 alone. By proceeding to A2 and A3, the analyst obtains detailed evidence of the action. The analyst can therefore choose the depth of the evidence trace according to the situation.

Fig. 6. Tracing process.

5. Experiment and Result
5.1 Experimental Environment
To evaluate the proposed model, we constructed the environment shown in Fig. 7; Table 8 lists the operating systems and software versions used. We configured the audit policy on the AD server [23] to log "object access" events, and set up Winlogbeat on the AD server to send the event logs to Logstash

Fig. 7. Experimental environment.

on the Elastic Stack server in real time. On the Elastic Stack server, Logstash receives the event logs from Winlogbeat and stores them as RawLog. FullLog, IdLog, and ComLog are built in table form by analyzing the access logs of the shared folder. Users Kim, Jo, and Kwak connect to the AD server as clients.

Table 8. Software versions
Computer | Software | Version
Active Directory server | OS | Windows Server 2016
Active Directory server | Winlogbeat | 7.5.2
Active Directory client | OS | Windows 10
Elastic Stack server | OS | CentOS Linux (release number not legible in the source)
Elastic Stack server | Elastic Stack (rpm packages) | 6.8.6-1

5.2 Case Analysis
We generated a tampering action on a shared file in the AD server that produced complex logs, as follows. The file secret.doc in the subfolder Kim of the shared folder is a file whose integrity must be guaranteed. Kwak copied secret.doc to his computer and modified it, then overwrote the server's original file with the modified copy. Fig. 8 shows the timeline of these actions. The system actually stores time in milliseconds; for convenience it is expressed here in minutes.

Fig. 8. Timeline of secret.doc modification and detection.

Suppose that on March 10, 2020 at 17:30 it is determined that secret.doc has been manipulated, and that the last modification time of the file is March 10, 2020 at 16:15. As shown in Fig. 9, Wchart identifies the user who tampered with the file as Kwak. From the access mask (0x170196) and the time in the annotation, it can also be determined that Kwak overwrote the file by copy and paste (Ctrl+C & V) or by drag and drop on "Mar 10, 2020, 4:54 PM". The Windows event log cannot, however, tell which of the two overwrite methods was used.
Next, as shown in Fig. 10, Rchart verifies that Kwak read the file several times before overwriting it. Rchart alone shows only that the file was read for copying several times.
To determine the specific copy method, Flist and Rlist were compared, as shown in Fig. 11. The comparison shows that Kwak opened secret.doc and then used the "Save As" function in the File menu to save the file on his computer.
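The three-step trace of Section 4.3 (A1 to A3), applied to the scenario of this section, as an added example in Python rather than on a Kibana dashboard; it is not code from the paper. The RawLog records are constructed for this example to follow the Fig. 8 timeline, with field names modelled on the 5145 fields Winlogbeat ships (the exact names are an assumption). WRITE_MASKS and READ_MASKS are the annotation and filter masks of Tables 6 and 7, and the FullLog patterns used in step A3 are hypothetical, since the paper's FullLog is not printed.

```python
from collections import Counter
from datetime import datetime

# Wchart annotation masks (Table 6) plus 0x170197 from the IdLog write group (Table 5).
WRITE_MASKS = {0x12019F, 0x17019F, 0x120196, 0x170196, 0x170197}
# Rchart/Rlist read-or-copy masks (Tables 6 and 7).
READ_MASKS = {0x120089, 0x100080, 0x100081}
# Section 5.2 reads 0x170196 as an overwrite by copy & paste or drag & drop.
OVERWRITE = {0x170196, 0x170197}

# Hypothetical FullLog entries: the ordered masks one read-group action leaves
# on the server. The paper's FullLog is not printed; these are assumptions.
FULLLOG = {
    "File/Save As to other computer": (0x120089, 0x100080, 0x100081),
    "Open": (0x120089,),
}


def ts(s):
    return datetime.fromisoformat(s)


def ev(time, user, target, mask):
    """One 5145 record with the fields the dashboard filters on (names assumed)."""
    return {"@timestamp": ts(time), "event_id": 5145, "subject_user_name": user,
            "relative_target_name": target, "access_mask": mask}


TARGET = "Kim\\secret.doc"
# Constructed RawLog extract following the Fig. 8 timeline.
RAWLOG = [
    ev("2020-03-10T13:31:57.068", "Kwak", TARGET, 0x120089),
    ev("2020-03-10T13:31:57.101", "Kwak", TARGET, 0x100080),
    ev("2020-03-10T13:31:57.134", "Kwak", TARGET, 0x100081),
    ev("2020-03-10T14:02:10.500", "Jo", TARGET, 0x120089),
    ev("2020-03-10T15:10:03.220", "Kwak", TARGET, 0x120089),
    ev("2020-03-10T15:10:03.250", "Kwak", "Kim\\notes.txt", 0x120089),
    ev("2020-03-10T16:54:00.010", "Kwak", TARGET, 0x17019F),
    ev("2020-03-10T16:54:00.020", "Kwak", TARGET, 0x2),
    ev("2020-03-10T16:54:00.030", "Kwak", TARGET, 0x170197),
    ev("2020-03-10T16:54:00.040", "Kwak", TARGET, 0x2),
    ev("2020-03-10T16:54:00.050", "Kwak", TARGET, 0x170196),
    ev("2020-03-10T16:54:00.060", "Kwak", TARGET, 0x2),
    ev("2020-03-10T16:54:00.070", "Kwak", TARGET, 0x80),
    ev("2020-03-10T17:05:00.000", "Kim", TARGET, 0x120089),
]


def select(events, target, start, end, masks, user=None):
    """The dashboard filter: event ID, target, time range, masks, optional subject."""
    return [e for e in events
            if e["event_id"] == 5145 and e["relative_target_name"] == target
            and start <= e["@timestamp"] <= end and e["access_mask"] in masks
            and (user is None or e["subject_user_name"] == user)]


def wchart(events, target, tm, td):
    """A1: the last write-masked event in [tm, td] gives S, tw and the write method."""
    hits = select(events, target, tm, td, WRITE_MASKS)
    if not hits:
        return None
    last = max(hits, key=lambda e: e["@timestamp"])
    method = ("overwrite (copy & paste or drag & drop)"
              if last["access_mask"] in OVERWRITE else "write")
    return last["subject_user_name"], last["@timestamp"], last["access_mask"], method


def rchart(events, target, suspect, tc, tm):
    """A2: S's read/copy events on the target in [tc, tm] (Rlist), grouped by mask."""
    rlist = select(events, target, tc, tm, READ_MASKS, user=suspect)
    return Counter(e["access_mask"] for e in rlist), rlist


def confirm_method(rlist, fulllog=FULLLOG):
    """A3: match FullLog mask patterns as contiguous runs in Rlist, longest first,
    so a short pattern never claims events already explained by a longer one."""
    masks = [e["access_mask"] for e in rlist]
    used, found = set(), []
    for name, pat in sorted(fulllog.items(), key=lambda kv: -len(kv[1])):
        for i in range(len(masks) - len(pat) + 1):
            span = range(i, i + len(pat))
            if tuple(masks[i:i + len(pat)]) == pat and used.isdisjoint(span):
                used.update(span)
                found.append((name, rlist[i]["@timestamp"]))
    return sorted(found, key=lambda f: f[1])


def trace(events, target, tc, tm, td):
    """Run A1-A3 and return what each step established."""
    a1 = wchart(events, target, tm, td)
    if a1 is None:
        return None
    suspect, tw, mask, method = a1
    counts, rlist = rchart(events, target, suspect, tc, tm)
    return {"S": suspect, "tw": tw, "mask": mask, "method": method,
            "reads": counts, "copy_actions": confirm_method(rlist)}


if __name__ == "__main__":
    result = trace(RAWLOG, TARGET, ts("2020-03-01T00:00:00"),
                   ts("2020-03-10T16:15:00"), ts("2020-03-10T17:30:00"))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Step A1 stops at the last annotated write mask, which is why the 0x2 and 0x80 events that follow it in the overwrite burst do not move tw; step A2 deliberately restricts the read window to tc..tm, so the read Kim made after detection and Jo's read are never attributed to S; step A3 only confirms what a FullLog pattern explains, and any event the patterns leave unclaimed is the signal that the reference database needs another entry.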

Fig. 9. Identifying the suspect and write time using Wchart.
Fig. 10. Identifying the reading action of the suspect using Rchart.
Fig. 11. Detailed actions of the confirmed perpetrator.

It can therefore be concluded that Kwak copied secret.doc to his computer with "File/Save As" on March 10, 2020 at 13:31:57.068, modified and saved it on his computer on March 10, 2020 at 16:15, and then overwrote the server copy on March 10, 2020 at 16:54.

6. Conclusion
In this study, we built databases by analyzing complex Windows logs: extracting the events that occur in common for each action on shared files, identifying the minor events that distinguish actions, and identifying the events common to similar actions. We also designed a dashboard template on Elastic Stack for visual analysis. When an action that requires auditing occurs, the stored event logs can be analyzed by comparing them with the reference databases in the dashboard templates, and the evidence of the suspect and the action can be selected by adjusting the analysis depth.
In this study, we collected and analyzed logs only from the AD server. To produce a complete collection of behavioral evidence, however, the logs on the suspect's computer must also be analyzed. Further research is therefore needed to extend the model so that client logs can also be sent to Elastic Stack for analysis, and the databases must be extended to cover other actions and client-side event logs. A further limitation is that Windows logs alone are not sufficient for file tracking: for example, they cannot distinguish whether copy and paste (Ctrl+C & V) or drag and drop was used to copy a file. A more elaborate Windows log would be needed for digital forensics.

Acknowledgement
This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (No. NRF-2017R1D1A3B03032637).

References
[1] A. Nieto and R.
Rios, "Cybersecurity profiles based on human-centric IoT devices," Human-centric Computing and Information Sciences, vol. 9, article no. 39, 2019. https://doi.org/10.1186/s13673-019-0200-y
[2] P. K. Sharma, J. H. Ryu, K. Y. Park, J. H. Park, and J. H. Park, "Li-Fi based on security cloud framework for future IT environment," Human-centric Computing and Information Sciences, vol. 8, article no. 23, 2018. https://doi.org/10.1186/s13673-018-0146-5
[3] OpenText, "EnCase software," 2021 [Online]. Available: https://www.guidancesoftware.com.
[4] Exterro Inc., "Forensic Toolkit (FTK)," 2021 [Online]. Available: https://www.exterro.com/forensic-toolkit.
[5] Magnet Forensics, "AXIOM," 2021 [Online]. Available: https://www.magnetforensics.com.
[6] CaTalk, "Top 7 PCs shared by world/domestic," 2020 [Online]. Available: tems.html.
[7] G2 Inc., "Best Operating System," 2021 [Online]. Available: https://www.g2.com/categories/operating-system.
[8] Z. Zhang, C. Wang, and X. Zhou, "A survey on passive image copy-move forgery detection," Journal of Information Processing Systems, vol. 14, no. 1, pp. 6-31, 2018.

[9] C. Wang, H. Zhang, and X. Zhou, "LBP and DWT based fragile watermarking for image authentication," Journal of Information Processing Systems, vol. 14, no. 3, pp. 666-679, 2018.
[10] Microsoft, "Active Directory Domain Services overview," 2017 [Online]. Available: ry-domain-services-overview.
[11] J. Kim, M. Kwak, S. Lee, and T. Cho, "File tracking technique with active directory event log," in Proceedings of the 2020 World Congress on Information Technology Applications and Services, Seoul, Korea, 2020.
[12] Microsoft, "Audit policy," 2017 [Online]. Available: olicy.
[13] Microsoft, "Advanced security audit policy settings," 2017 [Online]. Available: -policy-settings.
[14] Microsoft, "Basic security audit policies," 2017 [Online]. Available: licies.
[15] Microsoft, "5145(S, F): A network share object was checked to see whether client can be granted desired access," 2017 [Online]. Available: threat-protection/auditing/event-5145.
[16] K. Kim and Y. Cho, "Multi-index approach to search Chinese, Japanese, and Korean text with Elasticsearch 6.6," Proceedings of International Conference on Future Information & Communication Engineering, vol. 11, no. 1, pp. 257-260, 2019.
[17] S. Persada, A. Oktavianto, B. Miraja, R. Nadlifatin, P. Belgiawan, and A. P. Redi, "Public perceptions of online learning in developing countries: a study using the ELK Stack for sentiment analysis on Twitter," International Journal of Emerging Technologies in Learning (iJET), vol. 15, no. 9, pp. 94-109, 2020.
[18] Elasticsearch, "ELK Stack," 2021 [Online]. Available: https://www.elastic.co/what-is/elk-stack.
[19] J. Park and J. Hyun, "Web artifacts visualization using ElasticSearch and Kibana," in Proceedings of the IEEK Summer Conference, 2019, pp. 1350-1353.
[20] Y. Kim and T. Shon, "Cyber-threat detection of ICS using Sysmon and ELK," Journal of the Korea Institute of Information Security & Cryptology, vol. 29, no. 2, pp. 331-346, 2019.
[21] B. H. Lee and D. M.
Yang, "A security log analysis system using Logstash based on Apache Elasticsearch," Journal of the Korea Institute of Information and Communication Engineering, vol. 22, no. 2, pp. 382-389, 2018.
[22] J. Kim, M. Kwak, S. Lee, and T. Cho, "File tracking technique with active directory event log," in Proceedings of the 14th KIPS International Conference on Ubiquitous Information Technologies and Applications, Macau, China, 2019.
[23] J. Krause, Mastering Windows Server 2016. Birmingham, UK: Packt Publishing, 2016.

Jisun Kim
https://orcid.org/0000-0003-3637-9844
She received a B.S. degree in information secu
