QUESTION
Which logs should be submitted in response to a VSA Security Incident?
RESOLUTION
The logs needed vary with the incident type. For a compromised account (for example, a malicious actor obtaining a user's password) we would need the artifacts below. Enabling 2FA on all accounts is always recommended.
The primary artifacts that are used in most investigations are:
- Edge Services logs – records of the agent check-ins and web requests that Edge Services proxies
- IIS logs – web transactions (timestamp, source IP, requested URL, status code, user agent)
- Event Logs – Windows Security, System and Application logs, used to determine the extent and nature of system compromise (logons, service installs, errors)
- Service Information – check for unknown/malicious services and startup programs
- Task Information – review of active processes (and scheduled tasks)
- File Listing – corroborate unknown/malicious artifacts (recently created or modified files)
- VSA Audit Tables – check for patterns of behavior and account activity (logons, configuration changes)
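The following PowerShell script is an added example of how to gather the host-side artifacts above into a single bundle; it is not Kaseya's own tooling. It assumes an elevated session on the VSA server, the default IIS log path, and guessed locations for the Edge Services logs and the Kaseya install directory (adjust those to your install). The VSA Audit Tables live in the VSA SQL database and are exported separately; they are not covered here.

```powershell
<#
  Added example (not Kaseya's own tooling): collect the artifacts listed above
  from a VSA server into one timestamped folder, zip it, and hash the zip.
  Run in an elevated PowerShell session on the VSA server, before remediation.
  Assumptions, adjust for your install: IIS log path (IIS default), Edge
  Services log path and Kaseya root (guessed), and the 7-day collection window.
#>
param(
    [datetime]$Start       = (Get-Date).AddDays(-7),
    [datetime]$End         = (Get-Date),
    [string]  $OutRoot     = 'C:\IR',
    [string]  $IisLogPath  = 'C:\inetpub\logs\LogFiles',   # IIS default; assumed
    [string]  $EdgeLogPath = 'C:\Kaseya\Logs',             # assumed; verify on your server
    [string]  $KaseyaRoot  = 'C:\Kaseya'                   # assumed install directory
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$out   = Join-Path $OutRoot "vsa-incident-$stamp"
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Edge Services and IIS logs: copy only files written inside the window,
# preserving the relative directory layout (W3SVC1, W3SVC2, ...).
foreach ($src in @{ iis = $IisLogPath; edge = $EdgeLogPath }.GetEnumerator()) {
    $dst = Join-Path $out $src.Key
    if (-not (Test-Path $src.Value)) { continue }
    Get-ChildItem -Path $src.Value -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Start } |
        ForEach-Object {
            $rel    = $_.FullName.Substring($src.Value.TrimEnd('\').Length).TrimStart('\')
            $target = Join-Path $dst $rel
            New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
            Copy-Item -Path $_.FullName -Destination $target -Force
        }
}

# Event Logs: export in native .evtx, filtered to the window with an XPath query.
$fmt = 'yyyy-MM-ddTHH:mm:ss.fffZ'
$s   = $Start.ToUniversalTime().ToString($fmt)
$e   = $End.ToUniversalTime().ToString($fmt)
$q   = "*[System[TimeCreated[@SystemTime>='$s' and @SystemTime<='$e']]]"
foreach ($log in 'Security', 'System', 'Application', 'Microsoft-Windows-PowerShell/Operational') {
    $file = Join-Path $out (($log -replace '[/\\]', '-') + '.evtx')
    wevtutil epl $log $file "/q:$q"
}

# Service Information: services plus registry/startup-folder autoruns.
Get-CimInstance Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName |
    Export-Csv (Join-Path $out 'services.csv') -NoTypeInformation
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Export-Csv (Join-Path $out 'startup.csv') -NoTypeInformation

# Task Information: running processes with parent and command line, and scheduled tasks.
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
    Export-Csv (Join-Path $out 'processes.csv') -NoTypeInformation
Get-ScheduledTask |
    Select-Object TaskName, TaskPath, State, Author,
        @{n='Actions'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }} |
    Export-Csv (Join-Path $out 'scheduled-tasks.csv') -NoTypeInformation

# File Listing: files created or modified inside the window under the VSA and web roots, with SHA256.
Get-ChildItem -Path $KaseyaRoot, 'C:\inetpub' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Start -or $_.CreationTime -ge $Start } |
    Select-Object FullName, Length, CreationTime, LastWriteTime,
        @{n='SHA256'; e={ (Get-FileHash $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash }} |
    Export-Csv (Join-Path $out 'recent-files.csv') -NoTypeInformation

# Manifest: host, collection time and timezone, so the bundle answers the timing questions below.
[pscustomobject]@{
    Host      = $env:COMPUTERNAME
    Collected = (Get-Date).ToString('o')
    TimeZone  = (Get-TimeZone).Id
    Window    = "$($Start.ToString('o')) .. $($End.ToString('o'))"
} | ConvertTo-Json | Set-Content (Join-Path $out 'manifest.json')

# Bundle and hash for integrity when handing the evidence over.
$zip = "$out.zip"
Compress-Archive -Path $out -DestinationPath $zip -Force
(Get-FileHash $zip -Algorithm SHA256).Hash | Set-Content "$zip.sha256"
Write-Host "Bundle: $zip (SHA256 in $zip.sha256)"
```

The script copies rather than moves, so nothing on the server is altered, and the SHA256 of the zip lets the recipient confirm the bundle was not modified in transit. Widen the window if the first sign of compromise is older than seven days; an export that starts after the initial access will miss the most useful events.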
Note that the investigation moves faster when the details of the incident are known. Please provide as much information as possible about how the incident was identified, its timeframe, and any related activity. Questions to answer include:
- When was the incident identified (date, time, timezone)?
- How was the incident identified?
- Is there known evidence corroborating the incident identified (sources, screenshots)?
- Have any abnormal activities occurred recently or in the near past that may relate to this incident?
- What malicious activity was attempted, and which of it succeeded?