From 914b5b6e61dd2990d2cf5a8d2809f8a3d9e7c753 Mon Sep 17 00:00:00 2001 From: Tony Phipps Date: Wed, 29 Nov 2023 10:30:03 -0700 Subject: [PATCH] Update Identification.md --- Identification.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/Identification.md b/Identification.md index b38656c..df67da3 100644 --- a/Identification.md +++ b/Identification.md @@ -2,4 +2,13 @@ - What is the size of the event log file? Is it at least as large as policy requires? - What is the oldest event recorded? Is it at least as old as policy requires? - Which Event IDs can be filtered out, having no value to the investigation? -- Are there any Security Event ID 1102 events present (log cleared)? + +#### Security +- Review any Security Event ID 1102 events present (log cleared). + +#### System +- Note any Event ID 1074 (Power off intiated) +- Note any Event ID 27 (Network link is disconnected) +- Note any Event ID 33 (Network link has been established) +- Note any Event ID 13 (The operating system is shutting down at system time xxxx) +- Note any Event ID 12 (The operating system started at system time xxxx)
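Review bot: the new `#### System` items list only bare Event ID numbers (1074, 27, 33, 13, 12) with no event source, and small IDs like 12, 13, 27 and 33 are reused by many providers in the System log, so an investigator filtering on the number alone will pull in unrelated events; add the provider name to each bullet so the checklist identifies a single event, in the same way the `#### Security` bullet is unambiguous by being scoped to the Security log. Also fix the typo in `- Note any Event ID 1074 (Power off intiated)` to "initiated". A smaller style point: the preceding bullets are phrased as questions ("Is it at least as large as policy requires?") while the added bullets switch to imperatives ("Review any", "Note any"); pick one form for the whole checklist, and consider stating in the 1102 bullet what the reviewer should conclude from its presence, since the removed question at least prompted a yes/no finding.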