Log mining
Anton Chuvakin wrote a nice piece about a log analysis he performed on a compromised box. It was interesting to see some of the techniques I'm using in my work and in my master's thesis. He also mentioned some experience with profiling users (the information that one week to one month is enough was very valuable to me) and some types of analysis that can be made following that concept.

I'm trying to build something along those lines, based not only on user accounts but also on computers, services, applications, physical locations and many other "entities". My goal is to end up with a list of common situations (observables) that can be used to detect anomalies usually linked to the presence of an attacker.

And sorry Dr. A, I'm planning to try that in a SIEM way instead of a log analysis approach :-)
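The entity-profiling idea above, as an added example that is not code from this post or from Chuvakin's analysis: learn what is "normal" for each entity (here users and hosts) over a baseline window at the low end of the one-week-to-one-month range mentioned, then report observations that fall outside that profile. The record layout, the profiled attributes and the sample records are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <user> <source host> <service>"
SAMPLE_LOG = """\
2009-03-01T08:05:00 alice ws-12 vpn
2009-03-01T08:10:00 alice ws-12 mail
2009-03-02T09:03:00 bob ws-40 mail
2009-03-03T08:07:00 alice ws-12 mail
2009-03-03T09:01:00 bob ws-40 vpn
2009-03-04T07:55:00 alice ws-12 vpn
2009-03-05T08:01:00 bob ws-40 mail
2009-03-09T03:14:00 alice ws-77 vpn
2009-03-09T08:12:00 bob ws-40 mail
2009-03-10T09:30:00 bob ws-12 mail
"""

# Attributes profiled per entity type (an assumption of this example): a user
# by the hosts, services and hours it appears with, a host by its users.
PROFILES = {"user": ("host", "service", "hour"), "host": ("user",)}

def parse(log_text):
    """Split each constructed line into a record; hour is derived for profiling."""
    records = []
    for line in log_text.splitlines():
        ts, user, host, service = line.split()
        when = datetime.fromisoformat(ts)
        records.append({"ts": when, "hour": when.hour, "user": user,
                        "host": host, "service": service})
    return records

def build_baseline(records, days=7):
    """Learn, per entity, the set of attribute values seen in the first `days`."""
    cutoff = min(r["ts"] for r in records) + timedelta(days=days)
    baseline = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["ts"] < cutoff:
            for etype, attrs in PROFILES.items():
                for a in attrs:
                    baseline[(etype, r[etype])][a].add(r[a])
    return baseline, cutoff

def find_anomalies(records, baseline, cutoff):
    """Report (entity, attribute, value) seen after cutoff but never in baseline."""
    findings = []
    for r in records:
        if r["ts"] >= cutoff:
            for etype, attrs in PROFILES.items():
                for a in attrs:
                    if r[a] not in baseline[(etype, r[etype])][a]:
                        findings.append(((etype, r[etype]), a, r[a]))
    return findings
```

On the sample data the run flags alice appearing from a new host at an unusual hour, the new host ws-77 itself, and bob appearing on alice's workstation; each finding is one candidate observable of the kind the post aims to catalogue.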