CN117714176A - Windows active directory processing method, device and storage medium - Google Patents
Publication number: CN117714176A (application number CN202311752309.1A)
Authority: CN (China)
Prior art keywords: log, attack, active directory, security, windows
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention relates to a Windows active directory processing method, a device and a storage medium. Agent software is deployed on a Windows active directory server; the agent collects security log content and sends it back to a log centralized processing server, which judges attack events. The specific steps are: reading the security log content acquired by the agent in real time; identifying log information in real time and screening it to obtain discrimination keywords; judging the attack event based on the discrimination keywords obtained by identification and screening and on the defined attack events; and pushing the attack event information obtained by judgment to an administrator. Compared with the prior art, the method and system can accurately match key security event information in real time, locate the problem and find the attack source, improve the accuracy of log reading and analysis, discover and handle the anomaly promptly after the active directory is attacked, improve handling efficiency, and greatly reduce the adverse effects of security attack events.
Description
Technical Field
The invention relates to the technical field of data acquisition, in particular to an agent-based Windows active directory processing method.
Background
At present, as information technology develops and network security receives increasing emphasis, external network attacks keep growing. In the face of this severe network security situation, how to build a secure Windows active directory environment of high quality, high stability and high reliability is a major issue that has to be considered.
The Windows active directory environment serves as the centralized rights management scheme for production and office systems and faces a large number of security attack events at every moment, yet domain controllers still lack an effective early-warning means; once a domain controller is compromised, various security problems such as data leakage and service interruption can follow.
Therefore, a capability that helps improve the security monitoring of Windows active directory environments is essential.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a Windows active directory processing method.
The aim of the invention can be achieved by the following technical scheme:
agent software is deployed on a Windows active directory server, security log content is collected through the agent and sent back to a log centralized processing server for judging attack events, and the specific steps comprise:
the log centralized processing server reads the security log content acquired by the agent in real time;
the log centralized processing server identifies log information in real time, and screens to obtain discrimination keywords;
the log centralized processing server judges the attack event based on the judging key words obtained by the identification and screening and the defined attack event;
the log centralized processing server pushes the attack event information obtained through discrimination to a manager.
Compared with the prior art, the invention has the following beneficial effects:
1) A Windows active directory server carries a large amount of data and many kinds of security logs, and a large number of log records are generated every day. The log content is read in real time through the agent and the log information is identified in real time; combined with data query and analysis technologies such as ELK and HADOOP, key security event information can be matched accurately, which helps an administrator locate the problem and find the attack source and solves the accuracy problem of manual log reading and analysis.
2) Through the agent, 7 x 24 hour monitoring can be realized; combined with monitoring and alarm means such as zabbix, SOC and SNMP, events can be discovered promptly after the active directory is attacked and the anomaly handled promptly, which improves handling efficiency and greatly reduces the adverse consequences of security attack events.
Drawings
FIG. 1 is a schematic deployment diagram of the Windows active directory collection system of the present invention;
FIG. 2 is a flow chart of real-time data processing of the Windows active directory processing method of the present invention;
FIG. 3 is a flow chart of the Windows active directory processing method of the present invention for reading log content in real time;
FIG. 4 is a topology diagram of the Windows active directory collection system of the present invention.
Detailed Description
The invention will now be described in detail with reference to the drawings and specific examples. The present embodiment is implemented on the premise of the technical scheme of the present invention, and a detailed implementation manner and a specific operation process are given, but the protection scope of the present invention is not limited to the following examples.
Example 1
The invention deploys agent software on the Windows active directory server, collects the security log content through the agent and sends it back to the log centralized processing server for judging attack events. The specific system deployment is shown in FIG. 1: in terms of deployment architecture the invention is based on a C/S architecture, an agent is installed on the Windows active directory server, and the security logs of the active directory are collected through the agent and concentrated at a log analysis server end for analysis, so that security monitoring of the Windows active directory environment is realized.
1) The log centralized processing server reads, in real time, the security log content collected by the agent. A Windows active directory server carries a large amount of data and many kinds of security logs, and a large number of log records are produced every day; the log content is read in real time by the agent software, and the specific reading flow is shown in FIG. 2:
S11, acquire the Windows security event log;
S12, locate the position of the file read last time;
S13, cyclically read the newly added content of the security event log;
S14, store the newly added content that was read into a temporary file;
S15, after the attack-event judgment of the newly added content in the temporary file is complete, empty the temporary file.
The object of real-time log content reading is the Windows security log; the prerequisite for reading is that a detailed security audit policy is enabled on Windows.
2) The log centralized processing server identifies log information in real time. Combined with data query and analysis technologies such as ELK and HADOOP, it can accurately match key security event information, screens keywords such as user name, event id, source address and target address, completes a preliminary attack discrimination through the attack events defined on the system, and then pushes the information to an administrator, helping the administrator locate the problem accurately and find the attack source, and solving the accuracy problem of manual log reading and analysis. The administrator can also add and update attack definitions in the database system (Elasticsearch, HBase and other NoSQL databases) to improve the coverage and accuracy of the attack event definitions. FIG. 3 is a flow chart of the data processing performed on the collected Windows active directory logs according to the present invention.
According to the invention, the agent realizes 7 x 24 hour monitoring; combined with monitoring and alarm means such as zabbix, SOC and SNMP, events can be discovered promptly after the active directory is attacked and anomalies handled promptly, so that handling efficiency is improved and the adverse consequences of security attack events are greatly reduced.
Finally, the log centralized processing server receives the administrator's feedback on whether the attack event is a real attack; if not, the attack event is added to a white list; if so, the administrator is alerted to handle and trace the attack.
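The reading loop (S11 to S15), the keyword screening, the attack-event judgment against defined attack events and the whitelist feedback described above, as an added worked example that is not the patent's own code: a Python sketch of the log centralized processing server side, run over a constructed JSON-lines sample of Security-log records. The record layout, the attack definitions (the DS-Replication-Get-Changes right appearing in a 4662 from a non-machine account, a member added to a privileged group in 4728/4732/4756, an RC4 service ticket in 4769, a burst of 4625 failures from one source address), the threshold, and all function and file names are this example's assumptions; the checkpoint is the highest RecordId seen, and the spool file plays the role of the patent's temporary file.

```python
import json
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample log: JSON lines, one Security-log record per line. Field names
# mirror common Security-log fields, but the layout and every value are assumptions.
SAMPLE_LOG = "\n".join([
    '{"RecordId": 101, "EventId": 4624, "SubjectUserName": "alice", "TargetUserName": "alice", "IpAddress": "10.0.0.5"}',
    '{"RecordId": 102, "EventId": 4625, "TargetUserName": "svc_backup", "IpAddress": "10.0.9.77"}',
    '{"RecordId": 103, "EventId": 4625, "TargetUserName": "svc_backup", "IpAddress": "10.0.9.77"}',
    '{"RecordId": 104, "EventId": 4625, "TargetUserName": "svc_backup", "IpAddress": "10.0.9.77"}',
    '{"RecordId": 105, "EventId": 4662, "SubjectUserName": "bob", "ObjectType": "domainDNS", '
    '"Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}", "IpAddress": "10.0.3.14"}',
    '{"RecordId": 106, "EventId": 4728, "SubjectUserName": "alice", "TargetUserName": "Domain Admins", '
    '"MemberName": "CN=bob,CN=Users,DC=corp,DC=example", "IpAddress": "10.0.0.5"}',
    '{"RecordId": 107, "EventId": 4769, "TargetUserName": "carol@CORP.EXAMPLE", "ServiceName": "MSSQLSvc", '
    '"TicketEncryptionType": "0x17", "IpAddress": "10.0.3.14"}',
])

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"  # control access right GUID
FAILED_LOGON_THRESHOLD = 3  # assumed: 4625 failures from one source address within one batch


def read_new_records(log_path, checkpoint_path, spool_path):
    """S11-S14: locate the last-read record, read only what follows, spool it to a temp file."""
    last = int(checkpoint_path.read_text()) if checkpoint_path.exists() else 0
    records = [json.loads(line) for line in log_path.read_text().splitlines() if line.strip()]
    new = [rec for rec in records if rec["RecordId"] > last]
    spool_path.write_text("\n".join(json.dumps(rec) for rec in new))
    if new:
        checkpoint_path.write_text(str(new[-1]["RecordId"]))  # advance the checkpoint
    return new


def screen_keywords(rec):
    """Screen the discrimination keywords: user name, event id, source address, target."""
    return {"user": rec.get("SubjectUserName", "-"), "event_id": rec["EventId"],
            "src": rec.get("IpAddress", "-"), "target": rec.get("TargetUserName", "-")}


def per_record_definitions(rec, kw):
    """Illustrative attack definitions (assumed, not the patent's); yields (attack, key)."""
    # 4662 carrying the DS-Replication-Get-Changes right, requested by a non-machine account
    if (kw["event_id"] == 4662 and DS_REPLICATION_GET_CHANGES in rec.get("Properties", "")
            and not kw["user"].endswith("$")):
        yield "replication_right_used_by_user_account", kw["user"]
    # 4728/4732/4756: a member was added to a privileged group (TargetUserName is the group)
    if kw["event_id"] in (4728, 4732, 4756) and kw["target"] in PRIVILEGED_GROUPS:
        yield "privileged_group_member_added", rec.get("MemberName", "-")
    # 4769 with RC4 (0x17) ticket encryption
    if kw["event_id"] == 4769 and rec.get("TicketEncryptionType") == "0x17":
        yield "rc4_service_ticket_requested", kw["target"]


def judge(records, whitelist):
    """Match screened keywords against the definitions; drop findings already whitelisted."""
    alerts, failures = [], defaultdict(int)
    for rec in records:
        kw = screen_keywords(rec)
        if kw["event_id"] == 4625:
            failures[kw["src"]] += 1
        for name, key in per_record_definitions(rec, kw):
            if (name, key) not in whitelist:
                alerts.append({"attack": name, "key": key, "record": rec["RecordId"]})
    for src, count in failures.items():
        if count >= FAILED_LOGON_THRESHOLD and ("failed_logon_burst", src) not in whitelist:
            alerts.append({"attack": "failed_logon_burst", "key": src, "count": count})
    return alerts


def feedback(alert, is_real, whitelist):
    """Administrator feedback: a false positive is whitelisted, a real attack is escalated."""
    if not is_real:
        whitelist.add((alert["attack"], alert["key"]))
        return "whitelisted"
    return "escalate"


def run_cycle(workdir, whitelist):
    """One reading cycle (S11-S15) followed by judgment; the spool is emptied afterwards."""
    workdir = Path(workdir)
    log, ckpt, spool = workdir / "security.jsonl", workdir / "checkpoint", workdir / "spool.jsonl"
    if not log.exists():
        log.write_text(SAMPLE_LOG)
    alerts = judge(read_new_records(log, ckpt, spool), whitelist)
    spool.write_text("")  # S15: temporary file emptied once judgment is done
    return alerts


def demo():
    """Two cycles over the sample log, then a re-judgment after whitelisting one alert."""
    with tempfile.TemporaryDirectory() as d:
        whitelist = set()
        first = run_cycle(d, whitelist)
        second = run_cycle(d, whitelist)  # checkpoint has advanced: nothing new to judge
        feedback(first[2], False, whitelist)  # administrator marks the RC4 finding as not real
        rejudged = judge([json.loads(line) for line in SAMPLE_LOG.splitlines()], whitelist)
    return first, second, rejudged


if __name__ == "__main__":
    for section in demo():
        print(json.dumps(section, indent=1))
```

Run stand-alone, the first cycle yields four alerts, the second yields none because the checkpoint has advanced, and whitelisting the RC4 ticket finding for that account removes it from a later judgment while the other three remain. A real deployment would take records from the Security channel on the domain controller through the agent rather than from a sample file, and each definition would need its own tuning; the point of the example is the shape of the checkpoint, screen, judge, feedback loop.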
Besides collecting security attack events, the agent can also collect system configuration, including network configuration information, security baseline configuration information, security patch installation information, group policy configuration information, registry configuration information, browser configuration information, running process information and other security information; this is analyzed and matched through the same processing flow, and if an abnormality exists the administrator is notified to process and repair it, so that the system always stays in a safe and reliable running state.
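The configuration matching just described, as an added example that is not the patent's own code: a Python check that compares an agent-collected configuration snapshot against a security baseline and reports each item that deviates or is missing. The snapshot, the baseline list, the operators and the "days since last security update" item are constructed for illustration; the registry values, service name and audit subcategory are real Windows settings, but the expected values are this example's choice, not a setting the patent prescribes.

```python
# Baseline items as (kind, name, operator, expected value, reason). Registry paths,
# the Spooler service and the audit subcategory are real Windows settings; the
# expected values and the patch-age item are assumptions for this example.
BASELINE = [
    ("registry", r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel", ">=", 5,
     "send NTLMv2 only, refuse LM and NTLM"),
    ("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature", "==", 1,
     "SMB server signing required"),
    ("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal", "==", 1,
     "secure channel must be signed or sealed"),
    ("service", "Spooler", "==", "Stopped", "print spooler should not run on a domain controller"),
    ("audit", "Directory Service Access", "==", "Success and Failure", "needed for 4662 visibility"),
    ("patch", "days_since_last_security_update", "<=", 30, "patch currency"),
]

OPERATORS = {
    "==": lambda actual, expected: actual == expected,
    ">=": lambda actual, expected: actual >= expected,
    "<=": lambda actual, expected: actual <= expected,
}


def check_baseline(snapshot, baseline=BASELINE):
    """Return one finding per baseline item the snapshot fails ('deviates') or lacks ('missing')."""
    findings = []
    for kind, name, op, expected, why in baseline:
        actual = snapshot.get(kind, {}).get(name)
        if actual is None:
            findings.append({"kind": kind, "name": name, "status": "missing",
                             "expected": expected, "why": why})
        elif not OPERATORS[op](actual, expected):
            findings.append({"kind": kind, "name": name, "status": "deviates",
                             "actual": actual, "expected": expected, "why": why})
    return findings


# Constructed snapshot in the shape an agent might report: two deviations, one missing item.
SAMPLE_SNAPSHOT = {
    "registry": {
        r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel": 3,
        r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature": 1,
        r"HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal": 1,
    },
    "service": {"Spooler": "Running", "NTDS": "Running"},
    "audit": {"Directory Service Access": "Success and Failure"},
    "patch": {},
}

if __name__ == "__main__":
    for finding in check_baseline(SAMPLE_SNAPSHOT):
        print(finding)
```

Each finding carries the reason text from the baseline so the notification to the administrator says why the setting matters, not only that it differs; a missing item is reported separately from a deviating one because an agent that could not read a value is itself something to investigate.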
Example 2
As a second aspect of the present invention, the present application also provides an electronic device, including: one or more processors; and a memory for storing one or more programs; when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the Windows active directory processing method as described above. In addition to the above-mentioned processor, memory and interface, any device with data processing capability in the embodiments may further include other hardware according to its actual function, which is not described here.
Example 3
As a third aspect of the present invention, there is also provided a computer-readable storage medium having stored thereon computer instructions which, when executed by a processor, implement a Windows active directory processing method as described above. The computer readable storage medium may be an internal storage unit, such as a hard disk or a memory, of any of the data processing enabled devices described in any of the previous embodiments. The computer readable storage medium may also be an external storage device, such as a plug-in hard disk, a Smart Media Card (SMC), an SD Card, a Flash memory Card (Flash Card), or the like, provided on the device. Further, the computer readable storage medium may include both internal storage units and external storage devices of any device having data processing capabilities. The computer readable storage medium is used for storing the computer program and other programs and data required by the arbitrary data processing apparatus, and may also be used for temporarily storing data that has been output or is to be output.
The foregoing describes in detail preferred embodiments of the present invention. It should be understood that numerous modifications and variations can be made in accordance with the concepts of the invention by one of ordinary skill in the art without undue burden. Therefore, all technical solutions which can be obtained by logic analysis, reasoning or limited experiments based on the prior art by the person skilled in the art according to the inventive concept shall be within the scope of protection defined by the claims.
Claims (10)
1. A Windows active directory processing method, characterized in that agent software is deployed on a Windows active directory server, security log content is collected through the agent and sent back to a log centralized processing server for judging attack events, and the method specifically comprises the following steps:
the log centralized processing server reads the security log content acquired by the agent in real time;
the log centralized processing server identifies log information in real time, and screens to obtain discrimination keywords;
the log centralized processing server judges the attack event based on the judging key words obtained by the identification and screening and the defined attack event;
the log centralized processing server pushes the attack event information obtained through discrimination to a manager.
2. The Windows active directory processing method according to claim 1, wherein the specific steps of the log centralized processing server reading the log content in real time comprise:
acquiring a Windows security event log;
positioning the file read last time;
circularly reading the newly-added content of the security event log, and storing the read newly-added content into a temporary file;
judging an attack event for newly added content in the temporary file;
and after the attack-event judgment of the newly added content in the temporary file is complete, the temporary file is emptied.
3. The Windows active directory processing method according to claim 2, wherein the object of real-time log content reading is the Windows security log, and the prerequisite for reading is that a detailed security audit policy is enabled on Windows.
4. The method for processing the Windows active directory according to claim 1, wherein the log centralized processing server identifies log information in real time as follows:
identifying log information and matching key security event information by adopting a data query analysis technology, wherein the data query analysis technology comprises ELK and HADOOP;
screening a judging keyword, and completing attack judgment through defined attack events, wherein the judging keyword comprises the following components: user name, event id, source address and destination address.
5. The method of claim 4, wherein the definitions of the attack events are stored in a database system, and wherein the database system supports the addition and updating of the definitions of the attack events.
6. The method for processing the Windows active directory according to claim 1, wherein the method adopts a monitoring alarm means for reminding of handling abnormality after the active directory is attacked, wherein the monitoring alarm means comprises: zabbix, SOC, and/or SNMP.
7. The method for processing the Windows active directory according to claim 1, wherein the agent collects all security class information of the system configuration, including network configuration information, security baseline configuration information, security patch installation information, group policy configuration information, registry configuration information, browser configuration information, and running process information.
8. The Windows active directory processing method according to claim 1, wherein the log centralized processing server receives the administrator's feedback on whether the attack event is a real attack;
if not, adding the attack event into a white list;
if yes, warning the manager to handle and trace the attack.
9. A Windows active directory processing device comprising a memory, a processor, and a program stored in the memory, wherein the processor implements the method of any one of claims 1-8 when executing the program.
10. A storage medium having a program stored thereon, wherein the program, when executed, implements the Windows active directory processing method according to any one of claims 1-8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311752309.1A CN117714176A (en) | 2023-12-19 | 2023-12-19 | Windows active directory processing method, device and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117714176A true CN117714176A (en) | 2024-03-15 |
Family
ID=90147714
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311752309.1A Pending CN117714176A (en) | 2023-12-19 | 2023-12-19 | Windows active directory processing method, device and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117714176A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||