Write a script that analyzes the events in your windows System Security Log To make the lab easier export your security log entries to a CSV file which will be used by the script to perform the analysis The script should count the number of success and failure audits logged, provide the count associated with each, and the most common event ID I have never written in python before so where am i going wrong This is what i have so far import pandas as pd import os path usr tmp retval os getcwd() os chdir(r C Users DakotaDavila Desktop ) df pd read csv( SystemSecurityLogs csv ) df success df df 'Keywords' 'Audit Success' df failure df df 'Keywords' 'Audit Failure' total len(df success index) len(df failure index) err ID failure str(st mode(df failure 'Event ID' tolist())) err ID success str(st mode(df success 'Event ID' tolist())) print( Number of Audit Failures str(len(df failure index)) failures of str(total) entries t Most common Event ID err ID failure Number of Audit Successes str(len(df success index)) successes of str(total) entries t Most common Event ID err ID success) And here is the first part of the csv file Keywords Date and Time Source Event ID Task Category Audit Success 11 12 2018 9 55 Microsoft Windows Security Auditing 4672 Special Logon Special privileges assigned to new logon Subject Security ID SYSTEM Account Name SYSTEM Account Domain NT AUTHORITY Logon ID 0x3E7 Privileges SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege Audit Success 11 12 2018 9 55 Microsoft Windows Security Auditing 4624 Logon An account was successfully logged on Subject Security ID SYSTEM Account Name DAKOTAS LAPTOP$ Account Domain WORKGROUP Logon ID 0x3E7 Logon Information Logon Type 5 Restricted Admin Mode Virtual Account No Elevated Token Yes Impersonation Level Impersonation New Logon Security ID SYSTEM Account Name SYSTEM Account Domain NT AUTHORITY Logon ID 0x3E7 Linked Logon ID 0x0 Network Account Name Network Account Domain Logon GUID 00000000 0000 0000 0000 000000000000 Process Information Process ID 0x350 Process Name C Windows System32 services exe Network Information Workstation Name Source Network Address Source Port Detailed Authentication Information Logon Process Advapi Authentication Package Negotiate Transited Services Package Name (NTLM only) Key Length 0 This event is generated when a logon session is created It is generated on the computer that was accessed The subject fields indicate the account on the local system which requested the logon This is most commonly a service such as the Server service, or a local process such as Winlogon exe or Services exe The logon type field indicates the kind of logon that occurred The most common types are 2 (interactive) and 3 (network) The New Logon fields indicate the account for whom the new logon was created, i e the account that was logged on The network fields indicate where a remote logon request originated Workstation name is not always available and may be left blank in some cases The impersonation level field indicates the extent to which a process in the logon session can impersonate The authentication information fields provide detailed information about this specific logon request Logon GUID is a unique identifier that can be used to correlate this event with a KDC event Transited services indicate which intermediate services have participated in this logon request Package name indicates which sub protocol was used among the NTLM protocols Key length indicates the length of the generated session key This will be 0 if no session key was requested Audit Success 11 12 2018 9 51 Microsoft Windows Security Auditing 4672 Special Logon Special privileges assigned to new logon Subject Security ID SYSTEM Account Name SYSTEM Account Domain NT AUTHORITY Logon ID 0x3E7 Privileges SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege Audit Success 11 12 2018 9 51 Microsoft Windows Security Auditing 4624 Logon An account was successfully logged on Subject Security ID SYSTEM Account Name DAKOTAS LAPTOP$ Account Domain WORKGROUP Logon ID 0x3E7 Logon Information Logon Type 5 Restricted Admin Mode Virtual Account No Elevated Token Yes Impersonation Level Impersonation New Logon Security ID SYSTEM Account Name SYSTEM Account Domain NT AUTHORITY Logon ID 0x3E7 Linked Logon ID 0x0 Network Account Name Network Account Domain Logon GUID 00000000 0000 0000 0000 000000000000 Process Information Process ID 0x350 Process Name C Windows System32 services exe Network Information Workstation Name Source Network Address Source Port Detailed Authentication Information Logon Process Advapi Authentication Package Negotiate Transited Services Package Name (NTLM only) Key Length 0 This event is generated when a logon session is created It is generated on the computer that was accessed The subject fields indicate the account on the local system which requested the logon This is most commonly a service such as the Server service, or a local process such as Winlogon exe or Services exe The logon type field indicates the kind of logon that occurred The most common types are 2 (interactive) and 3 (network) The New Logon fields indicate the account for whom the new logon was created, i e the account that was logged on The network fields indicate where a remote logon request originated Workstation name is not always available and may be left blank in some cases The impersonation level field indicates the extent to which a process in the logon session can impersonate The authentication information fields provide detailed information about this specific logon request Logon GUID is a unique identifier that can be used to correlate this event with a KDC event Transited services indicate which intermediate services have participated in this logon request Package name indicates which sub protocol was used among the NTLM protocols Key length indicates the length of the generated session key This will be 0 if no session key was requested Audit Success 11 12 2018 9 48 Microsoft Windows Security Auditing 5379 User Account Management Credential Manager credentials were read Subject Security ID DAKOTAS LAPTOP Dakota Davila Account Name Dakota Davila Account Domain DAKOTAS LAPTOP Logon ID 0x3E493CA Read Operation Enumerate Credentials This event occurs when a user performs a read operation on stored credentials in Credential Manager Audit Success 11 12 2018 9 46 Microsoft Windows Security Auditing 4672 Special Logon Special privileges assigned to new logon Subject Security ID SYSTEM Account Name SYSTEM Account Domain NT AUTHORITY Logon ID 0x3E7 Privileges SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege Audit Success 11 12 2018 9 46 Microsoft Windows Security Auditing 4624 Logon An account was successfully logged on Subject Security ID SYSTEM Account Name DAKOTAS LAPTOP$ Account Domain WORKGROUP Logon ID 0x3E7 Logon Information Logon Type 5 Restricted Admin Mode Virtual Account No Elevated Token Yes Impersonation Level Impersonation New Logon Security ID SYSTEM Account Name SYSTEM Account Domain NT AUTHORITY Logon ID 0x3E7 Linked Logon ID 0x0 Network Account Name Network Account Domain Logon GUID 00000000 0000 0000 0000 000000000000 Process Information Process ID 0x350 Process Name C Windows System32 services exe Network Information Workstation Name Source Network Address Source Port Detailed Authentication Information Logon Process Advapi Authentication Package Negotiate Transited Services Package Name (NTLM only) Key Length 0 This event is generated when a logon session is created It is generated on the computer that was accessed The subject fields indicate the account on the local system which requested the logon This is most commonly a service such as the Server service, or a local process such as Winlogon exe or Services exe The logon type field indicates the kind of logon that occurred The most common types are 2 (interactive) and 3 (network) The New Logon fields indicate the account for whom the new logon was created, i e the account that was logged on The network fields indicate where a remote logon request originated Workstation name is not always available and may be left blank in some cases The impersonation level field indicates the extent to which a process in the logon session can impersonate The authentication information fields provide detailed information about this specific logon request Logon GUID is a unique identifier that can be used to correlate this event with a KDC event Transited services indicate which intermediate services have participated in this logon request Package name indicates which sub protocol was used among the NTLM protocols Key length indicates the length of the generated session key This will be 0 if no session key was requested Audit Success 11 12 2018 9 41 Microsoft Windows Security Auditing 4798 User Account Management A user's local group membership was enumerated Subject Security ID SYSTEM Account Name DAKOTAS LAPTOP$ Account Domain WORKGROUP Logon ID 0x3E7 User Security ID DAKOTAS LAPTOP Dakota Davila Account Name Dakota Davila Account Domain Dakotas Laptop Process Information Process ID 0x700 Process Name C Windows System32 svchost exe Audit Success 11 12 2018 9 41 Microsoft Windows Security Auditing 4798 User Account Management A user's local group membership was enumerated Subject Security ID SYSTEM Account Name DAKOTAS LAPTOP$ Account Domain WORKGROUP Logon ID 0x3E7 User Security ID Dakotas Laptop Administrator Account Name Administrator Account Domain Dakotas Laptop Process Information Process ID 0x700 Process Name C Windows System32 svchost exe

The Answer is in the image, click to view ...

Question: Write a script that analyzes the events in your windows System Security Log. To make the lab easier export your security log entries to a

Write a script that analyzes the events in your windows System Security Log. To make the lab easier export your security log entries to a CSV file which will be used by the script to perform the analysis. The script should count the number of success and failure audits logged, provide the count associated with each, and the most common event ID.

I have never written in python before so where am i going wrong? This is what i have so far:

import pandas as pd

import os

path = "/usr/tmp"

retval = os.getcwd()

os.chdir(r"C:\Users\DakotaDavila\Desktop")

df = pd.read_csv("SystemSecurityLogs.csv")

df_success = df[df['Keywords'] == 'Audit Success']

df_failure = df[df['Keywords'] == 'Audit Failure']

total = len(df_success.index) + len(df_failure.index)

err_ID_failure = str(st.mode(df_failure['Event ID'].tolist()))

err_ID_success = str(st.mode(df_success['Event ID'].tolist()))

print("Number of Audit Failures: " +str(len(df_failure.index))

+ " failures of " + str(total) + " entries \t"

+ "Most common Event ID: " + err_ID_failure

+ " Number of Audit Successes: " + str(len(df_success.index))

+ " successes of " + str(total) + " entries \t"

+ "Most common Event ID: " + err_ID_success)

And here is the first part of the csv file:

Keywords	Date and Time	Source	Event ID	Task Category
Audit Success	11/12/2018 9:55	Microsoft-Windows-Security-Auditing	4672	Special Logon	Special privileges assigned to new logon. Subject: Security ID: SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Audit Success	11/12/2018 9:55	Microsoft-Windows-Security-Auditing	4624	Logon	An account was successfully logged on. Subject: Security ID: SYSTEM Account Name: DAKOTAS-LAPTOP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Audit Success	11/12/2018 9:51	Microsoft-Windows-Security-Auditing	4672	Special Logon	Special privileges assigned to new logon. Subject: Security ID: SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Audit Success	11/12/2018 9:51	Microsoft-Windows-Security-Auditing	4624	Logon	An account was successfully logged on. Subject: Security ID: SYSTEM Account Name: DAKOTAS-LAPTOP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Audit Success	11/12/2018 9:48	Microsoft-Windows-Security-Auditing	5379	User Account Management	Credential Manager credentials were read. Subject: Security ID: DAKOTAS-LAPTOP\Dakota_Davila Account Name: Dakota_Davila Account Domain: DAKOTAS-LAPTOP Logon ID: 0x3E493CA Read Operation: Enumerate Credentials This event occurs when a user performs a read operation on stored credentials in Credential Manager.
Audit Success	11/12/2018 9:46	Microsoft-Windows-Security-Auditing	4672	Special Logon	Special privileges assigned to new logon. Subject: Security ID: SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege
Audit Success	11/12/2018 9:46	Microsoft-Windows-Security-Auditing	4624	Logon	An account was successfully logged on. Subject: Security ID: SYSTEM Account Name: DAKOTAS-LAPTOP$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: SYSTEM Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x350 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Audit Success	11/12/2018 9:41	Microsoft-Windows-Security-Auditing	4798	User Account Management	A user's local group membership was enumerated. Subject: Security ID: SYSTEM Account Name: DAKOTAS-LAPTOP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: DAKOTAS-LAPTOP\Dakota_Davila Account Name: Dakota_Davila Account Domain: Dakotas-Laptop Process Information: Process ID: 0x700 Process Name: C:\Windows\System32\svchost.exe
Audit Success	11/12/2018 9:41	Microsoft-Windows-Security-Auditing	4798	User Account Management	A user's local group membership was enumerated. Subject: Security ID: SYSTEM Account Name: DAKOTAS-LAPTOP$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: Dakotas-Laptop\Administrator Account Name: Administrator Account Domain: Dakotas-Laptop Process Information: Process ID: 0x700 Process Name: C:\Windows\System32\svchost.exe

Step by Step Solution

There are 3 Steps involved in it

1 Expert Approved Answer

Step: 1 Unlock blur-text-image

Question Has Been Solved by an Expert!

Get step-by-step solutions from verified subject matter experts

Step: 2 Unlock

Step: 3 Unlock

Students Have Also Explored These Related Databases Questions!

IS 3513 Information Assurance and Security Lab #2 100 Points In the security realm Windows operating systems are not the only platform of choice. Unix operating systems are usually the platform of...

In the security realm Windows operating systems are not the only platform of choice. Unix operating systems are usually the platform of choice by security practitioners for a wide range of tasks....

Language: PowerShell. I am using Windows so PowerShell came with is. I need guidance how to do steps 2, 3, 4. I have no background of PowerShell and lost on how to do this. Objective: To become...

Write a script that analyzes the events in your windows System Security Log. Export your security log entries to a CSV file which will be used by the script to perform the analysis. The script should...

Write a script that analyzes the events in your security log: What am I doing wrong? I've never written in python before. I saved my System Security logs as a csv file at...

ICTN4310 LAB 03 - DATA ACQUISITION Background. Whether you are formatting an internal drive, external drive, USB flash drive, or SD card, Windows gives you the choice of using three different file...

think about what procedural changes would have the biggest positive impact, without being excessively costly for our lab members at every level (including undergrads!). Reference: the Lab Data Check...

please I need this completed asap. If you need the username and password to log-in let me know \fInstructions City of Bingham Computerized Cumulative Problem For use with McGraw-Hill/Irwin Accounting...

CHA P TER 9 Understanding Software: A Primer for Managers 1. INTRODUCTION L E A R N I N G O B J E C T I V E S 1. Recognize the importance of software and its implications for the rm and strategic...

I need Chapter 5 and Chapter 6 solutions to the "City of Bingham" continuous accounting problem from the 16e "Accounting for governmental & nonprofit entities" book. Instructions are posted...

A spin bike is an indoor bike that is designed to duplicate the feeling of regular road cycling. A typical spin bike has a very heavy flywheel. A friction pad or other brake provides damping that...

Consider the unity feedback system shown in Figure E10.21. Design the controller gain, K, such that the maximum value of the output y(t) in response to a unit step disturbance T(i(s) = l/s is less...

? _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ r i s k i s u n i q u e t o a s p e c i f i c f i r m , a n d t h i s r i s k _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ r e d u c e d b y d i v e r s i f...

Seved Help 14 Wisconsin Snowmobile Corp. is considering a switch to level production Cost efficiencies would occur under level production, and aftertax costs would decline by $31,500, but inventory...

Why is the System Build Process an iterative process?

What phase normally comes directly after the System Build process in a Project?

Name two other algorithms available in SSAS Data Mining other than Decision Trees.