-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathwinlogbeat.yml
246 lines (246 loc) · 27.3 KB
/
winlogbeat.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
# __ __.__ .___
#/ \ / \__| ____ __| _/______ _ ________
#\ \/\/ / |/ \ / __ |/ _ \ \/ \/ / ___/
# \ /| | | \/ /_/ ( <_> ) /\___ \
# \__/\ / |__|___| /\____ |\____/ \/\_//____ >
# \/ \/ \/ \/
# _________ .__ __ _____ .__ __ .__
# / _____/ ____ ____ __ _________|__|/ |_ ___.__. / \ ____ ____ |__|/ |_ ___________|__| ____ ____
# \_____ \_/ __ \_/ ___\| | \_ __ \ \ __< | |/ \ / \ / _ \ / \| \ __\/ _ \_ __ \ |/ \ / ___\
# / \ ___/\ \___| | /| | \/ || | \___ / Y ( <_> ) | \ || | ( <_> ) | \/ | | \/ /_/ >
#/_______ /\___ >\___ >____/ |__| |__||__| / ____\____|__ /\____/|___| /__||__| \____/|__| |__|___| /\___ /
# \/ \/ \/ \/ \/ \/ \//_____/
#__________ __ __________ __ .__ ___________ __ ___________ .___.__
#\______ \ ____ _______/ |\______ \____________ _____/ |_|__| ____ ____ \_ _____/__ __ ____ _____/ |\_ _____/____________ _ _______ _______ __| _/|__| ____ ____
# | | _// __ \ / ___/\ __\ ___/\_ __ \__ \ _/ ___\ __\ |/ ___\/ __ \ | __)_\ \/ // __ \ / \ __\ __)/ _ \_ __ \ \/ \/ /\__ \\_ __ \/ __ | | |/ \ / ___\
# | | \ ___/ \___ \ | | | | | | \// __ \\ \___| | | \ \__\ ___/ | \\ /\ ___/| | \ | | \( <_> ) | \/\ / / __ \| | \/ /_/ | | | | \/ /_/ >
# |______ /\___ >____ > |__| |____| |__| (____ /\___ >__| |__|\___ >___ >_______ / \_/ \___ >___| /__| \___ / \____/|__| \/\_/ (____ /__| \____ | |__|___| /\___ /
# \/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \/ \//_____/
#
# Inspired by florian roth auditD config example for linux ( https://github.com/Neo23x0/auditd) I made an similar
# effort for the windows platform. Please read the link for nsacyber carefully as addionaly configuration
# is needed to ensure full benefit of this configuration.
#
# Some eventid's may not be generated unless specific non standard polices are enabled
# Some log data sources are not present on all versions of windows
#
# some log sources may only be relevant for specific types of servers
#
# addtionally this monitoring can provide a forensic and incident readiness
#
# config of sysmon and installation of sysmon has to happen seperately from this config
#
# setup in accordance with and inspired by https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events
#
# In relation to DK "Center for Cybersikkerhed" guidance this setup provides input to "Andre logs/Other logs" section
# (In Danish) https://cfcs.dk/globalassets/cfcs/dokumenter/vejledninger/cfcs-vejledning-logning.pdf
# https://github.com/TonyPhipps/SIEM/blob/master/Notable-Event-IDs.md
winlogbeat.event_logs:
- name: Application
event_id: 1518, 1511, 1000, 1001, 1002, 95, 1022, 1033
# Event_id: 1518 Create Profile failed
# Event_id: 1511 Temp profile Logon
# Event_id: 1000 App crash
# Event_id: 1001 WER Windows Error Reporting
# Event_id: 1002 Application Hang
# Event_id: 95 CA permissions Corrupted or Missing
# Event_id: 1022 New MSI file installed
# Event_id: 1033 New MSI file installed
- name: Setup
event_id: 2, 1009
# Event_id: 2 Update package installed
# Event_id: 1009 Hotpatching failed
- name: Security # because there is more than 22 individual eventid's i have to do it this way
processors:
- drop_event.when.not.or:
- equals.winlog.event_id: "1100" # 1100: The event logging service has shut down https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1100
- equals.winlog.event_id: "1102" # 1102: The audit log was cleared 1102 https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1102
- equals.winlog.event_id: "4740" # 4740: A user account was locked out https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4740
- equals.winlog.event_id: "4616" # 4616: The system time was changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4616
- equals.winlog.event_id: "4688" # 4688: A new process has been created https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4688 dont forget to enable commandline logging on this one!!
- equals.winlog.event_id: "4648" # 4648: A logon was attempted using explicit credentials https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4648
- equals.winlog.event_id: "4781" # 4781: The name of an account was changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4781
- equals.winlog.event_id: "4733" # 4733: A member was removed from a security-enabled local group https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4733
- equals.winlog.event_id: "4776" # 4776: The domain controller attempted to validate the credentials for an account https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776
- equals.winlog.event_id: "5376" # 5376: Credential Manager credentials were backed up https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5376
- equals.winlog.event_id: "5377" # 5377: Credential Manager credentials were restored from a backup https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5377
- equals.winlog.event_id: "4625" # 4625: An account failed to log on https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
- equals.winlog.event_id: "4634" # 4634: An account was logged off https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4634
- equals.winlog.event_id: "4663" # 4663: An attempt was made to access an object https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663
- equals.winlog.event_id: "4672" # 4672: Special privileges assigned to new logon https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4672
- equals.winlog.event_id: "4720" # 4720: A user account was created https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720
- equals.winlog.event_id: "4722" # 4722: A user account was enabled https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4722
- equals.winlog.event_id: "4793" # 4793: The Password Policy Checking API was called https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4793
- equals.winlog.event_id: "4731" # 4731: A security-enabled local group was created https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4731
- equals.winlog.event_id: "4735" # 4735: A security-enabled local group was changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4735
- equals.winlog.event_id: "4766" # 4766: An attempt to add SID History to an account failed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4766
- equals.winlog.event_id: "4765" # 4765: SID History was added to an account https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4765
- equals.winlog.event_id: "4624" # 4624: An account was successfully logged on https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624
- equals.winlog.event_id: "4726" # 4726: A user account was deleted https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4726
- equals.winlog.event_id: "4725" # 4725: A user account was disabled https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4725
- equals.winlog.event_id: "4767" # 4767: A user account was unlocked https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767
- equals.winlog.event_id: "4728" # 4728: A member was added to a security-enabled global group https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728
- equals.winlog.event_id: "4732" # 4732: A member was added to a security-enabled local group https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732
- equals.winlog.event_id: "4756" # 4756: A member was added to a security-enabled universal group https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4756
- equals.winlog.event_id: "4704" # 4704: A user right was assigned https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4704
- equals.winlog.event_id: "4886" # 4886: Certificate Services received a certificate request https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4886
- equals.winlog.event_id: "4890" # 4890: The certificate manager settings for Certificate Services changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4890
- equals.winlog.event_id: "4874" # 4874: One or more certificate request attributes changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4874
- equals.winlog.event_id: "4873" # 4873: A certificate request extension changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4873
- equals.winlog.event_id: "4870" # 4870: Certificate Services revoked a certificate https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4870
- equals.winlog.event_id: "4887" # 4887: Certificate Services approved a certificate request and issued a certificate https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4887
- equals.winlog.event_id: "4885" # 4885: The audit filter for Certificate Services changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4885
- equals.winlog.event_id: "4891" # 4891: A configuration entry changed in Certificate Services https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4891
- equals.winlog.event_id: "4888" # 4888: Certificate Services denied a certificate request https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4888
- equals.winlog.event_id: "4898" # 4898: Certificate Services loaded a template https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4898
- equals.winlog.event_id: "4882" # 4882: The security permissions for Certificate Services changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4882
- equals.winlog.event_id: "4892" # 4892: A property of Certificate Services changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4892
- equals.winlog.event_id: "4880" # 4880: Certificate Services started https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4880
- equals.winlog.event_id: "4881" # 4881: Certificate Services stopped https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4881
- equals.winlog.event_id: "4900" # 4900: Certificate Services template security was updated https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4900
- equals.winlog.event_id: "4899" # 4899: A Certificate Services template was updated https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4899
- equals.winlog.event_id: "4896" # 4896: One or more rows have been deleted from the certificate database https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4896
- equals.winlog.event_id: "4714" # 4714: Encrypted data recovery policy was changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4714
- equals.winlog.event_id: "4713" # 4713: Kerberos policy was changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4713
- equals.winlog.event_id: "4769" # 4769: A Kerberos service ticket was requested https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4769
- equals.winlog.event_id: "6273" # 6273: Network Policy Server denied access to a user https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6273
- equals.winlog.event_id: "6275" # 6275: Network Policy Server discarded the accounting request for a user https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6275
- equals.winlog.event_id: "6274" # 6274: Network Policy Server discarded the request for a user https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6274
- equals.winlog.event_id: "6272" # 6272: Network Policy Server granted access to a user https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6272
- equals.winlog.event_id: "6278" # 6278: Network Policy Server granted full access to a user because the host met the defined health policy https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6278
- equals.winlog.event_id: "6277" # 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6277
- equals.winlog.event_id: "6279" # 6279: Network Policy Server locked the user account due to repeated failed authentication attempts https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6279
- equals.winlog.event_id: "6276" # 6276: Network Policy Server quarantined a user https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6276
- equals.winlog.event_id: "6280" # 6280: Network Policy Server unlocked the user account https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6280
- equals.winlog.event_id: "5140" # 5140: A network share object was accessed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5140
- equals.winlog.event_id: "5145" # 5145: A network share object was checked to see whether client can be granted desired access https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145
- equals.winlog.event_id: "5144" # 5144: A network share object was deleted https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5144
- equals.winlog.event_id: "4706" # 4706: A new trust was created to a domain https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4706
- equals.winlog.event_id: "4897" # 4897: Role separation enabled https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4897
- equals.winlog.event_id: "4719" # 4719: System audit policy was changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4719
- equals.winlog.event_id: "4716" # 4716: Trusted domain information was modified https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4716
- equals.winlog.event_id: "4779" # 4779: A session was disconnected from a Window Station https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4779
- equals.winlog.event_id: "4778" # 4778: A session was reconnected to a Window Station https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4778
- equals.winlog.event_id: "5632" # 5632: A request was made to authenticate to a wireless network https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5632
- equals.winlog.event_id: "5137" # 5137: A directory service object was created https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5137
- equals.winlog.event_id: "5141" # 5141: A directory service object was deleted https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5141
- equals.winlog.event_id: "5136" # 5136: A directory service object was modified https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5136
- equals.winlog.event_id: "5139" # 5139: A directory service object was moved https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5139
- equals.winlog.event_id: "5138" # 5138: A directory service object was undeleted https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5138
- equals.winlog.event_id: "5038" # 5038: integrity determined that the image hash of a file is not valid https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5038
- equals.winlog.event_id: "6281" # 6281: Code Integrity determined that the page hashes of an image file are not valid https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6281
- equals.winlog.event_id: "4657" # 4657: A registry value was modified https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4657
- equals.winlog.event_id: "4782" # 4782: The password hash an account was accessed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4782
- equals.winlog.event_id: "4698" # 4698: A scheduled task was created https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698
- equals.winlog.event_id: "4699" # 4699: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4699
- equals.winlog.event_id: "4702" # 4702: a scheduled task was updated https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4702
# 4702 added, based on Fireeye solarwinds hack report. ref https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html
#
- name: System
event_id: 7022, 7023, 7024, 7026, 7031, 7032, 7034, 6, 7045, 7000, 19, 1, 13, 12
- name: Microsoft-Windows-TerminalServices-RDPClient/Operational # https://www.security-hive.com/post/rdp-forensics-logging-detection-and-forensics
- name: Microsoft-Windows-TerminalServices-ConnectionManager/Operational # Added https://www.security-hive.com/post/rdp-forensics-logging-detection-and-forensics
- name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational # see above link
# event_id: 1149 User authentication succeeded
- name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational # Added https://www.security-hive.com/post/rdp-forensics-logging-detection-and-forensics
# event_id: 21 Remote Desktop Services: Session login succeeded
# event_id: 22 Remote Desktop Services: Shell start notification received
# event_id: 131 accepted new TCP connection
# event_id: 140 Connection failed Bad username or password
- name: Microsoft-Windows-Application-Experience/Program-Inventory # Added https://www.security-hive.com/post/rdp-forensics-logging-detection-and-forensics
event_id: 903, 904, 907, 908, 800, 905, 906
- name: Microsoft-Windows-TaskScheduler/Operational
event_id: 106, 107,108, 110, 140, 141, 142, 200 # added 107, 108, 110, 140 based on this https://www.cyprich.com/2017/03/29/common-task-scheduler-event-ids/
- name: Microsoft-Windows-DNS-Client/Operational
event_id: 3008, 3020
- name: Microsoft-Windows-DNSServer/Analytical
event_id: 256, 257
- name: Microsoft-Windows-DNS-Client/Operational
event_id: 3008
- name: Microsoft-Windows-MPRMSG # not present on all versions of windows
event_id: 20250, 20274, 20275
- name: Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
- name: Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
event_id: 1006, 1004, 1007, 1003, 1001, 1002
- name: Microsoft-Windows-Bits-Client/Operational
- name: Microsoft-Windows-Ntfs/Operational
- name: Microsoft-Windows-Kernel-ShimEngine/Operational
- name: Microsoft-Windows-Kernel-General # not present in win 10
event_id: 13, 12
- name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
event_id: 2004, 2005, 2006, 2009, 2033
- name: Microsoft-Windows-Kernel-PnP/Device Configuration # USB drive usage
event_id: 400, 410
# event_id: 2004 This event is logged when a rule has been added to the Windows Firewall exception list
# event_id: 2005 This event is logged when a rule has been modified in the Windows Firewall exception list
# event_id: 2006 A rule has been deleted in the Windows Firewall exception list
# event_id: 2009 The Windows Firewall service failed to load Group Policy
# event_id: 2033 All rules have been deleted from the Windows Firewall configuration on this computer
- name: Microsoft-Windows-SMBServer/Security
- name: Microsoft-Windows-SmbClient/Security
# event_id: 31001 failed login to destination
- name: Microsoft-Windows-Windows Defender/Operational
- name: Microsoft-Windows-AppLocker/Packaged app-Deployment
event_id: 8023, 8020, 8025
- name: Microsoft-Windows-AppLocker/Packaged app-Execution
event_id: 8022
- name: Microsoft-Windows-AppLocker/EXE and DLL # usefull for collecting data prior to enforcing any applocker rules, implementing GPO that limit execution from temp folder etc.
event_id: 8002, 8003, 8004
- name: Microsoft-Windows-AppLocker/MSI and Script # usefull for collecting data prior to enforcing any block rules or implementing GPO that limits use of this feature
event_id: 8005, 8006, 8007
- name: Microsoft-Windows-WinRM/Operational
- name: Microsoft-Windows-WMI-Activity/Operational
- name: Microsoft-Windows-LSA/Operational
event_id: 300
- name: Windows PowerShell # https://resources.infosecinstitute.com/topic/powershell-remoting-artifacts-part-1/ https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/
event_id: 169, 800
- name: Microsoft-Windows-PrintService/Operational
event_id: 307
- name: Microsoft-Windows-PrintService/Admin
event_id: 808, 31017, 326 # https://msandbu.org/printnightmare-cve-2021-1675/
- name: Microsoft-Windows-PowerShell/Operational # https://resources.infosecinstitute.com/topic/powershell-remoting-artifacts-part-1/ https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/
event_id: 4103, 4104, 4105, 4106, 40961, 40962, 24577, 8193, 8194, 8197, 53504
- name: Microsoft-Windows-PowerShell/Analytic # must be enabled
event_id: 32850, 32867, 32868
- name: Microsoft-Windows-SoftwareRestrictionPolicies
event_id: 865, 866, 867, 868, 882
- name: Microsoft-Windows-Sysmon/Operational # recommended config https://github.com/Neo23x0/sysmon-config
- name: User32
event_id: 1074 # https://kb.eventtracker.com/evtpass/evtpages/EventId_1074_User32_46330.asp
- name: Microsoft-Windows-WindowsUpdateClient/Operational
event_id: 20, 24, 25, 31, 34, 35
- name: Microsoft-Windows-Kernel-PnP/Device Configuration
event_id: 400, 410
- name: Microsoft-Windows-CodeIntegrity/Operational
event_id: 3001, 3002, 3003, 3004, 3010, 3023
- name: Microsoft-Windows-WLAN-AutoConfig/Operational
event_id: 8003, 10000, 10001, 8000, 8011, 8001, 11000, 11001, 11002, 12011, 12012, 12013, 8002, 11004, 11005, 11010, 11006
- name: Microsoft-Windows-Partition/Diagnostic #present win10 1709+ logs USB/drive serials ref https://df-stream.com/2018/05/partition-diagnostic-event-log-and-usb-device-tracking-p1/
event_id: 1006
- name: Microsoft-Windows-PrintService/Operational # to detect CVE 2021-1675 attempts failed and successfull https://twitter.com/MalwareJake/status/1410421445608476679# current config set for humio cloud
- name: Microsoft-Windows-CAPI2/Operational
event_id: 11, 70, 90
- name: Microsoft-Windows-GroupPolicy/Operational
# event_id: 1126, 1129, 112 # related to GPO failing
- name: Microsoft-Windows-AAD/Operational # Azure AD related log
- name: Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController # must be enabled DC specific
- name: Microsoft-Windows-Authentication/ProtectedUser-Client # must be enabled
- name: Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController # must be enabled DC specific
- name: Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController # must be enabled DC specific
- name: Microsoft-Windows-DriverFrameworks-UserMode/Operational # drivers loaded
- name: Microsoft-Windows-NTLM/Operational
event_id: 8001, 8002, 8003, 8004 # usefull for detemining where ntml is used to disable it
output.elasticsearch:
hosts: 'https://cloud.humio.com:443/api/v1/ingest/elastic-bulk'
password: YOUR INGEST TOKEN (repo specific)
#### if using Humio Commnunity edition used this line only 1 hosts: config is valid ###
# hosts: https://cloud.community.humio.com/
# password: YOUR INGEST TOKEN (repo specific)
compression_level: 5
bulk_max_size: 200
worker: 1
protocol: https
# feature flag needs to be enabled on winlogbeat 8.1+
allow_older_versions: true
# feature flag needs to be disabled on winlogbeat 8.0+
setup.ilm.enabled: false