nsacyber / event-forwarding-guidance
Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding. #nsacyber
License: Other
The report referenced in the README that sends one here:
https://www.iad.gov/iad/library/ia-guidance/security-configuration/applications/spotting-the-adversary-with-windows-event-log-monitoring.cfm
...results in a 404 if you click on the "GET FILE" icon. Is there another location for this report? Not sure if this is version 2, but I was able to d/l a version of the file from this URL:
https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm
At least on Windows Server 2016, the name of the ETW Provider is Microsoft-Windows-CertificateServicesClient-Lifecycle-System with GUID BC0669E1-A10D-4A78-834E-1CA3C806C93B.
In https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events it is Microsoft-Windows-CertificateServicesClientLifecycle-System for the EventSource.
According to Microsoft documentation, event ID 95 is written to the log when security permissions are corrupted or missing:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd338541(v=ws.10)
Level 3 gives you the warnings--level 2 will be very noisy. If you do level 2, it would require additional analytics after collection (i.e. at the WEC) to make use of them...
Thoughts?
I apologize if this is not the proper avenue, but it was the only one I could recognize. Is it listed anywhere what baseline audit/advanced audit policy settings/GPOs need to be in place in order for all these event IDs to exist in the first place (e.g. the Microsoft Recommended baseline, secure audit policy settings, or perhaps audit policy settings specific to this repo)? -Cliff, CISSP
Event ID 7045 from the System log has an incorrect source in the "Software and Service Installation" section of the "Recommended Events to Collect" document.
The correct source for this event is "Service Control Manager".
There is an error in the "Windows Event Monitoring Guidance\Recommended Events to Collect" document (https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events), in the table of the "Certificate Services" section. The wrong event log is specified for event ID 90. "Microsoft-Windows-CertificationAuthority" is not the event log; it is the source of events in the Application log.
I emailed [email protected] for more specific contact information Nov. 19th but have heard nothing back yet...
I have connectivity between sources and collector, and have had events come in for test subscriptions. My question/concern is how to most simply organize individual subscriptions, given the fact that event IDs are only unique to sources, and not logs. For example, is it the case that the particular event IDs recommended to be tracked in the Excel spreadsheet "are" unique for each log, or would I have to separate each subscription by event source to be sure I was not getting different events (one I care about, and others I don't want to forward) from the same log that happened to have the same event ID?
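One way to scope a subscription to a single source within a log, as an added example that is neither the repository's code nor the poster's: filter on the Provider name and the EventID together in the XPath select, and dry-run the same QueryList locally with Get-WinEvent before placing it in the subscription. The provider/log pairings (7045 from "Service Control Manager" in System; 8007 in Microsoft-Windows-AppLocker/MSI and Script) are taken from other issues on this page.

```powershell
# Added example, not from the nsacyber repository.
# Each <Select> restricts on the provider as well as the EventID, so an
# unrelated provider that happens to reuse the same ID in the same log is
# not forwarded.
$queryList = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[Provider[@Name='Service Control Manager'] and (EventID=7045)]]
    </Select>
  </Query>
  <Query Id="1" Path="Microsoft-Windows-AppLocker/MSI and Script">
    <Select Path="Microsoft-Windows-AppLocker/MSI and Script">
      *[System[Provider[@Name='Microsoft-Windows-AppLocker'] and (EventID=8007)]]
    </Select>
  </Query>
</QueryList>
'@

# Dry-run the query against the local logs to confirm it matches only the
# intended provider before it goes into a collector subscription.
Get-WinEvent -FilterXml ([xml]$queryList) -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, ProviderName, Id

# The same QueryList text is what goes inside the subscription's
# <Query><![CDATA[ ... ]]></Query> element when the subscription XML is
# created on the collector with: wecutil cs .\subscription.xml
```

Adding a further <Query> block per log/provider pair keeps one subscription per collection purpose rather than one per source.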
8002,8003,8004 are not described correctly in the RecommendedEvents files.
8002 - allowed to run
8003 - would be blocked if enforcement was on
8004 - was blocked
8006 - Would be blocked if Enforcement On - Microsoft-Windows-AppLocker/MSI and Script
8007 - Was Blocked - Warning - Microsoft-Windows-AppLocker/MSI and Script
Right brackets in the XPath queries for the WiFi connection encryption status and WiFi connection authentication status events are in the wrong location. See commit 98da795 for the fix.