Windows logging settings all-in-one for better threat detection

Md. Mahim Bin Firoj
2 min read · Oct 4, 2023


image source: crowdstrike

Windows default auditing gives you coverage for only about 10–20% of Sigma rules. For those who are not familiar with Sigma: it is a community-driven, open-source format for SIEM detection rules that are run against your event logs to find malicious activity. There are many SIEM vendors in the market, and each has its own rule format; Splunk rules will not work in IBM QRadar, and vice versa. So security professionals asked why not write detection rules in one standard format that can be shared, converted to any SIEM platform, and also run directly against exported event logs. That is where Sigma comes in.

Sigma needs event logs to work with when you are doing threat detection during incident response. If the event logs do not contain useful information, Sigma rules cannot detect malicious activity effectively, no matter how good the rules are. So we need to configure our logging settings so that the logs capture what the rules expect: the right audit subcategories, the command line in process creation events, and PowerShell logging.

Moreover, the default maximum log size is very small, about 20 MB for most log channels. As a result, old events are soon overwritten by new ones, and if an important old event is overwritten before you look at it, you will not be able to detect the malicious activity it recorded. Also, obfuscated PowerShell code (for example, a base64 -EncodedCommand payload) is recorded in decoded form in the PowerShell Operational log (event ID 4104) after execution, but only if script block logging is enabled. Without proper PowerShell logging you will not be able to catch it.
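As an added example (not code from the original post, and not the Yamato Security script the post refers to), here are the three changes described above done by hand in PowerShell: larger log channels, advanced audit policy with process command lines, and PowerShell script block and module logging, followed by a check that an encoded command shows up decoded in event 4104. The log sizes, the list of audit subcategories and the test payload (the base64 is the UTF-16LE encoding of `Write-Host 'logging test'`, constructed for this example) are my assumptions; run it from an elevated PowerShell prompt on a test machine first.

```powershell
#Requires -RunAsAdministrator
# Added example, not the Yamato Security script: turn on the logging the post
# describes by hand. Sizes and the subcategory list are assumptions; tune them.

function Set-PolicyValue {
    # Create the policy key if needed and write a value, overwriting any existing one.
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Raise channel sizes so events are not overwritten within hours (assumed sizes).
$sizes = @{
    'Security'                                 = 1GB
    'System'                                   = 256MB
    'Application'                              = 256MB
    'Microsoft-Windows-PowerShell/Operational' = 256MB
    'Microsoft-Windows-Sysmon/Operational'     = 256MB  # exists only if Sysmon is installed
}
foreach ($channel in $sizes.Keys) {
    $log = Get-WinEvent -ListLog $channel -ErrorAction SilentlyContinue
    if (-not $log) { Write-Warning "Channel '$channel' not found, skipping"; continue }
    $log.MaximumSizeInBytes = $sizes[$channel]
    $log.IsEnabled = $true
    $log.SaveChanges()
}

# 2. Advanced audit policy: make subcategory settings win over the legacy categories,
#    then enable the subcategories that common Sigma rules for Windows rely on.
Set-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'SCENoApplyLegacyAuditPolicy' 1
$subcategories = @(
    'Process Creation', 'Process Termination',
    'Logon', 'Logoff', 'Special Logon', 'Account Lockout', 'Other Logon/Logoff Events',
    'Credential Validation', 'User Account Management', 'Security Group Management',
    'Audit Policy Change', 'Security System Extension', 'Other Object Access Events'
)
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}
# Event 4688 is of little use without the command line; this setting adds it.
Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    'ProcessCreationIncludeCmdLine_Enabled' 1

# 3. PowerShell logging: script block logging writes the de-obfuscated script to
#    event 4104; module logging writes pipeline details to event 4103.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
Set-PolicyValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
Set-PolicyValue "$psPolicy\ModuleLogging"      'EnableModuleLogging'      1
Set-PolicyValue "$psPolicy\ModuleLogging\ModuleNames" '*' '*' 'String'

# 4. Verify: run a base64-encoded command the way a dropper would, then confirm the
#    decoded text (Write-Host 'logging test', constructed test payload) was logged.
function Test-ScriptBlockLogging {
    $encoded = 'VwByAGkAdABlAC0ASABvAHMAdAAgACcAbABvAGcAZwBpAG4AZwAgAHQAZQBzAHQAJwA='
    powershell.exe -NoProfile -EncodedCommand $encoded | Out-Null
    Start-Sleep -Seconds 2   # give the channel a moment to flush
    $hit = Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104} `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*Write-Host 'logging test'*" } |
        Select-Object -First 1
    return [bool]$hit
}
auditpol /get /category:"Detailed Tracking"
"Script block logging captured the decoded command: $(Test-ScriptBlockLogging)"
```

The registry values under `HKLM:\SOFTWARE\Policies` are the same ones Group Policy writes, so on a domain-joined machine a GPO will overwrite them at the next refresh; set them in the GPO instead for anything beyond a test box. The final check is the point of the whole exercise: the operator typed only base64, yet the 4104 event carries the plain `Write-Host` line, which is what a Sigma rule can match on.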

In the GitHub repo linked above you will find a best-practice approach to Windows logging. Just run the script: it automatically enables the required audit settings along with larger log sizes for better threat detection. It is written by the Yamato Security team.

Caution: before running the script I would suggest you go through it and change it according to your requirements before deploying it in production.

Thanks. I hope this blog helps you set up better logging. Please subscribe below.

LinkedIn:

https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/

YouTube:

https://www.youtube.com/@mahimfiroj1802/videos
