Last active
November 28, 2023 07:02
-
-
Save eddiez9/c8ba854a4d36a4ffebe21167ff6e06a8 to your computer and use it in GitHub Desktop.
Windows sidecar config for: https://projectblack.io/blog/automated-graylog-setup-using-puppet-2023/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Needed for Graylog | |
| fields_under_root: true | |
| fields.collector_node_id: ${sidecar.nodeName} | |
| fields.gl2_source_collector: ${sidecar.nodeId} | |
| output.logstash: | |
| hosts: ["192.168.1.13:5044"] | |
| path: | |
| data: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar\\cache\\winlogbeat"}\data | |
| logs: ${sidecar.spoolDir!"C:\\Program Files\\Graylog\\sidecar"}\logs | |
| tags: | |
| - windows | |
| winlogbeat.event_logs: | |
| - name: Application | |
| event_id: 1518, 1511, 1000, 1001, 1002, 95, 1022, 1033 | |
| # Event_id: 1518 Create Profile failed | |
| # Event_id: 1511 Temp profile Logon | |
| # Event_id: 1000 App crash | |
| # Event_id: 1001 WER Windows Error Reporting | |
| # Event_id: 1002 Application Hang | |
| # Event_id: 95 CA permissions Corrupted or Missing | |
| # Event_id: 1022 New MSI file installed | |
| # Event_id: 1033 New MSI file installed | |
| - name: Setup | |
| event_id: 2, 1009 | |
| # Event_id: 2 Update package installed | |
| # Event_id: 1009 Hotpatching failed | |
| - name: Security # because there is more than 22 individual eventid's i have to do it this way | |
| processors: | |
| - drop_event.when.not.or: | |
| - contains.winlog.event_id: "1100" # 1100: The event logging service has shut down https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1100 | |
| - contains.winlog.event_id: "1102" # 1102: The audit log was cleared 1102 https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=1102 | |
| - contains.winlog.event_id: "4740" # 4740: A user account was locked out https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4740 | |
| - contains.winlog.event_id: "4616" # 4616: The system time was changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4616 | |
| - contains.winlog.event_id: "4688" # 4688: A new process has been created https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4688 dont forget to enable commandline logging on this one!! | |
| - contains.winlog.event_id: "4648" # 4648: A logon was attempted using explicit credentials https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4648 | |
| - contains.winlog.event_id: "4781" # 4781: The name of an account was changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4781 | |
| - contains.winlog.event_id: "4733" # 4733: A member was removed from a security-enabled local group https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4733 | |
| - contains.winlog.event_id: "4776" # 4776: The domain controller attempted to validate the credentials for an account https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776 | |
| - contains.winlog.event_id: "5376" # 5376: Credential Manager credentials were backed up https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5376 | |
| - contains.winlog.event_id: "5377" # 5377: Credential Manager credentials were restored from a backup https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5377 | |
| - contains.winlog.event_id: "4625" # 4625: An account failed to log on https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625 | |
| - contains.winlog.event_id: "4634" # 4634: An account was logged off https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4634 | |
| - contains.winlog.event_id: "4663" # 4663: An attempt was made to access an object https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663 | |
| - contains.winlog.event_id: "4672" # 4672: Special privileges assigned to new logon https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4672 | |
| - contains.winlog.event_id: "4720" # 4720: A user account was created https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4720 | |
| - contains.winlog.event_id: "4722" # 4722: A user account was enabled https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4722 | |
| - contains.winlog.event_id: "4793" # 4793: The Password Policy Checking API was called https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4793 | |
| - contains.winlog.event_id: "4731" # 4731: A security-enabled local group was created https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4731 | |
| - contains.winlog.event_id: "4735" # 4735: A security-enabled local group was changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4735 | |
| - contains.winlog.event_id: "4766" # 4766: An attempt to add SID History to an account failed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4766 | |
| - contains.winlog.event_id: "4765" # 4765: SID History was added to an account https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4765 | |
| - contains.winlog.event_id: "4624" # 4624: An account was successfully logged on https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624 | |
| - contains.winlog.event_id: "4726" # 4726: A user account was deleted https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4726 | |
| - contains.winlog.event_id: "4725" # 4725: A user account was disabled https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4725 | |
| - contains.winlog.event_id: "4767" # 4767: A user account was unlocked https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4767 | |
| - contains.winlog.event_id: "4728" # 4728: A member was added to a security-enabled global group https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4728 | |
| - contains.winlog.event_id: "4732" # 4732: A member was added to a security-enabled local group https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4732 | |
| - contains.winlog.event_id: "4756" # 4756: A member was added to a security-enabled universal group https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4756 | |
| - contains.winlog.event_id: "4704" # 4704: A user right was assigned https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4704 | |
| - contains.winlog.event_id: "4886" # 4886: Certificate Services received a certificate request https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4886 | |
| - contains.winlog.event_id: "4890" # 4890: The certificate manager settings for Certificate Services changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4890 | |
| - contains.winlog.event_id: "4874" # 4874: One or more certificate request attributes changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4874 | |
| - contains.winlog.event_id: "4873" # 4873: A certificate request extension changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4873 | |
| - contains.winlog.event_id: "4870" # 4870: Certificate Services revoked a certificate https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4870 | |
| - contains.winlog.event_id: "4887" # 4887: Certificate Services approved a certificate request and issued a certificate https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4887 | |
| - contains.winlog.event_id: "4885" # 4885: The audit filter for Certificate Services changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4885 | |
| - contains.winlog.event_id: "4891" # 4891: A configuration entry changed in Certificate Services https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4891 | |
| - contains.winlog.event_id: "4888" # 4888: Certificate Services denied a certificate request https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4888 | |
| - contains.winlog.event_id: "4898" # 4898: Certificate Services loaded a template https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4898 | |
| - contains.winlog.event_id: "4882" # 4882: The security permissions for Certificate Services changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4882 | |
| - contains.winlog.event_id: "4892" # 4892: A property of Certificate Services changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4892 | |
| - contains.winlog.event_id: "4880" # 4880: Certificate Services started https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4880 | |
| - contains.winlog.event_id: "4881" # 4881: Certificate Services stopped https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4881 | |
| - contains.winlog.event_id: "4900" # 4900: Certificate Services template security was updated https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4900 | |
| - contains.winlog.event_id: "4899" # 4899: A Certificate Services template was updated https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4899 | |
| - contains.winlog.event_id: "4896" # 4896: One or more rows have been deleted from the certificate database https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4896 | |
| - contains.winlog.event_id: "4714" # 4714: Encrypted data recovery policy was changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4714 | |
| - contains.winlog.event_id: "4713" # 4713: Kerberos policy was changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4713 | |
| - contains.winlog.event_id: "4769" # 4769: A Kerberos service ticket was requested https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4769 | |
| - contains.winlog.event_id: "6273" # 6273: Network Policy Server denied access to a user https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6273 | |
| - contains.winlog.event_id: "6275" # 6275: Network Policy Server discarded the accounting request for a user https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6275 | |
| - contains.winlog.event_id: "6274" # 6274: Network Policy Server discarded the request for a user https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6274 | |
| - contains.winlog.event_id: "6272" # 6272: Network Policy Server granted access to a user https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6272 | |
| - contains.winlog.event_id: "6278" # 6278: Network Policy Server granted full access to a user because the host met the defined health policy https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6278 | |
| - contains.winlog.event_id: "6277" # 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6277 | |
| - contains.winlog.event_id: "6279" # 6279: Network Policy Server locked the user account due to repeated failed authentication attempts https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6279 | |
| - contains.winlog.event_id: "6276" # 6276: Network Policy Server quarantined a user https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6276 | |
| - contains.winlog.event_id: "6280" # 6280: Network Policy Server unlocked the user account https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6280 | |
| - contains.winlog.event_id: "5140" # 5140: A network share object was accessed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5140 | |
| - contains.winlog.event_id: "5145" # 5145: A network share object was checked to see whether client can be granted desired access https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5145 | |
| - contains.winlog.event_id: "5144" # 5144: A network share object was deleted https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5144 | |
| - contains.winlog.event_id: "4706" # 4706: A new trust was created to a domain https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4706 | |
| - contains.winlog.event_id: "4897" # 4897: Role separation enabled https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4897 | |
| - contains.winlog.event_id: "4719" # 4719: System audit policy was changed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4719 | |
| - contains.winlog.event_id: "4716" # 4716: Trusted domain information was modified https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4716 | |
| - contains.winlog.event_id: "4779" # 4779: A session was disconnected from a Window Station https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4779 | |
| - contains.winlog.event_id: "4778" # 4778: A session was reconnected to a Window Station https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4778 | |
| - contains.winlog.event_id: "5632" # 5632: A request was made to authenticate to a wireless network https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5632 | |
| - contains.winlog.event_id: "5137" # 5137: A directory service object was created https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5137 | |
| - contains.winlog.event_id: "5141" # 5141: A directory service object was deleted https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5141 | |
| - contains.winlog.event_id: "5136" # 5136: A directory service object was modified https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5136 | |
| - contains.winlog.event_id: "5139" # 5139: A directory service object was moved https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5139 | |
| - contains.winlog.event_id: "5138" # 5138: A directory service object was undeleted https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5138 | |
| - contains.winlog.event_id: "5038" # 5038: integrity determined that the image hash of a file is not valid https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5038 | |
| - contains.winlog.event_id: "6281" # 6281: Code Integrity determined that the page hashes of an image file are not valid https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=6281 | |
| - contains.winlog.event_id: "4657" # 4657: A registry value was modified https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4657 | |
| - contains.winlog.event_id: "4782" # 4782: The password hash an account was accessed https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4782 | |
| - contains.winlog.event_id: "4698" # 4698: A scheduled task was created https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4698 | |
| - contains.winlog.event_id: "4699" # 4699: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4699 | |
| - contains.winlog.event_id: "4702" # 4702: a scheduled task was updated https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4702 | |
| # 4702 added, based on Fireeye solarwinds hack report. ref https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html | |
| # | |
| - name: System | |
| event_id: 7022, 7023, 7024, 7026, 7031, 7032, 7034, 6, 7045, 7000, 19, 1, 13, 12 | |
| - name: Microsoft-Windows-TerminalServices-RDPClient/Operational # https://www.security-hive.com/post/rdp-forensics-logging-detection-and-forensics | |
| - name: Microsoft-Windows-TerminalServices-ConnectionManager/Operational # Added https://www.security-hive.com/post/rdp-forensics-logging-detection-and-forensics | |
| - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational # see above link | |
| # event_id: 1149 User authentication succeeded | |
| - name: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational # Added https://www.security-hive.com/post/rdp-forensics-logging-detection-and-forensics | |
| # event_id: 21 Remote Desktop Services: Session login succeeded | |
| # event_id: 22 Remote Desktop Services: Shell start notification received | |
| # event_id: 131 accepted new TCP connection | |
| # event_id: 140 Connection failed Bad username or password | |
| - name: Microsoft-Windows-Application-Experience/Program-Inventory # Added https://www.security-hive.com/post/rdp-forensics-logging-detection-and-forensics | |
| event_id: 903, 904, 907, 908, 800, 905, 906 | |
| - name: Microsoft-Windows-TaskScheduler/Operational | |
| event_id: 106, 107,108, 110, 140, 141, 142, 200 # added 107, 108, 110, 140 based on this https://www.cyprich.com/2017/03/29/common-task-scheduler-event-ids/ | |
| - name: Microsoft-Windows-DNS-Client/Operational | |
| event_id: 3008, 3020 | |
| - name: Microsoft-Windows-DNSServer/Analytical | |
| event_id: 256, 257 | |
| - name: Microsoft-Windows-MPRMSG # not present on all versions of windows | |
| event_id: 20250, 20274, 20275 | |
| - name: Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational | |
| - name: Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational | |
| event_id: 1006, 1004, 1007, 1003, 1001, 1002 | |
| - name: Microsoft-Windows-Bits-Client/Operational | |
| - name: Microsoft-Windows-Ntfs/Operational | |
| - name: Microsoft-Windows-Kernel-ShimEngine/Operational | |
| - name: Microsoft-Windows-Kernel-General # not present in win 10 | |
| event_id: 13, 12 | |
| - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | |
| event_id: 2004, 2005, 2006, 2009, 2033 | |
| - name: Microsoft-Windows-Kernel-PnP/Device Configuration # USB drive usage | |
| event_id: 400, 410 | |
| # event_id: 2004 This event is logged when a rule has been added to the Windows Firewall exception list | |
| # event_id: 2005 This event is logged when a rule has been modified in the Windows Firewall exception list | |
| # event_id: 2006 A rule has been deleted in the Windows Firewall exception list | |
| # event_id: 2009 The Windows Firewall service failed to load Group Policy | |
| # event_id: 2033 All rules have been deleted from the Windows Firewall configuration on this computer | |
| - name: Microsoft-Windows-SMBServer/Security | |
| - name: Microsoft-Windows-SmbClient/Security | |
| # event_id: 31001 failed login to destination | |
| - name: Microsoft-Windows-Windows Defender/Operational | |
| - name: Microsoft-Windows-AppLocker/Packaged app-Deployment | |
| event_id: 8023, 8020, 8025 | |
| - name: Microsoft-Windows-AppLocker/Packaged app-Execution | |
| event_id: 8022 | |
| - name: Microsoft-Windows-AppLocker/EXE and DLL # usefull for collecting data prior to enforcing any applocker rules, implementing GPO that limit execution from temp folder etc. | |
| event_id: 8002, 8003, 8004 | |
| - name: Microsoft-Windows-AppLocker/MSI and Script # usefull for collecting data prior to enforcing any block rules or implementing GPO that limits use of this feature | |
| event_id: 8005, 8006, 8007 | |
| - name: Microsoft-Windows-WinRM/Operational | |
| - name: Microsoft-Windows-WMI-Activity/Operational | |
| - name: Microsoft-Windows-LSA/Operational | |
| event_id: 300 | |
| - name: Windows PowerShell # https://resources.infosecinstitute.com/topic/powershell-remoting-artifacts-part-1/ https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/ | |
| event_id: 169, 800 | |
| - name: Microsoft-Windows-PrintService/Admin | |
| event_id: 808, 31017, 326 # https://msandbu.org/printnightmare-cve-2021-1675/ | |
| - name: Microsoft-Windows-PowerShell/Operational # https://resources.infosecinstitute.com/topic/powershell-remoting-artifacts-part-1/ https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/ | |
| event_id: 4103, 4104, 4105, 4106, 40961, 40962, 24577, 8193, 8194, 8197, 53504 | |
| - name: Microsoft-Windows-PowerShell/Analytic # must be enabled | |
| event_id: 32850, 32867, 32868 | |
| - name: Microsoft-Windows-SoftwareRestrictionPolicies | |
| event_id: 865, 866, 867, 868, 882 | |
| - name: Microsoft-Windows-Sysmon/Operational # recommended config https://github.com/Neo23x0/sysmon-config | |
| - name: User32 | |
| event_id: 1074 # https://kb.eventtracker.com/evtpass/evtpages/EventId_1074_User32_46330.asp | |
| - name: Microsoft-Windows-WindowsUpdateClient/Operational | |
| event_id: 20, 24, 25, 31, 34, 35 | |
| - name: Microsoft-Windows-CodeIntegrity/Operational | |
| event_id: 3001, 3002, 3003, 3004, 3010, 3023 | |
| - name: Microsoft-Windows-WLAN-AutoConfig/Operational | |
| event_id: 8003, 10000, 10001, 8000, 8011, 8001, 11000, 11001, 11002, 12011, 12012, 12013, 8002, 11004, 11005, 11010, 11006 | |
| - name: Microsoft-Windows-Partition/Diagnostic #present win10 1709+ logs USB/drive serials ref https://df-stream.com/2018/05/partition-diagnostic-event-log-and-usb-device-tracking-p1/ | |
| event_id: 1006 | |
| - name: Microsoft-Windows-PrintService/Operational # to detect CVE 2021-1675 attempts failed and successfull https://twitter.com/MalwareJake/status/1410421445608476679# current config set for humio cloud | |
| - name: Microsoft-Windows-CAPI2/Operational | |
| event_id: 11, 70, 90 | |
| - name: Microsoft-Windows-GroupPolicy/Operational | |
| # event_id: 1126, 1129, 112 # related to GPO failing | |
| - name: Microsoft-Windows-AAD/Operational # Azure AD related log | |
| - name: Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController # must be enabled DC specific | |
| - name: Microsoft-Windows-Authentication/ProtectedUser-Client # must be enabled | |
| - name: Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController # must be enabled DC specific | |
| - name: Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController # must be enabled DC specific | |
| - name: Microsoft-Windows-DriverFrameworks-UserMode/Operational # drivers loaded | |
| - name: Microsoft-Windows-NTLM/Operational | |
| event_id: 8001, 8002, 8003, 8004 # usefull for detemining where ntml is used to disable it |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment