
Configuration guidance for implementing collection of security relevant Windows Event Log events by using Windows Event Forwarding. #nsacyber

Results 9 Event-Forwarding-Guidance issues

8002,8003,8004 are not described correctly in the RecommendedEvents files. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker 8002 - allowed to run 8003 - would be blocked if enforcement was on 8004 - was blocked 8006 Would...

Minor copy edits. Formatting (e.g., bold, monospace) requires SME review.

I emailed [email protected] for more specific contact information Nov. 19th but have heard nothing back yet... I have connectivity between sources and collector, and have had events come in for...

question

I apologize if this is not the proper avenue, but it was the only one I could recognize. Is it listed anywhere what the baseline audit/advanced audit policy settings/GPOs that...

enhancement
question

Change EventSource for Event with ID=7045 (A service was installed in the system) to correct value.

Event with ID = 7045 from System log has incorrect source in section "Software and Service Installation" of "Recommended Events to Collect" document. Correct source for this event is "Service...

bug

At least on Windows Server 2016, the name of the ETW Provider is `Microsoft-Windows-CertificateServicesClient-Lifecycle-System` with GUID `BC0669E1-A10D-4A78-834E-1CA3C806C93B`. In https://github.com/nsacyber/Event-Forwarding-Guidance/tree/master/Events it is `Microsoft-Windows-CertificateServicesClientLifecycle-System` for the EventSource

bug

This PR may be more substantial than desired and so you choose to decline this, but that's fine, I'm only submitting these PRs in case they're of interest upstream. The...

enhancement