Inspired by Olaf Hartong's SYSMON modular and the awesome OSSEM project by the Hunter's Forge.
I started this project to document Windows logs and to perform threat hunting in a sensible and manageable manner. OSSEM Modular is meant to help when you start ingesting logs, and to make troubleshooting easier.
I will often enable only specific categories using auditpol and monitor those without having to worry about log volume. I then use OSSEM Modular to ingest only the related logs and perform the threat hunting exercises that way using Atomic Red Team, i.e. on a smaller scale, building up from there.
At the moment this project contains Windows Security logs, Sysmon logs and some Zeek logs, although I plan to add more event providers.
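The workflow above (enable a narrow set of audit subcategories, hunt on those, then widen) can be scripted so it is repeatable and reversible. The following PowerShell is an added example written for this README; it is not a script from the OSSEM Modular repository. The mapping of the README's Security log categories to auditpol subcategory names is my own assumption (the names are the English ones `auditpol /get /category:*` prints), and the backup path under `$env:TEMP` is arbitrary. Run it from an elevated prompt.

```powershell
# Added example, not part of OSSEM Modular: enable only the audit subcategories
# behind one of the Security log categories listed in this README, back up the
# policy first, and verify what is actually in effect before ingesting.

# Back up the current policy so the change can be reverted exactly.
$backup = Join-Path $env:TEMP 'auditpol-backup.csv'   # assumed location
auditpol /backup /file:$backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'auditpol backup failed; not changing policy' }

# Assumed category -> subcategory map (English subcategory names).
# 'Object Access' is left out on purpose: its subcategories only produce
# events where a SACL is set on the object, so it needs per-object work.
$AuditCategories = @{
    'Logon/Logoff'       = @('Logon', 'Logoff', 'Special Logon', 'Other Logon/Logoff Events')
    'Account Management' = @('User Account Management', 'Security Group Management', 'Computer Account Management')
    'Account Logon'      = @('Credential Validation', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations')
    'Detailed Tracking'  = @('Process Creation', 'Process Termination')
    'Privilege Use'      = @('Sensitive Privilege Use')
    'Policy Change'      = @('Audit Policy Change', 'Authentication Policy Change')
    'DS Access'          = @('Directory Service Access', 'Directory Service Changes')
    'System'             = @('Security State Change', 'Security System Extension', 'System Integrity')
}

function Enable-AuditCategory {
    param(
        [Parameter(Mandatory)][string]$Category,
        [switch]$SuccessOnly   # some hunts only need success events
    )
    if (-not $AuditCategories.ContainsKey($Category)) {
        throw "Unknown category '$Category'. Known: $($AuditCategories.Keys -join ', ')"
    }
    $failure = if ($SuccessOnly) { 'disable' } else { 'enable' }
    foreach ($sub in $AuditCategories[$Category]) {
        auditpol /set /subcategory:"$sub" /success:enable /failure:$failure | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
    }
}

# Example exercise: Detailed Tracking (4688/4689) plus Logon/Logoff events.
Enable-AuditCategory -Category 'Detailed Tracking'
Enable-AuditCategory -Category 'Logon/Logoff'

# 4688 is far more useful with the process command line included.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# Verify the effective policy before pointing the pipeline at the Security log.
foreach ($sub in $AuditCategories['Detailed Tracking'] + $AuditCategories['Logon/Logoff']) {
    auditpol /get /subcategory:"$sub"
}

# After the exercise, revert to the saved policy:
#   auditpol /restore /file:$backup
```

Checking `auditpol /get` output after the change matters because domain Group Policy can overwrite local audit settings at the next refresh, so a hunt that "sees nothing" may simply be running against a policy that was silently reset.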
Security Event Logs categories included in the repo:
- Logon / Logoff Events
- Account Management Events
- Account Logon Events
- Object Access Events
- Detailed Tracking Events
- Privilege Use Events
- Policy Change Events
- DS Access Events
- System Events
Sysmon Event Logs categories included in the repo:
- Event Id 1: Process Creation
- Event Id 2: A process changed a file creation time
- Event Id 3: Network Connection
- Event Id 4: Sysmon service state changed
- Event Id 5: Process Terminated
- Event Id 6: Driver Loaded
- Event Id 7: Image Loaded
- Event Id 8: CreateRemoteThread
- Event Id 9: RawAccessRead
- Event Id 10: Process Access
- Event Id 11: FileCreate
- Event Id 12: RegistryEvent (Object create and delete)
- Event Id 13: RegistryEvent (Value Set)
- Event Id 14: RegistryEvent (Key and Value Rename)
- Event Id 15: FileCreateStreamHash
- Event Id 16: Sysmon Config State Changed
- Event Id 17: PipeEvent (Pipe Created)
- Event Id 18: PipeEvent (Pipe Connected)
- Event Id 19: WmiEvent (WmiEventFilter activity detected)
- Event Id 20: WmiEvent (WmiEventConsumer activity detected)
- Event Id 21: WmiEvent (WmiEventConsumerToFilter activity detected)
- Event Id 22: DNSEvent (DNS query)
- Event Id 23: FileDelete (A file delete was detected)
Events that, according to Microsoft Docs, are not active or do not produce any logs have been omitted.
If you want to adopt the complete pipeline config as is, you can use either the complete Windows Security pipeline or the Sysmon pipeline; otherwise implement it log by log depending on your needs.
All credit for their hard work on OSSEM goes to Roberto Rodriguez and Jose Rodriguez.
Problems
If you identify any problems, open an issue indicating the log ID and the problem.
Notes
Fields marked as TBD in OSSEM have been populated with what I believe is appropriate. When OSSEM is updated I will update those as well.
As I could not generate all Zeek events, I relied on sample log files from here:
This repo is maintained for now only by me: https://twitter.com/Sec_GroundZero