<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Articles and Notes</title>
    <description>hcs0 writings</description>
    <link>http://hannahsuarez.github.io/</link>
    <atom:link href="http://hannahsuarez.github.io/feed.xml" rel="self" type="application/rss+xml"/>
    <pubDate>Mon, 23 May 2022 05:23:40 +0000</pubDate>
    <lastBuildDate>Mon, 23 May 2022 05:23:40 +0000</lastBuildDate>
    <generator>Jekyll v3.9.2</generator>
    
      <item>
        <title>Update 2022 and Current Focus - Information Security Compliance</title>
<description>&lt;p&gt;I have been really busy since my last post. In May, I started a new contract as Information Security Officer working as Lead ISO 27001 Implementer. After getting the company successfully ISO 27001 compliant in seven months, I started a new contract in parallel, and a few months later I am now in another industry entirely.&lt;/p&gt;

&lt;p&gt;Most of what I have been doing, especially since early 2022, has been around these concepts:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Information Security Management and Governance&lt;/li&gt;
  &lt;li&gt;Risk Management&lt;/li&gt;
  &lt;li&gt;Information Security Compliance and Data Protection&lt;/li&gt;
  &lt;li&gt;Security Assessments and Testing&lt;/li&gt;
  &lt;li&gt;Anything ISO 27001 related (Security Awareness, Testing, Change Management, all of the Annexes) from May 2021&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Also getting (back) into software.&lt;/p&gt;
</description>
        <pubDate>Mon, 23 May 2022 00:00:00 +0000</pubDate>
        <link>http://hannahsuarez.github.io/2022/Updates/</link>
        <guid isPermaLink="true">http://hannahsuarez.github.io/2022/Updates/</guid>
        
        
      </item>
    
      <item>
        <title>Microsoft Exchange Logging - Hafnium and other Attack Scenarios</title>
        <description>&lt;h2 id=&quot;exchange&quot;&gt;Exchange&lt;/h2&gt;

&lt;p&gt;Microsoft Exchange is a common attack surface, providing multiple entry points from the public, Internet-facing side into the enterprise network. Recently, Exchange hit the news when the hacker group known as Hafnium doubled its count of compromised Microsoft Exchange Servers to nearly 60,000 globally.&lt;/p&gt;

&lt;p&gt;There have been previous reports of known attacks via Exchange. &lt;a href=&quot;https://www.fireeye.com/blog/threat-research/2019/04/finding-weaknesses-before-the-attackers-do.html&quot;&gt;FireEye Red Team in 2019 conducted a red team pentest&lt;/a&gt; in which the initial compromise happens via OWA (Outlook Web App). The red team cloned OWA on a look-alike domain; technically it is a phishing attack, but the compromise goes through OWA.&lt;/p&gt;

&lt;p&gt;Attacker persistence and domain escalation can follow because Microsoft Exchange binds to Active Directory, so attackers can harvest the same credentials.&lt;/p&gt;

&lt;h2 id=&quot;exchange-log-collection&quot;&gt;Exchange Log Collection&lt;/h2&gt;

&lt;p&gt;In addition to the &lt;a href=&quot;https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/&quot;&gt;Microsoft security update, which included mitigation strategies&lt;/a&gt;, here are other items one can look into for securing Exchange:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;Find indications of redirection (i.e. from a fake OWA to the real OWA)&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Find signs of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;privesc&lt;/code&gt; (“being an Administrator on an Exchange server is enough to escalate to Domain Admin” from &lt;a href=&quot;https://duo.com/decipher/microsoft-exchange-users-get-admin-rights-in-privilege-escalation-attack&quot;&gt;Duo&lt;/a&gt;)&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;a href=&quot;https://securityonline.info/exchange-ad-privesc-exchange-privilege-escalations-to-active-directory/&quot;&gt;Pentesting Microsoft Exchange&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Writeup to &lt;a href=&quot;https://pentestlaboratories.com/2019/09/23/microsoft-exchange-preventing-cyber-attacks/&quot;&gt;harden Exchange&lt;/a&gt;&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Of course the mitigation notes and security release updates are most important. They also mention going through IIS logs to check whether ‘files identified as malicious have been accessed.’&lt;/p&gt;

&lt;p&gt;Example Filebeat (general Exchange):&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;filebeat.inputs:
  - type: log
    # Confirm the path to the Microsoft Exchange Transport Logs. See the Open Office document to find where.
    paths:
      - /path/to/logs
    # Example:
    # - F:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking\*.LOG
    # Message tracking logs begin with header lines starting with '#'; skip them so they are not decoded as CSV records
    exclude_lines: ['^#']

    processors:
      - decode_csv_fields:
          # decode the raw line into an array field named "csv"
          fields:
            message: csv
          separator: &quot;,&quot;
          ignore_missing: false
          overwrite_keys: true
          trim_leading_space: false
          fail_on_error: true
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Example Winlogbeat File (general Exchange):&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
  - name: MSExchange Management
  - name: MSExchange ADAccess
  - name: MSExchange Message
  - name: MSExchange Antispam
  # OWA is client only - not relevant to server
  #- name: MSExchange OWA
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
</description>
        <pubDate>Tue, 09 Mar 2021 00:00:00 +0000</pubDate>
        <link>http://hannahsuarez.github.io/2021/Exchange-Logging/</link>
        <guid isPermaLink="true">http://hannahsuarez.github.io/2021/Exchange-Logging/</guid>
        
        
      </item>
    
      <item>
        <title>NTP (Network Time Protocol) and Logging</title>
        <description>&lt;h2 id=&quot;about-ntp&quot;&gt;About NTP&lt;/h2&gt;

&lt;p&gt;You may have services on your network that depend on &lt;a href=&quot;https://en.wikipedia.org/wiki/Network_Time_Protocol&quot;&gt;NTP&lt;/a&gt; and accurate timestamps, in addition to using the standardized ISO8601 format. These include DNS servers and cryptography (certificate/signature validity, e.g. being able to connect to an HTTPS website), as well as non-repudiation and integrity, which rely on accurate timestamps in logs and especially audit logs. Inaccurate timestamps give an inaccurate view of the sequence of events, making it difficult to establish a timeframe of events during incident response (IR).&lt;/p&gt;

&lt;h2 id=&quot;attack-example&quot;&gt;Attack Example&lt;/h2&gt;

&lt;p&gt;From &lt;a href=&quot;https://blog.cloudflare.com/secure-time/&quot;&gt;Cloudflare&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Most cryptography uses timestamps to limit certificate and signature validity periods. When connecting to a website, knowledge of the correct time ensures that the certificate you see is current and is not compromised by an attacker. When looking at logs, time synchronization makes sure that events on different machines can be correlated accurately. Certificates and logging infrastructure can break with minutes, hours or months of time difference.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;LogRhythm also offers a data sheet on time normalization &lt;a href=&quot;https://logrhythm.com/pdfs/datasheets/lr-time-normalization-datasheet.pdf&quot;&gt;here&lt;/a&gt; (fyi: not affiliated with them!).&lt;/p&gt;

&lt;p&gt;Read more about the attacks on the &lt;a href=&quot;https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse&quot;&gt;wiki&lt;/a&gt; and &lt;a href=&quot;https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf&quot;&gt;Black Hat EU 14 paper&lt;/a&gt;.&lt;/p&gt;

&lt;h2 id=&quot;ways-to-set-up-or-configure-own-ntp-servers&quot;&gt;Ways to set up or configure own NTP Servers&lt;/h2&gt;

&lt;p&gt;Windows servers utilize &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;time.windows.com&lt;/code&gt;. For others, or to maintain your own, there are a few options, depending on your resources as well as criticality.&lt;/p&gt;

&lt;p&gt;If seeking your own, the first step is to learn more about NTP &lt;a href=&quot;https://en.wikipedia.org/wiki/Network_Time_Protocol#Clock_strata&quot;&gt;Stratum model&lt;/a&gt; and the &lt;a href=&quot;https://en.wikipedia.org/wiki/NTP_pool&quot;&gt;NTP Pool&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Own on-site Stratum 1 NTP Server&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Is independent of other instances&lt;/li&gt;
  &lt;li&gt;Is independent of other sources&lt;/li&gt;
  &lt;li&gt;Good for secure networks&lt;/li&gt;
  &lt;li&gt;Attached to time-keeping device (Stratum 0)&lt;/li&gt;
  &lt;li&gt;Need to build or purchase as it requires special modules&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You can buy your own NTP server, or even build one off hardware like Raspberry Pi.&lt;/p&gt;

&lt;p&gt;The cost of your own NTP server varies. For example, 3600 euro plus 800 for other features (ultra-high bandwidth, built-in DoS detection, security hardening), or up to 1000 euro (i.e. TIMENET Pro, a PoE-powered NTP Master Time Server, incl. 5 metre antenna).&lt;/p&gt;

&lt;p&gt;To build your own, an Arduino or Raspberry Pi board with an RTC (real-time clock) module is needed.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Own NTP server (Stratum 3) that obtains time from Stratum 2 servers&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Uses “industry accepted time sources”. For example, depending on the country there may be universities that host such servers; more are hosted privately and at other companies.&lt;/li&gt;
  &lt;li&gt;Does not require expensive hardware&lt;/li&gt;
  &lt;li&gt;Should be implemented with PKI infrastructure, public key authentication, or a pre-shared key&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Own NTP server that uses the NTP pool&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;NTP.org uses round-robin DNS to allocate the IP address of a random time server in the pool. The geographically closer servers will provide the most accurate time&lt;/li&gt;
  &lt;li&gt;NTP takes the time supplied from your 4 allocated time servers and uses that information collectively to calculate an accurate time. No one source is considered authoritative.&lt;/li&gt;
  &lt;li&gt;Select at least 4 domain names from ntp.org&lt;/li&gt;
  &lt;li&gt;More info at &lt;a href=&quot;http://support.ntp.org/bin/view/Servers/NTPPoolServers&quot;&gt;http://support.ntp.org/bin/view/Servers/NTPPoolServers&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Have NTP client already installed on Linux server?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Check on these servers with:&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;timedatectl&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;If &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Network time on: yes&lt;/code&gt;, it is synced with NTP.
If &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;NTP synchronized: no&lt;/code&gt;, the clock was synced through another tool. It may also mean
&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;systemd&lt;/code&gt; didn’t sync…&lt;/p&gt;

&lt;p&gt;If &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Network time on: no&lt;/code&gt; run &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sudo timedatectl set-ntp true&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Option:
&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ntpdate Client&lt;/code&gt; - suitable for those not connected to the Internet&lt;/p&gt;

&lt;p&gt;To check the time zone, use &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;timedatectl | grep &quot;Time zone&quot;&lt;/code&gt;.
Debian: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;cat /etc/timezone&lt;/code&gt;&lt;/p&gt;

&lt;h2 id=&quot;collecting-logs-from-ntp-server&quot;&gt;Collecting logs from NTP Server&lt;/h2&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;grep log /etc/ntp.conf&lt;/code&gt; will show the location of where the logs are made.&lt;/p&gt;

&lt;p&gt;You can change this location to another place; otherwise logs normally go to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/var/messages&lt;/code&gt; or to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/opt/ntp/ntp.log&lt;/code&gt;.&lt;/p&gt;

&lt;h2 id=&quot;how-to-check-ntp-client-sync-logs&quot;&gt;How to check NTP client sync logs&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://social.technet.microsoft.com/Forums/Lync/en-US/d36c9a2b-62f8-4a88-ab99-a3c899ced3c3/how-to-check-the-ntp-client-sync-logs&quot;&gt;Please see this Microsoft Technet support site&lt;/a&gt; for the answer.&lt;/p&gt;

&lt;h2 id=&quot;ntp-authentication&quot;&gt;NTP Authentication&lt;/h2&gt;

&lt;p&gt;&lt;a href=&quot;https://www.galsys.co.uk/news/ntp-authentication-explained/&quot;&gt;Please see Galsys&lt;/a&gt; to read more about NTP authentication.&lt;/p&gt;

&lt;p&gt;Related: &lt;a href=&quot;http://doc.ntp.org/4.2.8/keygen.html&quot;&gt;NTP key-gen&lt;/a&gt;&lt;/p&gt;

&lt;h2 id=&quot;collecting-logs-from-windows-time-server-on-addc&quot;&gt;Collecting logs from Windows Time Server on ADDC&lt;/h2&gt;

&lt;p&gt;Audit changes to these registry keys:&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type&lt;/code&gt; (value changed in the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;'Value'&lt;/code&gt; data box) – set to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;NTP&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags&lt;/code&gt;
(&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;DWORD&lt;/code&gt; Value changes in the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;'Value'&lt;/code&gt; data box) – set to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;5&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;As usual, &lt;strong&gt;the latest advice&lt;/strong&gt; comes from Microsoft’s own &lt;a href=&quot;https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/configure-authoritative-time-server&quot;&gt;documentation&lt;/a&gt;.&lt;/p&gt;

&lt;h2 id=&quot;defending-ntp-server-notes&quot;&gt;Defending NTP Server Notes&lt;/h2&gt;

&lt;ul&gt;
  &lt;li&gt;Consider configuring the firewall rules to provide an exception only for the one NTP server, with a tighter ACL, i.e. only accept requests from valid sources&lt;/li&gt;
  &lt;li&gt;Traffic filtering&lt;/li&gt;
  &lt;li&gt;Ensure no overprovisioning&lt;/li&gt;
  &lt;li&gt;Block access from the open Internet; keep it closed.&lt;/li&gt;
  &lt;li&gt;Make sure it is kept up to date&lt;/li&gt;
  &lt;li&gt;Configure NTP authentication (i.e. &lt;a href=&quot;https://access.redhat.com/solutions/393663&quot;&gt;RedHat&lt;/a&gt;). It may be needed for compliance reasons, i.e. DoD, FIPS 140-2, etc.&lt;/li&gt;
  &lt;li&gt;Disable &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;monlist&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;Check http://openntpproject.org/ to see if the NTP server is on the public list&lt;/li&gt;
  &lt;li&gt;Extended semantics of the Reference Identifier field in an NTP packet when the Stratum field is 0.&lt;/li&gt;
&lt;/ul&gt;
</description>
        <pubDate>Wed, 10 Feb 2021 00:00:00 +0000</pubDate>
        <link>http://hannahsuarez.github.io/2021/The_Importance_of_NTP_Getting_Started/</link>
        <guid isPermaLink="true">http://hannahsuarez.github.io/2021/The_Importance_of_NTP_Getting_Started/</guid>
        
        
      </item>
    
      <item>
        <title>Setting up OpenVPN Logging - including YAML Config Snippets</title>
        <description>&lt;p&gt;&lt;strong&gt;Example Windows&lt;/strong&gt;&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;input {
  file {
    path =&amp;gt; &quot;C:/path/to/openvpn/data.log&quot;
    start_position =&amp;gt; &quot;beginning&quot;
  }

  # Alternative input: receive events from a Beats shipper instead of reading the file directly
  # (replace xxx with the listener port)
  #beats {
  #  port =&amp;gt; xxx
  #}
}

filter {
  grok {
    # OpenVPN lines via syslog: SYSLOGBASE captures the timestamp, host and program name
    match =&amp;gt; {
      &quot;message&quot; =&amp;gt; &quot;%{SYSLOGBASE} %{USER:user}/%{IP:source_ip}:%{POSINT:source_port} SENT CONTROL \[%{USER:OpenVPNUser}\]: '%{DATA:msg}' \(status=%{INT:status_code}\)&quot;
    }
    # If OpenVPN logs contain user details you do not want indexed, drop the field
    #remove_field =&amp;gt; [&quot;OpenVPNUser&quot;]

    # Alternative pattern for logs without the leading user/ prefix
    #match =&amp;gt; {
    #  &quot;message&quot; =&amp;gt; &quot;%{SYSLOGBASE} %{IP:source_ip}:%{POSINT:source_port} SENT CONTROL \[%{USER:user}\]: '%{DATA:msg}' \(status=%{INT:status_code}\)&quot;
    #}
  }

  geoip {
    source =&amp;gt; &quot;source_ip&quot;
  }

  # Add type for authentication allowed
  if [msg] =~ &quot;PUSH_REPLY&quot; {
    mutate {
      replace =&amp;gt; { &quot;type&quot; =&amp;gt; &quot;openvpn_access&quot; }
    }
  }

  # Add type for authentication failed logs
  if [msg] =~ &quot;AUTH_FAILED&quot; {
    mutate {
      replace =&amp;gt; { &quot;type&quot; =&amp;gt; &quot;openvpn_err&quot; }
    }
  }

  # Add type for WARNING logs
  if [msg] =~ &quot;WARNING&quot; {
    mutate {
      replace =&amp;gt; { &quot;type&quot; =&amp;gt; &quot;openvpn_warn&quot; }
    }
  }

  # Syslog timestamps carry no year; the second pattern handles the
  # single-digit-day form &quot;Apr  7 18:34:54&quot;. Adjust once the real time format is known.
  date {
    match =&amp;gt; [&quot;timestamp&quot;, &quot;MMM dd HH:mm:ss&quot;, &quot;MMM  d HH:mm:ss&quot;, &quot;ISO8601&quot;]
    target =&amp;gt; &quot;@timestamp&quot;
  }

  #if &quot;_grokparsefailure&quot; in [tags] {
  #  drop { }
  #}
}

output {
  elasticsearch {
    hosts =&amp;gt; [&quot;elasticsearch-host:9200&quot;]
    index =&amp;gt; &quot;openvpn-%{+YYYY.MM.dd}&quot;
  }
  # debug
  #stdout { codec =&amp;gt; rubydebug }
}
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;blockquote&gt;
  &lt;p&gt;The above sample was not written by me. Alas, I have not yet been able to find its origin, as it has been residing in my files, but I am happy to reference the source once I can.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;strong&gt;Audit Logging&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Deploy file integrity monitoring on the following critical locations; the exact paths will ultimately depend on where configs are placed.&lt;/p&gt;

&lt;p&gt;Where to obtain the OpenVPN log file for…&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Linux:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The OpenVPN log file is defined in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/etc/openvpn/server.conf&lt;/code&gt;.
The verbosity of the log is also defined in the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;server.conf&lt;/code&gt; file.&lt;/p&gt;

&lt;p&gt;Authentication process events, such as preauthorization, authentication and enrolment events and their status messages, will also appear in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/var/log/messages&lt;/code&gt; in addition to the OpenVPN log file.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Windows&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Potential paths include &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;\Program Files\OpenVPN\log&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;C:\Program Files\OpenVPN\config\&lt;/code&gt;&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;#Linux server config example
/etc/openvpn/server.conf

#Client config files example
&amp;lt;client name/&amp;gt;.conf

#Windows config files example
C:\Program Files\OpenVPN\config\*
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;OpenVPN Config Tests&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Load the log sample and change the input path to the right location.&lt;/li&gt;
  &lt;li&gt;When a user successfully authenticates, a type is created &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;“openvpn_access”&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;When a user does not successfully authenticate, a type is created &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;“openvpn_err”&lt;/code&gt;.&lt;/li&gt;
  &lt;li&gt;Reload the configuration and check that Elastic does not reindex the event.&lt;/li&gt;
  &lt;li&gt;Change the OpenVPN configuration on the client and see if it triggers a file integrity monitoring event.&lt;/li&gt;
  &lt;li&gt;Change the OpenVPN configuration on the server and see if it triggers a file integrity monitoring event.&lt;/li&gt;
  &lt;li&gt;Windows -&amp;gt; Client connects to the OpenVPN server (message is logged with type &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;&quot;openvpn_access&quot;&lt;/code&gt;), then a successful logon (Event ID &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;4624&lt;/code&gt;) is logged.&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
  &lt;p&gt;YMMV! Your mileage may vary.&lt;/p&gt;
&lt;/blockquote&gt;
</description>
        <pubDate>Sun, 07 Feb 2021 00:00:00 +0000</pubDate>
        <link>http://hannahsuarez.github.io/2021/YAML_OpenVPN_Logging/</link>
        <guid isPermaLink="true">http://hannahsuarez.github.io/2021/YAML_OpenVPN_Logging/</guid>
        
        
      </item>
    
      <item>
        <title>YAML Config Snippet for HyperV Audit Logging Event Locations</title>
        <description>&lt;p&gt;The following is an Auditbeat YML configuration snippet utilizing the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;file_integrity&lt;/code&gt; module of potential locations of interest to monitor changes on HyperV for auditing purposes.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;- module: file_integrity
  paths:
#Individual files to monitor
  - C:\ProgramData\Microsoft\Event Viewer\Views\ServerRoles\Virtualization.Events.xml
  - C:\ProgramData\Microsoft\Microsoft\Windows\Hyper-V\InitialStore.xml
#Files in C:\Windows\System32\
  - C:\Windows\System32\wnetvsc.inf
  - C:\Windows\System32\ws3cap.inf
  - C:\Windows\System32\wstorflt.inf
  - C:\Windows\System32\wstorvsc.inf
  - C:\Windows\System32\wvid.inf
  - C:\Windows\System32\wvmbus.inf
  - C:\Windows\System32\wvmbusid.inf
  - C:\Windows\System32\wvmbusvideo.inf
  - C:\Windows\System32\wvmic.inf
  - C:\Windows\System32\wvms_mp.inf
  - C:\Windows\System32\wvms_pp.inf
  #Files in C:\Windows\System32\ - AMD Hyper-V only
  - C:\Windows\System32\hvac64.exe
  #Files in C:\Windows\System32\drivers\en-US
  - C:\Windows\System32\drivers\en-US\isoparser.sys.mui
  - C:\Windows\System32\drivers\en-US\hvboot.sys.mui
  - C:\Windows\System32\drivers\en-US\vmbus.sys.mui
  - C:\Windows\System32\drivers\en-US\netvsc50.sys.mui
  - C:\Windows\System32\drivers\en-US\netvsc60.sys.mui
  - C:\Windows\System32\drivers\en-US\passthruparser.sys.mui
  - C:\Windows\System32\drivers\en-US\storflt.sys.mui
  - C:\Windows\System32\drivers\en-US\vhdparser.sys.mui
  #Files in C:\Windows\System32\DriverStore\en-US\
  - C:\Windows\System32\DriverStore\en-US\wnetvsc.inf_loc
  - C:\Windows\System32\DriverStore\en-US\ws3cap.inf_loc
  - C:\Windows\System32\DriverStore\en-US\wstorflt.inf_loc
  - C:\Windows\System32\DriverStore\en-US\wstorvsp.inf_loc
  - C:\Windows\System32\DriverStore\en-US\wvid.inf_loc
  - C:\Windows\System32\DriverStore\en-US\wvmbus.inf_loc
  - C:\Windows\System32\DriverStore\en-US\wvmbushid.inf_loc
  - C:\Windows\System32\DriverStore\en-US\wvmbusvideo.inf_loc
  - C:\Windows\System32\DriverStore\en-US\wvmic.inf_loc
  - C:\Windows\System32\DriverStore\en-US\wvms_mp.inf_loc
  - C:\Windows\System32\DriverStore\en-US\wvms_pp.inf_loc
  #Files in C:\Windows\System32\en-US\
  - C:\Windows\System32\en-US\nvspwmi.dll.mui
  - C:\Windows\System32\en-US\RemoteFileBrowse.dll.mui
  - C:\Windows\System32\en-US\SynthNic.dll.mui
  - C:\Windows\System32\en-US\SynthStor.dll.mui
  - C:\Windows\System32\en-US\vhdsvc.dll.mui
  - C:\Windows\System32\en-US\vmclusex.dll.mui
  - C:\Windows\System32\en-US\vmclusrex.dll.mui
  - C:\Windows\System32\en-US\vmicheartbeat.dll.mui
  - C:\Windows\System32\en-US\vmickvpexchange.dll.mui
  - C:\Windows\System32\en-US\vmicshutdown.dll.mui
  - C:\Windows\System32\en-US\vmictimesync.dll.mui
  - C:\Windows\System32\en-US\vmicvss.dll.mui
  - C:\Windows\System32\en-US\vmms.exe.mui
  - C:\Windows\System32\en-US\vmswitch.sys.mui
  - C:\Windows\System32\en-US\vmwp.exe.mui
  - C:\Windows\System32\en-US\vsconfig.dll.mui
  - C:\Windows\System32\en-US\WindowsVirtualization.mfl
  - C:\Windows\System32\en-US\WindowsVirtualizationUninstall.mfl
  - C:\Windows\System32\en-US\SnapInAbout.dll.mui
  - C:\Windows\System32\en-US\virtmgmt.msc
  #Files in C:\Program Files\Hyper-V
  - C:\Program Files\Hyper-V\InspectVhdDialog.exe
  - C:\Program Files\Hyper-V\InspectVhdDialog.resources.exe
  - C:\Program Files\Hyper-V\Microsoft.Virtualization.Client.dll
  - C:\Program Files\Hyper-V\Microsoft.Virtualization.Client.resources.dll
  - C:\Program Files\Hyper-V\Microsoft.Virtualization.Client.Management.dll
  - C:\Program Files\Hyper-V\Microsoft.Virtualization.Client.Management.resources.dll
  - C:\Program Files\Hyper-V\Microsoft.Virtualization.Client.RdpClientAxHost.dll
  - C:\Program Files\Hyper-V\Microsoft.Virtualization.Client.RdpClientInterop.dll
  - C:\Program Files\Hyper-V\Microsoft.Virtualization.Client.Settings.dll
  - C:\Program Files\Hyper-V\Microsoft.Virtualization.Client.Settings.resources.dll
  - C:\Program Files\Hyper-V\Microsoft.Virtualization.Client.VMBrowser.dll
  - C:\Program Files\Hyper-V\Microsoft.Virtualization.Client.VMBrowser.resources.dll
  - C:\Program Files\Hyper-V\Microsoft.Virtualization.Client.Wizards.dll
  - C:\Program Files\Hyper-V\Microsoft.Virtualization.Client.Wizards.resources
  - C:\Program Files\Hyper-V\SnapInAbout.dll
  - C:\Program Files\Hyper-V\virtmgmt.msc
  - C:\Program Files\Hyper-V\vmconnect.exe
  - C:\Program Files\Hyper-V\vmbus.cat
  - C:\Program Files\Hyper-V\vmstorage.cat
  - C:\Program Files\Hyper-V\vmbusvideo.cat
  - C:\Program Files\Hyper-V\vmic.cat
  - C:\Program Files\Hyper-V\netvsc.cat
  - C:\Program Files\Hyper-V\vmbushid.cat
  - C:\Program Files\Hyper-V\vmginst.cat
  #exclude_files:
  #include_files: []
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: false
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;blockquote&gt;
  &lt;p&gt;YMMV! Your mileage may vary.&lt;/p&gt;
&lt;/blockquote&gt;
</description>
        <pubDate>Sun, 07 Feb 2021 00:00:00 +0000</pubDate>
        <link>http://hannahsuarez.github.io/2021/YAML_HyperV_Audit_Events/</link>
        <guid isPermaLink="true">http://hannahsuarez.github.io/2021/YAML_HyperV_Audit_Events/</guid>
        
        
      </item>
    
      <item>
        <title>YAML Config with Event IDs of Active Directory Domain Service Events with Criticality Info</title>
        <description>&lt;p&gt;The following are Active Directory Domain Service Events with criticality severity information noted in the comments, based on &lt;a href=&quot;https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor#appendix-l-events-to-monitor&quot;&gt;this Appendix of Events to Monitor&lt;/a&gt;.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;- name: Directory Service
- name: Security
  #this is the Path in Windows QueryXML
  #The event IDs below are Security log events, so the filter belongs on this entry:
  #keep only the listed IDs and drop everything else
  processors:
    - drop_event.when.not.or:
      #Events where potential criticality is high
      - equals.winlog.event_id: 4618
      - equals.winlog.event_id: 4649
      - equals.winlog.event_id: 4719
      - equals.winlog.event_id: 4765
      - equals.winlog.event_id: 4766
      - equals.winlog.event_id: 4794
      - equals.winlog.event_id: 4897
      - equals.winlog.event_id: 4964
      - equals.winlog.event_id: 5124
      - equals.winlog.event_id: 1102
#Events where potential criticality is medium
      - equals.winlog.event_id: 4621
      - equals.winlog.event_id: 4675
      - equals.winlog.event_id: 4692
      - equals.winlog.event_id: 4693
      - equals.winlog.event_id: 4706
      - equals.winlog.event_id: 4713
      - equals.winlog.event_id: 4714
      - equals.winlog.event_id: 4715
      - equals.winlog.event_id: 4716
      - equals.winlog.event_id: 4724
      - equals.winlog.event_id: 4727
      - equals.winlog.event_id: 4735
      - equals.winlog.event_id: 4737
      - equals.winlog.event_id: 4739
      - equals.winlog.event_id: 4754
      - equals.winlog.event_id: 4755
      - equals.winlog.event_id: 4764
      - equals.winlog.event_id: 4780
      - equals.winlog.event_id: 4816
      - equals.winlog.event_id: 4865
      - equals.winlog.event_id: 4866
      - equals.winlog.event_id: 4867
      - equals.winlog.event_id: 4868
      - equals.winlog.event_id: 4870
      - equals.winlog.event_id: 4882
      - equals.winlog.event_id: 4885
      - equals.winlog.event_id: 4890
      - equals.winlog.event_id: 4892
      - equals.winlog.event_id: 4896
      - equals.winlog.event_id: 4906
      - equals.winlog.event_id: 4907
      - equals.winlog.event_id: 4908
      - equals.winlog.event_id: 4912
      - equals.winlog.event_id: 4960
      - equals.winlog.event_id: 4961
      - equals.winlog.event_id: 4962
      - equals.winlog.event_id: 4963
      - equals.winlog.event_id: 4965
      - equals.winlog.event_id: 4976
      - equals.winlog.event_id: 4977
      - equals.winlog.event_id: 4978
      - equals.winlog.event_id: 4983
      - equals.winlog.event_id: 4984
      - equals.winlog.event_id: 5027
      - equals.winlog.event_id: 5028
      - equals.winlog.event_id: 5029
      - equals.winlog.event_id: 5030
      - equals.winlog.event_id: 5035
      - equals.winlog.event_id: 5037
      - equals.winlog.event_id: 5038
      - equals.winlog.event_id: 5120
      - equals.winlog.event_id: 5121
      - equals.winlog.event_id: 5122
      - equals.winlog.event_id: 5123
      - equals.winlog.event_id: 5376
      - equals.winlog.event_id: 5377
      - equals.winlog.event_id: 5453
      - equals.winlog.event_id: 5480
      - equals.winlog.event_id: 5483
      - equals.winlog.event_id: 5484
      - equals.winlog.event_id: 5485
      - equals.winlog.event_id: 6145
      - equals.winlog.event_id: 6273
      - equals.winlog.event_id: 6274
      - equals.winlog.event_id: 6275
      - equals.winlog.event_id: 6276
      - equals.winlog.event_id: 6277
      - equals.winlog.event_id: 6278
      - equals.winlog.event_id: 6279
      - equals.winlog.event_id: 6280
      - equals.winlog.event_id: 24586
      - equals.winlog.event_id: 24592
      - equals.winlog.event_id: 24593
      - equals.winlog.event_id: 24594
#Events where potential criticality is low
      - equals.winlog.event_id: 4608
      - equals.winlog.event_id: 4609
      - equals.winlog.event_id: 4610
      - equals.winlog.event_id: 4611
      - equals.winlog.event_id: 4612
      - equals.winlog.event_id: 4614
      - equals.winlog.event_id: 4615
      - equals.winlog.event_id: 4616
      - equals.winlog.event_id: 4624
      - equals.winlog.event_id: 4625
      - equals.winlog.event_id: 4634
      - equals.winlog.event_id: 4647
      - equals.winlog.event_id: 4648
      - equals.winlog.event_id: 4656
      - equals.winlog.event_id: 4657
      - equals.winlog.event_id: 4658
      - equals.winlog.event_id: 4660
      - equals.winlog.event_id: 4661
      - equals.winlog.event_id: 4662
      - equals.winlog.event_id: 4663
      - equals.winlog.event_id: 4672
      - equals.winlog.event_id: 4673
      - equals.winlog.event_id: 4674
      - equals.winlog.event_id: 4688
      - equals.winlog.event_id: 4689
      - equals.winlog.event_id: 4690
      - equals.winlog.event_id: 4691
      - equals.winlog.event_id: 4696
      - equals.winlog.event_id: 4697
      - equals.winlog.event_id: 4698
      - equals.winlog.event_id: 4699
      - equals.winlog.event_id: 4700
      - equals.winlog.event_id: 4701
      - equals.winlog.event_id: 4702
      - equals.winlog.event_id: 4704
      - equals.winlog.event_id: 4705
      - equals.winlog.event_id: 4707
      - equals.winlog.event_id: 4717
      - equals.winlog.event_id: 4718
      - equals.winlog.event_id: 4720
      - equals.winlog.event_id: 4722
      - equals.winlog.event_id: 4723
      - equals.winlog.event_id: 4725
      - equals.winlog.event_id: 4726
      - equals.winlog.event_id: 4728
      - equals.winlog.event_id: 4729
      - equals.winlog.event_id: 4730
      - equals.winlog.event_id: 4731
      - equals.winlog.event_id: 4732
      - equals.winlog.event_id: 4733
      - equals.winlog.event_id: 4734
      - equals.winlog.event_id: 4738
      - equals.winlog.event_id: 4740
      - equals.winlog.event_id: 4741
      - equals.winlog.event_id: 4742
      - equals.winlog.event_id: 4743
      - equals.winlog.event_id: 4744
      - equals.winlog.event_id: 4745
      - equals.winlog.event_id: 4746
      - equals.winlog.event_id: 4747
      - equals.winlog.event_id: 4748
      - equals.winlog.event_id: 4749
      - equals.winlog.event_id: 4750
      - equals.winlog.event_id: 4751
      - equals.winlog.event_id: 4752
      - equals.winlog.event_id: 4753
      - equals.winlog.event_id: 4756
      - equals.winlog.event_id: 4757
      - equals.winlog.event_id: 4758
      - equals.winlog.event_id: 4759
      - equals.winlog.event_id: 4760
      - equals.winlog.event_id: 4761
      - equals.winlog.event_id: 4762
      - equals.winlog.event_id: 4767
      - equals.winlog.event_id: 4768
      - equals.winlog.event_id: 4769
      - equals.winlog.event_id: 4770
      - equals.winlog.event_id: 4771
      - equals.winlog.event_id: 4772
      - equals.winlog.event_id: 4774
      - equals.winlog.event_id: 4775
      - equals.winlog.event_id: 4776
      - equals.winlog.event_id: 4778
      - equals.winlog.event_id: 4779
      - equals.winlog.event_id: 4781
      - equals.winlog.event_id: 4783
      - equals.winlog.event_id: 4785
      - equals.winlog.event_id: 4786
      - equals.winlog.event_id: 4787
      - equals.winlog.event_id: 4788
      - equals.winlog.event_id: 4789
      - equals.winlog.event_id: 4790
      - equals.winlog.event_id: 4869
      - equals.winlog.event_id: 4871
      - equals.winlog.event_id: 4872
      - equals.winlog.event_id: 4873
      - equals.winlog.event_id: 4874
      - equals.winlog.event_id: 4875
      - equals.winlog.event_id: 4876
      - equals.winlog.event_id: 4877
      - equals.winlog.event_id: 4878
      - equals.winlog.event_id: 4879
      - equals.winlog.event_id: 4880
      - equals.winlog.event_id: 4881
      - equals.winlog.event_id: 4883
      - equals.winlog.event_id: 4884
      - equals.winlog.event_id: 4886
      - equals.winlog.event_id: 4887
      - equals.winlog.event_id: 4888
      - equals.winlog.event_id: 4889
      - equals.winlog.event_id: 4891
      - equals.winlog.event_id: 4893
      - equals.winlog.event_id: 4894
      - equals.winlog.event_id: 4895
      - equals.winlog.event_id: 4898
      - equals.winlog.event_id: 5136
      - equals.winlog.event_id: 5137
  provider:
    - Microsoft-Windows-ActiveDirectory_DomainService
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;blockquote&gt;
  &lt;p&gt;YMMV! Your mileage may vary.&lt;/p&gt;
&lt;/blockquote&gt;
</description>
        <pubDate>Sun, 07 Feb 2021 00:00:00 +0000</pubDate>
        <link>http://hannahsuarez.github.io/2021/Active_Directory/</link>
        <guid isPermaLink="true">http://hannahsuarez.github.io/2021/Active_Directory/</guid>
        
        
      </item>
    
      <item>
        <title>YAML config for the Palantir Windows Event Forwarding Guidance</title>
        <description>&lt;p&gt;Entries that duplicate the &lt;a href=&quot;https://hannahsuarez.github.io/2021/Winlogbeat_NSAEventstoMonitor/&quot;&gt;“Security Auditing and Monitoring Reference”&lt;/a&gt; and &lt;a href=&quot;https://hannahsuarez.github.io/2021/ExploitProtectionEvents/&quot;&gt;“Exploit Protection Events”&lt;/a&gt; YAML configuration files have already been removed.&lt;/p&gt;

&lt;p&gt;IDs are from the &lt;a href=&quot;https://github.com/palantir/windows-event-forwarding/&quot;&gt;Palantir WEF Guidance&lt;/a&gt; repo.&lt;/p&gt;

&lt;p&gt;Follow the comments to ascertain which section pertains to which config.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;  #Account Management: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Account-Management.xml
  - name: Security
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 4765

  #Active Directory: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Active-Directory.xml
  - name: Security
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 14080
        - equals.winlog.event_id: 4717

  #Application Crashes: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Application-Crashes.xml
  - name: Application
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 1000
        - equals.winlog.event_id: 1002
    level: error
    provider:
      - Application Error
      - Application Hang
  - name: Application
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 1001
    level: info
    provider:
      - Windows Error Reporting

  #AppLocker: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Applocker.xml
  - name: Microsoft-Windows-AppLocker/EXE and DLL
  - name: Microsoft-Windows-AppLocker/MSI and Script
  - name: Microsoft-Windows-AppLocker/Packaged app-Execution
  - name: Microsoft-Windows-AppLocker/Packaged app-Deployment

  #Authentication: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Authentication.xml
  - name: Security
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 4624
        - equals.winlog.event_id: 4625
        - equals.winlog.event_id: 4626
        - equals.winlog.event_id: 4634
        - equals.winlog.event_id: 4647
        - equals.winlog.event_id: 4675
        - equals.winlog.event_id: 4800
        - equals.winlog.event_id: 4801
        - equals.winlog.event_id: 4802
        - equals.winlog.event_id: 4803
        - equals.winlog.event_id: 5378

  #Autoruns: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Autoruns.xml
  #make sure to set up the scheduled autoruns service
  - name: Autoruns

  #Bits Client: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Bits-Client.xml
  - name: Microsoft-Windows-Bits-Client/Operational

  #Code Integrity: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Code-Integrity.xml
  - name: Microsoft-Windows-CodeIntegrity/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 3001
        - equals.winlog.event_id: 3002
        - equals.winlog.event_id: 3003
        - equals.winlog.event_id: 3004
        - equals.winlog.event_id: 3010
        - equals.winlog.event_id: 3023
    level: error, warning
    provider:
      - Microsoft-Windows-CodeIntegrity

  #DNS: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/DNS.xml
  - name: Microsoft-Windows-DNS-Client/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 3008
  - name: DNS Server
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 150
        - equals.winlog.event_id: 770
  #Check if DNS Server has audit enabled
  - name: Microsoft-Windows-DNSServer/Audit
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 541

  #Device Guard: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Device-Guard.xml
  - name: Microsoft-Windows-DeviceGuard/Operational

  #Drivers: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Drivers.xml
  - name: System
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 219
    level: warning
    provider:
      - Microsoft-Windows-Kernel-PnP
  - name: Microsoft-Windows-DriverFrameworks-UserMode/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 2004

  #EMET: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/EMET.xml
  - name: Application
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 1
        - equals.winlog.event_id: 2
    level: warning, error
    provider:
      - EMET

  #EventLog Diagnostics: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Event-Log-Diagnostics.xml
  - name: System
    provider:
      - Microsoft-Windows-Eventlog
  - name: Security
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 1100

  #External Devices: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/External-Devices.xml
  - name: Microsoft-Windows-Kernel-PnP/Configuration
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 400
        - equals.winlog.event_id: 410
    level: info
    provider:
      - Microsoft-Windows-Kernel-PnP

  #Windows Firewall: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Firewall.xml
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 2004
        - equals.winlog.event_id: 2005
        - equals.winlog.event_id: 2006
        - equals.winlog.event_id: 2033
    level: info, error
    provider:
      - Microsoft-Windows-Windows Firewall With Advanced Security

  #GPO Errors: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Group-Policy-Errors.xml
  - name: System
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 1085
        - equals.winlog.event_id: 1125
        - equals.winlog.event_id: 1127
        - equals.winlog.event_id: 1129
    level: error
    provider:
      - Microsoft-Windows-GroupPolicy

  #Kerberos: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Kerberos.xml
  - name: Security
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 4769
        - equals.winlog.event_id: 4770
        - equals.winlog.event_id: 4773

  #Log Deletion System: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Log-Deletion-System.xml
  - name: System
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 104
    level: info
    provider:
      - Microsoft-Windows-Eventlog

  #MSI Packages: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/MSI-Packages.xml
  - name: Application
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 1022
        - equals.winlog.event_id: 1033
    provider:
      - MsiInstaller
  - name: Setup
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 2
        - equals.winlog.event_id: 0
    provider:
      - Microsoft-Windows-Servicing
  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 903
        - equals.winlog.event_id: 904
    provider:
      - Microsoft-Windows-Application-Experience
  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 905
        - equals.winlog.event_id: 906
    provider:
      - Microsoft-Windows-Application-Experience
  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 907
        - equals.winlog.event_id: 908
    provider:
      - Microsoft-Windows-Application-Experience
  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 800
    provider:
      - Microsoft-Windows-Application-Experience

  #Microsoft Office: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Microsoft-Office.xml
  - name: OAlerts

  #NTLM: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/NTLM.xml
  - name: Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
    provider:
      - Microsoft-Windows-NTLM
  - name: Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
    provider:
      - Microsoft-Windows-NTLM
  - name: Microsoft-Windows-NTLM/Operational
    provider:
      - Microsoft-Windows-NTLM

  #Operating System: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Operating-System.xml
  - name: System
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 12
        - equals.winlog.event_id: 13
    provider:
      - Microsoft-Windows-Kernel-General
  - name: Security
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 4608
  - name: System
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 1074
    provider:
      - USER32
  - name: System
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 16962
        - equals.winlog.event_id: 16965
        - equals.winlog.event_id: 16968
        - equals.winlog.event_id: 16969
  - name: Microsoft-Windows-SMBServer/Audit
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 3000
    provider:
      - Microsoft-Windows-SMBServer
  - name: System
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 41
        - equals.winlog.event_id: 1001
        - equals.winlog.event_id: 6008
        - equals.winlog.event_id: 4621

  #Windows PowerShell: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Powershell.xml
  - name: Microsoft-Windows-PowerShell/Operational
  - name: Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
  - name: Windows PowerShell

  #Print: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Print.xml
  - name: Microsoft-Windows-PrintService/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 307
    level: info
    provider:
      - Microsoft-Windows-PrintService

  #Services: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Services.xml
  - name: System
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 7022
        - equals.winlog.event_id: 7023
        - equals.winlog.event_id: 7024
        - equals.winlog.event_id: 7026
        - equals.winlog.event_id: 7031
        - equals.winlog.event_id: 7032
        - equals.winlog.event_id: 7034
    level: info, critical, error, warning
    provider:
      - Service Control Manager
  - name: System
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 7045
        - equals.winlog.event_id: 7040
    level: info, critical, error, warning
    provider:
      - Service Control Manager

  #Shares: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Shares.xml
  - name: Microsoft-Windows-SMBClient/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 30622
        - equals.winlog.event_id: 30624
  - name: Microsoft-Windows-SMBClient/Security
  - name: Microsoft-Windows-SMBServer/Security

  #Smart Card: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Smart-Card.xml
  - name: Microsoft-Windows-SmartCard-Audit/Authentication

  #Software Restrictions: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Software-Restriction-Policies.xml
  - name: Application
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 865
        - equals.winlog.event_id: 866
        - equals.winlog.event_id: 867
        - equals.winlog.event_id: 868
        - equals.winlog.event_id: 882
    provider:
      - Microsoft-Windows-SoftwareRestrictionPolicies

  #Sysmon: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Sysmon.xml
  - name: Microsoft-Windows-Sysmon/Operational

  #System Time Change: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/System-Time-Change.xml
  - name: Security
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 4616

  #Task Scheduler: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Task-Scheduler.xml
  - name: Microsoft-Windows-TaskScheduler/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 106
        - equals.winlog.event_id: 129
        - equals.winlog.event_id: 141
        - equals.winlog.event_id: 142
        - equals.winlog.event_id: 200
        - equals.winlog.event_id: 201
    provider:
      - Microsoft-Windows-TaskScheduler

  #Terminal Services: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Terminal-Services.xml
  - name: Microsoft-Windows-TerminalServices-Gateway/Admin
  - name: Microsoft-Windows-TerminalServices-Gateway/Operational
  - name: Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
  - name: Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
  - name: Microsoft-Windows-TerminalServices-PnPDevices/Admin
  - name: Microsoft-Windows-TerminalServices-PnPDevices/Operational
  - name: Microsoft-Windows-TerminalServices-Printers/Admin
  - name: Microsoft-Windows-TerminalServices-Printers/Operational
  - name: Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
  - name: Microsoft-Windows-TerminalServices-ServerUSBDevices/

  #WMI: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/WMI.xml
  - name: Microsoft-Windows-WMI-Activity/Operational
  - name: Microsoft-Windows-TPM-WMI

  #Windows Defender: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Windows-Defender.xml
  - name: Microsoft-Windows-Windows Defender/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 1006
        - equals.winlog.event_id: 1007
        - equals.winlog.event_id: 1008
        - equals.winlog.event_id: 1009
  - name: Microsoft-Windows-Windows Defender/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 1116
        - equals.winlog.event_id: 1117
        - equals.winlog.event_id: 1118
        - equals.winlog.event_id: 1119

  #Windows Update: https://github.com/palantir/windows-event-forwarding/blob/master/wef-subscriptions/Windows-Updates.xml
  - name: Microsoft-Windows-WindowsUpdateClient/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 19
        - equals.winlog.event_id: 20
        - equals.winlog.event_id: 24
        - equals.winlog.event_id: 25
        - equals.winlog.event_id: 31
        - equals.winlog.event_id: 34
        - equals.winlog.event_id: 35
    level: error
    provider:
      - Microsoft-Windows-WindowsUpdateClient
  - name: Setup
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 1009
    level: info
    provider:
      - Microsoft-Windows-Servicing
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;blockquote&gt;
  &lt;p&gt;YMMV! Your mileage may vary.&lt;/p&gt;
&lt;/blockquote&gt;
</description>
        <pubDate>Sat, 06 Feb 2021 00:00:00 +0000</pubDate>
        <link>http://hannahsuarez.github.io/2021/YAML_Palantir_Windows_Event_Forwarding_WEF_Guidance_Security_Events_to_Monitor/</link>
        <guid isPermaLink="true">http://hannahsuarez.github.io/2021/YAML_Palantir_Windows_Event_Forwarding_WEF_Guidance_Security_Events_to_Monitor/</guid>
        
        
      </item>
    
      <item>
        <title>YAML Config Snippet of JPCERT Lateral Movement Events to Monitor (Windows)</title>
        <description>&lt;p&gt;The following are lateral movement events based on &lt;a href=&quot;https://jpcertcc.github.io/ToolAnalysisResultSheet/&quot;&gt;JPCERT&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Follow the comments for the name of the source of lateral movement (i.e. command execution, remote login, etc.).&lt;/p&gt;

&lt;p&gt;These IDs are related to the following tools and techniques: PsExec, wmic, schtasks, wmiexec.vbs, BeginX, winrm, BITS, pwdump7, pwdumpx, quarks_pwdump, mimikatz, wce, gsecdump, lslsass, acehash, find-gpo-passwords, get-gpppassword, invoke-mimikatz, out-minidump, powermemory, webbrowserpass, htran, fake_wpad, rdp_remote, wce_remote_login, mimikatz_remotelogin, ms14-058, ms15-078, sdb-uac-bypass, ms14-068, golden_ticket_mimikatz, silver_ticket_mimikatz, ntdsutil, vssadmin, csvde, ldifde, dsquery, dcdiag, nltest, nmap, net_user, net_use, sdelete, timestomp, klist_purge, wevtutil.&lt;/p&gt;

&lt;p&gt;Double check that the events can be collected in the first place; for example, make sure Sysmon is installed and enabled (though you may already know that!).&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 1
        - equals.winlog.event_id: 2
        - equals.winlog.event_id: 3
        - equals.winlog.event_id: 5
        - equals.winlog.event_id: 8
        - equals.winlog.event_id: 9
        - equals.winlog.event_id: 10
        - equals.winlog.event_id: 11
        - equals.winlog.event_id: 12
        - equals.winlog.event_id: 13

  - name: Security
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 4611
        - equals.winlog.event_id: 4624
        - equals.winlog.event_id: 4656
        - equals.winlog.event_id: 4658
        - equals.winlog.event_id: 4660
        - equals.winlog.event_id: 4661
        - equals.winlog.event_id: 4663
        - equals.winlog.event_id: 4670
        - equals.winlog.event_id: 4672
        - equals.winlog.event_id: 4673
        - equals.winlog.event_id: 4674
        - equals.winlog.event_id: 4688
        - equals.winlog.event_id: 4689
        - equals.winlog.event_id: 4690
        - equals.winlog.event_id: 4703
        - equals.winlog.event_id: 4726
        - equals.winlog.event_id: 4728
        - equals.winlog.event_id: 4737
        - equals.winlog.event_id: 4768
        - equals.winlog.event_id: 4769
        - equals.winlog.event_id: 4771
        - equals.winlog.event_id: 4776
        - equals.winlog.event_id: 4779
        - equals.winlog.event_id: 4904
        - equals.winlog.event_id: 4905
        - equals.winlog.event_id: 5140
        - equals.winlog.event_id: 5152
        - equals.winlog.event_id: 5156
        - equals.winlog.event_id: 5158
        - equals.winlog.event_id: 5159
        - equals.winlog.event_id: 5447
        - equals.winlog.event_id: 8222

  - name: System
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 104
        - equals.winlog.event_id: 7036
        - equals.winlog.event_id: 7045
        - equals.winlog.event_id: 20001

  - name: Application
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 102
        - equals.winlog.event_id: 105
        - equals.winlog.event_id: 300
        - equals.winlog.event_id: 216
        - equals.winlog.event_id: 302
        - equals.winlog.event_id: 2001
        - equals.winlog.event_id: 2003
        - equals.winlog.event_id: 2005
        - equals.winlog.event_id: 2006

  - name: Microsoft-Windows-Kernel-PnPConfig/Configuration
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 1
        - equals.winlog.event_id: 4
        - equals.winlog.event_id: 400
        - equals.winlog.event_id: 410

  - name: Microsoft-Windows-WinRM/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 4
        - equals.winlog.event_id: 6
        - equals.winlog.event_id: 8
        - equals.winlog.event_id: 10
        - equals.winlog.event_id: 11
        - equals.winlog.event_id: 13
        - equals.winlog.event_id: 15
        - equals.winlog.event_id: 16
        - equals.winlog.event_id: 29
        - equals.winlog.event_id: 30
        - equals.winlog.event_id: 31
        - equals.winlog.event_id: 33
        - equals.winlog.event_id: 80
        - equals.winlog.event_id: 81
        - equals.winlog.event_id: 82
        - equals.winlog.event_id: 83
        - equals.winlog.event_id: 132
        - equals.winlog.event_id: 134
        - equals.winlog.event_id: 143
        - equals.winlog.event_id: 166
        - equals.winlog.event_id: 169
        - equals.winlog.event_id: 192
        - equals.winlog.event_id: 193

  - name: Microsoft-Windows-TerminalServices-RDPClient/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 1024
        - equals.winlog.event_id: 1026
        - equals.winlog.event_id: 1028
        - equals.winlog.event_id: 1029
        - equals.winlog.event_id: 1105

  - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 261
        - equals.winlog.event_id: 1149

  - name: Microsoft-Windows-WMI-Activity/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 5857

  - name: Microsoft-Windows-TaskScheduler/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 106
        - equals.winlog.event_id: 129
        - equals.winlog.event_id: 200
        - equals.winlog.event_id: 201

  - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 21
        - equals.winlog.event_id: 24
        - equals.winlog.event_id: 25

  - name: Microsoft-Windows-Bits-Client/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 3
        - equals.winlog.event_id: 4
        - equals.winlog.event_id: 59
        - equals.winlog.event_id: 60

  - name: Microsoft-Windows-Application-Experience/Program-Telemetry
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 500

  - name: Microsoft-Windows-PowerShell/Operational
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 4104
        - equals.winlog.event_id: 8193
        - equals.winlog.event_id: 8194
        - equals.winlog.event_id: 8195
        - equals.winlog.event_id: 8196
        - equals.winlog.event_id: 8197
        - equals.winlog.event_id: 12039
        - equals.winlog.event_id: 40961
        - equals.winlog.event_id: 40962
        - equals.winlog.event_id: 53504
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;blockquote&gt;
  &lt;p&gt;YMMV! Your mileage may vary.&lt;/p&gt;
&lt;/blockquote&gt;
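Every fragment in these posts relies on the same mechanism: an event_logs entry collects one channel (optionally narrowed by level, provider or a top-level event_id list), and a drop_event.when.not.or processor then discards every event whose winlog.event_id equals none of the listed values. The Python below is an added example, not code from the original post: a minimal reader for this fragment shape (not a YAML library) plus a simulator that runs constructed events through those rules and flags two transcription slips that silently keep nothing, a comma-joined equals value and a top-level event_id filter that shares no ID with the drop list. The fragment and the events are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# short level names accepted in a winlogbeat 'level:' list, mapped to the full names
_LEVEL_ALIAS = {'crit': 'critical', 'err': 'error', 'warn': 'warning',
                'info': 'information', 'verb': 'verbose'}


def _level(name):
    name = name.strip().lower()
    return _LEVEL_ALIAS.get(name, name)


@dataclass
class LogEntry:
    """One '- name:' item of a winlogbeat event_logs list, in the shape used on this page."""
    name: str
    keep_ids: set = field(default_factory=set)      # IDs listed under drop_event.when.not.or
    has_drop_filter: bool = False                   # a drop_event.when.not.or block was present
    collect_ids: Optional[set] = None               # top-level 'event_id:' list, if present
    levels: set = field(default_factory=set)        # 'level:' list, normalised to full names
    providers: set = field(default_factory=set)     # 'provider:' list
    warnings: list = field(default_factory=list)


def parse_fragment(text):
    """Minimal reader for this fragment shape; returns the LogEntry objects it finds."""
    entries, cur, in_provider = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('- name:'):
            cur = LogEntry(name=line.split(':', 1)[1].strip())
            entries.append(cur)
            in_provider = False
        elif cur is None:
            continue
        elif line.startswith('processors:'):
            in_provider = False
        elif line.startswith('- drop_event.when.not.or:'):
            cur.has_drop_filter, in_provider = True, False
        elif line.startswith('- equals.winlog.event_id:'):
            value = line.split(':', 1)[1].strip()
            if value.isdigit():
                cur.keep_ids.add(int(value))
            else:
                # equals compares one value: '104, 7036' is a single string no event ID equals
                cur.warnings.append(f'{cur.name}: equals value {value!r} never matches; use one condition per ID')
        elif line.startswith('event_id:'):
            parts = [p.strip() for p in line.split(':', 1)[1].split(',') if p.strip()]
            cur.collect_ids = {int(p) for p in parts if p.isdigit()}   # ranges and negation not modelled
        elif line.startswith('level:'):
            cur.levels = {_level(p) for p in line.split(':', 1)[1].split(',') if p.strip()}
        elif line.startswith('provider:'):
            in_provider = True
        elif line.startswith('- ') and in_provider:
            cur.providers.add(line[2:].strip())
    for e in entries:
        if e.has_drop_filter and not e.keep_ids:
            e.warnings.append(f'{e.name}: drop_event.when.not.or has no usable condition, every event is dropped')
        if e.collect_ids and e.has_drop_filter and e.collect_ids.isdisjoint(e.keep_ids):
            e.warnings.append(f'{e.name}: event_id filter {sorted(e.collect_ids)} and drop list '
                              f'{sorted(e.keep_ids)} share no ID, so nothing is kept')
    return entries


def keep_event(entry, event):
    """Collection filters (channel, level, provider, event_id) first, then the drop_event processor."""
    if event['channel'] != entry.name:
        return False
    if entry.levels and _level(event['level']) not in entry.levels:
        return False
    if entry.providers and event['provider'] not in entry.providers:
        return False
    if entry.collect_ids is not None and event['event_id'] not in entry.collect_ids:
        return False
    # drop_event.when.not.or: the event survives only if one equals condition matched
    return not entry.has_drop_filter or event['event_id'] in entry.keep_ids


def filter_events(text, events):
    """Return (events that at least one entry keeps, all lint warnings) for a fragment."""
    entries = parse_fragment(text)
    kept = [ev for ev in events if any(keep_event(e, ev) for e in entries)]
    return kept, [w for e in entries for w in e.warnings]


SAMPLE_FRAGMENT = '''\
  # constructed fragment in the shape used on this page, carrying two common transcription slips
  - name: Security
    event_id: 4611
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 4624
        - equals.winlog.event_id: 4688
  - name: System
    level: info
    provider:
      - Service Control Manager
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 7045
        - equals.winlog.event_id: 104, 7036
  - name: Microsoft-Windows-Sysmon/Operational
'''

SAMPLE_EVENTS = [  # constructed events, not captured log data
    {'channel': 'Security', 'event_id': 4624, 'level': 'information', 'provider': 'Microsoft-Windows-Security-Auditing'},
    {'channel': 'Security', 'event_id': 4611, 'level': 'information', 'provider': 'Microsoft-Windows-Security-Auditing'},
    {'channel': 'System', 'event_id': 7045, 'level': 'information', 'provider': 'Service Control Manager'},
    {'channel': 'System', 'event_id': 7036, 'level': 'information', 'provider': 'Service Control Manager'},
    {'channel': 'System', 'event_id': 104, 'level': 'information', 'provider': 'Microsoft-Windows-Eventlog'},
    {'channel': 'Microsoft-Windows-Sysmon/Operational', 'event_id': 1, 'level': 'information', 'provider': 'Microsoft-Windows-Sysmon'},
]


def run_sample():
    """Only (System, 7045) and (Sysmon, 1) survive; each slip produces one warning."""
    return filter_events(SAMPLE_FRAGMENT, SAMPLE_EVENTS)


if __name__ == '__main__':
    kept, warnings = run_sample()
    for ev in kept:
        print('kept', ev['channel'], ev['event_id'])
    for w in warnings:
        print('warning:', w)
```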
</description>
        <pubDate>Sat, 06 Feb 2021 00:00:00 +0000</pubDate>
        <link>http://hannahsuarez.github.io/2021/YAML_Lateral_Movement_Events_to_Monitor/</link>
        <guid isPermaLink="true">http://hannahsuarez.github.io/2021/YAML_Lateral_Movement_Events_to_Monitor/</guid>
        
        
      </item>
    
      <item>
        <title>YAML config for NSA Events to Monitor List</title>
        <description>&lt;p&gt;Read more at &lt;a href=&quot;https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm&quot;&gt;Spotting the Adversary with Windows Event Log Monitoring (version 2)&lt;/a&gt;.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;  - name: Security

  - name: Application

  - name: System

  # define Account Usage events in the Security channel
  - name: Security
    event_id: 4740, 4648, 4781, 4733, 4776, 5376, 5377, 4625, 300, 4634, 4672, 4720, 4722, 4782, 4793, 4731, 4735, 4766, 4765, 4624, 4726, 4725, 4767, 4728, 4732, 4756, 4704

  # define Account Usage events in the Application channel
  - name: Application
    event_id: 1518, 1511

  # define Account Usage events in LSA channel
  - name: Microsoft-Windows-LSA/Operational
    event_id: 300

  # define Application Crashes event in the Application channel
  - name: Application
    event_id: 1000, 1002, 1001

  # define Application Crashes event in the System channel
  - name: System
    event_id: 1001
    provider:
      - Microsoft-Windows-WER-SystemErrorReporting

  # define Application Whitelisting events in AppLocker (name takes a single channel, so one entry per channel)
  - name: Microsoft-Windows-AppLocker/Packaged app-Deployment
    event_id: 8023, 8020, 8002, 8003, 8004, 8006, 8007, 8005
  - name: Microsoft-Windows-AppLocker/Packaged app-Execution
    event_id: 8023, 8020, 8002, 8003, 8004, 8006, 8007, 8005
  - name: Microsoft-Windows-AppLocker/EXE and DLL
    event_id: 8023, 8020, 8002, 8003, 8004, 8006, 8007, 8005
  - name: Microsoft-Windows-AppLocker/MSI and Script
    event_id: 8023, 8020, 8002, 8003, 8004, 8006, 8007, 8005

  # define Application Whitelisting events in Security Channel
  - name: Security
    event_id: 4688, 4689

  # define Application Whitelisting events
  - name: Application
    event_id: 865, 866, 867, 868, 882
    provider:
      - Microsoft-Windows-SoftwareRestrictionPolicies

  # define Boot Events in the System channel
  - name: System
    event_id: 13, 12

  # define Boot Events in the User32 channel
  - name: System
    event_id: 1074
    provider:
      - USER32

  # define Certificate Services events in the Application channel
  - name: Application
    event_id:  95

  # define Certificate Services events in the Security channel
  - name: Security
    event_id: 4886, 4890, 4874, 4873, 4870, 4887, 4885, 4899, 4896

  # define Certificate Services events in the WindowsCertificateServices channel
  - name: Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
    event_id: 1006, 1004, 1007, 1003, 1001, 1002

  # define Clearing EventLogs events in the Security channel
  - name: Security
    event_id: 1100, 1102

  # define Clearing EventLogs events in the System channel
  - name: System
    event_id: 104

  # define DNS and Directory Services events in the Security channel
  - name: Security
    event_id: 5137, 5141, 5136, 5139, 5138

  # define DNS and Directory Services events in the DNS Client channel
  - name: Microsoft-Windows-DNS-Client/Operational
    event_id: 3008, 3020

  # define External Media Detection events
  - name: Microsoft-Windows-Kernel-PnP/Device Configuration
    event_id: 400, 410

  # define Group Policy Errors events
  - name: System
    event_id: 1126, 1129, 112
    provider:
      - Microsoft-Windows-GroupPolicy

  # define Kernel Driver Signing events in the System channel
  - name: System
    event_id: 219

  # define Kernel Driver Signing events in the Security channel
  - name: Security
    event_id: 5038, 6281

  # define Kernel Driver Signing events in the CodeIntegrity channel
  - name: Microsoft-Windows-CodeIntegrity/Operational
    event_id: 3001, 3002, 3003, 3004, 3010, 3023

  # define Microsoft Cryptography API events
  - name: Microsoft-Windows-CAPI2/Operational
    event_id: 11, 70, 90

  # define Mobile Device Activities events in NetworkProfile
  - name: Microsoft-Windows-NetworkProfile/Operational
    event_id: 10000, 10001

  # define Mobile Device Activities events in WLAN AutoConfig
  - name: Microsoft-Windows-WLAN-AutoConfig/Operational
    event_id: 8003, 8000, 8011, 8001, 11000, 11001, 11002, 12011, 12012, 12013, 8002, 11004, 11005, 11010, 11006

  # define Network Host Activities events in the Security channel
  - name: Security
    event_id: 4714, 4713, 4769, 6273, 6275, 6274, 6272, 6278, 6277, 6279, 6276, 6280, 5140, 5145, 5142, 5144, 4706, 4897, 4719, 4716, 4779, 4778, 5632

  # define Network Host Activities events in RDP Operational channel
  - name: Microsoft-Windows-TerminalServices-RDPClient/Operational
    event_id: 1024

  # define Network Host Activities events in RemoteAccess channel
  - name: Microsoft-Windows-MPRMSG
    event_id: 20250, 20274, 20275

  # define PowerShell Activities events in PS Operational Channel
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  # define PowerShell Activities events in the classic Windows PowerShell channel
  - name: Windows PowerShell
    event_id: 800, 169

  # define Printing Services events
  - name: Microsoft-Windows-PrintService/Operational
    event_id: 307

  # define Software Service Installation events in Program-Inventory
  - name: Microsoft-Windows-Application-Experience/Program-Inventory
    event_id: 903, 904, 907, 908, 800, 905, 906

  # define Software Service Installation events in Application channel (provider MsiInstaller)
  - name: Application
    event_id: 1022, 1033

  # define Software Service Installation events in System channel
  - name: System
    event_id: 6, 7045, 7000, 19

  # define System Integrity events in Security channel
  - name: Security
    event_id: 4657, 4616

  # define System Integrity events in System channel
  - name: System
    event_id: 1

  # define System Or Service Failures events
  - name: System
    event_id: 7022, 7023, 7024, 7026, 7031, 7032, 7034

  # define Task Scheduler Activities events
  - name: Microsoft-Windows-TaskScheduler/Operational
    event_id: 106, 141, 142, 200

  # define WindowsDefenderActivities events
  - name: Microsoft-Windows-Windows Defender/Operational
    event_id: 1008, 1006, 1116, 1010, 2003, 2001, 1009, 1118, 1119, 1007, 1117, 3002, 2004, 1005, 5008

  # define Windows Firewall events
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    event_id: 2009, 2004, 2005, 2006, 2033

  # define Windows Update Errors in Setup channel (provider Microsoft-Windows-Servicing)
  - name: Setup
    event_id: 1009

  # define Windows Update Errors events
  - name: Microsoft-Windows-WindowsUpdateClient/Operational
    event_id: 20, 24, 25, 31, 34, 35
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
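&lt;p&gt;The fragment above is maintained by hand, and that is where its problems come from: some entries put several channels into one name, the same channel (Security, System) is listed many times, a few IDs repeat, and one channel name (Powershell) does not exist on Windows. The Python script below is an added example, not code from the original post or from Winlogbeat. It parses only the name/event_id subset of YAML used above (no PyYAML needed; entries with provider: or xml_query: keys would have to be added), merges entries per channel, drops repeated IDs, flags entries over the per-entry event ID cap that Winlogbeat documents for older Windows versions (MAX_IDS_PER_ENTRY is an assumption about the version in use), and emits the XPath clause you can paste into wevtutil qe or Get-WinEvent -FilterXPath to confirm the filter matches real events before shipping it. The SAMPLE text is constructed for the example.&lt;/p&gt;

```python
"""Lint and merge a winlogbeat.event_logs fragment written in the 'name + event_id' form.

Added example for this post, not code from Winlogbeat or the original author.
It understands only the YAML subset used in the fragment above (a '- name:' line
followed by an 'event_id:' line, '#' comments, blank lines), so it needs no PyYAML;
entries using provider:, xml_query: or other keys would have to be added.
"""
import re

# Assumption: the per-entry event ID cap that Winlogbeat documents for older Windows versions.
MAX_IDS_PER_ENTRY = 22

# Constructed sample in the same shape as the fragment above; it is not the full list.
SAMPLE = """\
winlogbeat.event_logs:
  # several channels crammed into one name: Winlogbeat takes one channel per entry
  - name: Microsoft-Windows-AppLocker/EXE and DLL, Microsoft-Windows-AppLocker/MSI and Script
    event_id: 8002, 8003, 8004, 8006, 8007, 8005

  # the same channel listed twice, with an overlapping ID
  - name: Security
    event_id: 4688, 4689

  - name: Security
    event_id: 1100, 1102, 4688

  # not a channel name: the classic log is called 'Windows PowerShell'
  - name: Powershell
    event_id: 800, 169
"""


def parse_event_logs(text):
    """Return [(channel name, [event_id tokens])] in file order, comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"\s*-\s*name:\s*(.+)$", line)
        if m:
            entries.append((m.group(1).strip(), []))
            continue
        m = re.match(r"\s*event_id:\s*(.+)$", line)
        if m and entries:
            entries[-1][1].extend(t.strip() for t in m.group(1).split(",") if t.strip())
    return entries


def lint(entries):
    """Merge entries per channel, drop repeated IDs, and collect human-readable findings."""
    merged = {}
    findings = []
    for name, ids in entries:
        if "," in name:
            findings.append("entry %r lists several channels; Winlogbeat takes one channel per entry" % name)
        if name in merged:
            findings.append("channel %r appears more than once; entries merged" % name)
        kept = merged.setdefault(name, [])
        for eid in ids:
            if eid in kept:
                findings.append("duplicate event_id %s in channel %r dropped" % (eid, name))
            else:
                kept.append(eid)
    for name, ids in merged.items():
        excess = max(0, len(ids) - MAX_IDS_PER_ENTRY)
        if excess:
            findings.append("channel %r carries %d event IDs, %d over the documented limit of %d"
                            % (name, len(ids), excess, MAX_IDS_PER_ENTRY))
    return merged, findings


def to_yaml(merged):
    """Render the merged entries back in the post's own layout."""
    lines = ["winlogbeat.event_logs:"]
    for name, ids in merged.items():
        lines.append("  - name: %s" % name)
        lines.append("    event_id: %s" % ", ".join(ids))
    return "\n".join(lines) + "\n"


def to_xpath(ids):
    """Equivalent XPath select clause, for 'wevtutil qe' or Get-WinEvent -FilterXPath.

    Handles plain IDs and Winlogbeat's '-N' exclusions; ranges (4700-4800) are rejected.
    """
    include = [i for i in ids if i.isdigit()]
    exclude = [i[1:] for i in ids if i.startswith("-") and i[1:].isdigit()]
    if len(include) + len(exclude) != len(ids):
        raise ValueError("only plain and negated event IDs are supported: %r" % ids)
    clauses = []
    if include:
        clauses.append("(" + " or ".join("EventID=%s" % i for i in include) + ")")
    clauses.extend("EventID!=%s" % i for i in exclude)
    return "*[System[%s]]" % " and ".join(clauses)


if __name__ == "__main__":
    merged, findings = lint(parse_event_logs(SAMPLE))
    for f in findings:
        print("finding:", f)
    print(to_yaml(merged))
    for name, ids in merged.items():
        print("%s: %s" % (name, to_xpath(ids)))
```

&lt;p&gt;The script cannot tell whether a channel exists; check that on a host with wevtutil el or Get-WinEvent -ListLog * before trusting a name, and test each generated clause with wevtutil qe Security /q:"..." /c:5 so you see real events come back.&lt;/p&gt;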

&lt;blockquote&gt;
  &lt;p&gt;YMMV! Your mileage may vary.&lt;/p&gt;
&lt;/blockquote&gt;
</description>
        <pubDate>Fri, 05 Feb 2021 00:00:00 +0000</pubDate>
        <link>http://hannahsuarez.github.io/2021/Winlogbeat_NSAEventstoMonitor/</link>
        <guid isPermaLink="true">http://hannahsuarez.github.io/2021/Winlogbeat_NSAEventstoMonitor/</guid>
        
        
      </item>
    
      <item>
        <title>YAML config for events from the Windows 10 and Windows Server 2016 Security auditing and monitoring reference</title>
        <description>&lt;p&gt;Based on &lt;a href=&quot;https://www.microsoft.com/en-us/download/details.aspx?id=52630&quot;&gt;“Windows 10 and Windows Server 2016 Security auditing and monitoring reference”&lt;/a&gt;.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;winlogbeat.event_logs:
  - name: Security
    processors:
      - drop_event.when.not.or:
        - equals.winlog.event_id: 4627
        - equals.winlog.event_id: 4703
        - equals.winlog.event_id: 4704
        - equals.winlog.event_id: 4705
        - equals.winlog.event_id: 4720
        - equals.winlog.event_id: 4737
        - equals.winlog.event_id: 4738
        - equals.winlog.event_id: 4739
        - equals.winlog.event_id: 4780
        - equals.winlog.event_id: 4781
        - equals.winlog.event_id: 4782
        - equals.winlog.event_id: 4793
        - equals.winlog.event_id: 4794
        - equals.winlog.event_id: 4798
        - equals.winlog.event_id: 4799
        - equals.winlog.event_id: 5376
        - equals.winlog.event_id: 5377
        #Account Logon related events
        - equals.winlog.event_id: 4774
        - equals.winlog.event_id: 4776
        - equals.winlog.event_id: 4775
        - equals.winlog.event_id: 4777
    #Audit Application Group Management and other
        - equals.winlog.event_id: 4783
        - equals.winlog.event_id: 4784
        - equals.winlog.event_id: 4785
        - equals.winlog.event_id: 4786
        - equals.winlog.event_id: 4787
        - equals.winlog.event_id: 4788
        - equals.winlog.event_id: 4789
        - equals.winlog.event_id: 4790
        - equals.winlog.event_id: 4792
        - equals.winlog.event_id: 4791
        #Success logging enabled
        - equals.winlog.event_id: 4741
        - equals.winlog.event_id: 4742
        - equals.winlog.event_id: 4743
        #Audit Distribution Group Management
        - equals.winlog.event_id: 4749
        - equals.winlog.event_id: 4750
        - equals.winlog.event_id: 4751
        - equals.winlog.event_id: 4752
        - equals.winlog.event_id: 4753
        - equals.winlog.event_id: 4759
        - equals.winlog.event_id: 4760
        - equals.winlog.event_id: 4761
        - equals.winlog.event_id: 4762
        - equals.winlog.event_id: 4763
        - equals.winlog.event_id: 4744
        - equals.winlog.event_id: 4745
        - equals.winlog.event_id: 4746
        - equals.winlog.event_id: 4747
        - equals.winlog.event_id: 4748
        #Audit Security Group Management and Other Account Management Events
        - equals.winlog.event_id: 4782
        - equals.winlog.event_id: 4793
        - equals.winlog.event_id: 4727
        - equals.winlog.event_id: 4728
        - equals.winlog.event_id: 4729
        - equals.winlog.event_id: 4730
        - equals.winlog.event_id: 4731
        - equals.winlog.event_id: 4732
        - equals.winlog.event_id: 4733
        - equals.winlog.event_id: 4734
        - equals.winlog.event_id: 4735
        - equals.winlog.event_id: 4737
        - equals.winlog.event_id: 4754
        - equals.winlog.event_id: 4755
        - equals.winlog.event_id: 4756
        - equals.winlog.event_id: 4758
        - equals.winlog.event_id: 4764
        - equals.winlog.event_id: 4799
        #Audit User Account Management
        - equals.winlog.event_id: 4720
        - equals.winlog.event_id: 4722
        - equals.winlog.event_id: 4723
        - equals.winlog.event_id: 4724
        - equals.winlog.event_id: 4725
        - equals.winlog.event_id: 4726
        - equals.winlog.event_id: 4767
        - equals.winlog.event_id: 4780
        - equals.winlog.event_id: 4781
        - equals.winlog.event_id: 4794
        - equals.winlog.event_id: 4798
        - equals.winlog.event_id: 5376
        - equals.winlog.event_id: 5377
        - equals.winlog.event_id: 4766
        #Audit DPAPI Activity
        - equals.winlog.event_id: 4692
        - equals.winlog.event_id: 4693
        - equals.winlog.event_id: 4694
        - equals.winlog.event_id: 4695
        #Audit PNP Activity
        - equals.winlog.event_id: 6416
        - equals.winlog.event_id: 6419
        - equals.winlog.event_id: 6420
        - equals.winlog.event_id: 6421
        - equals.winlog.event_id: 6422
        - equals.winlog.event_id: 6423
        - equals.winlog.event_id: 6424
        #Audit process creation and termination.
        - equals.winlog.event_id: 4688
        - equals.winlog.event_id: 4696
        - equals.winlog.event_id: 4689
        #Audit RPC
        - equals.winlog.event_id: 5712
        #Audit Detailed Directory Service Replication
        - equals.winlog.event_id: 4928
        - equals.winlog.event_id: 4929
        - equals.winlog.event_id: 4930
        - equals.winlog.event_id: 4931
        - equals.winlog.event_id: 4934
        - equals.winlog.event_id: 4935
        - equals.winlog.event_id: 4936
        - equals.winlog.event_id: 4937
        #Audit Directory Access
        - equals.winlog.event_id: 4661
        - equals.winlog.event_id: 4662
        #Audit Directory Service Changes
        - equals.winlog.event_id: 5136
        - equals.winlog.event_id: 5137
        - equals.winlog.event_id: 5138
        - equals.winlog.event_id: 5139
        - equals.winlog.event_id: 5141
        #Audit Directory Service Replication
        - equals.winlog.event_id: 4932
        - equals.winlog.event_id: 4933
        #Audit group membership
        - equals.winlog.event_id: 4627
        #Audit network policy server
        - equals.winlog.event_id: 6272
        - equals.winlog.event_id: 6273
        - equals.winlog.event_id: 6274
        - equals.winlog.event_id: 6275
        - equals.winlog.event_id: 6276
        - equals.winlog.event_id: 6277
        - equals.winlog.event_id: 6278
        - equals.winlog.event_id: 6279
        - equals.winlog.event_id: 6280
        #Audit other logon and logoff events
        - equals.winlog.event_id: 4649
        - equals.winlog.event_id: 4778
        - equals.winlog.event_id: 4779
        - equals.winlog.event_id: 4964
        - equals.winlog.event_id: 4672
        #Audit application generated
        - equals.winlog.event_id: 4665
        - equals.winlog.event_id: 4666
        - equals.winlog.event_id: 4667
        - equals.winlog.event_id: 4668
        #Audit certification services
        - equals.winlog.event_id: 4868
        - equals.winlog.event_id: 4869
        - equals.winlog.event_id: 4870
        - equals.winlog.event_id: 4871
        - equals.winlog.event_id: 4872
        - equals.winlog.event_id: 4873
        - equals.winlog.event_id: 4874
        - equals.winlog.event_id: 4875
        - equals.winlog.event_id: 4876
        - equals.winlog.event_id: 4877
        - equals.winlog.event_id: 4878
        - equals.winlog.event_id: 4879
        - equals.winlog.event_id: 4880
        - equals.winlog.event_id: 4881
        - equals.winlog.event_id: 4882
        - equals.winlog.event_id: 4883
        - equals.winlog.event_id: 4884
        - equals.winlog.event_id: 4885
        - equals.winlog.event_id: 4886
        - equals.winlog.event_id: 4887
        - equals.winlog.event_id: 4888
        - equals.winlog.event_id: 4889
        - equals.winlog.event_id: 4890
        - equals.winlog.event_id: 4891
        - equals.winlog.event_id: 4892
        - equals.winlog.event_id: 4893
        - equals.winlog.event_id: 4894
        - equals.winlog.event_id: 4895
        - equals.winlog.event_id: 4896
        - equals.winlog.event_id: 4897
        - equals.winlog.event_id: 4898
        #Audit file share
        - equals.winlog.event_id: 5140
        - equals.winlog.event_id: 5142
        - equals.winlog.event_id: 5143
        - equals.winlog.event_id: 5144
        - equals.winlog.event_id: 5145
        - equals.winlog.event_id: 5168
        #Audit file system
        - equals.winlog.event_id: 4656
        - equals.winlog.event_id: 4658
        - equals.winlog.event_id: 4660
        - equals.winlog.event_id: 4663
        - equals.winlog.event_id: 4664
        - equals.winlog.event_id: 4670
        - equals.winlog.event_id: 4985
        - equals.winlog.event_id: 5051
        #Audit filtering platform connection
        - equals.winlog.event_id: 5145
        - equals.winlog.event_id: 5156
        - equals.winlog.event_id: 5158
        - equals.winlog.event_id: 5031
        - equals.winlog.event_id: 5150
        - equals.winlog.event_id: 5151
        - equals.winlog.event_id: 5155
        - equals.winlog.event_id: 5157
        - equals.winlog.event_id: 5159
        #Audit handle manipulation
        - equals.winlog.event_id: 4658
        - equals.winlog.event_id: 4690
        #Audit kernel object
        - equals.winlog.event_id: 4656
        - equals.winlog.event_id: 4658
        - equals.winlog.event_id: 4660
        - equals.winlog.event_id: 4663
        #Audit other object access events
        - equals.winlog.event_id: 4671
        - equals.winlog.event_id: 4691
        - equals.winlog.event_id: 4698
        - equals.winlog.event_id: 4699
        - equals.winlog.event_id: 4700
        - equals.winlog.event_id: 4701
        - equals.winlog.event_id: 4702
        - equals.winlog.event_id: 5888
        - equals.winlog.event_id: 5889
        - equals.winlog.event_id: 5890
        - equals.winlog.event_id: 5148
        - equals.winlog.event_id: 5149
        #Audit registry
        - equals.winlog.event_id: 4663
        - equals.winlog.event_id: 4656
        - equals.winlog.event_id: 4658
        - equals.winlog.event_id: 4660
        - equals.winlog.event_id: 4657
        - equals.winlog.event_id: 5039
        - equals.winlog.event_id: 4670
        #Audit policy change
        - equals.winlog.event_id: 4818
        - equals.winlog.event_id: 4715
        - equals.winlog.event_id: 4719
        - equals.winlog.event_id: 4817
        - equals.winlog.event_id: 4902
        - equals.winlog.event_id: 4904
        - equals.winlog.event_id: 4905
        - equals.winlog.event_id: 4906
        - equals.winlog.event_id: 4908
        - equals.winlog.event_id: 4912
        #Audit authentication policy change
        - equals.winlog.event_id: 4670
        - equals.winlog.event_id: 4706
        - equals.winlog.event_id: 4707
        - equals.winlog.event_id: 4713
        - equals.winlog.event_id: 4716
        - equals.winlog.event_id: 4718
        - equals.winlog.event_id: 4739
        - equals.winlog.event_id: 4864
        - equals.winlog.event_id: 4865
        - equals.winlog.event_id: 4866
        - equals.winlog.event_id: 4867
        #Audit Kerberos
        - equals.winlog.event_id: 4768
        - equals.winlog.event_id: 4771
        - equals.winlog.event_id: 4772
        #Audit authorization policy change
        - equals.winlog.event_id: 4703
        - equals.winlog.event_id: 4704
        - equals.winlog.event_id: 4705
        - equals.winlog.event_id: 4670
        - equals.winlog.event_id: 4911
        - equals.winlog.event_id: 4913
        #Audit MPSSVC rule-level policy change
        - equals.winlog.event_id: 4944
        - equals.winlog.event_id: 4945
        - equals.winlog.event_id: 4946
        - equals.winlog.event_id: 4947
        - equals.winlog.event_id: 4948
        - equals.winlog.event_id: 4949
        - equals.winlog.event_id: 4950
        - equals.winlog.event_id: 4954
        - equals.winlog.event_id: 4956
        - equals.winlog.event_id: 4951
        - equals.winlog.event_id: 4952
        - equals.winlog.event_id: 4953
        - equals.winlog.event_id: 4957
        - equals.winlog.event_id: 4958
        #Audit other policy change events
        - equals.winlog.event_id: 4714
        - equals.winlog.event_id: 4819
        - equals.winlog.event_id: 4826
        - equals.winlog.event_id: 4909
        - equals.winlog.event_id: 4910
        - equals.winlog.event_id: 5063
        - equals.winlog.event_id: 5064
        - equals.winlog.event_id: 5065
        - equals.winlog.event_id: 5066
        - equals.winlog.event_id: 5067
        - equals.winlog.event_id: 5068
        - equals.winlog.event_id: 5069
        - equals.winlog.event_id: 5070
        - equals.winlog.event_id: 5447
        - equals.winlog.event_id: 6144
        - equals.winlog.event_id: 6145
        #Audit Privilege Use
        - equals.winlog.event_id: 4673
        - equals.winlog.event_id: 4674
        - equals.winlog.event_id: 4985
        #Audit other system events - Windows Firewall service, branchcache, key file operation
        - equals.winlog.event_id: 5024
        - equals.winlog.event_id: 5025
        - equals.winlog.event_id: 6400
        - equals.winlog.event_id: 6401
        - equals.winlog.event_id: 6402
        - equals.winlog.event_id: 6403
        - equals.winlog.event_id: 6404
        - equals.winlog.event_id: 6405
        - equals.winlog.event_id: 6406
        - equals.winlog.event_id: 6407
        - equals.winlog.event_id: 6408
        - equals.winlog.event_id: 6409
        - equals.winlog.event_id: 4673
        - equals.winlog.event_id: 4674
        - equals.winlog.event_id: 4985
        - equals.winlog.event_id: 5033
        - equals.winlog.event_id: 5034
        - equals.winlog.event_id: 5058
        - equals.winlog.event_id: 5059
        - equals.winlog.event_id: 5027
        - equals.winlog.event_id: 5028
        - equals.winlog.event_id: 5029
        - equals.winlog.event_id: 5030
        - equals.winlog.event_id: 5032
        - equals.winlog.event_id: 5035
        - equals.winlog.event_id: 5037
        #Audit Security system extension
        - equals.winlog.event_id: 4610
        - equals.winlog.event_id: 4611
        - equals.winlog.event_id: 4614
        - equals.winlog.event_id: 4622
        - equals.winlog.event_id: 4697
        #Audit system integrity
        - equals.winlog.event_id: 4612
        - equals.winlog.event_id: 4615
        - equals.winlog.event_id: 4618
        - equals.winlog.event_id: 4816
        - equals.winlog.event_id: 5056
        - equals.winlog.event_id: 5062
        - equals.winlog.event_id: 5061
        - equals.winlog.event_id: 5038
        - equals.winlog.event_id: 5057
        - equals.winlog.event_id: 5060
        - equals.winlog.event_id: 6281
        - equals.winlog.event_id: 6410
        #Audit other log related events
        - equals.winlog.event_id: 1102
        - equals.winlog.event_id: 1104
        - equals.winlog.event_id: 1105
        - equals.winlog.event_id: 1108
        #Audit SAM
        - equals.winlog.event_id: 4661
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
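&lt;p&gt;A whitelist like the one above only keeps what Windows actually writes to the Security channel, and most of these IDs appear only when their audit subcategory is enabled (4692 to 4695 need Audit DPAPI Activity, 6416 to 6424 need Audit PNP Activity, 4688 needs Audit Process Creation, and so on; object-access IDs such as 4656 and 4663 additionally need a SACL on the object). The Python script below is an added example, not code from the original post, Microsoft or Winlogbeat. It reads the CSV that auditpol /get /category:* /r prints on the host, maps whitelisted IDs to their subcategory through a small excerpt of the Microsoft reference this post is based on, and reports IDs that can never show up. The CSV sample, its GUIDs and the host name WS01 are constructed, and the ID table is an excerpt to extend from the reference, not the whole mapping.&lt;/p&gt;

```python
"""Cross-check a Winlogbeat Security-channel whitelist against the host's audit policy.

Added example for this post, not code from Winlogbeat, Microsoft or the original author.
The whitelist above only keeps events Windows actually writes, and most of those IDs are
produced only when their audit subcategory is enabled. This script reads the CSV printed by
'auditpol /get /category:* /r' and reports whitelisted IDs whose subcategory is 'No Auditing'.
"""
import csv
import io

# Event ID to audit subcategory, an excerpt of the Microsoft auditing reference the post is based on.
# Extend it as needed; IDs outside the table are reported as 'unmapped' rather than guessed.
SUBCATEGORY_OF = {}


def _map(subcategory, *ids):
    for eid in ids:
        SUBCATEGORY_OF[eid] = subcategory


_map("Process Creation", 4688, 4696)
_map("Process Termination", 4689)
_map("DPAPI Activity", 4692, 4693, 4694, 4695)
_map("Plug and Play Events", 6416, 6419, 6420, 6421, 6422, 6423, 6424)
_map("RPC Events", 5712)
_map("Credential Validation", 4774, 4775, 4776, 4777)
_map("Kerberos Authentication Service", 4768, 4771, 4772)
_map("User Account Management", 4720, 4722, 4723, 4724, 4725, 4726, 4738,
     4767, 4780, 4781, 4794, 4798, 5376, 5377)
_map("Security Group Management", 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735,
     4737, 4754, 4755, 4756, 4758, 4764, 4799)
_map("Directory Service Changes", 5136, 5137, 5138, 5139, 5141)
_map("Network Policy Server", *range(6272, 6281))
_map("MPSSVC Rule-Level Policy Change", *range(4944, 4959))
# 4656/4663 (file system, registry, kernel object) also need a SACL on the object; not modelled here.

# Constructed sample of 'auditpol /get /category:* /r' output; host name and GUIDs are placeholders.
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WS01,System,Process Creation,{00000000-0000-0000-0000-000000000001},Success and Failure,
WS01,System,Process Termination,{00000000-0000-0000-0000-000000000002},No Auditing,
WS01,System,DPAPI Activity,{00000000-0000-0000-0000-000000000003},No Auditing,
WS01,System,Plug and Play Events,{00000000-0000-0000-0000-000000000004},Success,
WS01,System,Credential Validation,{00000000-0000-0000-0000-000000000005},Success and Failure,
WS01,System,User Account Management,{00000000-0000-0000-0000-000000000006},Success,
"""

# Constructed subset of the whitelist above (the equals.winlog.event_id values).
WHITELIST = [4688, 4689, 4692, 4693, 6416, 4776, 4720, 1102, 4688]


def parse_auditpol_csv(text):
    """Return {subcategory: inclusion setting} from auditpol's report-format output."""
    settings = {}
    for row in csv.DictReader(io.StringIO(text)):
        settings[row["Subcategory"].strip()] = row["Inclusion Setting"].strip()
    return settings


def check_whitelist(event_ids, settings):
    """Sort whitelisted IDs into 'ok', 'not_audited' and 'unmapped' buckets.

    A subcategory missing from a full /category:* dump is treated like 'No Auditing'.
    """
    result = {"ok": [], "not_audited": [], "unmapped": []}
    for eid in sorted(set(event_ids)):
        sub = SUBCATEGORY_OF.get(eid)
        if sub is None:
            result["unmapped"].append(eid)
        elif settings.get(sub, "No Auditing") == "No Auditing":
            result["not_audited"].append(eid)
        else:
            result["ok"].append(eid)
    return result


if __name__ == "__main__":
    report = check_whitelist(WHITELIST, parse_auditpol_csv(SAMPLE_AUDITPOL_CSV))
    for bucket, ids in report.items():
        print("%-12s %s" % (bucket, ", ".join(str(i) for i in ids)))
```

&lt;p&gt;On a real host, run auditpol /get /category:* /r from an elevated prompt, redirect it to a file, and feed that file to parse_auditpol_csv together with the IDs pulled from the equals.winlog.event_id lines; anything in not_audited is a whitelist entry that costs nothing to keep but will never fire until the subcategory is turned on.&lt;/p&gt;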

&lt;blockquote&gt;
  &lt;p&gt;YMMV! Your mileage may vary.&lt;/p&gt;
&lt;/blockquote&gt;
</description>
        <pubDate>Fri, 05 Feb 2021 00:00:00 +0000</pubDate>
        <link>http://hannahsuarez.github.io/2021/Windows_10_Windows_Server_2016_Security_auditing_monitoring_reference/</link>
        <guid isPermaLink="true">http://hannahsuarez.github.io/2021/Windows_10_Windows_Server_2016_Security_auditing_monitoring_reference/</guid>
        
        
      </item>
    
  </channel>
</rss>
