Optimizing Windows Security Audit Settings
When I first started my journey in cybersecurity, I was tasked with creating an environment and simulating primitive examples of cyberattacks to trigger rules on a SIEM. After setting everything up and running some tests, I quickly realized that I didn’t have the necessary logs to build the required rules. This presented a challenge for me, and so my journey began.
I was already familiar with Sysmon, and there’s a great project by Olaf Hartong called Sysmon Modular (https://github.com/olafhartong/sysmon-modular), a comprehensive Sysmon configuration repository that I began working with. However, at one point, I started thinking — what about native Windows logging?
There is a wealth of information available in the Microsoft documentation (https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-audit-policy-settings), and there’s also a very useful project created by Michel de Crevoisier (https://github.com/mdecrevoisier/Windows-auditing-baseline). Inspired by Michel’s work, I rebuilt his provided Excel file with some custom settings based on my own experience and research. I also added the Sigma rules and a brief description for each event.
To always get the current number of available Sigma rules for each Event ID and categorize them by severity level, I recommend using the Hayabusa tool (https://github.com/Yamato-Security/hayabusa) along with a custom script available on my GitHub project page (https://github.com/celeroon/win-audit-policy-settings).
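As an added illustration, not the script from the author's repository (which relies on Hayabusa), here is a stand-alone Python tally of Sigma rules per Event ID and severity level. It uses a deliberately minimal line-based extractor for the `EventID` and `level` fields instead of a full YAML parser, and the two rule snippets are constructed for the example.

```python
import re
from collections import Counter, defaultdict
# Constructed Sigma-style rule snippets (not real rules from the Sigma project), embedded
# so the block runs offline; in practice read each *.yml file from a rules directory instead.
SAMPLE_RULES = [
"""detection:
    selection:
        EventID: 4688
    condition: selection
level: medium
""",
"""detection:
    selection:
        EventID:
            - 4624
            - 4625
    condition: selection
level: high
""",
]

def event_ids(rule_text):
    # Set of Event IDs a rule selects on, accepting scalar ("EventID: 4688") or YAML list form.
    ids, lines = set(), rule_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)EventID:\s*(\d+)?\s*$", line)
        if not m:
            continue
        if m.group(2):
            ids.add(int(m.group(2)))
            continue
        indent = len(m.group(1))  # list form: "- 4624" items indented deeper than the key
        for nxt in lines[i + 1:]:
            lm = re.match(r"^(\s*)-\s*(\d+)\s*$", nxt)
            if not lm or len(lm.group(1)) <= indent:
                break
            ids.add(int(lm.group(2)))
    return ids
def rule_level(rule_text):
    # Sigma 'level' field (informational/low/medium/high/critical); 'unknown' if absent.
    m = re.search(r"^level:\s*(\w+)\s*$", rule_text, re.MULTILINE)
    return m.group(1).lower() if m else "unknown"
def count_rules_by_event_id(rule_texts):
    # Event ID -> Counter of severity levels: the detection coverage each audited Event ID buys.
    counts = defaultdict(Counter)
    for text in rule_texts:
        for eid in event_ids(text):
            counts[eid][rule_level(text)] += 1
    return counts
```

Run `count_rules_by_event_id` over the rule files you actually deploy to see which Event IDs (and therefore which audit subcategories) carry the most high-severity coverage.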
I also want to highlight that Hayabusa is a powerful tool for Windows log forensics and threat hunting. If you’re interested in this field, it’s worth investing some time to learn about it. In my case, it has been very valuable for keeping Sigma rules updated (Hayabusa also creates its own rules, which are useful and frequently updated).
The suggestions in this project are based on my research from Microsoft documentation and other sources. You can access the Excel sheet by visiting the project GitHub page or directly through OneDrive at https://1drv.ms/x/s!Aq8mUjPGWpnIjfhczbceN-J1qHXdKQ?e=cGaksE