Awesome Event IDs
In incidents, analysts are often faced with the problem of interpreting unknown event IDs. The event itself does not always contain the desired information. In addition, it is impossible to remember them all, given the huge number of event IDs and log sources.
Contents
- Event ID databases
- Event ID documentation
- Event ID configuration and monitoring suggestions
- Event ID analysis
Resources
Event ID databases
- EventID.net – Database
- MyEventlog.com – Database
- EventTracker Knowledgebase – Database
Event ID documentation
- Kaspersky Security for Microsoft Exchange – Official resource
- Microsoft Defender Antivirus – Official resource
- Microsoft Windows Security Auditing – Official resource
- Microsoft Windows Security Auditing by Randy Franklin Smith – Better known as Ultimate Windows Security
- Notable Event IDs – Collection of common event IDs with descriptions
- Sysmon – Official resource
Event ID configuration and monitoring suggestions
- General
  - SIEM Tactics, Techniques, and Procedures – Comprehensive SIEM resources by TonyPhipps
- PowerShell
- Security Auditing
  - Command line process auditing – Enable 4688 with the process command line included
  - Events to monitor – Official resource
  - Monitoring guidance – Event monitoring guidance from the JSCU (Joint SIGINT Cyber Unit) of the Netherlands, with volume estimates and WEC/WEF configurations
  - Malware Archeology Windows Logging Cheat Sheet
  - Malware Archeology Advanced Windows Logging Cheat Sheet
  - Malware Archeology Splunk Logging Cheat Sheet – Specific exclusions to avoid noise generated by the Splunk Universal Forwarder agent
  - Malware Archeology File Auditing Cheat Sheet
  - Malware Archeology Registry Auditing Cheat Sheet
  - Malware Archeology ATT&CK Logging Cheat Sheet – From 2018
  - US NSA Spotting the Adversary with Windows Event Log Monitoring – Covers quite a lot of ground
  - US NSA Event Forwarding Guidance – Companion repository with WEF configurations, scripts to configure WEF, and WEF subscriptions in XML format
  - UK NCSC – Logging Made Easy WEC (Windows Event Collection) configuration file
  - Windows Security Monitoring – Policy & Event IDs – Spreadsheet with recommendations sorted by system function
  - EventID Policy Map – Spreadsheet with a policy map as well as a reference collection
- Sysmon
  - Configuration by SwiftOnSecurity – Configuration file template with default high-quality event tracing
  - Fork of SwiftOnSecurity by Neo23x0 Florian ROTH – Same as above, with all PRs applied
  - Configuration by olafhartong – A repository of Sysmon configuration modules
  - Malware Archeology Sysmon Logging Cheat Sheet
Event ID analysis
- General
  - EVTX Attack Samples – EVTX samples recorded during attack simulations, by sbousseaden
  - Tool Analysis Result Sheet – Logs analyzed after tool execution, by JPCERT
  - EvtxECmd Map Repository – Maps used by Eric Zimmerman's EvtxECmd; each map documents an event ID with examples, lookup tables, and the important values that EvtxECmd parses from that event
- RDP
  - RDP Logon / Logoff events 1 – RDP event chain, by Jonathon Poling
  - RDP Logon / Logoff events 2 – RDP deep dive on event 1149, by Mike Cary
Contributing
This repo is dedicated to everything that has an event ID and the knowledge about it. Before submitting a PR, please ask yourself whether it really fits this scope. In particular, please do not contribute tools, as these are already comprehensively summarized in the following great repositories.