Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mdecrevoisier/Microsoft-eventlog-mindmap

Set of Mindmaps providing a detailed overview of the different #Microsoft auditing capacities for Windows, Exchange, Azure,...
https://github.com/mdecrevoisier/Microsoft-eventlog-mindmap

active-directory azure evtx exchange incident-response mindmap windows

Last synced: about 2 months ago
JSON representation

Set of Mindmaps providing a detailed overview of the different #Microsoft auditing capacities for Windows, Exchange, Azure,...

Host: GitHub
URL: https://github.com/mdecrevoisier/Microsoft-eventlog-mindmap
Owner: mdecrevoisier
License: bsd-2-clause
Created: 2021-08-27T12:43:55.000Z (over 3 years ago)
Default Branch: main
Last Pushed: 2024-05-01T20:40:47.000Z (9 months ago)
Last Synced: 2024-05-23T07:52:48.980Z (8 months ago)
Topics: active-directory, azure, evtx, exchange, incident-response, mindmap, windows
Homepage:
Size: 129 MB
Stars: 983
Watchers: 48
Forks: 180
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

awesome-event-ids - Windows Auditing Mindmap - Set of Mindmaps providing a detailed overview of the different Windows auditing capacities and event log files. (Resources / Event ID configuration and monitoring suggestions)
awesome-hacking-lists - mdecrevoisier/Microsoft-eventlog-mindmap - Set of Mindmaps providing a detailed overview of the different #Microsoft auditing capacities for Windows, Exchange, Azure,... (Others)

README

# Microsoft-eventlog-mindmap

## Project purpose
**Microsoft eventlog mindmap** provides an overview on well-known Microsoft products and solutions, as well as their auditing capacities. It enables defenders to enhance visibility on monitored environments for purposes like:
* Log collection (eg: into a SIEM)
* Threat hunting
* Incident response
* Forensic
* Troubleshooting

## Active mindmaps
The following mindmaps are currently provided (PDF/PNG/SVG formats):
* Windows OS auditing baseline
* Windows Server roles auditing (includes SQL Server and Advanced Threat Analytics)
* Active Directory (ADDS) auditing
* Exchange Server 2016/2019 auditing
* Exchange email forwarding hunting

# Windows OS event logs
This map provides an overview of the native Event logs shipped in Windows OS. They are classified into different categories (network, security, application,...) and their related auditing settings.
![](/windows-auditing-baseline-map/windows-auditing-baseline-map.png)

# Windows Server roles event logs
This map provides an overview of the different Event logs and auditing capacities provided by Windows Server roles (ADCS, DHCP, DNS, OCSP, IIS, NPS, ADFS, MSSQL, RDS...).
![](/windows-server-roles-map/windows-server-roles-map.png)

# Active Directory event logs
This map provides an overview of the different Event logs and auditing capacities provided by Active Directory (ADDS) role.
![](/active-directory-map/active-directory-map.png)

# Exchange Server 2016/2019 event logs
This map provides an overview of the different data sources provided by Exchange Server.
![](/exchange-server-map/exchange-server-map.png)

# Exchange email rule hunting
This map provides an overview of the different hunting capacities regarding Exchange email compromise rules abused in BEC attacks.
![](/exchange-email-compromise-map/exchange-email-compromise.png)