Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/qbrusa/Windows-Security-Event-ID-Helper
This repository provides a JSON file for all Windows Security Event IDs with lots of useful information (Categories, GPO, Volume, Recommendations).
- Host: GitHub
- URL: https://github.com/qbrusa/Windows-Security-Event-ID-Helper
- Owner: qbrusa
- License: mit
- Created: 2023-01-19T21:30:50.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2023-03-02T22:42:07.000Z (almost 2 years ago)
- Last Synced: 2024-08-04T02:07:50.754Z (5 months ago)
- Topics: audit, eventid, events, logging, security, windows
- Language: PowerShell
- Homepage:
- Size: 185 KB
- Stars: 8
- Watchers: 3
- Forks: 1
- Open Issues: 4
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-event-ids - Windows Security Event ID Helper - [_Work in progress_] Will allow you to filter on each GPO setting and display all Event IDs produced by it. (Resources / Event ID analysis)
README
# Windows Security Event ID Helper
The goal of this project is to gather all Security Event IDs in a JSON file and add connections to GPO settings. The end result allows you to filter on each GPO setting and display all Event IDs produced by it. Additionally, tags were applied to each Event ID per the advice of Microsoft or other security firms (see the Tags section for more information).
# Files
In the root folder you can find:
- The [Categories](Categories) folder, which contains one file per Advanced Audit Policy setting category with its Event IDs
- [AdvancedSecurityEventIDs.json](AdvancedSecurityEventIDs.json) (all categories combined in one JSON file)
- [AdvancedSecurityEventIDs.csv](AdvancedSecurityEventIDs.csv) (the JSON converted to CSV)
# Scripts
You can divide or combine the JSON files using the scripts in the [Scripts](Scripts) folder.
# Tags
Below are the descriptions of each tag and the source of its recommendation:
- JSCU-NL = All events from https://github.com/JSCU-NL/logging-essentials/blob/main/WindowsEventLogging.adoc, based on multiple sources (https://github.com/JSCU-NL/logging-essentials#sources--additional-links)
- SRV-ETM = From [Events to Monitor recommendation by Microsoft](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor)
- YAMATO = Each event that has rules or is marked "Not Yet" in the [Yamato repository](https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/main/ConfiguringSecurityLogAuditPolicies.md)
- MDE = All events from Olaf Hartong's [Defender analysis post](https://medium.com/falconforce/microsoft-defender-for-endpoint-internals-0x02-audit-settings-and-telemetry-1d0af3ebfb27)
- ANSSI = From [ANSSI-FR selection](https://github.com/ANSSI-FR/guide-journalisation-microsoft/blob/main/Standard_WEC_query.xml)
- MDI = From [MDI](https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection)
- SENTINEL = From [sentinel/windows-security-event-id-reference](https://learn.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference)
- ADSECURITY = From [AD Security blog](https://adsecurity.org/?p=3299)
# Sources to build this project
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
- https://ela.st/tjs-winevt-auditing
- https://github.com/JSCU-NL/logging-essentials
- https://github.com/mdecrevoisier/Splunk-input-windows-baseline/blob/main/splunk-windows-input/win_input.conf
# 🍰 Contributing
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are **greatly appreciated**.
# License
This project is open source and available under the [MIT License](LICENSE).