Windows-Event-Log-Monitoring
This lab outlines the basics of using Sysmon, Windows Event Viewer, and PowerShell scripts to monitor and analyze Windows Event Logs for security incidents.
Tools
- Sysmon for detailed logging of system activities.
- Windows Event Viewer for visualizing and analyzing event logs.
- PowerShell scripts for querying and processing event logs.
Monitoring with Sysmon
Sysmon (System Monitor) is a Windows system service and device driver that logs system activity to the Windows Event Log. The following are basic Sysmon queries in PowerShell, using the Get-WinEvent cmdlet, that can be used to monitor and analyze activity on Windows systems where Sysmon is installed and configured.
1. List All Sysmon Events

2. List All Network Connection Events

3. List All Process Creation Events

4. List Events for New Files Created

5. List Events for File Modifications

6. Monitor for Remote Thread Creation

7. Monitor for Changes to the Registry

8. List Failed Logon Attempts

9. List Successful Logon Events

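The following script is an added example, not part of the original lab, showing how the Get-WinEvent queries above can be turned into reusable functions: it parses Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) events from the Microsoft-Windows-Sysmon/Operational log and summarizes failed logons (Security Event ID 4625). The function names and the 24-hour default window are assumptions; reading the Security log requires an elevated session.

```powershell
# Added example (not from the original lab). Assumes Sysmon is installed and the
# session is elevated so the Security log is readable.
$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'

function Get-SysmonEventData {
    # Turn an event's XML EventData into a hashtable keyed by field name.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Get-RecentProcessCreations {
    # Sysmon ID 1: who started what, with the full command line and parent image.
    param([int]$Hours = 24)
    $filter = @{ LogName = $SysmonLog; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-SysmonEventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $d['User']
            Image       = $d['Image']
            CommandLine = $d['CommandLine']
            ParentImage = $d['ParentImage']
        }
    }
}

function Get-NetworkConnectionSummary {
    # Sysmon ID 3: count connections per (image, destination IP:port) pair.
    param([int]$Hours = 24)
    $filter = @{ LogName = $SysmonLog; Id = 3; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { Get-SysmonEventData $_ } |
        Group-Object { "$($_['Image']) -> $($_['DestinationIp']):$($_['DestinationPort'])" } |
        Sort-Object Count -Descending | Select-Object Count, Name
}

function Get-FailedLogonSummary {
    # Security 4625: failed logons grouped by target account; many failures against
    # one account in a short window is worth a closer look.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
    } | Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
}

Get-RecentProcessCreations -Hours 1 | Select-Object -First 10 | Format-Table -AutoSize
Get-NetworkConnectionSummary -Hours 1 | Select-Object -First 10
Get-FailedLogonSummary | Select-Object -First 10
```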
Monitoring with Windows Event Viewer
1. Monitor Failed Login Attempts

2. Monitor Successful Logins

3. Look for Special Privileges Assigned to New Logon

Monitoring with PowerShell Scripts
1. Monitor Failed Login Attempts

2. Monitor Successful Logins

3. Monitor New Process Creation Events
