When it comes to securing Windows systems, it doesn’t matter whether you harden a Domain Controller, a server system or a client – they all have one thing in common:
Microsoft provides security baselines that define which security settings should be applied to each kind of system.
Among other things, these baselines include audit policy recommendations.
I often work with customers who just started building their Security Operations Center (SOC). Many customers are confused by the variety of Windows Events: which events should be monitored? Which events will be generated when a specific baseline is applied?
Writing down every event together with monitoring recommendations would be a huge effort. That’s why I automated it and created EventList – I hope it helps you, too!
To use EventList, Excel must be installed. Enable macros to use its functionality.
All baselines that EventList should import must be downloaded, extracted and placed under C:\tmp\.
When opening the EventList file, the ‘Import Baselines’ tab will be shown first.
1. Import Baselines
When the Import Baselines button is pressed, all baselines located under C:\tmp are imported. This step is mandatory if you want to generate EventLists for baselines.
2. Generate EventList
Use the drop-down to choose the baseline for which you’d like to see all the corresponding events and click on Generate EventList for a baseline.
3. Review your Events
When a new EventList has been generated for the baseline selected in the drop-down, a new tab named after that baseline appears.
When you open the tab, you see all the information about the events that can be generated once this baseline is configured on your systems.
You’ll see the event ID, along with a link to more information about that specific event.
4. Delete baselines or generated tables
If you want to delete a single imported baseline, select its name from the drop-down and press Delete a single baseline. The baseline and the corresponding generated table will be removed from EventList.
If you just want to delete a generated table sheet, press Delete a generated table. The corresponding baseline will remain.
5. Delete all imported data
If you’re done and want to start over with fresh data, press Delete all imported baselines. This removes all imported baselines and all generated tables.
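To make the baseline-to-event mapping behind steps 1 to 3 concrete, here is an added example (my own illustration, not code from EventList): it reads the advanced audit policy (audit.csv) that a baseline's GPO backup carries, decodes which outcomes each subcategory audits, and lists the event IDs a SOC should then expect. The subcategory-to-event table is a deliberately abridged excerpt, the CSV excerpt is constructed, and the documentation URL pattern is assumed.

```python
import csv
import io

# Abridged subcategory -> (event ID, audited outcome) table. Only a few entries per
# subcategory are listed; this is an assumed excerpt, not the complete reference table.
EVENTS_BY_SUBCATEGORY = {
    "Audit Logon": [(4624, "Success"), (4625, "Failure"), (4648, "Success")],
    "Audit Logoff": [(4634, "Success"), (4647, "Success")],
    "Audit Process Creation": [(4688, "Success"), (4696, "Success")],
    "Audit User Account Management": [(4720, "Success"), (4726, "Success"), (4740, "Success")],
    "Audit Security Group Management": [(4728, "Success"), (4732, "Success"), (4756, "Success")],
}

# Constructed excerpt of an audit.csv in the format "auditpol /backup" writes and the
# baseline GPO backups ship (Machine\microsoft\windows nt\Audit\audit.csv).
SAMPLE_AUDIT_CSV = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
,System,Audit Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,,3
,System,Audit Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success,,1
,System,Audit Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},Success,,1
,System,Audit User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030},No Auditing,,0
,System,Audit Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},Failure,,2
"""


def enabled_outcomes(setting_value: str) -> set:
    """Decode the numeric Setting Value column: bit 0 = Success, bit 1 = Failure."""
    value = int(setting_value)
    return {name for bit, name in ((1, "Success"), (2, "Failure")) if value & bit}


def doc_url(event_id: int) -> str:
    """Per-event page of Microsoft's auditing reference (URL pattern assumed)."""
    return f"https://learn.microsoft.com/windows/security/threat-protection/auditing/event-{event_id}"


def expected_events(audit_csv_text: str) -> list:
    """Return the events to expect once this audit policy is applied, sorted by event ID."""
    rows = []
    for row in csv.DictReader(io.StringIO(audit_csv_text)):
        outcomes = enabled_outcomes(row["Setting Value"])
        for event_id, outcome in EVENTS_BY_SUBCATEGORY.get(row["Subcategory"], []):
            if outcome in outcomes:  # an event is only produced if its outcome is audited
                rows.append({"event_id": event_id, "subcategory": row["Subcategory"],
                             "outcome": outcome, "doc": doc_url(event_id)})
    return sorted(rows, key=lambda r: r["event_id"])


if __name__ == "__main__":
    for r in expected_events(SAMPLE_AUDIT_CSV):
        print(f'{r["event_id"]}  {r["outcome"]:8}  {r["subcategory"]}  {r["doc"]}')
```

Note that "Audit Security Group Management" yields nothing here although it is enabled: the sample audits Failure only, while the listed group-management events are Success events, which is exactly the kind of gap a generated EventList makes visible.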
Where can I download EventList?
EventList can be downloaded from my GitHub repository: miriamxyra\EventList
Where to get those Microsoft Security Baselines?
The Microsoft Security Baselines are part of the Security Compliance Toolkit, which can be downloaded here: Security Compliance Toolkit
Where can I find more information on those events?
- There’s a really good Word document published on Advanced Audit Setting events: Windows 10 and Windows Server 2016 security auditing and monitoring reference
- The Advanced security auditing FAQ provides similarly good information, but published as web content