[German]How to configure the event viewer in Windows so that it can be used for audits and security monitoring. Someone has written a PowerShell tool for this purpose.
Advertising
I came across this approach through the following tweet by security researcher Nicolas Krassas.
Audix – A PowerShell Tool To Quickly Configure The Windows Event Audit Policies For Security Monitoring https://t.co/Edsny9xkZf
— Nicolas Krassas (@Dinosn) April 12, 2020
Windows audit policies are restricted by default. This means that for Incident Responders, Blue Teamers, CISO's & people who want to monitor their environment using Windows event logs, the audit policy settings must be configured to enable advanced logging.
The PowerShell tool Audix aims to capture the current audit policy setting, perform a backup of it (in case a restore to previous state is required) and apply an advanced audit policy setting to enable better security monitoring with improved detection capability.
In addition, it will enforce audit policy subcategories to ensure that these advanced settings are maintained. There is also a setting to adjust the log size limit. The whole thing is available for free on GitHub. Maybe this information will be helpful to one of you.
Advertising
