Configure Windows Event Viewer for audits and security monitoring using the PowerShell tool

[German]How to configure the event viewer in Windows so that it can be used for audits and security monitoring. Someone has written a PowerShell tool for this purpose.


Advertising

I came across this approach through the following tweet by security researcher Nicolas Krassas.

Windows audit policies are restricted by default. This means that for Incident Responders, Blue Teamers, CISO’s & people who want to monitor their environment using Windows event logs, the audit policy settings must be configured to enable advanced logging.

The PowerShell tool Audix aims to capture the current audit policy setting, perform a backup of it (in case a restore to previous state is required) and apply an advanced audit policy setting to enable better security monitoring with improved detection capability.

In addition, it will enforce audit policy subcategories to ensure that these advanced settings are maintained. There is also a setting to adjust the log size limit. The whole thing is available for free on GitHub. Maybe this information will be helpful to one of you.


Advertising


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *