The goal of this project is to gather all Security Event IDs in a JSON file and add connections to GPO settings. The end result allows you to filter on a each GPO setting and display all Event IDs produced by it. Additionally, tags were applied to each event ID per the advice of Microsoft or other security firms (See tags section for more informations).
You can find in the root folder :
- Categories folder which contains each Advanced Audit policy settings categories and Event IDs
- AdvancedSecurityEventIDs.json (Categories combined in one Json file)
- AdvancedSecurityEventIDs.csv (Json to Csv)
You can divide or combine Json files using the scripts in the Scripts folder.
Below the descriptions of each tag and the source of the recommendation :
- JSCU-NL = All events from https://github.com/JSCU-NL/logging-essentials/blob/main/WindowsEventLogging.adoc based on multiple sources (https://github.com/JSCU-NL/logging-essentials#sources--additional-links)
- SRV-ETM = From Events to Monitor recommandation by Microsoft
- YAMATO = Each event with rules or Not Yet from Yamato repositories
- MDE = All events from Olaf Hartung defender analysis post
- ANSSI = From ANSSI-FR selection
- MDI = From MDI
- SENTINEL = From sentinel/windows-security-event-id-reference
- ADSECURITY = From AD Security blog
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
- https://ela.st/tjs-winevt-auditing
- https://github.com/JSCU-NL/logging-essentials
- https://github.com/mdecrevoisier/Splunk-input-windows-baseline/blob/main/splunk-windows-input/win_input.conf
Contributions are what make the open source community such an amazing place to be learn, inspire, and create. Any contributions you make are greatly appreciated.
This project is open source and available under the MIT License.