Asi configuring-windows-event-logging-for-detection
install
source · Clone the upstream repo
git clone https://github.com/plurigrid/asi
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/asi/skills/configuring-windows-event-logging-for-detection" ~/.claude/skills/plurigrid-asi-configuring-windows-event-logging-for-detection && rm -rf "$T"
manifest:
plugins/asi/skills/configuring-windows-event-logging-for-detection/SKILL.mdsource content
Configuring Windows Event Logging for Detection
When to Use
Use this skill when:
- Configuring Windows Advanced Audit Policy for security monitoring
- Enabling process creation auditing with command line logging (Event 4688)
- Setting up logon/logoff auditing for authentication monitoring
- Sizing event log storage and forwarding to SIEM platforms
Do not use for Sysmon configuration (separate skill) or Linux audit logging.
Prerequisites
- Windows Server or Windows 10/11 systems with Group Policy management access
- Active Directory environment with Group Policy Object (GPO) creation privileges
- SIEM platform configured to receive Windows Event Log forwarding
- Understanding of Windows security event IDs and audit categories
Workflow
Step 1: Configure Advanced Audit Policy via GPO
Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies Recommended settings: Account Logon: - Audit Credential Validation: Success, Failure - Audit Kerberos Authentication: Success, Failure Account Management: - Audit Security Group Management: Success - Audit User Account Management: Success, Failure Logon/Logoff: - Audit Logon: Success, Failure - Audit Logoff: Success - Audit Special Logon: Success - Audit Other Logon/Logoff Events: Success, Failure Object Access: - Audit File Share: Success, Failure - Audit Removable Storage: Success, Failure - Audit SAM: Success Policy Change: - Audit Audit Policy Change: Success, Failure - Audit Authentication Policy Change: Success Privilege Use: - Audit Sensitive Privilege Use: Success, Failure Detailed Tracking: - Audit Process Creation: Success - Audit DPAPI Activity: Success, Failure
Step 2: Enable Command Line in Process Creation Events
# Registry: Enable command line logging in Event 4688 New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" ` -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -PropertyType DWORD -Force # GPO: Computer Configuration → Administrative Templates → System → Audit Process Creation # "Include command line in process creation events" → Enabled
Step 3: Configure Event Log Sizes
# Increase Security log to 1 GB (default 20 MB is insufficient) wevtutil sl Security /ms:1073741824 # Increase PowerShell Operational log wevtutil sl "Microsoft-Windows-PowerShell/Operational" /ms:536870912 # Set log retention to overwrite as needed wevtutil sl Security /rt:false # Configure via GPO: # Computer Configuration → Administrative Templates → Windows Components # → Event Log Service → Security # Maximum log file size (KB): 1048576
Step 4: Configure Windows Event Forwarding (WEF)
# On collector server: wecutil qc /q # Create subscription for high-value events: # Event IDs: 4624 (logon), 4625 (failed logon), 4688 (process create), # 4672 (special privilege), 4720 (user created), 4728 (group membership), # 7045 (service installed), 1102 (log cleared) # On source endpoints (GPO): # Configure WinRM: winrm quickconfig # Configure event forwarding: Computer Configuration → Admin Templates # → Windows Components → Event Forwarding # Configure target Subscription Manager: Server=http://collector:5985/wsman/SubscriptionManager/WEC
Step 5: Key Event IDs for Detection
Authentication Events: 4624 - Successful logon (Type 2=Interactive, 3=Network, 10=RemoteInteractive) 4625 - Failed logon attempt 4648 - Logon using explicit credentials (RunAs, pass-the-hash indicator) 4672 - Special privileges assigned (admin logon) 4776 - NTLM credential validation Process Events: 4688 - Process creation (with command line if enabled) 4689 - Process termination Account Events: 4720 - User account created 4722 - User account enabled 4724 - Password reset attempted 4728 - Member added to security group 4732 - Member added to local group 4756 - Member added to universal group Service/System Events: 7045 - New service installed (persistence indicator) 1102 - Audit log cleared (evidence tampering) 4697 - Service installed in the system Lateral Movement Indicators: 4648 + 4624(Type 3) - Credential-based lateral movement 5140 - Network share accessed 5145 - Network share access check (detailed file share)
Key Concepts
| Term | Definition |
|---|---|
| Advanced Audit Policy | Granular audit subcategories (58 subcategories vs. 9 basic categories) |
| Event ID 4688 | Process creation event; essential for tracking execution on endpoints |
| WEF | Windows Event Forwarding; centralized log collection without third-party agents |
| Logon Type | Numeric code indicating authentication method (2=interactive, 3=network, 10=RDP) |
Tools & Systems
- Windows Event Forwarding (WEF): Built-in centralized log collection
- NXLog: Open-source log forwarding agent for Windows events
- Winlogbeat: Elastic Agent for shipping Windows event logs to Elasticsearch
- Palantir WEF Configuration: Open-source WEF subscription templates
Common Pitfalls
- Using basic audit policy instead of advanced: Basic and advanced audit policies conflict. Always use advanced audit policy exclusively.
- Default log size too small: 20 MB Security log fills in minutes on busy servers. Set minimum 1 GB.
- Missing command line logging: Event 4688 without command line content has minimal detection value. Always enable ProcessCreationIncludeCmdLine_Enabled.
- Not forwarding logs: Local event logs are lost when endpoints are wiped by ransomware. Forward to centralized SIEM immediately.