sysmon-config icon indicating copy to clipboard operation
sysmon-config copied to clipboard
verified publisher icon SwiftOnSecurity

Where are Windows Event ID???

Open piExpr opened this issue 1 year ago • 1 comments

Started logging events and modifying config. All these events are Sysmon event IDs. Is there proper configuration to use to include Windows actual Event IDs instead of Sysmon? My use cases for SIEM search are trigger alerts based on Windows Event IDs not Sysmon's own version of Eevent ID like 1, 2, 3, 4, 5,11... etc. I'm in need of collecting actual events that are windows generated Event IDs.

Am I the only one asking this or has there been a thread about this?

piExpr avatar Jun 25 '24 12:06 piExpr

Sysmon is designed for enhanced Windows auditing. It is separate from the built-in Windows auditing.

Read more about Sysmon here:

https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#introduction

You can view how to enable auditing for specific Windows Event IDs:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-audit-policy-settings

mundolicki avatar Aug 13 '24 23:08 mundolicki