SIEM, Winlogbeat and Windows Auditing

I'm testing the SIEM solution along with Winlogbeat to send event logs and sysmon logs.

When viewing the premade alerts, dashboards and more, I feel like certain events should be there but do not show. For example, starting powershell and executing cmd.exe and then starting tasklist. These should create at least two alerts according to the configured alerts, and even when using the query to search for all instances of powershell processes I can't seem to find any.

I am guessing this is because of the current audit policy on the machine not being configured to audit the specific things needed.

So this leads me to the question, how should Windows Auditing be configured to make best use of the platform?


Hi Elvar,

In the System or Application event logs you won't find such information out of the box.
You need to configure Sysmon for this information.
https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-module-sysmon.html
With Sysmon on board and the module configured in winlogbeat.yml, you will get the information into Elasticsearch.

I hope that helps.
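As an added example (not code from either post above, and not part of Winlogbeat or Elastic's documentation), the PowerShell below covers both halves of this thread: the audit policy the question asks about, and the Sysmon events the reply points to. It enables Process Creation auditing (Event ID 4688) with the full command line, enables PowerShell script block logging, reproduces the powershell -> cmd.exe -> tasklist chain from the question, and then reads back the matching 4688 and Sysmon Event ID 1 records from the local logs so you can confirm the events exist before looking at shipping or alert rules. Assumptions: an elevated PowerShell prompt on the host that runs Winlogbeat, Sysmon installed with ProcessCreate logging enabled (its default), and the helper function name ConvertTo-EventDataHashtable is my own, not a built-in cmdlet.

```powershell
# Added example, not code from the original thread.
# Assumes: elevated PowerShell on the Winlogbeat host; Sysmon installed and
# logging ProcessCreate (Event ID 1) to Microsoft-Windows-Sysmon/Operational.

# --- 1. Security log: audit Process Creation (Event ID 4688). ---
# The subcategory is addressed by GUID so the command works regardless of UI language.
$procCreateGuid = '{0CCE922B-69AE-11D9-BED3-505054503030}'
& auditpol.exe /set "/subcategory:$procCreateGuid" /success:enable /failure:enable

# --- 2. Put the full command line into 4688 events. ---
# Same registry value as the GPO "Include command line in process creation events".
# Without it a 4688 only shows the image path, so "tasklist" never appears in the event.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# --- 3. PowerShell script block logging (Event ID 4104, Microsoft-Windows-PowerShell/Operational). ---
# Records what powershell.exe executed, not only that it started.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sblKey)) { New-Item -Path $sblKey -Force | Out-Null }
Set-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# --- 4. Reproduce the chain from the question: powershell.exe -> cmd.exe -> tasklist.exe ---
$since = Get-Date
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c tasklist' -Wait -WindowStyle Hidden

# Helper (my own name, not a built-in cmdlet): flattens an event's
# <EventData><Data Name="..."> elements into a hashtable, which is far easier
# to filter on than the localized free-text Message property.
function ConvertTo-EventDataHashtable {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    return $data
}

# --- 5. Confirm the events exist locally before blaming Winlogbeat or the SIEM rules. ---
# Security 4688: NewProcessName and CommandLine are populated by steps 1 and 2.
# ParentProcessName is only present on Windows 10 / Server 2016 and later.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventDataHashtable $_
        [pscustomobject]@{
            Time = $_.TimeCreated; Source = '4688'
            Image = $d.NewProcessName; Parent = $d.ParentProcessName; CommandLine = $d.CommandLine
        }
    } |
    Where-Object { $_.Image -match '\\(cmd|tasklist)\.exe$' }

# Sysmon ProcessCreate (Event ID 1) for the same chain. This is the channel the
# Winlogbeat sysmon module reads; Image/ParentImage/CommandLine are Sysmon field names.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventDataHashtable $_
        [pscustomobject]@{
            Time = $_.TimeCreated; Source = 'Sysmon1'
            Image = $d.Image; Parent = $d.ParentImage; CommandLine = $d.CommandLine
        }
    } |
    Where-Object { $_.Image -match '\\(cmd|tasklist)\.exe$' }

# --- 6. Show the effective policy, to compare with what the GPO is supposed to push. ---
& auditpol.exe /get "/subcategory:$procCreateGuid"
```

If step 5 returns cmd.exe and tasklist.exe rows from both queries, auditing is working and the gap is downstream: Winlogbeat must be configured to read both the Security channel (for 4688) and Microsoft-Windows-Sysmon/Operational (for the Sysmon module), and the premade alerts only fire on whichever field names their queries were written against. If step 5 returns nothing, the host is not producing the events yet, and no amount of SIEM tuning will help; note that a GPO applied to the machine will overwrite the local auditpol and registry settings above at the next refresh, so the same settings need to be pushed through the domain policy for anything beyond a test box.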