SIEM, Winlogbeat and Windows Auditing

elvarb · May 27, 2020, 2:04pm

I'm testing the SIEM solution along with Winlogbeat to send event logs and sysmon logs.

When viewing the premade alerts, dashboards and more I feel like certain events should be there but do not show. For example starting powershell and executing cmd.exe and then starting tasklist. These should create at least two alerts according to the configured alerts and even using the query to search for all instances of powershell processes I can't seem to find any.

I am guessing this is because of the current audit policy on the machine not being configured to audit the specific things needed.

So this leads me to the question, how should Windows Auditing be configured to make best use of the platform?

system · June 24, 2020, 2:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Andre_Letterer · July 11, 2020, 11:31pm

Hi Elvar,

in System or Application event log you won't find such information out of the box.
You need to configure Sysmon for this information.
https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-module-sysmon.html
With having Sysmon on board and configuring the module in winlogbeat.yml you will get the information into elasticsearch.

I hope that helps.

Topic		Replies	Views
SIEM doesn't show any Winlogbeat events, despite ES receiving them SIEM	12	3487	May 8, 2020
Auditbeat compared to Winlogbeat, Metricbeat SIEM	5	1721	September 16, 2020
Auditbeat vs Winlogbeat Beats auditbeat	3	2247	August 1, 2019
SIEM not ingesting Windows logs from servers SIEM	8	1456	July 31, 2019
Winlogbeat not writing all events to Elasticsearch Elasticsearch	3	342	August 31, 2020

SIEM, Winlogbeat and Windows Auditing

Related topics