This repo contains guidance on setting up event logging. This guidance is broken up into sections, Defensive Readiness Condition (DEFCON), and intended to be applied from 5 (lowest) to 1 (highest).
Readiness State | Description | Readiness Condition Features |
---|---|---|
DEFCON 1 | Breach imminent or occurred | Forensic imaging; Blocking techinques/tools (Server, Workstation, and Network) |
DEFCON 2 | Enhanced Measures | Event Forwarding (Workstation); Threat Hunting |
DEFCON 3 | Heightened Measures | Event Forwarding (Member Servers/apps); Network Device logging; Sysmon/EDR |
DEFCON 4 | Increased Security Measures | Audit policies; Event Forwarding (Domain Controllers); Network Monitoring; Centralized logs |
DEFCON 5 | Default Configurations | Vanilla OS/App/Device logging; No centralized logs |
Initial work on this project will be focused on Windows.
- Microsoft Active Directory is being used
- PowerShell 5 is being used
- A Windows Server running Windows Event Collector (WEC) services can be reached by all logged Windows endpoints.
The scripts are designed to be run DEFCON 4 first followed by DEFCON 3 and then DEFCON 2. Each DEFCON has a script for making changes on a DC these scripts add extra functionality and increase visibility in your deployment. You should review these scripts carefully before running them as some of the changes are difficult to revert once made. DEFCON 3 also contains a script for installing Sysmon for Windows. This script should be run from the DC as it will import a GPO used for deployment.
Before deployment, you will need to determine how many WECs you will require and their FQDN Hostname. These hosts should be configured as base Windows Server machines with all of the current updates Windows Server 2016 or higher is recommended. You will then convert the server into a WEC via the WEC-Configurator.ps1 script found in DEFCON4.
Change the following files before running the scripts.
- /DEFCON4/sites.csv - Populate site prefix and WEC FQDN.
- /DEFCON4/winlogbeat.yml - Only required if you plan to ship to an ELK stack. Replace the tags <LogstashIP>, <LogstashPort>, and <CompanyInit>
Once the files have been edited you can run the scripts on the respective host. The DC scripts will import GPOs. These GPOs must still be linked to the correct OU for the system to work. Suggested GPO links are below.
- SOC-$(SiteName)-Windows-Event-Forwarding : Link to OU for each site hosts in that OU will ship to respective WEC defined in /DEFCON4/sites.csv. This will be replicated for each row in the CSV.
- SOC-DC-Enhanced-Auditing : Link to OU Containing DC’s
- SOC-WS-Enhanced-Auditing : Link to the highest level with workstations
- SOC-Sysmon-Deployment : Link to the entire domain
- SOC-CMD-PS-Logging : Link to the entire domain
- SOC-Enable-WinRM : Link to the entire domain
- BHIS Webcasts | Youtube
GNUv3 - License