@kn450

Security log: Critical for detecting login attempts, privilege escalation, and account changes (e.g., Event IDs 4624, 4648, 4672, 4720). Filter out noisy events like 4663 (file access audits) unless specifically needed.
https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-collect-basic-Windows-OS-Event-Log-data-from-my-Windows/m-p/440187
https://community.splunk.com/t5/Splunk-Enterprise-Security/What-s-the-best-practice-to-configure-a-windows-system-to/m-p/467532
Refer to these event codes: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/

System log: Useful for system-level events like service changes or crashes (e.g., Event IDs 7036, 7045). Limit to high-value events to reduce volume.

Avoiding Redundancy: Firewall logs provide network traffic visibility (e.g., source/destination IPs, ports, protocols). Avoid collecting redundant network data from endpoints (e.g., excessive DNS or connection logs) unless it provides unique context, like process-level details from Sysmon.
https://lantern.splunk.com/Data_Descriptors/Firewall_data

WinRegistry and Service: These are high-volume sources. Limit to specific keys (e.g., Run keys, AppInit_DLLs) and events (e.g., new service creation) to avoid collecting redundant or low-value changes.
https://www.splunk.com/en_us/blog/security/threat-hunting-sysmon-event-codes.html
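The advice above, expressed as a Universal Forwarder `inputs.conf` (an added example, not the poster's configuration and not a Splunk-supplied default). It whitelists the Security and System event IDs named in the post plus a few common account-management and service IDs, keeps Sysmon for the process-level context the post mentions, and scopes registry monitoring to the Run key. The index names and the exact ID lists are assumptions for illustration; tune them to your environment.

```ini
# Added example: scoped Windows event collection for a Universal Forwarder.
# Event ID lists and index names are assumptions, not Splunk defaults.

# Security log: authentication, privilege use and account management only.
# With a whitelist in place, 4663 (object access) and other noisy IDs are
# simply not forwarded, so no separate blacklist is needed.
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
evt_resolve_ad_obj = 1
# 4624/4625 logon success/failure, 4648 explicit credentials, 4672 special
# privileges, 4720/4722/4724 account created/enabled/password reset,
# 4728/4732/4756 member added to global/local/universal group.
whitelist = 4624,4625,4648,4672,4720,4722,4724,4728,4732,4756
index = wineventlog

# System log: service lifecycle and crashes only.
# 7034 service terminated unexpectedly, 7036 state change,
# 7040 start type changed, 7045 new service installed.
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
whitelist = 7034,7036,7040,7045
index = wineventlog

# Sysmon: keep process creation (1) and network connections (3) because they
# carry the process/user context the firewall cannot provide. Leave the
# Windows Firewall channel out; perimeter/host firewall logs already cover
# raw connection data and would duplicate it.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
start_from = oldest
current_only = 0
whitelist = 1,3
index = sysmon

# Registry: only writes under the per-user Run key, not the whole hive.
# baseline = 0 avoids a one-time dump of every existing value on startup.
[WinRegMon://hkcu_run]
disabled = 0
hive = \\REGISTRY\\USER\\.*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.*
proc = .*
type = set|create|delete|rename
baseline = 0
index = winregistry
```

Before committing to a whitelist, check what is actually loud on a representative host: a search such as `index=wineventlog sourcetype=WinEventLog:Security | stats count by EventCode | sort -count` over a day of unfiltered data shows which IDs to drop. After rollout, verify that 4624/4672 still arrive and that 4663 is gone, otherwise the `whitelist` line has a typo and the stanza is silently forwarding everything or nothing.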