diff --git a/docs/audit_policies/windows/README.md b/docs/audit_policies/windows/README.md new file mode 100644 index 00000000000..ecd40e8196d --- /dev/null +++ b/docs/audit_policies/windows/README.md 
@@ -0,0 +1,46 @@ +## Windows Audit Policies + +This folder contains Windows related audit policies that need to be implemented in order to generate the events that power our detection rules. It serves as a centralized view of the policies we use so you don't need to go through every rule to know the different audit policies required. + +Audit Policies: + +* [Audit Audit Policy Change](audit_audit_policy_change.md) +* [Audit Authorization Policy Change](audit_authorization_policy_change.md) +* [Audit Detailed File Share](audit_detailed_file_share.md) +* [Audit Directory Service Access](audit_directory_service_access.md) +* [Audit Directory Service Changes](audit_directory_service_changes.md) +* [Audit Filtering Platform Connection](audit_filtering_platform_connection.md) +* [Audit Handle Manipulation](audit_handle_manipulation.md) +* [Audit Logon](audit_logon.md) +* [Audit Process Creation and Command Line](audit_process_creation_and_command_line.md) +* [Audit Security Group Management](audit_security_group_management.md) +* [Audit Security System Extension](audit_security_system_extension.md) +* [Audit Sensitive Privilege Use](audit_sensitive_privilege_use.md) +* [Audit Special Logon](audit_special_logon.md) +* [Audit Token Right Adjusted Events](audit_token_right_adjusted_events.md) +* [Audit User Account Management](audit_user_account_management.md) +* [Audit Powershell Script Block Logging](audit_powershell_scriptblock.md) + +## Sysmon Configuration Guides + +**Caution:** The following guides provide minimal configuration examples designed to enable specific Sysmon Event IDs. Collecting Sysmon events without a tailored configuration for your environment will cause high data volume and potentially high CPU-load, and these setup instructions require significant tuning to be production-ready. 
+ +To build an efficient and production-ready configuration, we strongly recommend exploring these community resources: + - https://github.com/trustedsec/SysmonCommunityGuide + - https://github.com/olafhartong/sysmon-modular + - https://github.com/Neo23x0/sysmon-config + +For a production-ready and more integrated solution that is designed to work with our detection rules and also provide native Endpoint Protection and Response, check out [Elastic Endpoint Security](https://www.elastic.co/security/endpoint-security). + +* [Sysmon Event ID 1: Process Creation](sysmon_eventid1_process_creation.md) +* [Sysmon Event ID 2: File Creation Time Changed](sysmon_eventid2_file_creation_time_changed.md) +* [Sysmon Event ID 3: Network Connection](sysmon_eventid3_network_connection.md) +* [Sysmon Event ID 7: Image Loaded](sysmon_eventid7_image_loaded.md) +* [Sysmon Event ID 8: Create Remote Thread](sysmon_eventid8_createremotethread.md) +* [Sysmon Event ID 10: Process Accessed](sysmon_eventid10_process_access.md) +* [Sysmon Event ID 11: File Create](sysmon_eventid11_file_create.md) +* [Sysmon Event IDs 12, 13, 14: Registry Events](sysmon_eventid12_13_14_registry_event.md) +* [Sysmon Event IDs 17, 18: Named Pipe Events](sysmon_eventid17_18_pipe_event.md) +* [Sysmon Event IDs 19, 20, 21: WMI Events](sysmon_eventid19_20_21_wmi_event.md) +* [Sysmon Event ID 22: DNS Query](sysmon_eventid22_dns_query.md) +* [Sysmon Event ID 23: File Delete](sysmon_eventid23_file_delete.md) \ No newline at end of file diff --git a/docs/audit_policies/windows/audit_authorization_policy_change.md b/docs/audit_policies/windows/audit_authorization_policy_change.md new file mode 100644 index 00000000000..0e235446c20 --- /dev/null +++ b/docs/audit_policies/windows/audit_authorization_policy_change.md 
@@ -0,0 +1,44 @@ +## Setup + +Some detection rules require monitoring changes to authorization policies to detect unauthorized modifications or misconfigurations. Enabling this setting ensures visibility into changes affecting user rights and security policies, helping maintain compliance and security. + +**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain. + +### Enable Audit Policy via Group Policy + +To enable `Audit Authorization Policy Change` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Authorization Policy Change` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Windows Settings > +Security Settings > +Advanced Audit Policy Configuration > +Audit Policies > +Policy Change > +**Audit Authorization Policy Change (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **4703**: A user right was adjusted. +* **4704**: A user right was assigned. +* **4705**: A user right was removed. +* **4670**: Permissions on an object were changed. +* **4911**: Resource attributes of the object were changed. +* **4913**: Central Access Policy on the object was changed. 
+ +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224703%22+OR+%22Token+Right+Adjusted+Events%22+OR+%224704%22+OR+%22user-right-assigned%22+OR+%224705%22+OR+%22user-right-removed%22+OR+%224670%22+OR+%22permissions-changed%22+OR+%224911%22+OR+%224913%22%29++language%3ATOML&type=code diff --git a/docs/audit_policies/windows/audit_computer_account_management.md b/docs/audit_policies/windows/audit_computer_account_management.md new file mode 100644 index 00000000000..04940172723 --- /dev/null +++ b/docs/audit_policies/windows/audit_computer_account_management.md 
@@ -0,0 +1,40 @@ +## Setup + +Some detection rules require monitoring computer account management events to track changes to computer accounts in the domain. Enabling this setting provides visibility into when computer accounts are created, changed, or deleted, which is crucial for detecting potential malicious activity like adding unauthorized computer accounts. + +### Enable Audit Policy via Group Policy + +To enable `Audit Computer Account Management` events across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Computer Account Management` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Account Management +**Audit Computer Account Management (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Computer Account Management" /success:enable /failure:enable +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **4741**: A computer account was created. +* **4742**: A computer account was changed. +* **4743**: A computer account was deleted. + +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224741%22+OR+%22added-computer-account%22+OR+%224742%22+OR+%22changed-computer-account%22+OR+%224743%22+OR+%22deleted-computer-account%22%29+language%3ATOML+AND+NOT+%28%22%28for+example%2C+4741%29%22+OR+%22Review+the+event+ID+4741%22+OR+%22e.g.%2C+4741%22%29&type=code \ No newline at end of file 
diff --git a/docs/audit_policies/windows/audit_detailed_file_share.md b/docs/audit_policies/windows/audit_detailed_file_share.md new file mode 100644 index 00000000000..786a3f4b4ef --- /dev/null +++ b/docs/audit_policies/windows/audit_detailed_file_share.md @@ -0,0 +1,40 @@ +## Setup + +Some detection rules require monitoring file share access to detect unauthorized access attempts or modifications. Enabling this setting helps improve security visibility and ensures compliance by tracking access to shared files and folders. + +**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain. + +### Enable Audit Policy via Group Policy + +To enable `Audit Detailed File Share` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Detailed File Share` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Object Access > +**Audit Detailed File Share (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"File Share" /success:enable /failure:disable +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **5145**: A network share object was checked to see whether client can be granted desired access. + +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%225145%22+OR+%22network-share-object-access-checked%22%29++language%3ATOML&type=code 
diff --git a/docs/audit_policies/windows/audit_directory_service_access.md b/docs/audit_policies/windows/audit_directory_service_access.md new file mode 100644 index 00000000000..357f537f090 --- /dev/null +++ b/docs/audit_policies/windows/audit_directory_service_access.md 
@@ -0,0 +1,41 @@ +## Setup + +Some detection rules require configuring audit policies to generate events when Active Directory objects are accessed. These audit policies apply exclusively to Domain Controllers, as other servers do not produce events related to Active Directory object modifications. + +**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain. + +### Enable Audit Policy via Group Policy + +To enable `Audit Directory Service Access` on all Domain Controllers via Group Policy, administrators must enable the `Audit Directory Service Access` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +**Audit Directory Service Access (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Directory Service Access" /success:enable /failure:enable +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **4661**: A handle to an object was requested. +* **4662**: An operation was performed on an object. + +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224661%22+OR+%224662%22+OR+%22object-operation-performed%22%29++language%3ATOML&type=code \ No newline at end of file diff --git a/docs/audit_policies/windows/audit_directory_service_changes.md b/docs/audit_policies/windows/audit_directory_service_changes.md new file mode 100644 index 00000000000..9058fc47d35 
--- /dev/null +++ b/docs/audit_policies/windows/audit_directory_service_changes.md 
@@ -0,0 +1,68 @@ +## Setup + +Some detection rules require configuring audit policies to generate events when Active Directory objects are modified. These audit policies apply exclusively to Domain Controllers, as other servers do not produce events related to Active Directory object modifications. + +**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain. + +### Enable Audit Policy via Group Policy + +To enable `Audit Directory Service Changes` on all Domain Controllers via Group Policy, administrators must enable the `Audit Directory Service Changes` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > +**Audit Directory Service Changes (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable +``` + +### Additional Settings + +The `Audit Directory Service Changes` policy does not cover all objects monitored by the detection rules. To address these gaps, in addition to enabling the audit policy, configure additional Access Control Entries (ACEs) using [Set-AuditRule](https://github.com/OTRF/Set-AuditRule) to ensure proper monitoring. + +Below is a list of example Audit Rules. 
Modify them to match the Distinguished Names specific to your environment: + +Audit changes on the MicrosoftDNS object: + +``` +Set-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success +``` + +Audit changes on the msDS-KeyCredentialLink attribute of User objects: + +``` +Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success +``` + +Audit changes on the servicePrincipalName attribute of User objects: + +``` +Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **5136**: A directory service object was modified. +* **5137**: A directory service object was created. +* **5138**: A directory service object was undeleted. +* **5139**: A directory service object was moved. +* **5141**: A directory service object was deleted. + +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%225136%22+OR+%22directory-service-object-modified%22+OR+%225137%22+OR+%225138%22+OR+%225139%22+OR+%225141%22%29++language%3ATOML&type=code diff --git a/docs/audit_policies/windows/audit_filtering_platform_connection.md b/docs/audit_policies/windows/audit_filtering_platform_connection.md new file mode 100644 index 00000000000..446a31cf579 --- /dev/null +++ b/docs/audit_policies/windows/audit_filtering_platform_connection.md 
@@ -0,0 +1,47 @@ +## Setup + +Some detection rules require monitoring network connections managed by the Windows Filtering Platform (WFP) to detect unauthorized or suspicious network activity. + +**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain. + +### Enable Audit Policy via Group Policy + +To enable `Audit Filtering Platform Connection` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Filtering Platform Connection` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Windows Settings > +Security Settings > +Advanced Security Audit Policy Settings > +Audit Policies > +Object Access > +Audit Filtering Platform Connection (Success,Failure) +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **5031**: The Windows Firewall Service blocked an application from accepting incoming connections on the network. +* **5150**: The Windows Filtering Platform blocked a packet. +* **5151**: A more restrictive Windows Filtering Platform filter has blocked a packet. +* **5154**: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. +* **5155**: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. +* **5156**: The Windows Filtering Platform has permitted a connection. +* **5157**: The Windows Filtering Platform has blocked a connection. 
+* **5158**: The Windows Filtering Platform has permitted a bind to a local port. +* **5159**: The Windows Filtering Platform has blocked a bind to a local port. + +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%225031%22+OR+%225150%22+OR+%225151%22+OR+%225154%22+OR+%225155%22+OR+%225156%22+OR+%22windows-firewall-connection%22+OR+%225157%22+OR+%22windows-firewall-packet-block%22+OR+%225158%22+OR+%22windows-firewall-bind-local-port%22+OR+%225159%22%29+language%3ATOML+AND+NOT+%28%224605157a5b80%22+OR+%225151a804f31b%22%29&type=code diff --git a/docs/audit_policies/windows/audit_filtering_platform_packet_drop.md b/docs/audit_policies/windows/audit_filtering_platform_packet_drop.md new file mode 100644 index 00000000000..7207c41af23 --- /dev/null +++ b/docs/audit_policies/windows/audit_filtering_platform_packet_drop.md 
@@ -0,0 +1,41 @@ +## Setup + +Some detection rules require monitoring Filtering Platform Packet Drop events to detect when network packets are being dropped by the Windows Filtering Platform (WFP). Enabling this setting provides visibility into network traffic that is being blocked, which can be an indicator of malicious activity or network reconnaissance. + +**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain. + +### Enable Audit Policy via Group Policy + +To enable `Audit Filtering Platform Packet Drop` events across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Filtering Platform Packet Drop` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Object Access +**Audit Filtering Platform Packet Drop (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **5152**: The Windows Filtering Platform blocked a packet. +* **5153**: A more restrictive Windows Filtering Platform filter has blocked a packet. 
+ +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%225152%22+OR+%22windows-firewall-packet-drop%22+OR+%225153%22%29+language%3ATOML+AND+NOT+%28%22%28for+example%2C+5152%29%22+OR+%22Review+the+event+ID+5152%22+OR+%22e.g.%2C+5152%22%29&type=code \ No newline at end of file diff --git a/docs/audit_policies/windows/audit_handle_manipulation.md b/docs/audit_policies/windows/audit_handle_manipulation.md new file mode 100644 index 00000000000..b76905e3dde --- /dev/null +++ b/docs/audit_policies/windows/audit_handle_manipulation.md 
@@ -0,0 +1,40 @@ +## Setup + +Some detection rules require monitoring handle manipulation to detect unauthorized access attempts or suspicious interactions with system objects. Enabling this setting helps improve security visibility by tracking when handles to objects (such as files, registry keys, or processes) are opened or modified. + +**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain. + +### Enable Audit Policy via Group Policy + +To enable `Audit Handle Manipulation` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Handle Manipulation` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Windows Settings > +Security Settings > +Advanced Audit Policy Configuration > +Audit Policies > +Object Access > +**Audit Handle Manipulation (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Handle Manipulation" /success:enable /failure:enable +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **4658**: The handle to an object was closed. +* **4690**: An attempt was made to duplicate a handle to an object. + +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224658%22+OR+%22handle-closed-object%22+OR+%224690%22+OR+%22duplicate-handle-attempt%22%29++language%3ATOML&type=code diff --git a/docs/audit_policies/windows/audit_logon.md b/docs/audit_policies/windows/audit_logon.md new file mode 100644 index 00000000000..b266e38b3fd 
--- /dev/null +++ b/docs/audit_policies/windows/audit_logon.md @@ -0,0 +1,41 @@ +## Setup + +Some detection rules require monitoring logon events to track user authentication attempts, detect unauthorized access, and investigate security incidents. Enabling this setting provides visibility into successful and failed logon attempts, helping strengthen security and compliance. + +### Enable Audit Policy via Group Policy + +To enable `Audit logon` events across a group of servers using Active Directory Group Policies, administrators must enable the `Audit logon` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Logon/Logoff +**Audit Logon (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **4624**: An account was successfully logged on. +* **4625**: An account failed to log on. +* **4648**: A logon was attempted using explicit credentials. +* **4675**: SIDs were filtered. + +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224624%22+OR+%22logged-in%22+OR+%224625%22+OR+%22logon-failed%22+OR+%224648%22+OR+%22logged-in-explicit%22+OR+%224675%22+OR+%22sids-filtered%22%29++language%3ATOML+AND+NOT+%28%22%28for+example%2C+4624%29%22+OR+%22Review+the+event+ID+4624%22+OR+%22e.g.%2C+4624%22+OR+%22Correlate+security+events+4662+and+4624%22%29&type=code 
diff --git a/docs/audit_policies/windows/audit_other_object_access_events.md b/docs/audit_policies/windows/audit_other_object_access_events.md new file mode 100644 index 00000000000..634d22bca4b --- /dev/null +++ b/docs/audit_policies/windows/audit_other_object_access_events.md 
@@ -0,0 +1,48 @@ +## Setup + +Some detection rules require monitoring other object access events to detect unauthorized actions or system modifications. Enabling this setting allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests. + +### Enable Audit Policy via Group Policy + +To enable `Audit Other Object Access Events` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Other Object Access Events` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Windows Settings > +Security Settings > +Advanced Audit Policy Configuration > +Audit Policies > +Object Access > +**Audit Other Object Access Events (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Other Object Access Events" /success:enable /failure:enable +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **4671**: An application attempted to access a blocked ordinal through the TBS. +* **4691**: Indirect access to an object was requested. +* **4698**: A scheduled task was created. +* **4699**: A scheduled task was deleted. +* **4700**: A scheduled task was enabled. +* **4701**: A scheduled task was disabled. +* **4702**: A scheduled task was updated. +* **5148**: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. +* **5149**: The DoS attack has subsided and normal processing is being resumed. +* **5888**: An object in the COM+ Catalog was modified. +* **5889**: An object was deleted from the COM+ Catalog. +* **5890**: An object was added to the COM+ Catalog. 
+ +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224671%22+OR+%224691%22+OR+%22indirect-object-access-requested%22+OR+%224698%22+OR+%22scheduled-task-created%22+OR+%224699%22+OR+%22scheduled-task-deleted%22+OR+%224700%22+OR+%22scheduled-task-enabled%22+OR+%224701%22+OR+%22scheduled-task-disabled%22+OR+%224702%22+OR+%22scheduled-task-updated%22+OR+%225148%22+OR+%225149%22+OR+%225888%22+OR+%225889%22+OR+%225890%22%29++language%3ATOML+AND+NOT+%28%22-4691-%22+OR+%2214691%22+OR+%22035889c4%22%29&type=code diff --git a/docs/audit_policies/windows/audit_policy_change.md b/docs/audit_policies/windows/audit_policy_change.md new file mode 100644 index 00000000000..6f9190198ea --- /dev/null +++ b/docs/audit_policies/windows/audit_policy_change.md 
@@ -0,0 +1,46 @@ +## Setup + +Some detection rules require tracking changes to audit policies to detect unauthorized modifications or misconfigurations. Enabling this setting ensures visibility into audit policy changes, helping to maintain compliance and security. + +### Enable Audit Policy via Group Policy + +To enable `Audit Audit Policy Change` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Audit Policy Change` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Windows Settings > +Security Settings > +Advanced Security Audit Policy Settings > +Audit Policies > +Policy Change > +**Audit Audit Policy Change (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Audit Policy Change" /success:enable /failure:enable +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **4715**: The audit policy (SACL) on an object was changed. +* **4719**: System audit policy was changed. +* **4817**: Auditing settings on object were changed. +* **4902**: The Per-user audit policy table was created. +* **4904**: An attempt was made to register a security event source. +* **4905**: An attempt was made to unregister a security event source. +* **4906**: The CrashOnAuditFail value has changed. +* **4907**: Auditing settings on object were changed. +* **4908**: Special Groups Logon table modified. +* **4912**: Per User Audit Policy was changed. 
+ +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224715%22+OR+%22object-audit-policy-changed%22+OR+%224719%22+OR+%22changed-audit-config%22+OR+%224817%22+OR+%22object-audit-changed%22+OR+%224902%22+OR+%22user-audit-policy-created%22+OR+%224904%22+OR+%22security-event-source-added%22+OR+%224905%22+OR+%22security-event-source-removed%22+OR+%224906%22+OR+%22crash-on-audit-changed%22+OR+%224907%22+OR+%22audit-setting-changed%22+OR+%224908%22+OR+%22special-group-table-changed%22+OR+%224912%22+OR+%22per-user-audit-policy-changed%22%29++language%3ATOML+AND+NOT+%28%22-4715-%22+OR+%224715d20eb204%22+OR+%22-4907-%22+OR+%22D61349046527%22%29&type=code diff --git a/docs/audit_policies/windows/audit_powershell_scriptblock.md b/docs/audit_policies/windows/audit_powershell_scriptblock.md new file mode 100644 index 00000000000..882a549dbf6 --- /dev/null +++ b/docs/audit_policies/windows/audit_powershell_scriptblock.md 
@@ -0,0 +1,36 @@ +## Setup + +Some detection rules require enabling PowerShell Script Block Logging to record the content of processed script blocks in the Windows Event Log. + +To collect these logs, use the [Windows Integration](https://www.elastic.co/docs/current/integrations/windows)and select the `Powershell Operational` channel on the integration setup page. + +### Enable Audit Policy via Group Policy + +To enable PowerShell Script Block logging across a group of servers using Active Directory Group Policies, administrators must enable the `Turn on PowerShell Script Block Logging` policy. Follow these steps to implement the logging policy: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +**Turn on PowerShell Script Block Logging (Enable)** +``` + +### Enable Audit Policy via Registry + +To configure the audit on servers that aren't domain joined, the EnableScriptBlockLogging registry key must be set to 1. Here is an example modification command: + +``` +reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated in the `Microsoft-Windows-PowerShell/Operational` log: + +* **4104**: Script block execution. + +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22PowerShell+Logs%22+AND+%28%224104%22+OR+%22powershell.file.script_block_text%22%29++language%3ATOML&type=code diff --git a/docs/audit_policies/windows/audit_process_creation_and_command_line.md b/docs/audit_policies/windows/audit_process_creation_and_command_line.md new file mode 100644 index 00000000000..8743a8a7671 --- /dev/null +++ b/docs/audit_policies/windows/audit_process_creation_and_command_line.md 
@@ -0,0 +1,58 @@ +## Setup + +If leveraging process creation events from the Windows Security log for detections, enabling command line auditing for Windows Event ID 4688 (Process Creation) is required. When enabled, Windows records the full command line of newly created processes in the Security event log. + +### Enable Audit Policy via Group Policy + +To enable the record of command line in process creation events across a group of servers using Active Directory Group Policies, administrators must enable the `Include command line in process creation events` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Administrative Templates > +System > +Audit Process Creation > +**Include command line in process creation events (Enable)** +``` + +Additionally, confirm that the Audit Process Creation policy is enabled: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Configuration > +Detailed Tracking > +**Audit Process Creation (Success)** +``` + +### Enable Locally + +To enable process creation and command line auditing on non-domain-joined servers, follow these steps with Administrative privileges: + +1. Enable Process Creation Audit + +Run the following command to enable auditing for process creation: +``` +auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable +``` + +2. Enable Command Line Logging + +Modify the registry to include command-line details in process creation logs: +``` +reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **4688**: A new process has been created. +* **4696**: A primary token was assigned to process. 
+ +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224688%22+OR+%22created-process%22+OR+%224696%22+OR+%22process+where%22+OR+%22event.category%3Aprocess%22%29++language%3ATOML&type=code diff --git a/docs/audit_policies/windows/audit_security_group_management.md b/docs/audit_policies/windows/audit_security_group_management.md new file mode 100644 index 00000000000..b00562913f6 --- /dev/null +++ b/docs/audit_policies/windows/audit_security_group_management.md 
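Review bot: The sentence "Follow these steps to configure the audit policy via Advanced Audit Policy Configuration" is followed by a path under `Administrative Templates > System > Audit Process Creation`, which is not Advanced Audit Policy Configuration; the second path is the one that uses it, so move the phrase to the sentence before that path (or drop it from the first). In the second path, `Advanced Audit Configuration >` should read `Advanced Audit Policy Configuration > Audit Policies >` so it matches the node name and the level structure used in the other pages of this PR. Also, the Group Policy step enables `Audit Process Creation (Success)` only, while the local `auditpol.exe` command passes `/failure:enable` as well; the two paths should configure the same thing. Minor wording: "To enable the record of command line in process creation events" reads better as "To include the command line in process creation events".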
@@ -0,0 +1,54 @@ +## Setup + +Some detection rules require monitoring security group management to detect unauthorized changes to user group memberships, which can affect access control and security policies. Enabling this setting ensures visibility into modifications of security groups, helping maintain security and compliance. + +### Enable Audit Policy via Group Policy + +To enable `Audit Security Group Management` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Security Group Management` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Account Management > +**Audit Security Group Management (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **4727**: A security-enabled global group was created. +* **4728**: A member was added to a security-enabled global group. +* **4729**: A member was removed from a security-enabled global group. +* **4730**: A security-enabled global group was deleted. +* **4731**: A security-enabled local group was created. +* **4732**: A member was added to a security-enabled local group. +* **4733**: A member was removed from a security-enabled local group. +* **4734**: A security-enabled local group was deleted. +* **4735**: A security-enabled local group was changed. +* **4737**: A security-enabled global group was changed. +* **4754**: A security-enabled universal group was created. +* **4755**: A security-enabled universal group was changed. 
+* **4756**: A member was added to a security-enabled universal group. +* **4757**: A member was removed from a security-enabled universal group. +* **4758**: A security-enabled universal group was deleted. +* **4764**: A group’s type was changed. +* **4799**: A security-enabled local group membership was enumerated. + +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224727%22+OR+%22added-group-account%22+OR+%224728%22+OR+%22added-member-to-group%22+OR+%224729%22+OR+%22removed-member-from-group%22+OR+%224730%22+OR+%22deleted-group-account%22+OR+%224731%22+OR+%22added-group-account%22+OR+%224732%22+OR+%22added-member-to-group%22+OR+%224733%22+OR+%22removed-member-from-group%22+OR+%224734%22+OR+%22deleted-group-account%22+OR+%224735%22+OR+%22modified-group-account%22+OR+%224737%22+OR+%22modified-group-account%22+OR+%224754%22+OR+%22added-group-account%22+OR+%224755%22+OR+%22modified-group-account%22+OR+%224756%22+OR+%22added-member-to-group%22+OR+%224757%22+OR+%22removed-member-from-group%22+OR+%224758%22+OR+%22deleted-group-account%22+OR+%224764%22+OR+%22type-changed-group-account%22+OR+%224799%22+OR+%22user-member-enumerated%22%29++language%3ATOML&type=code diff --git a/docs/audit_policies/windows/audit_security_system_extension.md b/docs/audit_policies/windows/audit_security_system_extension.md new file mode 100644 index 00000000000..b4006ef76ab --- /dev/null +++ b/docs/audit_policies/windows/audit_security_system_extension.md 
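Review bot: `Advanced Audit Policies Configuration >` in the Group Policy path should be `Advanced Audit Policy Configuration >`, which is the node name in the Group Policy editor and the name the surrounding prose already uses ("via Advanced Audit Policy Configuration"). The Related Rules search repeats the same action strings several times (`added-group-account`, `added-member-to-group`, `removed-member-from-group`, `deleted-group-account`, `modified-group-account` each appear three or four times); each term only needs to appear once, which keeps the link shorter and easier to maintain.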
@@ -0,0 +1,42 @@ +## Setup + +Some detection rules require monitoring security system extensions to detect unauthorized modifications, such as the installation of new system services, drivers, or security-related components. Enabling this setting helps ensure visibility into critical system changes that could impact security and system integrity. + +### Enable Audit Policy via Group Policy + +To enable `Audit Security System Extension` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Security System Extension` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +System > +**Audit Security System Extension (Success)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Security System Extension" /success:enable /failure:enable +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **4610**: An authentication package has been loaded by the Local Security Authority. +* **4611**: A trusted logon process has been registered with the Local Security Authority. +* **4614**: A notification package has been loaded by the Security Account Manager. +* **4622**: A security package has been loaded by the Local Security Authority. +* **4697**: A service was installed in the system. 
+ +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224610%22+OR+%22authentication-package-loaded%22+OR+%224611%22+OR+%22trusted-logon-process-registered%22+OR+%224614%22+OR+%22notification-package-loaded%22+OR+%224622%22+OR+%22security-package-loaded%22+OR+%224697%22+OR+%22service-installed%22%29++language%3ATOML&type=code diff --git a/docs/audit_policies/windows/audit_sensitive_privilege_use.md b/docs/audit_policies/windows/audit_sensitive_privilege_use.md new file mode 100644 index 00000000000..5225688f82d --- /dev/null +++ b/docs/audit_policies/windows/audit_sensitive_privilege_use.md 
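Review bot: The Group Policy step configures `Audit Security System Extension (Success)`, but the local command `auditpol.exe /set /subcategory:"Security System Extension" /success:enable /failure:enable` also turns on failure auditing, so a domain-joined host and a standalone host end up with different settings; either add Failure to the Group Policy line or drop `/failure:enable` from the command. Same naming fix as the other pages: `Advanced Audit Policies Configuration >` should be `Advanced Audit Policy Configuration >`.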
@@ -0,0 +1,42 @@ +## Setup + +Some detection rules require monitoring the use of sensitive privileges to detect privilege escalation attempts or unauthorized actions. Enabling this setting provides visibility into when sensitive privileges are used, helping to strengthen security and compliance. + +**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain. + +### Enable Audit Policy via Group Policy + +To enable `Audit Sensitive Privilege Use` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Sensitive Privilege Use` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Privilege Use > +**Audit Sensitive Privilege Use (Success)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **4673**: A privileged service was called. +* **4674**: An operation was attempted on a privileged object. +* **4985**: The state of a transaction has changed. + +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224673%22+OR+%22privileged-service-called%22+OR+%224674%22+OR+%22privileged-operation%22+OR+%224985%22+OR+%22state-of-transaction-has-changed%22%29++language%3ATOML+AND+NOT+%22%25%2514674%22&type=code 
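Review bot: This page already carries a caution about the event volume of Sensitive Privilege Use, yet the local `auditpol.exe` command enables `/failure:enable` while the Group Policy path enables `(Success)` only; failed privileged operations add a second stream of 4673/4674 events, so make the two paths agree and, if failure auditing is intentional, say so next to the caution. `Advanced Audit Policies Configuration >` should read `Advanced Audit Policy Configuration >` as in the prose above it.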
diff --git a/docs/audit_policies/windows/audit_special_logon.md b/docs/audit_policies/windows/audit_special_logon.md new file mode 100644 index 00000000000..2e71fcb7cf1 --- /dev/null +++ b/docs/audit_policies/windows/audit_special_logon.md @@ -0,0 +1,39 @@ +## Setup + +Some detection rules require monitoring special logon events to track privileged account usage. Special logon events indicate that an account with elevated privileges (such as administrators or service accounts) has logged in, helping detect unauthorized access or privilege escalation attempts. + +### Enable Audit Policy via Group Policy + +To enable `Audit Special Logon` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Special Logon` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Logon/Logoff > +**Audit Special Logon (Success)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Special Logon" /success:enable /failure:enable +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **4672**: Special privileges assigned to new logon. +* **4964**: Special groups have been assigned to a new logon. + +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224672%22+OR+%22logged-in-special%22+OR+%224964%22%29++language%3ATOML&type=code diff --git a/docs/audit_policies/windows/audit_token_right_adjusted_events.md b/docs/audit_policies/windows/audit_token_right_adjusted_events.md new file mode 100644 index 00000000000..1dddeaa4b58 
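Review bot: In the `audit_special_logon.md` hunk the Group Policy line sets `Audit Special Logon (Success)` while the `auditpol.exe` command also passes `/failure:enable`; the two setup paths should produce the same configuration. The Related Rules search pairs 4672 with the action string `logged-in-special` but lists `4964` with no action string; if the rules reference an action name for 4964 it should be added for consistency, otherwise a short note that only the numeric ID is matched would avoid the question. `Advanced Audit Policies Configuration >` should be `Advanced Audit Policy Configuration >`.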
--- /dev/null +++ b/docs/audit_policies/windows/audit_token_right_adjusted_events.md @@ -0,0 +1,40 @@ +## Setup + +Some detection rules require monitoring token right adjustments to detect privilege changes in user sessions. Token right adjustments occur when a user's security token is modified to grant or revoke privileges, which can indicate privilege escalation attempts or administrative activity. Enabling this setting enhances visibility into security-sensitive changes affecting user privileges. + +**Caution:** Enabling this audit policy can generate a high volume of events. Evaluate the audit policy in a group of servers to measure volume and filter unwanted events before deploying in the entire domain. + +### Enable Audit Policy via Group Policy + +To enable `Token Right Adjusted Events` across a group of servers using Active Directory Group Policies, administrators must enable the `Token Right Adjusted Events` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Detailed Tracking > +Token Right Adjusted Events (Success) +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"Token Right Adjusted Events" /success:enable /failure:enable +``` + +## Event IDs + +When this audit policy is enabled, the following event ID may be generated: + +* **4703**: A user right was adjusted. + +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224703%22+OR+%22Token+Right+Adjusted+Events%22%29++language%3ATOML&type=code 
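Review bot: The final line of the Group Policy path, `Token Right Adjusted Events (Success)`, is the only one in this PR without the `**...**` emphasis the other pages put on the setting name, and the name itself does not match the editor: under `Detailed Tracking` the Group Policy setting is `Audit Token Right Adjusted`, while `Token Right Adjusted Events` is the `auditpol` subcategory name used correctly in the local command. Use the editor's name in the path and keep the subcategory name in the `auditpol.exe` line. As on the other pages, the Group Policy step is Success-only while the command enables failure auditing too; given the volume caution at the top of the page, these should agree.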
diff --git a/docs/audit_policies/windows/audit_user_account_management.md b/docs/audit_policies/windows/audit_user_account_management.md new file mode 100644 index 00000000000..09b0ce613f9 --- /dev/null +++ b/docs/audit_policies/windows/audit_user_account_management.md 
@@ -0,0 +1,54 @@ +## Setup + +Some detection rules require monitoring user account management activities to detect unauthorized account creations, modifications, or deletions. Enabling this setting ensures visibility into critical account changes, helping maintain security and compliance by tracking administrative actions related to user accounts. + +### Enable Audit Policy via Group Policy + +To enable `Audit User Account Management` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit User Account Management` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration: + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Account Management > +**Audit User Account Management (Success,Failure)** +``` + +### Enable Locally using auditpol + +To enable this policy on a local machine, run the following command in an elevated command prompt: + +``` +auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable +``` + +## Event IDs + +When this audit policy is enabled, the following event IDs may be generated: + +* **4720**: A user account was created. +* **4722**: A user account was enabled. +* **4723**: An attempt was made to change an account's password. +* **4724**: An attempt was made to reset an account's password. +* **4725**: A user account was disabled. +* **4726**: A user account was deleted. +* **4738**: A user account was changed. +* **4740**: A user account was locked out. +* **4765**: SID History was added to an account. +* **4766**: An attempt to add SID History to an account failed. +* **4767**: A user account was unlocked. +* **4780**: The ACL was set on accounts which are members of administrators groups. +* **4781**: The name of an account was changed. 
+* **4794**: An attempt was made to set the Directory Services Restore Mode administrator password. +* **4798**: A user's local group membership was enumerated. +* **5376**: Credential Manager credentials were backed up. +* **5377**: Credential Manager credentials were restored from a backup. + +## Related Rules + +Use the following GitHub search to identify rules that use the events listed: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Windows+Security+Event+Logs%22+AND+%28%224720%22+OR+%22added-user-account%22+OR+%224722%22+OR+%22enabled-user-account%22+OR+%224723%22+OR+%22changed-password%22+OR+%224724%22+OR+%22reset-password%22+OR+%224725%22+OR+%22disabled-user-account%22+OR+%224726%22+OR+%22deleted-user-account%22+OR+%224738%22+OR+%22modified-user-account%22+OR+%224740%22+OR+%22locked-out-user-account%22+OR+%224765%22+OR+%224766%22+OR+%224767%22+OR+%22unlocked-user-account%22+OR+%224780%22+OR+%224781%22+OR+%22renamed-user-account%22+OR+%224794%22+OR+%224798%22+OR+%22group-membership-enumerated%22+OR+%225376%22+OR+%225377%22%29++language%3ATOML&type=code diff --git a/docs/audit_policies/windows/sysmon_eventid10_process_access.md b/docs/audit_policies/windows/sysmon_eventid10_process_access.md new file mode 100644 index 00000000000..6598f555dbb --- /dev/null +++ b/docs/audit_policies/windows/sysmon_eventid10_process_access.md 
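Review bot: The prose says "configure the audit policy via Advanced Audit Policy Configuration" but the path below it reads `Advanced Audit Policies Configuration >`; use the former, which is the node name in the Group Policy editor, in both places. In the Related Rules search, 4765, 4766, 4780, 4794, 5376 and 5377 are matched by number only while the other IDs are paired with an action string; if that is deliberate (no rule uses an action name for them), a short note would save the next maintainer from trying to "complete" the list.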
@@ -0,0 +1,34 @@ +## Setup + +**Caution:** Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need significant tuning in order to be production-ready. For more specific configurations, we recommend you to explore the following resources: + - https://github.com/trustedsec/SysmonCommunityGuide + - https://github.com/olafhartong/sysmon-modular + - https://github.com/Neo23x0/sysmon-config + +Some detection rules require the use of Sysmon Event ID 10 (Process Accessed) events to detect malicious activity, such as credential dumping from `lsass.exe`. + +To collect these logs, use the [Windows Integration](https://www.elastic.co/docs/current/integrations/windows) and select the `Sysmon Operational` channel on the integration setup page. + +## Configuration Example + +The following example demonstrates a more targeted approach for Event ID 10 by focusing specifically on attempts to access the `lsass.exe` process. Based on https://github.com/Neo23x0/sysmon-config/blob/1fdc5f837e06bcf95a42f0c8d49ea311fde628a3/sysmonconfig-export.xml#L517C4-L520C11 + +```xml + + md5,sha256 + + + + \lsass.exe + 0x40;0x1000;0x1010;0x1038;0x1410;0x1418;0x1438;0x143a;0x100000;0x1f0fff;0x1f1fff;0x1f2fff;0x1f3fff;0x1fffff + + + + +``` + +## Related Rules + +Use the following GitHub search to identify rules that use the events generated by this configuration: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Data+Source%3A+Sysmon%22+AND+%28%22event.code+%3D%3D+%5C%2210%5C%22%22+OR+%22winlog.event_data.TargetImage%22%29++language%3ATOML&type=code diff --git a/docs/audit_policies/windows/sysmon_eventid11_file_create.md b/docs/audit_policies/windows/sysmon_eventid11_file_create.md new file mode 100644 index 00000000000..e1ede73ebd8 --- /dev/null +++ b/docs/audit_policies/windows/sysmon_eventid11_file_create.md 
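Review bot: As rendered here, the `xml` block in the Configuration Example contains only text content (`md5,sha256`, `\lsass.exe` and the `GrantedAccess` mask list) with no element names, so a reader cannot tell which Sysmon elements and `condition` attributes wrap those values; confirm the tags are present in the committed file and survive rendering, since the snippet is meant to be copied into a config. The sentence "we recommend you to explore the following resources" should read "we recommend exploring the following resources", and the "Based on https://github.com/Neo23x0/sysmon-config/..." reference would be clearer as a markdown link with descriptive text (the config name and commit) rather than a bare URL with a line-range fragment.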
@@ -0,0 +1,30 @@ +## Setup + +**Caution:** Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need significant tuning in order to be production-ready. For more specific configurations, we recommend you to explore the following resources: + - https://github.com/trustedsec/SysmonCommunityGuide + - https://github.com/olafhartong/sysmon-modular + - https://github.com/Neo23x0/sysmon-config + +Some detection rules support the use of Sysmon Event ID 11 (File Create) events to detect malicious activity, such as tool transfer and second-stage payload dropping. + +To collect these logs, use the [Windows Integration](https://www.elastic.co/docs/current/integrations/windows) and select the `Sysmon Operational` channel on the integration setup page. + +## Configuration Example + +The following snippet demonstrates the minimal configuration required to enable Event ID 11 (File Create). While this will turn on the event logging, it lacks the necessary filtering for a production environment and will generate significant noise. It should be used as a reference and integrated into a more robust configuration, such as those provided in the resources above. + +```xml + + md5,sha256 + + + + + +``` + +## Related Rules + +Use the following GitHub search to identify rules that use the events generated by this configuration: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Data+Source%3A+Sysmon%22+AND+%28%22file+where%22+OR+%22event.category%3Afile%22%29++language%3ATOML&type=code diff --git a/docs/audit_policies/windows/sysmon_eventid12_13_14_registry_event.md b/docs/audit_policies/windows/sysmon_eventid12_13_14_registry_event.md new file mode 100644 index 00000000000..cb31b9fbe10 --- /dev/null +++ b/docs/audit_policies/windows/sysmon_eventid12_13_14_registry_event.md 
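Review bot: The `xml` snippet that is supposed to show the minimal configuration for Event ID 11 renders with only `md5,sha256` and blank lines, so the `FileCreate` rule the paragraph describes is not visible; check that the element tags are in the file and not being stripped on render. Same grammar fix as the other Sysmon pages: "we recommend you to explore" should be "we recommend exploring".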
@@ -0,0 +1,30 @@ +## Setup + +**Caution:** Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need significant tuning in order to be production-ready. For more specific configurations, we recommend you to explore the following resources: + - https://github.com/trustedsec/SysmonCommunityGuide + - https://github.com/olafhartong/sysmon-modular + - https://github.com/Neo23x0/sysmon-config + +Some detection rules require the use of Sysmon registry events (Event IDs 12, 13, and 14) to detect malicious activity, such as attackers establishing persistence via Registry Run keys, disabling security services, or tampering with system configurations. + +To collect these logs, use the [Windows Integration](https://www.elastic.co/docs/current/integrations/windows) and select the `Sysmon Operational` channel on the integration setup page. + +## Configuration Example + +The following snippet demonstrates the minimal configuration required to enable Sysmon's registry monitoring capabilities. This single configuration block enables Event ID 12 (Registry Object Create and Delete), Event ID 13 (Registry Value Set), and Event ID 14 (Registry Object Renamed). While this will turn on the event logging, it lacks the necessary filtering for a production environment and will generate significant noise. It should be used as a reference and integrated into a more robust configuration, such as those provided in the resources above. + +```xml + + md5,sha256 + + + + + +``` + +## Related Rules + +Use the following GitHub search to identify rules that use the events generated by this configuration: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Data+Source%3A+Sysmon%22+AND+%28%22registry+where%22+OR+%22event.category%3Aregistry%22+OR+%22registry.data.strings%22%29++language%3ATOML&type=code 
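Review bot: The paragraph states that a single configuration block enables Event IDs 12, 13 and 14, but the `xml` block below it shows no element names as rendered, only `md5,sha256`, so the claim cannot be checked against the example; verify the `RegistryEvent` tags are present in the committed file. Grammar: "we recommend you to explore the following resources" should be "we recommend exploring the following resources".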
diff --git a/docs/audit_policies/windows/sysmon_eventid17_18_pipe_event.md b/docs/audit_policies/windows/sysmon_eventid17_18_pipe_event.md new file mode 100644 index 00000000000..c6bc32b2bd8 --- /dev/null +++ b/docs/audit_policies/windows/sysmon_eventid17_18_pipe_event.md 
@@ -0,0 +1,30 @@ +## Setup + +**Caution:** Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need significant tuning in order to be production-ready. For more specific configurations, we recommend you to explore the following resources: + - https://github.com/trustedsec/SysmonCommunityGuide + - https://github.com/olafhartong/sysmon-modular + - https://github.com/Neo23x0/sysmon-config + +Some detection rules require the use of Sysmon named pipe events (Event IDs 17 and 18) to detect malicious activity, such as lateral movement techniques employed by tools like Cobalt Strike or Metasploit. + +To collect these logs, use the [Windows Integration](https://www.elastic.co/docs/current/integrations/windows) and select the `Sysmon Operational` channel on the integration setup page. + +## Configuration Example + +The following snippet demonstrates the minimal configuration required to enable Sysmon's named pipe monitoring capabilities. This single configuration block enables Event ID 17 (Pipe Created) and Event ID 18 (Pipe Connected). While this will turn on the event logging, it lacks the necessary filtering for a production environment and will generate significant noise. It should be used as a reference and integrated into a more robust configuration, such as those provided in the resources above. + +```xml + + md5,sha256 + + + + + +``` + +## Related Rules + +Use the following GitHub search to identify rules that use the events generated by this configuration: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Data+Source%3A+Sysmon%22+AND+%28%22event.code+%3D%3D+%5C%2217%5C%22%22+OR+%22event.code%3A%5C%2217%5C%22%22+OR+%22event.code%3A17%22+OR+%22event.code+%3D%3D+%5C%2218%5C%22%22+OR+%22event.code%3A%5C%2218%5C%22%22+OR+%22event.code%3A18%22%29++language%3ATOML&type=code 
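Review bot: The `xml` example for Event IDs 17 and 18 renders without element names, so the `PipeEvent` rule the text promises is not visible; confirm the tags survive in the rendered file. The Related Rules search matches three spellings per ID (`event.code == "17"`, `event.code:"17"`, `event.code:17`), which is more thorough than the Event ID 2 and 23 pages in this PR that match one spelling only; pick one convention for all the Sysmon pages. Grammar: "we recommend you to explore" should be "we recommend exploring".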
diff --git a/docs/audit_policies/windows/sysmon_eventid19_20_21_wmi_event.md b/docs/audit_policies/windows/sysmon_eventid19_20_21_wmi_event.md new file mode 100644 index 00000000000..1df8a8886e8 --- /dev/null +++ b/docs/audit_policies/windows/sysmon_eventid19_20_21_wmi_event.md 
@@ -0,0 +1,30 @@ +## Setup + +**Caution:** Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need significant tuning in order to be production-ready. For more specific configurations, we recommend you to explore the following resources: + - https://github.com/trustedsec/SysmonCommunityGuide + - https://github.com/olafhartong/sysmon-modular + - https://github.com/Neo23x0/sysmon-config + +Some detection rules require the use of Sysmon WMI events (Event IDs 19, 20, and 21) to detect malicious activity, such as attackers using WMI for persistence or lateral movement. + +To collect these logs, use the [Windows Integration](https://www.elastic.co/docs/current/integrations/windows) and select the `Sysmon Operational` channel on the integration setup page. + +## Configuration Example + +The following snippet demonstrates the minimal configuration required to enable Sysmon's WMI monitoring capabilities. This single configuration block enables Event ID 19 (WmiEventFilter), Event ID 20 (WmiEventConsumer), and Event ID 21 (WmiEventConsumerToFilter). While this will turn on the event logging, it lacks the necessary filtering for a production environment and will generate significant noise. It should be used as a reference and integrated into a more robust configuration, such as those provided in the resources above. 
+ +```xml + + md5,sha256 + + + + + +``` + +## Related Rules + +Use the following GitHub search to identify rules that use the events generated by this configuration: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Data+Source%3A+Sysmon%22+AND+%28%22event.code+%3D%3D+%5C%2219%5C%22%22+OR+%22event.code%3A%5C%2219%5C%22%22+OR+%22event.code%3A19%22+OR+%22event.code+%3D%3D+%5C%2220%5C%22%22+OR+%22event.code%3A%5C%2220%5C%22%22+OR+%22event.code%3A20%22+OR+%22event.code+%3D%3D+%5C%2221%5C%22%22+OR+%22event.code%3A%5C%2221%5C%22%22+OR+%22event.code%3A21%22+OR+%22winlog.event_data.Consumer+%22%29++language%3ATOML&type=code diff --git a/docs/audit_policies/windows/sysmon_eventid1_process_creation.md b/docs/audit_policies/windows/sysmon_eventid1_process_creation.md new file mode 100644 index 00000000000..ea008e3cf60 --- /dev/null +++ b/docs/audit_policies/windows/sysmon_eventid1_process_creation.md 
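Review bot: The last term of the Related Rules search is `%22winlog.event_data.Consumer+%22`, i.e. the quoted phrase `"winlog.event_data.Consumer "` with a trailing space, which looks unintentional and may stop the term from matching `winlog.event_data.Consumer` when it is followed by something other than a space; remove the trailing `+` inside the quotes. As on the other Sysmon pages, the `xml` block renders with only `md5,sha256` and no `WmiEvent` element names, and "we recommend you to explore" should be "we recommend exploring".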
@@ -0,0 +1,30 @@ +## Setup + +**Caution:** Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need significant tuning in order to be production-ready. For more specific configurations, we recommend you to explore the following resources: + - https://github.com/trustedsec/SysmonCommunityGuide + - https://github.com/olafhartong/sysmon-modular + - https://github.com/Neo23x0/sysmon-config + +Some detection rules support the use of Sysmon Event ID 1 (Process Creation) events to detect malicious and suspicious process execution activity. + +To collect these logs, use the [Windows Integration](https://www.elastic.co/docs/current/integrations/windows)and select the `Sysmon Operational` channel on the integration setup page. + +## Configuration Example + +The following snippet demonstrates the minimal configuration required to enable Event ID 1 (Process Creation). While this will turn on the event logging, it lacks the necessary filtering for a production environment and will generate significant noise. It should be used as a reference and integrated into a more robust configuration, such as those provided in the resources above. + +```xml + + md5,sha256 + + + + + +``` + +## Related Rules + +Use the following GitHub search to identify rules that use the events generated by this configuration: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Data+Source%3A+Sysmon%22+AND+%28%22process+where%22+OR+%22event.category%3Aprocess%22+OR+%22process.command_line%22%29++language%3ATOML+AND+NOT+%28%22event.code+%3D%3D+%5C%2210%5C%22%22%29&type=code \ No newline at end of file diff --git a/docs/audit_policies/windows/sysmon_eventid22_dns_query.md b/docs/audit_policies/windows/sysmon_eventid22_dns_query.md new file mode 100644 index 00000000000..f2333176780 --- /dev/null +++ b/docs/audit_policies/windows/sysmon_eventid22_dns_query.md 
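Review bot: The link `[Windows Integration](https://www.elastic.co/docs/current/integrations/windows)and select` is missing a space before `and` (the same typo as in `audit_powershell_scriptblock.md`). This file also ends without a trailing newline (`\ No newline at end of file`), unlike the rest of the PR; add one. The `xml` example renders with no `ProcessCreate` element names, so the "minimal configuration" is not visible as shown, and "we recommend you to explore" should be "we recommend exploring".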
@@ -0,0 +1,30 @@ +## Setup + +**Caution:** Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need significant tuning in order to be production-ready. For more specific configurations, we recommend you to explore the following resources: + - https://github.com/trustedsec/SysmonCommunityGuide + - https://github.com/olafhartong/sysmon-modular + - https://github.com/Neo23x0/sysmon-config + +Some detection rules require the use of Sysmon Event ID 22 (DNS Query) events to detect malicious activity, such as command and control (C2) communications, DNS tunneling, or connections to malicious domains. + +To collect these logs, use the [Windows Integration](https://www.elastic.co/docs/current/integrations/windows) and select the `Sysmon Operational` channel on the integration setup page. + +## Configuration Example + +The following snippet demonstrates the minimal configuration required to enable Event ID 22 (DNS Query). While this will turn on the event logging, it lacks the necessary filtering for a production environment and will generate significant noise. It should be used as a reference and integrated into a more robust configuration, such as those provided in the resources above. + +```xml + + md5,sha256 + + + + + +``` + +## Related Rules + +Use the following GitHub search to identify rules that use the events generated by this configuration: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Data+Source%3A+Sysmon%22+AND+%28%22dns.question.name%22%29++language%3ATOML&type=code diff --git a/docs/audit_policies/windows/sysmon_eventid23_file_delete.md b/docs/audit_policies/windows/sysmon_eventid23_file_delete.md new file mode 100644 index 00000000000..bba73d292f7 --- /dev/null +++ b/docs/audit_policies/windows/sysmon_eventid23_file_delete.md 
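Review bot: The `xml` example for Event ID 22 renders with only `md5,sha256` and no `DnsQuery` element names; verify the tags are present in the committed file. The Related Rules search wraps a single term, `"dns.question.name"`, in `AND (...)`, which is harmless but inconsistent with the other pages; and "we recommend you to explore the following resources" should read "we recommend exploring the following resources".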
@@ -0,0 +1,30 @@ +## Setup + +**Caution:** Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need significant tuning in order to be production-ready. For more specific configurations, we recommend you to explore the following resources: + - https://github.com/trustedsec/SysmonCommunityGuide + - https://github.com/olafhartong/sysmon-modular + - https://github.com/Neo23x0/sysmon-config + +Some detection rules require the use of Sysmon Event ID 23 (File Delete) events to detect malicious activity, such as an attacker attempting to cover their tracks by deleting tools or logs. + +To collect these logs, use the [Windows Integration](https://www.elastic.co/docs/current/integrations/windows) and select the `Sysmon Operational` channel on the integration setup page. + +## Configuration Example + +The following snippet demonstrates the minimal configuration required to enable Event ID 23 (File Delete). While this will turn on the event logging, it lacks the necessary filtering for a production environment and will generate significant noise. It should be used as a reference and integrated into a more robust configuration, such as those provided in the resources above. + +```xml + + md5,sha256 + + + + + +``` + +## Related Rules + +Use the following GitHub search to identify rules that use the events generated by this configuration: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Data+Source%3A+Sysmon%22+AND+%28%22event.type+%3D%3D+%5C%22deletion%5C%22%22%29&type=code diff --git a/docs/audit_policies/windows/sysmon_eventid2_file_creation_time_changed.md b/docs/audit_policies/windows/sysmon_eventid2_file_creation_time_changed.md new file mode 100644 index 00000000000..020d936a2aa --- /dev/null +++ b/docs/audit_policies/windows/sysmon_eventid2_file_creation_time_changed.md 
@@ -0,0 +1,30 @@ +## Setup + +**Caution:** Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need significant tuning in order to be production-ready. For more specific configurations, we recommend you to explore the following resources: + - https://github.com/trustedsec/SysmonCommunityGuide + - https://github.com/olafhartong/sysmon-modular + - https://github.com/Neo23x0/sysmon-config + +Some detection rules require the use of Sysmon Event ID 2 (File Creation Time Changed) events to detect timestomping activity, a technique often used by adversaries to hide their tracks. + +To collect these logs, use the [Windows Integration](https://www.elastic.co/docs/current/integrations/windows) and select the `Sysmon Operational` channel on the integration setup page. + +## Configuration Example + +The following snippet demonstrates the minimal configuration required to enable Event ID 2 (File Creation Time Changed). While this will turn on the event logging, it lacks the necessary filtering for a production environment and will generate significant noise. It should be used as a reference and integrated into a more robust configuration, such as those provided in the resources above. + +```xml + + md5,sha256 + + + + + +``` + +## Related Rules + +Use the following GitHub search to identify rules that use the events generated by this configuration: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Data+Source%3A+Sysmon%22+AND+%28%22event.code+%3D%3D+%5C%222%5C%22%22%29++language%3ATOML&type=code diff --git a/docs/audit_policies/windows/sysmon_eventid3_network_connection.md b/docs/audit_policies/windows/sysmon_eventid3_network_connection.md new file mode 100644 index 00000000000..a708412b159 --- /dev/null +++ b/docs/audit_policies/windows/sysmon_eventid3_network_connection.md 
@@ -0,0 +1,30 @@ +## Setup + +**Caution:** Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need significant tuning in order to be production-ready. For more specific configurations, we recommend you to explore the following resources: + - https://github.com/trustedsec/SysmonCommunityGuide + - https://github.com/olafhartong/sysmon-modular + - https://github.com/Neo23x0/sysmon-config + +Some detection rules support the use of Sysmon Event ID 3 (Network Connection) events to detect malicious network activity, such as connections to command and control (C2) servers or data exfiltration. + +To collect these logs, use the [Windows Integration](https://www.elastic.co/docs/current/integrations/windows) and select the `Sysmon Operational` channel on the integration setup page. + +## Configuration Example + +The following snippet demonstrates the minimal configuration required to enable Event ID 3 (Network Connection). While this will turn on the event logging, it lacks the necessary filtering for a production environment and will generate significant noise. It should be used as a reference and integrated into a more robust configuration, such as those provided in the resources above. + +```xml + + md5,sha256 + + + + + +``` + +## Related Rules + +Use the following GitHub search to identify rules that use the events generated by this configuration: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Data+Source%3A+Sysmon%22+AND+%28%22network+where%22+OR+%22event.category%3Anetwork%22%29++language%3ATOML&type=code diff --git a/docs/audit_policies/windows/sysmon_eventid7_image_loaded.md b/docs/audit_policies/windows/sysmon_eventid7_image_loaded.md new file mode 100644 index 00000000000..92f182789b6 --- /dev/null +++ b/docs/audit_policies/windows/sysmon_eventid7_image_loaded.md 
@@ -0,0 +1,30 @@ +## Setup + +**Caution:** Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need significant tuning in order to be production-ready. For more specific configurations, we recommend you to explore the following resources: + - https://github.com/trustedsec/SysmonCommunityGuide + - https://github.com/olafhartong/sysmon-modular + - https://github.com/Neo23x0/sysmon-config + +Some detection rules support the use of Sysmon Event ID 7 (Image Loaded) events to detect malicious activity, such as the loading of malicious DLLs. + +To collect these logs, use the [Windows Integration](https://www.elastic.co/docs/current/integrations/windows) and select the `Sysmon Operational` channel on the integration setup page. + +## Configuration Example + +The following snippet demonstrates the minimal configuration required to enable Event ID 7 (Image Loaded). While this will turn on the event logging, it lacks the necessary filtering for a production environment and will generate significant noise. It should be used as a reference and integrated into a more robust configuration, such as those provided in the resources above. + +```xml + + md5,sha256 + + + + + +``` + +## Related Rules + +Use the following GitHub search to identify rules that use the events generated by this configuration: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Data+Source%3A+Sysmon%22+AND+%28%22Image+loaded%22+OR+%22event.category%3Alibrary%22%29++language%3ATOML&type=code diff --git a/docs/audit_policies/windows/sysmon_eventid8_createremotethread.md b/docs/audit_policies/windows/sysmon_eventid8_createremotethread.md new file mode 100644 index 00000000000..8141e8fd02c --- /dev/null +++ b/docs/audit_policies/windows/sysmon_eventid8_createremotethread.md 
@@ -0,0 +1,30 @@ +## Setup + +**Caution:** Collecting Sysmon events without a tailored configuration for your environment will cause high data volume. These setup instructions would need significant tuning in order to be production-ready. For more specific configurations, we recommend you to explore the following resources: + - https://github.com/trustedsec/SysmonCommunityGuide + - https://github.com/olafhartong/sysmon-modular + - https://github.com/Neo23x0/sysmon-config + +Some detection rules use Sysmon Event ID 8 (Create Remote Thread) to detect process injection techniques. Attackers often use process injection to evade defenses, escalate privileges, or execute malicious code in the context of another process, such as for credential dumping. + +To collect these logs, use the [Windows Integration](https://www.elastic.co/docs/current/integrations/windows) and select the `Sysmon Operational` channel on the integration setup page. + +## Configuration Example + +The following snippet demonstrates the minimal configuration required to enable Event ID 8 (Create Remote Thread). While this will turn on the event logging, it lacks the necessary filtering for a production environment and will generate significant noise. It should be used as a reference and integrated into a more robust configuration, such as those provided in the resources above. + +```xml + + md5,sha256 + + + + + +``` + +## Related Rules + +Use the following GitHub search to identify rules that use the events generated by this configuration: + +https://github.com/search?q=repo%3Aelastic%2Fdetection-rules+%22Data+Source%3A+Sysmon%22+AND+%28%22event.code+%3D%3D+%5C%228%5C%22%22+OR+%22event.code%3A%5C%228%5C%22%22+OR++%22event.code%3A8%22%29++language%3ATOML&type=code
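Review bot: in the Event ID 1 (Process Creation) page (first hunk of this section), the Setup paragraph runs the link into the next word, `[Windows Integration](https://www.elastic.co/docs/current/integrations/windows)and select`; add the space before `and` so it matches the other six pages. The same file is the only one ending with `\ No newline at end of file`; add the trailing newline. Across all seven pages the XML fence shows only `md5,sha256` between blank lines, with no `Sysmon`, `HashAlgorithms`, `EventFiltering` or per-event rule element visible, so confirm the committed files actually contain those elements; the snippet as rendered here would not enable any event.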
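Review bot: in sysmon_eventid22_dns_query.md, "connections to malicious domains" misdescribes what Event ID 22 records: it logs the DNS query, not the resulting connection (connections are the Event ID 3 page), so "queries for known-malicious domains" is the accurate phrase. This page also says rules "require" Sysmon while the Event ID 1, 3 and 7 pages say rules "support" it; choose the wording per page deliberately, since "require" tells the reader the rule cannot fire without Sysmon whereas "support" means Sysmon is one of several acceptable sources. In the Caution paragraph, "we recommend you to explore" (identical in every page) should read "we recommend you explore".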
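Review bot: in sysmon_eventid23_file_delete.md the Related Rules search is the only one of the seven without the `language:TOML` qualifier (`language%3ATOML`), so it will also match documentation and Python files that mention `event.type == "deletion"`; add the qualifier for consistency. The `event.type == "deletion"` term alone also returns Sysmon-tagged rules that can be satisfied by the separate FileDeleteDetected event (Sysmon Event ID 26), which this minimal configuration does not enable, so consider adding `event.code == "23"` style terms as the Event ID 8 page's search does.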
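Review bot: in sysmon_eventid2_file_creation_time_changed.md the Related Rules search only looks for the EQL form `event.code == "2"`, whereas the Event ID 8 page also searches the KQL forms `event.code:"8"` and `event.code:8`; add the equivalent `event.code:"2"` and `event.code:2` terms here, otherwise KQL rules keyed on this event are missed.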
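Review bot: in sysmon_eventid3_network_connection.md the search terms `network where` / `event.category:network` return every Sysmon network-category rule, so check whether the result set overlaps with the `dns.question.name` search in sysmon_eventid22_dns_query.md; if DNS-query rules are also network-category, either exclude them here or say that the two pages overlap, so a reader who enables only Event ID 3 knows that some returned rules still need Event ID 22.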
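Review bot: in sysmon_eventid7_image_loaded.md the search term `Image loaded` matches prose in rule descriptions rather than query logic; the other pages pair the KQL category with the EQL event-type form (`process where`, `network where`), so `library where` would be the consistent counterpart to `event.category:library` and gives a tighter result set.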
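Review bot: in sysmon_eventid8_createremotethread.md the search URL has a doubled space before the last term (`OR++%22event.code%3A8%22`), harmless to GitHub but worth tidying. The three-form pattern used here (`event.code == "8"`, `event.code:"8"`, `event.code:8`) is the most complete of the seven and should be the template the other per-event pages follow. The Caution paragraph and its three-resource list are repeated verbatim in all seven pages; any later change has to be made seven times, so consider keeping it in one place and linking to it.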