The default winlogbeat configuration file collects every event from the Microsoft Windows event channels it subscribes to, with no selection by event ID. This repo contains an optimized version of the winlogbeat configuration based on my research, incorporating recommendations from private and public sector resources. The specific resources are listed in the references section of this document.
Please keep in mind that this is not a plug-and-play configuration. Use it as a template from which to build a configuration suited to your environment.
This repo has a branch for each of winlogbeat versions 7 and 8. Select the branch matching the version deployed in your environment and adjust it to your needs.
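To show what "selective" means in practice, here is an illustrative winlogbeat.yml excerpt. It is an added example, not this repo's configuration file: the channels, event IDs, the drop_event filter and the Logstash host are assumptions chosen to demonstrate the pattern of subscribing to named channels, narrowing each with `event_id`, and dropping known-noisy events with a per-channel processor.

```yaml
# Illustrative winlogbeat.yml excerpt (added example, not this repo's configuration).
# Channels, event IDs and the Logstash host are assumptions chosen to show the
# selective pattern; tune them to your environment and your retention budget.

winlogbeat.event_logs:

  # Security: ship only event IDs you have a detection or investigation use for.
  # 1102 audit log cleared, 4624/4625 logon success/failure, 4648 explicit
  # credentials, 4672 special privileges assigned, 4688 process creation,
  # 4697 service installed, 4698 scheduled task created, 4720 user created,
  # 4728/4732/4756 member added to a security-enabled group.
  - name: Security
    event_id: 1102, 4624, 4625, 4648, 4672, 4688, 4697, 4698, 4720, 4728, 4732, 4756
    ignore_older: 72h
    processors:
      # Computer-account logons (TargetUserName ending in "$") dominate 4624
      # volume on domain members; drop those and keep everything else.
      - drop_event:
          when:
            and:
              - equals.winlog.event_id: 4624
              - regexp.winlog.event_data.TargetUserName: '\$$'

  # System: 104 System log cleared, 7045 new service installed.
  - name: System
    event_id: 104, 7045

  # Sysmon: this channel only exists where Sysmon is installed, and the
  # filtering lives in the Sysmon config itself, so take the whole channel.
  - name: Microsoft-Windows-Sysmon/Operational

  # PowerShell: 4104 (script block) requires Script Block Logging and 4103
  # (module) requires Module Logging to be enabled by policy; without them
  # this channel is nearly empty and the entry collects nothing useful.
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

output.logstash:
  hosts: ["logstash.example.internal:5044"]   # assumed collector; replace
```

Two checks before rolling a configuration like this out: confirm the audit policy actually produces the events you subscribe to (for example, 4688 only carries the command line when "Include command line in process creation events" is enabled, and 4104/4103 depend on the PowerShell logging policies), and confirm each channel name exists on the target hosts, since winlogbeat cannot read from a channel that is not registered there.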
- https://bit.ly/3J3hmWu (NSA Spotting the Adversary)
- https://bit.ly/347czox (Microsoft Events to Monitor)
- https://bit.ly/3AT2mbb (Michael Gough // Sexy Six)
- https://www.mandiant.com/resources/greater-visibilityt (Mandiant, Greater Visibility Through PowerShell Logging)