Windows auditing mindmap provides a simplified view of Windows Event logs and auditing capacities that enables defenders to enhance visibility for different purposes:
- Log collection (eg: into a SIEM)
- Threat hunting
- Forensic / DFIR
The following mindmaps are currently provided:
- Windows OS auditing baseline
- Windows Server roles auditing (also covers SQL Server and Advanced Threat Analytics)
- Active Directory (ADDS) auditing
- Exchange Server auditing (planned)
- Azure (planned)
Windows OS auditing baseline
This map provides an overview of the native Event logs shipped in Windows OS. They are classified into different categories (network, security, application,…) and their related auditing settings.
Windows Server roles auditing
This map provides an overview of the different Event logs and auditing capacities provided by Windows Server roles (ADCS, DHCP, DNS, OCSP, IIS, NPS, ADFS, MSSQL …).
Active Directory auditing
This map provides an overview of the different Event logs and auditing capacities provided by Active Directory (ADDS) role.