configuring-windows-event-logging-for-detection

Featured

Configures Windows Event Logging with advanced audit policies to generate high-fidelity security events for threat detection and forensic investigation. Use when enabling audit policies for logon events, process creation, privilege use, and object access to feed SIEM detection rules. Activates for requests involving Windows audit policy, event log configuration, security logging, or detection-oriented logging.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Configuring Windows Event Logging for Detection ## When to Use Use this skill when: - Configuring Windows Advanced Audit Policy for security monitoring - Enabling process creation auditing with command line logging (Event 4688) - Setting up logon/logoff auditing for authentication monitoring - Sizing event log storage and forwarding to SIEM platforms **Do not use** for Sysmon configuration (separate skill) or Linux audit logging. ## Prerequisites - Windows Server or Windows 10/11 systems with Group Policy management access - Active Directory environment with Group Policy Object (GPO) creation privileges - SIEM platform configured to receive Windows Event Log forwarding - Understanding of Windows security event IDs and audit categories ## Workflow ### Step 1: Configure Advanced Audit Policy via GPO ``` Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies Recommended settings: Account Logon: - Audit Credential Validation: Success, Failure - Audit Kerberos Authentication: Success, Failure Account Management: - Audit Security Group Management: Success - Audit User Account Management: Success, Failure Logon/Logoff: - Audit Logon: Success, Failure - Audit Logoff: Success - Audit Special Logon: Success - Audit Other Logon/Logoff Events: Success, Failure Object Access: - Audit File Share: Success, Failure - Audit Removable Storage: Success, Failure - Audit SAM: Success Policy Change...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

analyzing-windows-event-logs-in-splunk

Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers.

12,642 Updated today
mukul975
DevOps & Infrastructure Listed

siem-logging

Configure security information and event management (SIEM) systems for threat detection, log aggregation, and compliance. Use when implementing centralized security logging, writing detection rules, or meeting audit requirements across cloud and on-premise infrastructure.

368 Updated 5 months ago
ancoleman
AI & Automation Solid

windsurf-audit-logging

Configure AI interaction audit logging for compliance. Activate when users mention "audit logging", "compliance logging", "ai interaction logs", "security audit", or "activity tracking". Handles compliance and audit configuration. Use when analyzing or auditing windsurf audit logging. Trigger with phrases like "windsurf audit logging", "windsurf logging", "windsurf".

2,266 Updated today
jeremylongshore
AI & Automation Featured

detecting-evasion-techniques-in-endpoint-logs

Detects defense evasion techniques used by adversaries in endpoint logs including log tampering, timestomping, process injection, and security tool disabling. Use when investigating suspicious endpoint behavior, building detection rules for evasion tactics, or conducting threat hunting for stealthy adversary activity. Activates for requests involving evasion detection, defense evasion analysis, log tampering detection, or MITRE ATT&CK TA0005.

12,642 Updated today
mukul975
AI & Automation Solid

detecting-credential-dumping-techniques

Detect LSASS credential dumping, SAM database extraction, and NTDS.dit theft using Sysmon Event ID 10, Windows Security logs, and SIEM correlation rules

12,642 Updated today
mukul975