Module 5: Logging, Monitoring & SIEM
This directory contains the configuration policies for Windows security audit logging, PowerShell logging and transcription, Sysmon host monitoring, and secured log shipping to a SIEM, built for detection in isolated networks.
Configure Advanced Security Audit Policies
Enforces granular Windows advanced audit subcategories (logon/logoff, Kerberos authentication and service ticket operations, group membership and account management, audit policy changes, and process creation) so that the Security log carries the telemetry detections depend on.
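As an added example (not one of the module's own policy files), the following PowerShell enforces the subcategories described above with auditpol.exe and reads the effective policy back so the change can be verified. It must run from an elevated prompt; the subcategory list is this example's choice and the names are the English names printed by `auditpol /list /subcategory:*`.

```powershell
# Added example, not part of the module's policy files. Run elevated.

# Force subcategory settings to win over legacy category-level audit policy;
# without this a category-level GPO can silently override what auditpol sets.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

$Subcategories = @(
    # Logon/Logoff: logons, logoffs, privileged logons, and the group SIDs
    # present in the new token (event 4627)
    'Logon', 'Logoff', 'Special Logon', 'Group Membership',
    # Account Logon: Kerberos AS/TGS activity (domain controllers) and NTLM validation
    'Kerberos Authentication Service', 'Kerberos Service Ticket Operations', 'Credential Validation',
    # Account Management: group membership and account changes (4728, 4732, 4756, 4720, ...)
    'Security Group Management', 'User Account Management',
    # Policy Change: tampering with the audit policy itself (4719)
    'Audit Policy Change', 'Authentication Policy Change',
    # Detailed Tracking: process execution (4688)
    'Process Creation'
)

function Set-AuditBaseline {
    param([string[]]$Names = $Subcategories)
    foreach ($name in $Names) {
        & auditpol.exe /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "auditpol could not set '$name' (exit code $LASTEXITCODE)"
        }
    }
}

# Returns the effective inclusion setting for one subcategory,
# e.g. "Success and Failure", by parsing auditpol's CSV (/r) output.
function Get-AuditSetting {
    param([Parameter(Mandatory)][string]$Name)
    $csv = & auditpol.exe /get /subcategory:"$Name" /r | Where-Object { $_.Trim() }
    ($csv | ConvertFrom-Csv).'Inclusion Setting'
}

Set-AuditBaseline
$missing = $Subcategories | Where-Object { (Get-AuditSetting -Name $_) -ne 'Success and Failure' }
if ($missing) {
    Write-Warning "Not fully enabled: $($missing -join ', ')"
} else {
    'Audit baseline verified.'
}
```

The read-back matters more than the set: auditpol returns success even when a later Group Policy refresh reverts the setting, so the verification should be re-run after `gpupdate /force` on a domain-joined host.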
Configure PowerShell and Command-Line Auditing
Enables command-line arguments in process creation events and verbose PowerShell logging (Script Block, Module, and Transcription logging), and points transcription at a hardened folder that ordinary users can write to but not read.
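The following is an added example, not the module's own policy file. It sets the same registry values Group Policy writes for command-line auditing and the three PowerShell logging channels, then creates the write-only transcript folder. The folder path `C:\Transcripts` is an assumption for this example.

```powershell
# Added example, not part of the module's policy files. Run elevated.
$TranscriptDir = 'C:\Transcripts'   # assumed path for this example
$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type $Type
}

# Event 4688 carries the command line only when this flag is set; the
# "Process Creation" subcategory itself must also be audited.
Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    'ProcessCreationIncludeCmdLine_Enabled' 1
& auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null

# Script Block Logging: de-obfuscated code as it executes (event 4104).
Set-PolicyValue "$PolicyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging' 1
# Module Logging for every module: pipeline execution details (event 4103).
Set-PolicyValue "$PolicyRoot\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$PolicyRoot\ModuleLogging\ModuleNames" '*' '*' 'String'
# Transcription: full console text per session, with invocation timestamps.
Set-PolicyValue "$PolicyRoot\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$PolicyRoot\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$PolicyRoot\Transcription" 'OutputDirectory' $TranscriptDir 'String'

# Write-only drop folder: inheritance removed, SYSTEM and Administrators
# keep full control for collection, Authenticated Users get only the
# generic Write right (create files and subfolders, append), so a user
# cannot read or delete transcripts of their own sessions.
New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
& icacls.exe $TranscriptDir /inheritance:r | Out-Null
& icacls.exe $TranscriptDir /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
& icacls.exe $TranscriptDir /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
& icacls.exe $TranscriptDir /grant 'NT AUTHORITY\Authenticated Users:(OI)(CI)W' | Out-Null

# Verification: policy values read back as set, and the Authenticated Users
# ACE on the folder carries no ReadData bit.
function Test-PowerShellLogging {
    $ok = (Get-ItemProperty "$PolicyRoot\ScriptBlockLogging").EnableScriptBlockLogging -eq 1 -and
          (Get-ItemProperty "$PolicyRoot\Transcription").EnableTranscripting -eq 1
    $ace = (Get-Acl $TranscriptDir).Access |
           Where-Object { $_.IdentityReference -like '*Authenticated Users' } |
           Select-Object -First 1
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $ok -and ($null -ne $ace) -and -not ($ace.FileSystemRights -band $readData)
}
Test-PowerShellLogging
```

Confirm the ACL from a non-administrative session: a new PowerShell window should produce a dated subfolder and transcript under the drop folder, while `Get-Content` on that transcript is denied. Note that transcription covers only what PowerShell writes to the console; Script Block Logging is what captures code that never echoes.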
Deploy and Harden Microsoft Sysmon
Deploys Sysmon with a hardened telemetry configuration and sets aggressive Service Control Manager recovery actions so the service is restarted automatically if an adversary kills its process.
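As an added example (not the module's own deployment script), the following installs Sysmon from a configuration file, or refreshes the running configuration if the service already exists, and then configures the recovery actions. The binary and configuration paths are assumptions; `Sysmon64` is the default service name when installing with Sysmon64.exe.

```powershell
# Added example, not part of the module's deployment files. Run elevated.
$SysmonExe   = 'C:\Tools\Sysmon64.exe'       # assumed path
$SysmonCfg   = 'C:\Tools\sysmonconfig.xml'   # assumed path to the hardened config
$ServiceName = 'Sysmon64'                    # default when installed via Sysmon64.exe

if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    & $SysmonExe -accepteula -c $SysmonCfg   # update the running configuration
} else {
    & $SysmonExe -accepteula -i $SysmonCfg   # install driver and service
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }

# Recovery: restart 1 s after the first two failures, then after 60 s;
# reset the failure counter after a day without failures.
& sc.exe failure $ServiceName reset= 86400 actions= restart/1000/restart/1000/restart/60000
# Also treat a stop that reports no Win32 error as a failure, so a process
# that exits "cleanly" after tampering still triggers the restart.
& sc.exe failureflag $ServiceName 1

function Test-SysmonRecovery {
    $q = & sc.exe qfailure $ServiceName
    $restartConfigured = ($q | Select-String 'RESTART').Count -ge 1
    $channel = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue
    $restartConfigured -and ($null -ne $channel) -and $channel.IsEnabled
}
Test-SysmonRecovery
```

Recovery actions fire only when the Service Control Manager sees the process die; an administrator-level adversary issuing a graceful `Stop-Service` is not a failure and nothing restarts. Alert on that case separately, from System log event 7036 (service entered the stopped state) and Sysmon Event ID 4 (Sysmon service state changed).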
Configure Secure SIEM Log Shipping
Configures the log shipping agents (Winlogbeat and Wazuh) with TLS transport, server certificate verification against the organisation's CA, ACLs that restrict the local configuration files to privileged accounts, and bounded buffer queues so a collector outage cannot exhaust local disk.
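The following is an added example, not the module's own agent configuration, and covers Winlogbeat only (Wazuh is not shown). It writes a winlogbeat.yml that ships the Security, Sysmon and PowerShell channels to Logstash over TLS with full certificate and hostname verification, bounds the on-disk spool, restricts the configuration and client key to SYSTEM and Administrators, and runs Winlogbeat's own configuration and output tests. The collector hostname, port and file paths are assumptions.

```powershell
# Added example, not part of the module's agent configuration. Run elevated.
$BeatDir = 'C:\Program Files\Winlogbeat'           # assumed install directory
$CertDir = 'C:\ProgramData\winlogbeat\certs'       # assumed; CA, cert and key already deployed
$Config  = Join-Path $BeatDir 'winlogbeat.yml'
$CertUri = $CertDir -replace '\\', '/'             # Beats accepts forward slashes on Windows

$yaml = @"
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104

output.logstash:
  hosts: ["siem.corp.internal:5044"]
  ssl.enabled: true
  # "full" checks the chain AND that the certificate name matches the host above;
  # "certificate" or "none" would let an on-path collector impersonate the SIEM.
  ssl.verification_mode: full
  ssl.certificate_authorities: ["$CertUri/internal-ca.pem"]
  # Client certificate so the collector can require known agents (mTLS).
  ssl.certificate: "$CertUri/host.pem"
  ssl.key: "$CertUri/host-key.pem"

# Persistent spool so events survive an outage, hard-capped so a long SIEM
# outage cannot fill the system volume. The disk queue replaces the
# in-memory queue; only one queue type may be configured.
queue.disk:
  path: "C:/ProgramData/winlogbeat/queue"
  max_size: 1GB

# Winlogbeat's own log file is rotated and capped as well.
logging.level: info
logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
  name: winlogbeat
  rotateeverybytes: 10485760
  keepfiles: 7
"@
# Write without a BOM so the YAML parser sees a clean file.
[System.IO.File]::WriteAllText($Config, $yaml, [System.Text.UTF8Encoding]::new($false))

# Only SYSTEM (the service account) and Administrators may read the config
# and the client key: an unprivileged user must be unable to read the key
# or rewrite "hosts" to redirect telemetry.
foreach ($file in @($Config, (Join-Path $CertDir 'host-key.pem')) | Where-Object { Test-Path $_ }) {
    & icacls.exe $file /inheritance:r | Out-Null
    & icacls.exe $file /grant 'NT AUTHORITY\SYSTEM:F' 'BUILTIN\Administrators:F' | Out-Null
}

# "test config" validates the YAML; "test output" performs the TLS handshake
# against the configured hosts. Both exit non-zero on failure.
function Test-ShipperConfig {
    $exe = Join-Path $BeatDir 'winlogbeat.exe'
    & $exe test config -c $Config --path.home $BeatDir | Out-Null
    $configOk = ($LASTEXITCODE -eq 0)
    & $exe test output -c $Config --path.home $BeatDir | Out-Null
    $configOk -and ($LASTEXITCODE -eq 0)
}
Test-ShipperConfig
```

Size `max_size` from the host's event rate and the longest outage you intend to ride out; once the spool is full Winlogbeat stops reading new events rather than growing, which is the intended trade-off. If the collector should reject unknown agents, the Logstash beats input must be configured to require client certificates; the agent-side `ssl.certificate` alone does not enforce that.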