├── DEFCON2 ├── DC-Configurator.ps1 ├── DC-D2C-Configurator-NoAudit.ps1 ├── DC-D2C-Configurator.ps1 └── Group-Policy-Objects │ └── SOC-CMD-PS-Logging │ ├── manifest.xml │ └── {10C95EFF-BFAA-4D82-A723-AAF5505B0168} │ ├── Backup.xml │ ├── DomainSysvol │ └── GPO │ │ └── Machine │ │ ├── comment.cmtx │ │ └── registry.pol │ ├── bkupInfo.xml │ └── gpreport.xml ├── DEFCON3 ├── DC-Configurator.ps1 ├── DC-D3C-Configurator-NoAudit.ps1 ├── DC-D3C-Configurator.ps1 ├── Filebeat-Configurator.ps1 ├── Group-Policy-Objects │ ├── SOC-Enable-WinRM │ │ ├── manifest.xml │ │ └── {8B9862FD-F06C-4D1F-B6EF-C56E2618A438} │ │ │ ├── Backup.xml │ │ │ ├── DomainSysvol │ │ │ └── GPO │ │ │ │ └── Machine │ │ │ │ ├── Preferences │ │ │ │ └── Services │ │ │ │ │ └── Services.xml │ │ │ │ ├── comment.cmtx │ │ │ │ └── registry.pol │ │ │ ├── bkupInfo.xml │ │ │ └── gpreport.xml │ ├── SOC-Sysmon-Deployment │ │ ├── manifest.xml │ │ └── {D61B8B97-2753-494C-AFC5-860A65B5B76C} │ │ │ ├── Backup.xml │ │ │ ├── DomainSysvol │ │ │ └── GPO │ │ │ │ └── Machine │ │ │ │ └── Preferences │ │ │ │ └── ScheduledTasks │ │ │ │ └── ScheduledTasks.xml │ │ │ ├── bkupInfo.xml │ │ │ └── gpreport.xml │ └── SOC-WS-Enhanced-Auditing │ │ ├── manifest.xml │ │ └── {B8DC9C75-5065-4EF6-B898-D75ECAD63D0B} │ │ ├── Backup.xml │ │ ├── DomainSysvol │ │ └── GPO │ │ │ └── Machine │ │ │ └── microsoft │ │ │ └── windows nt │ │ │ ├── Audit │ │ │ └── audit.csv │ │ │ └── SecEdit │ │ │ └── GptTmpl.inf │ │ ├── bkupInfo.xml │ │ └── gpreport.xml ├── Sysmon-Configurator.ps1 ├── Sysmon_Updater.ps1 └── sysmon │ ├── sysmon.ps1 │ └── sysmonconfig.xml ├── DEFCON4 ├── DC-Configurator-NoAudit.ps1 ├── DC-Configurator.ps1 ├── Group-Policy-Objects │ ├── SOC-DC-Enhanced-Auditing │ │ ├── manifest.xml │ │ └── {B53356EF-67DC-481C-A4E9-4FE2C9295F3D} │ │ │ ├── Backup.xml │ │ │ ├── DomainSysvol │ │ │ └── GPO │ │ │ │ └── Machine │ │ │ │ └── microsoft │ │ │ │ └── windows nt │ │ │ │ ├── Audit │ │ │ │ └── audit.csv │ │ │ │ └── SecEdit │ │ │ │ └── GptTmpl.inf │ │ │ ├── bkupInfo.xml │ │ │ └── gpreport.xml │ └── SOC-Windows-Event-Forwarding │ │ ├── manifest.xml │ │ └── {81DADD10-41B3-4D5C-845F-34AC6AB22A8C} │ │ ├── Backup.xml │ │ ├── DomainSysvol │ │ └── GPO │ │ │ └── Machine │ │ │ ├── comment.cmtx │ │ │ ├── microsoft │ │ │ └── windows nt │ │ │ │ └── SecEdit │ │ │ │ └── GptTmpl.inf │ │ │ └── registry.pol │ │ ├── bkupInfo.xml │ │ └── gpreport.xml ├── README.md ├── Update_WECs_v1.ps1 ├── WEC-Configurator.ps1 ├── WEF-Subscriptions │ ├── WEC1_sec_events_v4.xml │ ├── WEC2_os_app_events_v2_1.xml │ ├── WEC3_sec_events_v2_1.xml │ ├── WEC4_os_app_events_v2_1.xml │ ├── WEC5_DefenderFW_app_events_v2_1.xml │ ├── WEC6_os_events_v2_1.xml │ ├── WEC7_sec_evt_v1.xml │ └── WEC8_sec_evt_v1.xml ├── Winlogbeat-Updater.ps1 ├── sites.csv └── winlogbeat.yml ├── LICENSE └── README.md /DEFCON2/DC-Configurator.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON2/DC-Configurator.ps1 -------------------------------------------------------------------------------- /DEFCON2/DC-D2C-Configurator-NoAudit.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON2/DC-D2C-Configurator-NoAudit.ps1 -------------------------------------------------------------------------------- /DEFCON2/DC-D2C-Configurator.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON2/DC-D2C-Configurator.ps1 -------------------------------------------------------------------------------- /DEFCON2/Group-Policy-Objects/SOC-CMD-PS-Logging/manifest.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON2/Group-Policy-Objects/SOC-CMD-PS-Logging/manifest.xml -------------------------------------------------------------------------------- /DEFCON2/Group-Policy-Objects/SOC-CMD-PS-Logging/{10C95EFF-BFAA-4D82-A723-AAF5505B0168}/Backup.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON2/Group-Policy-Objects/SOC-CMD-PS-Logging/{10C95EFF-BFAA-4D82-A723-AAF5505B0168}/Backup.xml -------------------------------------------------------------------------------- /DEFCON2/Group-Policy-Objects/SOC-CMD-PS-Logging/{10C95EFF-BFAA-4D82-A723-AAF5505B0168}/DomainSysvol/GPO/Machine/comment.cmtx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON2/Group-Policy-Objects/SOC-CMD-PS-Logging/{10C95EFF-BFAA-4D82-A723-AAF5505B0168}/DomainSysvol/GPO/Machine/comment.cmtx -------------------------------------------------------------------------------- /DEFCON2/Group-Policy-Objects/SOC-CMD-PS-Logging/{10C95EFF-BFAA-4D82-A723-AAF5505B0168}/DomainSysvol/GPO/Machine/registry.pol: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON2/Group-Policy-Objects/SOC-CMD-PS-Logging/{10C95EFF-BFAA-4D82-A723-AAF5505B0168}/DomainSysvol/GPO/Machine/registry.pol -------------------------------------------------------------------------------- /DEFCON2/Group-Policy-Objects/SOC-CMD-PS-Logging/{10C95EFF-BFAA-4D82-A723-AAF5505B0168}/bkupInfo.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON2/Group-Policy-Objects/SOC-CMD-PS-Logging/{10C95EFF-BFAA-4D82-A723-AAF5505B0168}/bkupInfo.xml -------------------------------------------------------------------------------- /DEFCON2/Group-Policy-Objects/SOC-CMD-PS-Logging/{10C95EFF-BFAA-4D82-A723-AAF5505B0168}/gpreport.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON2/Group-Policy-Objects/SOC-CMD-PS-Logging/{10C95EFF-BFAA-4D82-A723-AAF5505B0168}/gpreport.xml -------------------------------------------------------------------------------- /DEFCON3/DC-Configurator.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/DC-Configurator.ps1 -------------------------------------------------------------------------------- /DEFCON3/DC-D3C-Configurator-NoAudit.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/DC-D3C-Configurator-NoAudit.ps1 -------------------------------------------------------------------------------- /DEFCON3/DC-D3C-Configurator.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/DC-D3C-Configurator.ps1 -------------------------------------------------------------------------------- /DEFCON3/Filebeat-Configurator.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Filebeat-Configurator.ps1 -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-Enable-WinRM/manifest.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-Enable-WinRM/manifest.xml -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-Enable-WinRM/{8B9862FD-F06C-4D1F-B6EF-C56E2618A438}/Backup.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-Enable-WinRM/{8B9862FD-F06C-4D1F-B6EF-C56E2618A438}/Backup.xml -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-Enable-WinRM/{8B9862FD-F06C-4D1F-B6EF-C56E2618A438}/DomainSysvol/GPO/Machine/Preferences/Services/Services.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-Enable-WinRM/{8B9862FD-F06C-4D1F-B6EF-C56E2618A438}/DomainSysvol/GPO/Machine/Preferences/Services/Services.xml -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-Enable-WinRM/{8B9862FD-F06C-4D1F-B6EF-C56E2618A438}/DomainSysvol/GPO/Machine/comment.cmtx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-Enable-WinRM/{8B9862FD-F06C-4D1F-B6EF-C56E2618A438}/DomainSysvol/GPO/Machine/comment.cmtx -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-Enable-WinRM/{8B9862FD-F06C-4D1F-B6EF-C56E2618A438}/DomainSysvol/GPO/Machine/registry.pol: -------------------------------------------------------------------------------- 1 | PReg -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-Enable-WinRM/{8B9862FD-F06C-4D1F-B6EF-C56E2618A438}/bkupInfo.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-Enable-WinRM/{8B9862FD-F06C-4D1F-B6EF-C56E2618A438}/bkupInfo.xml -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-Enable-WinRM/{8B9862FD-F06C-4D1F-B6EF-C56E2618A438}/gpreport.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-Enable-WinRM/{8B9862FD-F06C-4D1F-B6EF-C56E2618A438}/gpreport.xml -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-Sysmon-Deployment/manifest.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-Sysmon-Deployment/manifest.xml -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-Sysmon-Deployment/{D61B8B97-2753-494C-AFC5-860A65B5B76C}/Backup.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-Sysmon-Deployment/{D61B8B97-2753-494C-AFC5-860A65B5B76C}/Backup.xml -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-Sysmon-Deployment/{D61B8B97-2753-494C-AFC5-860A65B5B76C}/DomainSysvol/GPO/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-Sysmon-Deployment/{D61B8B97-2753-494C-AFC5-860A65B5B76C}/DomainSysvol/GPO/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-Sysmon-Deployment/{D61B8B97-2753-494C-AFC5-860A65B5B76C}/bkupInfo.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-Sysmon-Deployment/{D61B8B97-2753-494C-AFC5-860A65B5B76C}/bkupInfo.xml -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-Sysmon-Deployment/{D61B8B97-2753-494C-AFC5-860A65B5B76C}/gpreport.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-Sysmon-Deployment/{D61B8B97-2753-494C-AFC5-860A65B5B76C}/gpreport.xml -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-WS-Enhanced-Auditing/manifest.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-WS-Enhanced-Auditing/manifest.xml -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-WS-Enhanced-Auditing/{B8DC9C75-5065-4EF6-B898-D75ECAD63D0B}/Backup.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-WS-Enhanced-Auditing/{B8DC9C75-5065-4EF6-B898-D75ECAD63D0B}/Backup.xml -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-WS-Enhanced-Auditing/{B8DC9C75-5065-4EF6-B898-D75ECAD63D0B}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-WS-Enhanced-Auditing/{B8DC9C75-5065-4EF6-B898-D75ECAD63D0B}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-WS-Enhanced-Auditing/{B8DC9C75-5065-4EF6-B898-D75ECAD63D0B}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-WS-Enhanced-Auditing/{B8DC9C75-5065-4EF6-B898-D75ECAD63D0B}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-WS-Enhanced-Auditing/{B8DC9C75-5065-4EF6-B898-D75ECAD63D0B}/bkupInfo.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-WS-Enhanced-Auditing/{B8DC9C75-5065-4EF6-B898-D75ECAD63D0B}/bkupInfo.xml -------------------------------------------------------------------------------- /DEFCON3/Group-Policy-Objects/SOC-WS-Enhanced-Auditing/{B8DC9C75-5065-4EF6-B898-D75ECAD63D0B}/gpreport.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Group-Policy-Objects/SOC-WS-Enhanced-Auditing/{B8DC9C75-5065-4EF6-B898-D75ECAD63D0B}/gpreport.xml -------------------------------------------------------------------------------- /DEFCON3/Sysmon-Configurator.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Sysmon-Configurator.ps1 -------------------------------------------------------------------------------- /DEFCON3/Sysmon_Updater.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/Sysmon_Updater.ps1 -------------------------------------------------------------------------------- /DEFCON3/sysmon/sysmon.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/sysmon/sysmon.ps1 -------------------------------------------------------------------------------- /DEFCON3/sysmon/sysmonconfig.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON3/sysmon/sysmonconfig.xml -------------------------------------------------------------------------------- /DEFCON4/DC-Configurator-NoAudit.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/DC-Configurator-NoAudit.ps1 -------------------------------------------------------------------------------- /DEFCON4/DC-Configurator.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/DC-Configurator.ps1 -------------------------------------------------------------------------------- /DEFCON4/Group-Policy-Objects/SOC-DC-Enhanced-Auditing/manifest.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/Group-Policy-Objects/SOC-DC-Enhanced-Auditing/manifest.xml -------------------------------------------------------------------------------- /DEFCON4/Group-Policy-Objects/SOC-DC-Enhanced-Auditing/{B53356EF-67DC-481C-A4E9-4FE2C9295F3D}/Backup.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/Group-Policy-Objects/SOC-DC-Enhanced-Auditing/{B53356EF-67DC-481C-A4E9-4FE2C9295F3D}/Backup.xml -------------------------------------------------------------------------------- /DEFCON4/Group-Policy-Objects/SOC-DC-Enhanced-Auditing/{B53356EF-67DC-481C-A4E9-4FE2C9295F3D}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/Group-Policy-Objects/SOC-DC-Enhanced-Auditing/{B53356EF-67DC-481C-A4E9-4FE2C9295F3D}/DomainSysvol/GPO/Machine/microsoft/windows nt/Audit/audit.csv -------------------------------------------------------------------------------- /DEFCON4/Group-Policy-Objects/SOC-DC-Enhanced-Auditing/{B53356EF-67DC-481C-A4E9-4FE2C9295F3D}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/Group-Policy-Objects/SOC-DC-Enhanced-Auditing/{B53356EF-67DC-481C-A4E9-4FE2C9295F3D}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf -------------------------------------------------------------------------------- /DEFCON4/Group-Policy-Objects/SOC-DC-Enhanced-Auditing/{B53356EF-67DC-481C-A4E9-4FE2C9295F3D}/bkupInfo.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/Group-Policy-Objects/SOC-DC-Enhanced-Auditing/{B53356EF-67DC-481C-A4E9-4FE2C9295F3D}/bkupInfo.xml -------------------------------------------------------------------------------- /DEFCON4/Group-Policy-Objects/SOC-DC-Enhanced-Auditing/{B53356EF-67DC-481C-A4E9-4FE2C9295F3D}/gpreport.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/Group-Policy-Objects/SOC-DC-Enhanced-Auditing/{B53356EF-67DC-481C-A4E9-4FE2C9295F3D}/gpreport.xml -------------------------------------------------------------------------------- /DEFCON4/Group-Policy-Objects/SOC-Windows-Event-Forwarding/manifest.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/Group-Policy-Objects/SOC-Windows-Event-Forwarding/manifest.xml -------------------------------------------------------------------------------- /DEFCON4/Group-Policy-Objects/SOC-Windows-Event-Forwarding/{81DADD10-41B3-4D5C-845F-34AC6AB22A8C}/Backup.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/Group-Policy-Objects/SOC-Windows-Event-Forwarding/{81DADD10-41B3-4D5C-845F-34AC6AB22A8C}/Backup.xml -------------------------------------------------------------------------------- /DEFCON4/Group-Policy-Objects/SOC-Windows-Event-Forwarding/{81DADD10-41B3-4D5C-845F-34AC6AB22A8C}/DomainSysvol/GPO/Machine/comment.cmtx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/Group-Policy-Objects/SOC-Windows-Event-Forwarding/{81DADD10-41B3-4D5C-845F-34AC6AB22A8C}/DomainSysvol/GPO/Machine/comment.cmtx -------------------------------------------------------------------------------- /DEFCON4/Group-Policy-Objects/SOC-Windows-Event-Forwarding/{81DADD10-41B3-4D5C-845F-34AC6AB22A8C}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/Group-Policy-Objects/SOC-Windows-Event-Forwarding/{81DADD10-41B3-4D5C-845F-34AC6AB22A8C}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf -------------------------------------------------------------------------------- /DEFCON4/Group-Policy-Objects/SOC-Windows-Event-Forwarding/{81DADD10-41B3-4D5C-845F-34AC6AB22A8C}/DomainSysvol/GPO/Machine/registry.pol: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/Group-Policy-Objects/SOC-Windows-Event-Forwarding/{81DADD10-41B3-4D5C-845F-34AC6AB22A8C}/DomainSysvol/GPO/Machine/registry.pol -------------------------------------------------------------------------------- /DEFCON4/Group-Policy-Objects/SOC-Windows-Event-Forwarding/{81DADD10-41B3-4D5C-845F-34AC6AB22A8C}/bkupInfo.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/Group-Policy-Objects/SOC-Windows-Event-Forwarding/{81DADD10-41B3-4D5C-845F-34AC6AB22A8C}/bkupInfo.xml -------------------------------------------------------------------------------- /DEFCON4/Group-Policy-Objects/SOC-Windows-Event-Forwarding/{81DADD10-41B3-4D5C-845F-34AC6AB22A8C}/gpreport.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/Group-Policy-Objects/SOC-Windows-Event-Forwarding/{81DADD10-41B3-4D5C-845F-34AC6AB22A8C}/gpreport.xml -------------------------------------------------------------------------------- /DEFCON4/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/README.md -------------------------------------------------------------------------------- /DEFCON4/Update_WECs_v1.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/Update_WECs_v1.ps1 -------------------------------------------------------------------------------- /DEFCON4/WEC-Configurator.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/WEC-Configurator.ps1 -------------------------------------------------------------------------------- /DEFCON4/WEF-Subscriptions/WEC1_sec_events_v4.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/WEF-Subscriptions/WEC1_sec_events_v4.xml -------------------------------------------------------------------------------- /DEFCON4/WEF-Subscriptions/WEC2_os_app_events_v2_1.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/WEF-Subscriptions/WEC2_os_app_events_v2_1.xml -------------------------------------------------------------------------------- /DEFCON4/WEF-Subscriptions/WEC3_sec_events_v2_1.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/WEF-Subscriptions/WEC3_sec_events_v2_1.xml -------------------------------------------------------------------------------- /DEFCON4/WEF-Subscriptions/WEC4_os_app_events_v2_1.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/WEF-Subscriptions/WEC4_os_app_events_v2_1.xml -------------------------------------------------------------------------------- /DEFCON4/WEF-Subscriptions/WEC5_DefenderFW_app_events_v2_1.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/WEF-Subscriptions/WEC5_DefenderFW_app_events_v2_1.xml -------------------------------------------------------------------------------- /DEFCON4/WEF-Subscriptions/WEC6_os_events_v2_1.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/WEF-Subscriptions/WEC6_os_events_v2_1.xml -------------------------------------------------------------------------------- /DEFCON4/WEF-Subscriptions/WEC7_sec_evt_v1.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/WEF-Subscriptions/WEC7_sec_evt_v1.xml -------------------------------------------------------------------------------- /DEFCON4/WEF-Subscriptions/WEC8_sec_evt_v1.xml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/WEF-Subscriptions/WEC8_sec_evt_v1.xml -------------------------------------------------------------------------------- /DEFCON4/Winlogbeat-Updater.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/Winlogbeat-Updater.ps1 -------------------------------------------------------------------------------- /DEFCON4/sites.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/sites.csv -------------------------------------------------------------------------------- /DEFCON4/winlogbeat.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/DEFCON4/winlogbeat.yml -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/LICENSE -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blackhillsinfosec/EventLogging/HEAD/README.md --------------------------------------------------------------------------------