Skip to content

[Security Content] Windows Setup Guides - WinEventLog & Sysmon #5162

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

[Security Content] Windows Setup Guides - WinEventLog & Sysmon #5162

wants to merge 2 commits into from

Conversation

w0rk3r
Copy link
Contributor

@w0rk3r w0rk3r commented Sep 29, 2025
edited
Loading

Issues

Resolves https://github.com/elastic/ia-trade-team/issues/681

Summary

This PR adds setup guides to the repo’s docs folder, covering all Windows Event Logs and Sysmon events currently used in the ruleset.

Built upon the work I did at #4501

Tips for reviewers

You can render the markdown files by clicking here:

image

@w0rk3r w0rk3r self-assigned this Sep 29, 2025
@terrancedejesus
Copy link
Contributor

Nice work! Couple of thoughts.

  1. Should we put this in docs/ and not root? This is specific to Windows atm.
  2. May need to update the README to reference these if it stays in the root.

@w0rk3r
Copy link
Contributor Author

w0rk3r commented Sep 30, 2025

@terrancedejesus Oops, they were supposed to be in the docs/ folder, moved them

Mikaayenson
Mikaayenson reviewed Sep 30, 2025
View reviewed changes
docs/audit_policies/windows/README.md

To build an efficient and production-ready configuration, we strongly recommend exploring these community resources:
- https://github.com/trustedsec/SysmonCommunityGuide
- https://github.com/olafhartong/sysmon-modular
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Mikaayenson
Mikaayenson reviewed Sep 30, 2025
View reviewed changes
Copy link
Contributor

@Mikaayenson Mikaayenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to update https://github.com/elastic/detection-rules/blob/main/docs/docset.yml as well. @Mpdreamz can you confirm?

@w0rk3r w0rk3r requested a review from Mikaayenson October 6, 2025 11:29
@w0rk3r
Copy link
Contributor Author

w0rk3r commented Oct 6, 2025

@Mpdreamz can you take a look at @Mikaayenson's comment? Thanks!

@Mpdreamz
Copy link
Member

Mpdreamz commented Oct 6, 2025

That's correct: https://docs-v3-preview.elastic.dev/elastic/docs-builder/tree/main/building-blocks/documentation-set-navigation

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@terrancedejesus terrancedejesus terrancedejesus approved these changes

@approksiu approksiu Awaiting requested review from approksiu

@imays11 imays11 Awaiting requested review from imays11

@Samirbous Samirbous Awaiting requested review from Samirbous

@Aegrah Aegrah Awaiting requested review from Aegrah

@shashank-elastic shashank-elastic Awaiting requested review from shashank-elastic

@Mikaayenson Mikaayenson Awaiting requested review from Mikaayenson

At least 2 approving reviews are required to merge this pull request.

Assignees

@w0rk3r w0rk3r

Labels

backport: auto Domain: Endpoint OS: Windows windows related rules Security Content

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@w0rk3r @terrancedejesus @Mpdreamz @Mikaayenson