Starting point - Windows 8 and Windows Server 2012 Security Event Details:
http://www.microsoft.com/en-us/download/details.aspx?id=35753
For example, Windows process tracking:
1) Enable Advanced Audit Policy Configuration -> Detailed Tracking -> Audit Process Creation (Success)
2) Create test OSSEC rule (/var/ossec/rules/msauth_rules.xml)
<rule id="18160" level="3">
  <if_sid>18104</if_sid>
  <id>^4688$</id>
  <description>A new process has been created</description>
</rule>
3) Create rule(s) according to your environment, for example:
<rule id="18161" level="5">
  <if_sid>18160</if_sid>
  <id>^4688$</id>
  <match>cmd.exe</match>
  <description>CMD has been started</description>
</rule>
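As an added illustration (not part of the original post or of OSSEC itself), the Python script below simulates how OSSEC chains these two rules: a child rule fires only when its if_sid parent fired for the same event, the id element is a regex on the event ID, and match is a substring test on the message. The level-0 parent rule 18104, the simplified record format, and the sample events are assumptions made for the simulation.

```python
import re
import xml.etree.ElementTree as ET
# The two rules from the post plus an assumed level-0 Windows parent (18104)
# that they chain from; the real 18104 lives in OSSEC's msauth_rules.xml.
RULES_XML = """<group name="windows,msauth">
  <rule id="18104" level="0"><description>Windows event (assumed parent)</description></rule>
  <rule id="18160" level="3"><if_sid>18104</if_sid><id>^4688$</id>
    <description>A new process has been created</description></rule>
  <rule id="18161" level="5"><if_sid>18160</if_sid><id>^4688$</id><match>cmd.exe</match>
    <description>CMD has been started</description></rule>
</group>"""

def load_rules(xml_text):
    """Parse rules in file order (parents first) into plain dicts."""
    return [{
        "id": r.get("id"), "level": int(r.get("level")),
        "if_sid": r.findtext("if_sid"),
        "event_id": r.findtext("id"),   # OSSEC regex on the event ID field
        "match": r.findtext("match"),   # substring test on the log line
        "description": r.findtext("description"),
    } for r in ET.fromstring(xml_text).iter("rule")]

def evaluate(rules, event_id, message):
    """Highest-level rule that fires: a child fires only when its <if_sid>
    parent fired for this event and its own <id>/<match> conditions hold."""
    fired, best = set(), None
    for r in rules:
        if r["if_sid"] and r["if_sid"] not in fired:
            continue
        if r["event_id"] and not re.search(r["event_id"], event_id):
            continue
        if r["match"] and r["match"] not in message:
            continue
        fired.add(r["id"])
        if best is None or r["level"] >= best["level"]:
            best = r
    return best

# Constructed sample events: (event ID, message), not real log captures.
SAMPLES = [
    ("4688", "A new process has been created. New Process Name: C:\\Windows\\System32\\cmd.exe"),
    ("4688", "A new process has been created. New Process Name: C:\\Windows\\notepad.exe"),
    ("4624", "An account was successfully logged on."),
]

if __name__ == "__main__":
    for eid, msg in SAMPLES:
        hit = evaluate(load_rules(RULES_XML), eid, msg)
        print(eid, "->", hit["id"], "level", hit["level"], hit["description"])
```

The simulation only covers the id, if_sid and match elements used above; the real engine also applies decoders and the other rule options, so treat it as a way to reason about the chain, not as a replacement for testing with ossec-logtest.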