Script to enumerate Windows events with name, ID, security monitoring recommendation, URL

When setting up and tuning a SIEM solution, you will write a lot of rules to detect well-known and arising security threats. If you need to protect systems running on Windows, you can use Microsoft’s security recommendations for each event. On its knowledgebase, Microsoft lists many hundred events with their ID and security monitoring recommendations. For example, if you have a look at the event with ID 1102: “Audit log was cleared”, the security recommendation reads:

Typically you should not see this event. There is no need to manually clear the Security event log in most cases. We recommend monitoring this event and investigating why this action was performed.

So, we should certainly implement a rule in our SIEM that looks for such audit log cleared events. Now, we can of course look up the recommendations for each event, but not all event IDs are described and not all events do have security recommendations. Some websites list different event IDs and also give recommendations on how to monitor them, but recommendations are not identical to the ones from Microsoft and the list of event IDs is also usually not 100% complete.

Therefore, I wrote a Python script that enumerates all Microsoft Windows Event IDs. If Microsoft has something to say that is related to security (i.e. a webpage is published), the script will parse specifically the monitoring recommendations part (which is there even if no recommendation is given) using regular expressions. Furthermore, the script will try to understand if there is a meaningful monitoring recommendation in the corresponding part, or if it just says something that reads along the lines of “no security monitoring recommendations”.

For each event, the script will store the HTML part of the security recommendation, and also a Boolean value on if it thinks that Microsoft has a security monitoring recommendation for it or not. All found events will then be saved as an Excel table that contains event name, ID, URL, the HTML part for monitoring recommendations, as well as the flags “has recommendation” and “applicable for result=success” or “result=failure”.

With this table you can quickly sort for these events where “has monitoring recommendation” is true, have a look at the recommendations and implement these in your SIEM solution. Ideally, you write your monitoring rules in SIEM-agnostic Sigma notation. With this you will be able to use the same rules for different SIEM systems, for example QRadar, Splunk, or sumo logic.

You can get the script from GitHub and run it by yourself. Or you can simply use the list which I already created with it:

This article was written by Fabian

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.