{"id":684,"date":"2021-06-21T19:08:06","date_gmt":"2021-06-21T18:08:06","guid":{"rendered":"https:\/\/www.seven-stones.biz\/blog\/?p=684"},"modified":"2021-06-21T19:08:08","modified_gmt":"2021-06-21T18:08:08","slug":"siem-windows-events-quick-win","status":"publish","type":"post","link":"https:\/\/www.seven-stones.biz\/blog\/siem-windows-events-quick-win\/","title":{"rendered":"SIEM &#8211; Windows Events Quick Win"},"content":{"rendered":"\n<p>There has been a modicum of interest in a Windows spreadsheet I shared on social media recently. If absorbed and acted upon, it can be an early no-brainer win with SIEM products that are licensed based on volume or Events Per Second (EPS).<\/p>\n\n\n\n<p>It&#8217;s no big secret that Windows machines, virtual or real, are noisy. Of the clients I worked with, I would estimate 90% don&#8217;t, for various reasons, act on the noise from Windows devices, and it&#8217;s costing them a fortune (right or wrong, approx 50% of those prioritise other tasks).<\/p>\n\n\n\n<p>In Splunk, one can use searches to estimate the benefit of removing noisy Windows events, and what I found was quite a broad range of results. It makes little sense to give the full breakdown because the result depends heavily on the spread and proportion of Windows hosts relative to other Operating Systems (OS). But there were a couple of cases where logged event volume was reduced by 70%.
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.seven-stones.biz\/blog\/wp-content\/uploads\/Screenshot-2021-06-21-at-18.03.08.png\"><img loading=\"lazy\" decoding=\"async\" width=\"718\" height=\"436\" src=\"https:\/\/www.seven-stones.biz\/blog\/wp-content\/uploads\/Screenshot-2021-06-21-at-18.03.08.png\" alt=\"\" class=\"wp-image-686\" srcset=\"https:\/\/www.seven-stones.biz\/blog\/wp-content\/uploads\/Screenshot-2021-06-21-at-18.03.08.png 718w, https:\/\/www.seven-stones.biz\/blog\/wp-content\/uploads\/Screenshot-2021-06-21-at-18.03.08-300x182.png 300w, https:\/\/www.seven-stones.biz\/blog\/wp-content\/uploads\/Screenshot-2021-06-21-at-18.03.08-494x300.png 494w\" sizes=\"auto, (max-width: 718px) 100vw, 718px\" \/><\/a><\/figure>\n\n\n\n<p>Some points to note:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>If the &#8220;remove&#8221; events are removed, Windows devices become very quiet. Some organisations use events as an indicator of &#8220;alive&#8221; rather than using active host monitoring. So with this logging configuration, an alternative (more sensible) host monitoring method is needed.<\/li><li>Removing these events is highly unlikely to ever result in a failure to detect an attack, but being 100% certain of this is impossible.<\/li><li>The most critical aspect of logging isn&#8217;t related to these events at all; it&#8217;s about your custom use cases. An example: a typical scenario is for a database listener to accept application-level connections on its listening port (e.g. TCP 1521 is the default for Oracle DB), and the source will be a web or middleware tier. So &#8211; configure an alert for when connections come from a source other than the middleware\/application tier.<\/li><li>Very little actual analysis of Windows events and their purpose is available, or if it exists it is certainly not shared anywhere.
There are some historical aspects to many of these events in that they&#8217;ve been around for more than 20 years but were never documented particularly well, apart from <a href=\"https:\/\/www.ultimatewindowssecurity.com\/securitylog\/encyclopedia\/event.aspx?eventID=4722\">here<\/a>. I have added some insight but not for all events. Hence: if anyone would like any of the contents added or edited, feel free to comment below.<\/li><li>The context here is security. For other logging use cases, other events may need to be switched on.<\/li><li>The major versions of MS Windows Server that this spreadsheet applies to are: 2003, 2008, 2012. Many will apply to both 2016 and 2019.<\/li><\/ul>\n\n\n\n<p>So here are the links; note there is no registration or paywall. You will not be tracked and no data will be held about you. This is a completely free resource for you to collect anonymously:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/www.seven-stones.biz\/documents\/Windows - SIEM Events Rationalisation.xlsx\">Excel<\/a><\/li><li><a href=\"https:\/\/www.seven-stones.biz\/documents\/Windows%20-%20SIEM%20Events%20Rationalisation.ods\">OpenOffice<\/a><\/li><li><a href=\"https:\/\/www.seven-stones.biz\/documents\/Windows%20-%20SIEM%20Events%20Rationalisation.pdf\">PDF<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Windows security events to remove for a quick cost-saving win <a href=\"https:\/\/www.seven-stones.biz\/blog\/siem-windows-events-quick-win\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":686,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,1,204,68,203,224],"tags":[229,227,206,157,208,228,226,225],"class_list":["post-684","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-general","category-logging","category-siem","category-splunk","category-windows","tag-cost-saving","tag-events","tag-logging","tag-siem","tag-splunk","tag-tuning","tag-use-cases","tag-windows"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>SIEM - Windows Events Quick Win - Security Macromorphosis<\/title>\n<meta name=\"description\" content=\"A quick SIEM win in terms of logging volume and improving your signal-to-noise ratio\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.seven-stones.biz\/blog\/siem-windows-events-quick-win\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SIEM - Windows Events Quick Win - Security Macromorphosis\" \/>\n<meta property=\"og:description\" content=\"A quick SIEM win in terms of logging volume and improving your signal-to-noise ratio\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.seven-stones.biz\/blog\/siem-windows-events-quick-win\/\" \/>\n<meta property=\"og:site_name\" content=\"Security Macromorphosis\" \/>\n<meta property=\"article:published_time\" content=\"2021-06-21T18:08:06+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-06-21T18:08:08+00:00\" \/>\n<meta property=\"og:image\" 
content=\"https:\/\/www.seven-stones.biz\/blog\/wp-content\/uploads\/Screenshot-2021-06-21-at-18.03.08.png\" \/>\n\t<meta property=\"og:image:width\" content=\"718\" \/>\n\t<meta property=\"og:image:height\" content=\"436\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"itibble@gmail.com\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@seven_stones\" \/>\n<meta name=\"twitter:site\" content=\"@seven_stones\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"itibble@gmail.com\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/siem-windows-events-quick-win\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/siem-windows-events-quick-win\\\/\"},\"author\":{\"name\":\"itibble@gmail.com\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#\\\/schema\\\/person\\\/dd7adbe0152f2279b133661b823e0c28\"},\"headline\":\"SIEM &#8211; Windows Events Quick Win\",\"datePublished\":\"2021-06-21T18:08:06+00:00\",\"dateModified\":\"2021-06-21T18:08:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/siem-windows-events-quick-win\\\/\"},\"wordCount\":462,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/siem-windows-events-quick-win\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/wp-content\\\/uploads\\\/Screenshot-2021-06-21-at-18.03.08.png\",\"keywords\":[\"Cost saving\",\"Events\",\"Logging\",\"SIEM\",\"Splunk\",\"tuning\",\"Use 
Cases\",\"Windows\"],\"articleSection\":[\"Blog\",\"General\",\"Logging\",\"SIEM\",\"Splunk\",\"Windows\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/siem-windows-events-quick-win\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/siem-windows-events-quick-win\\\/\",\"url\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/siem-windows-events-quick-win\\\/\",\"name\":\"SIEM - Windows Events Quick Win - Security Macromorphosis\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/siem-windows-events-quick-win\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/siem-windows-events-quick-win\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/wp-content\\\/uploads\\\/Screenshot-2021-06-21-at-18.03.08.png\",\"datePublished\":\"2021-06-21T18:08:06+00:00\",\"dateModified\":\"2021-06-21T18:08:08+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#\\\/schema\\\/person\\\/dd7adbe0152f2279b133661b823e0c28\"},\"description\":\"A quick SIEM win in terms of logging volume and improving your signal-to-noise 
ratio\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/siem-windows-events-quick-win\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/siem-windows-events-quick-win\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/siem-windows-events-quick-win\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/wp-content\\\/uploads\\\/Screenshot-2021-06-21-at-18.03.08.png\",\"contentUrl\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/wp-content\\\/uploads\\\/Screenshot-2021-06-21-at-18.03.08.png\",\"width\":718,\"height\":436},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/siem-windows-events-quick-win\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SIEM &#8211; Windows Events Quick Win\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/\",\"name\":\"Security Macromorphosis\",\"description\":\"Ian Tibble&#039;s Security 
Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#\\\/schema\\\/person\\\/dd7adbe0152f2279b133661b823e0c28\",\"name\":\"itibble@gmail.com\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g\",\"caption\":\"itibble@gmail.com\"},\"description\":\"Author of Security De-engineering, CTO at Seven Stones (Indonesia)\",\"sameAs\":[\"http:\\\/\\\/www.seven-stones.biz\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}