
Automatic creating of Top Security Event IDs/Top Sigma log sources document #16

Open
fukusuket opened this issue Jan 18, 2025 · 11 comments
Assignees: fukusuket
Labels: documentation (Improvements or additions to documentation), enhancement (New feature or request)

Comments

@fukusuket (Collaborator)

Investigate the possibility of automatically updating the Windows Event Log Configuration Guide document :)

@fukusuket fukusuket added documentation Improvements or additions to documentation enhancement New feature or request labels Jan 18, 2025
@fukusuket fukusuket self-assigned this Jan 18, 2025
@YamatoSecurity (Contributor)

How about we start off with creating a CSV file and/or Markdown table and/or HTML table for

  • Top Security Event IDs
  • Top sigma log sources

as well as the pie chart?

@fukusuket (Collaborator, Author)

Sounds Good! Yes I'll start off creating the above CSV/HTML!

@fukusuket fukusuket changed the title from "Automatic updating of Windows Event Log Configuration Guide documentation" to "Automatic creating of Top Security Event IDs/Top Sigma log sources document" Jan 18, 2025
@fukusuket (Collaborator, Author) commented Jan 20, 2025

@YamatoSecurity
I created a prototype: https://github.com/fukusuket/InvestigateWindowsLogSetting!
Sample markdown is as follows. For the first table, I would like to add a column for the Event ID description. Is there a good source for automatically retrieving the ID description?🤔 (If not, I will create the *.txt file manually!)

| EventId | Count | Percentage |
| --- | --- | --- |
| 4688 | 1299 | 77.97% |
| 4657 | 265 | 15.91% |
| 5156 | 40 | 2.40% |
| 4624 | 17 | 1.02% |
| 4625 | 5 | 0.30% |
| 4648 | 4 | 0.24% |
| 4728 | 3 | 0.18% |
| 4768 | 2 | 0.12% |
| 5379 | 2 | 0.12% |
| 4611 | 2 | 0.12% |
| 4769 | 2 | 0.12% |
| 4634 | 2 | 0.12% |
| 4732 | 2 | 0.12% |
| 4720 | 2 | 0.12% |
| 5140 | 1 | 0.06% |
| 5157 | 1 | 0.06% |
| 4674 | 1 | 0.06% |
| 4673 | 1 | 0.06% |
| 4778 | 1 | 0.06% |
| 1102 | 1 | 0.06% |
| 4647 | 1 | 0.06% |
| 6410 | 1 | 0.06% |
| 4699 | 1 | 0.06% |
| 4698 | 1 | 0.06% |
| 4672 | 1 | 0.06% |
| 6281 | 1 | 0.06% |
| 4825 | 1 | 0.06% |
| 4697 | 1 | 0.06% |
| 4779 | 1 | 0.06% |
| 5136 | 1 | 0.06% |
| 4776 | 1 | 0.06% |
| 5038 | 1 | 0.06% |
| 5145 | 1 | 0.06% |

| Category/Service | Count | Percentage | Source |
| --- | --- | --- | --- |
| process_creation | 2679 | 58.19% | sysmon |
| registry_set | 430 | 9.34% | sysmon |
| security | 251 | 5.45% | |
| file_event | 207 | 4.50% | sysmon |
| ps_script | 184 | 4.00% | sysmon |
| image_load | 119 | 2.58% | sysmon |
| network_connection | 104 | 2.26% | sysmon |
| system | 94 | 2.04% | |
| registry_event | 80 | 1.74% | sysmon |
| sysmon | 62 | 1.35% | |
| ps_module | 35 | 0.76% | sysmon |
| process_access | 32 | 0.70% | sysmon |
| driver_load | 32 | 0.70% | sysmon |
| application | 30 | 0.65% | |
| dns_query | 24 | 0.52% | sysmon |
| windefend | 21 | 0.46% | |
| pipe_created | 20 | 0.43% | sysmon |
| registry_add | 20 | 0.43% | sysmon |
| create_remote_thread | 16 | 0.35% | sysmon |
| file_delete | 14 | 0.30% | sysmon |
| ps_classic_start | 11 | 0.24% | sysmon |
| codeintegrity-operational | 10 | 0.22% | |
| create_stream_hash | 9 | 0.20% | sysmon |
| powershell | 9 | 0.20% | |
| taskscheduler | 9 | 0.20% | |
| firewall-as | 9 | 0.20% | |
| msexchange-management | 8 | 0.17% | |
| bits-client | 8 | 0.17% | |
| registry_delete | 7 | 0.15% | sysmon |
| antivirus | 7 | 0.15% | sysmon |
| appxdeployment-server | 7 | 0.15% | |
| wmi_event | 6 | 0.13% | sysmon |
| dns-client | 6 | 0.13% | |
| wmi | 5 | 0.11% | |
| ntlm | 3 | 0.07% | |
| vhdmp | 3 | 0.07% | |
| powershell-classic | 3 | 0.07% | |
| file_change | 2 | 0.04% | sysmon |
| dns-server | 2 | 0.04% | |
| smbclient-security | 2 | 0.04% | |
| security-mitigations | 2 | 0.04% | |
| file_executable_detected | 1 | 0.02% | sysmon |
| sysmon_error | 1 | 0.02% | sysmon |
| process_tampering | 1 | 0.02% | sysmon |
| ps_classic_provider_start | 1 | 0.02% | sysmon |
| raw_access_thread | 1 | 0.02% | sysmon |
| sysmon_status | 1 | 0.02% | sysmon |
| shell-core | 1 | 0.02% | |
| dns-server-analytic | 1 | 0.02% | |
| terminalservices-localsessionmanager | 1 | 0.02% | |
| microsoft-servicebus-client | 1 | 0.02% | |
| lsa-server | 1 | 0.02% | |
| printservice-admin | 1 | 0.02% | |
| driver-framework | 1 | 0.02% | |
| printservice-operational | 1 | 0.02% | |
| diagnosis-scripted | 1 | 0.02% | |
| applocker | 1 | 0.02% | |
| appmodel-runtime | 1 | 0.02% | |
| appxpackaging-om | 1 | 0.02% | |
| certificateservicesclient-lifecycle-system | 1 | 0.02% | |
| smbclient-connectivity | 1 | 0.02% | |
| openssh | 1 | 0.02% | |
| capi2 | 1 | 0.02% | |

@fukusuket (Collaborator, Author)

FYI: Also, we can use the following info from GitHub Actions (Win-2019/2022/2025):

```
auditpol /list /subcategory:* /r
Category/Subcategory,GUID
System,{69979848-797A-11D9-BED3-505054503030}
  Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030}
  Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030}
  System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030}
...
```

```
auditpol /get /category:*
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
...
```

```
Get-WinEvent -ListLog * | Select-Object LogName, MaximumSizeInBytes
LogName                                           MaximumSizeInBytes
-------                                           ------------------
Application                                                 20971520
HardwareEvents                                              20971520
Internet Explorer                                            1052672
Key Management Service                                      20971520
Security                                                    20971520
System                                                      20971520
...
```
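The `auditpol /get /category:*` listing above is exactly what a practitioner would check against the Security Event IDs that Sigma rules depend on, because an ID whose audit subcategory is set to "No Auditing" will never reach the Security log no matter how many rules reference it. The script below is an added example (not code from the InvestigateWindowsLogSetting prototype): it parses that human-readable listing and reports which IDs the policy will never produce. The `EID_SUBCATEGORY` map is an assumed excerpt (Microsoft's audit policy documentation is the authority for the full list), and the auditpol text is constructed to mirror the one pasted above.

```python
"""Check an `auditpol /get /category:*` listing against the Security Event IDs
that Sigma rules depend on and report which IDs the policy will never produce.
Added example, not part of the InvestigateWindowsLogSetting prototype; the
EID -> subcategory map is an assumed excerpt and the listing is constructed."""
import re

# Constructed excerpt in the layout auditpol prints (English locale, two-space
# indent for subcategories), mirroring the output pasted in this thread.
SAMPLE_AUDITPOL = """Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Special Logon                           Success
Object Access
  Registry                                No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
Detailed Tracking
  Process Creation                        No Auditing
"""

# Assumed excerpt: Security Event ID -> (audit subcategory, outcome that must be
# audited).  4657 additionally needs a SACL on the key; that is not checked here.
EID_SUBCATEGORY = {
    4688: ("Process Creation", "Success"),
    4657: ("Registry", "Success"),
    5156: ("Filtering Platform Connection", "Success"),
    4624: ("Logon", "Success"),
    4625: ("Logon", "Failure"),
    4672: ("Special Logon", "Success"),
    4698: ("Other Object Access Events", "Success"),
    4697: ("Security System Extension", "Success"),
}

SETTING_RE = re.compile(
    r"^ {2}(\S.*?) {2,}(No Auditing|Success and Failure|Success|Failure)\s*$")


def parse_auditpol(text):
    """Return {subcategory: setting} from the human-readable listing."""
    policy = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            policy[m.group(1)] = m.group(2)
    return policy


def setting_covers(actual, needed):
    """True if the configured setting emits the outcome the event needs."""
    return actual == "Success and Failure" or actual == needed


def audit_gaps(policy, event_ids):
    """Split event_ids into (collected, missing); entries are (eid, subcategory, setting).
    A subcategory absent from the listing is treated as 'No Auditing'."""
    collected, missing = [], []
    for eid in event_ids:
        subcategory, needed = EID_SUBCATEGORY[eid]
        actual = policy.get(subcategory, "No Auditing")
        bucket = collected if setting_covers(actual, needed) else missing
        bucket.append((eid, subcategory, actual))
    return collected, missing


if __name__ == "__main__":
    policy = parse_auditpol(SAMPLE_AUDITPOL)
    ok, gaps = audit_gaps(policy, sorted(EID_SUBCATEGORY))
    for eid, sub, setting in gaps:
        print(f"EID {eid} will not be logged: '{sub}' is set to '{setting}'")
    print(f"{len(ok)} of {len(EID_SUBCATEGORY)} mapped Security event IDs are being audited")
```

On a real host, pipe the output of `auditpol /get /category:*` into `parse_auditpol` instead of the constructed sample; the `/r` (CSV) form shown above would need a different parser, but the same mapping and gap logic apply.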

@fukusuket (Collaborator, Author) commented Jan 20, 2025

Top 20 Security Event IDs

| EventId | Event | Count | Percentage |
| --- | --- | --- | --- |
| 4688 | Process created | 1299 | 77.97% |
| 4657 | Registry value modified | 265 | 15.91% |
| 5156 | Firewall allowed a connection | 40 | 2.40% |
| 4624 | Logon success | 17 | 1.02% |
| 4625 | Logon failure | 5 | 0.30% |
| 4648 | Explicit logon | 4 | 0.24% |
| 4728 | Member added to security-enabled global group | 3 | 0.18% |
| 4769 | Kerberos service ticket requested | 2 | 0.12% |
| 4720 | User account created | 2 | 0.12% |
| 4732 | Member added to security-enabled local group | 2 | 0.12% |
| 4634 | Account logoff | 2 | 0.12% |
| 5379 | Credential Manager credentials were read | 2 | 0.12% |
| 4611 | A trusted logon process has been registered with the Local Security Authority | 2 | 0.12% |
| 4768 | Kerberos authentication ticket (TGT) requested | 2 | 0.12% |
| 4673 | Privileged service called | 1 | 0.06% |
| 5038 | Code Integrity invalid file hash | 1 | 0.06% |
| 4698 | Scheduled task created | 1 | 0.06% |
| 6410 | Code integrity determined that a file does not meet the security requirements to load into a process | 1 | 0.06% |
| 4672 | Admin logon | 1 | 0.06% |
| 4697 | Service installed | 1 | 0.06% |

Top 20 Sigma log sources

| Category/Service | Channel/EventID | Count | Percentage | Rules | Source |
| --- | --- | --- | --- | --- | --- |
| process_creation | Microsoft-Windows-Sysmon/Operational:1; Security:4688 | 2679 | 58.19% | 2679 | sysmon |
| registry_set | Microsoft-Windows-Sysmon/Operational:13 | 430 | 9.34% | 430 | sysmon |
| security | Security | 251 | 5.45% | 251 | default |
| file_event | Microsoft-Windows-Sysmon/Operational:11 | 207 | 4.50% | 207 | sysmon |
| ps_script | Microsoft-Windows-PowerShell/Operational,PowerShellCore/Operational:4104 | 184 | 4.00% | 184 | default |
| image_load | Microsoft-Windows-Sysmon/Operational:7 | 119 | 2.58% | 119 | sysmon |
| network_connection | Microsoft-Windows-Sysmon/Operational:3; Security:5156 | 104 | 2.26% | 104 | sysmon |
| system | System | 94 | 2.04% | 94 | default |
| registry_event | Microsoft-Windows-Sysmon/Operational:12,13,14; Security:4657 | 80 | 1.74% | 80 | sysmon |
| sysmon | Microsoft-Windows-Sysmon/Operational | 62 | 1.35% | 62 | sysmon |
| ps_module | Microsoft-Windows-PowerShell/Operational,PowerShellCore/Operational:4103 | 35 | 0.76% | 35 | sysmon |
| process_access | Microsoft-Windows-Sysmon/Operational:10 | 32 | 0.70% | 32 | sysmon |
| driver_load | Microsoft-Windows-Sysmon/Operational:6 | 32 | 0.70% | 32 | sysmon |
| application | Application | 30 | 0.65% | 30 | default |
| dns_query | Microsoft-Windows-Sysmon/Operational:22 | 24 | 0.52% | 24 | sysmon |
| windefend | Microsoft-Windows-Windows Defender/Operational | 21 | 0.46% | 21 | default |
| pipe_created | Microsoft-Windows-Sysmon/Operational:17,18 | 20 | 0.43% | 20 | sysmon |
| registry_add | Microsoft-Windows-Sysmon/Operational:12; Security:4657 | 20 | 0.43% | 20 | sysmon |
| create_remote_thread | Microsoft-Windows-Sysmon/Operational:8 | 16 | 0.35% | 16 | sysmon |
| file_delete | Microsoft-Windows-Sysmon/Operational:23,26 | 14 | 0.30% | 14 | sysmon |

@YamatoSecurity (Contributor)

> Sample markdown is as follows. For the first table, I would like to add a column for the Event ID description, is there a good source for automatically retrieving the ID description?🤔 (If not, I will create the *.txt file manually!)

Sample markdown tables look great! You can use this config file for the EID to title mapping:
https://github.com/Yamato-Security/hayabusa-rules/blob/main/config/channel_eid_info.txt

@fukusuket (Collaborator, Author)

@YamatoSecurity
We are still investigating whether the graphs could look a little better, but for the most part we were able to implement the automatic process! What do you think?🤔

@YamatoSecurity (Contributor)

@fukusuket Looks great! Just one question, why is it sysmon/non-default? Shouldn't it just be non-default in the pie graph?

@fukusuket (Collaborator, Author)

@YamatoSecurity Thank you for checking!
I was thinking of the following, but I wonder if I have misunderstood how to classify sysmon/non-default?

process_creation
↓
Microsoft-Windows-Sysmon/Operational:1 (sysmon)
Security:4688 (non-default)

@YamatoSecurity (Contributor)

I see... Is it possible to separate it, so count process_creation as both a non-default security event and also a sysmon event? I want the non-default category to represent just events that are built-in but not enabled by default.

@fukusuket (Collaborator, Author)

@YamatoSecurity I see, OK! I'll try to classify them in the above categories!💪
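The classification discussed in this thread (a category such as process_creation maps to both a Sysmon channel and a built-in Security event, and should be counted once under sysmon and once under non-default) is small enough to show end to end. The script below is an added example, not code from the InvestigateWindowsLogSetting prototype or from hayabusa-rules: it pulls the logsource block and EventID values out of rule text without a YAML library, maps each rule to its channel/EventID pairs, counts rules per source class and per Security Event ID, and renders the Security table in the same markdown shape as the tables above. `CATEGORY_MAP`, `SERVICE_MAP` and `EID_TITLES` are hand-written excerpts assumed from the thread's tables (not read from channel_eid_info.txt), and the three rules are constructed for the demo.

```python
"""Count Sigma rules per logsource and per Security Event ID, classifying each
(category, channel) pair as sysmon, default or non-default. Added example: the
maps are assumed excerpts of the thread's tables (not channel_eid_info.txt)
and the rules below are constructed, trimmed Sigma rules."""
import re
from collections import Counter

SAMPLE_RULES = [
r"""title: Whoami Execution (constructed)
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\whoami.exe'
    condition: selection
""",
r"""title: Group Membership Change (constructed)
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 4728
            - 4732
    condition: selection
""",
r"""title: Security Log Cleared (constructed)
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 1102
    condition: selection
""",
]

# Assumed map: category -> [(channel, event_ids, source_class)].  sysmon = needs
# Sysmon; default = built-in channel on by default; non-default = built-in
# Security subcategory off by default.  process_creation counts once per class.
CATEGORY_MAP = {
    "process_creation": [("Microsoft-Windows-Sysmon/Operational", [1], "sysmon"),
                         ("Security", [4688], "non-default")],
    "registry_set":     [("Microsoft-Windows-Sysmon/Operational", [13], "sysmon")],
}
SERVICE_MAP = {"security": ("Security", "default"), "system": ("System", "default")}
EID_TITLES = {4688: "Process created", 1102: "Audit log cleared",  # constructed subset
              4728: "Member added to security-enabled global group",
              4732: "Member added to security-enabled local group"}
EVENT_ID_RE = re.compile(r"EventID:[ \t]*(\d+)?[ \t]*\n((?:[ \t]+-[ \t]*\d+[ \t]*\n)*)")

def parse_logsource(rule_text):
    """Return the key/value pairs of the rule's top-level logsource block."""
    fields, inside = {}, False
    for line in rule_text.splitlines():
        if line.startswith("logsource:"):
            inside = True
        elif inside and not line.startswith((" ", "\t")):
            break                                   # next top-level key ends the block
        elif inside:
            key, _, value = line.strip().partition(":")
            fields[key] = value.strip()
    return fields

def extract_event_ids(rule_text):
    """EventID values in scalar or list form (modifiers such as EventID|... are ignored)."""
    m = EVENT_ID_RE.search(rule_text)
    scalar = [int(m.group(1))] if m and m.group(1) else []
    return scalar + ([int(x) for x in re.findall(r"-[ \t]*(\d+)", m.group(2))] if m else [])

def classify(rule_text):
    """Map one rule to [(name, channel, event_ids, source_class)]; [] if unmapped."""
    ls = parse_logsource(rule_text)
    if ls.get("category") in CATEGORY_MAP:
        return [(ls["category"], ch, ids, cls) for ch, ids, cls in CATEGORY_MAP[ls["category"]]]
    if ls.get("service") in SERVICE_MAP:
        ch, cls = SERVICE_MAP[ls["service"]]
        return [(ls["service"], ch, extract_event_ids(rule_text), cls)]
    return []

def summarize(rules):
    """(Counter (name, source_class) -> rules, Counter Security EID -> rules)."""
    by_source, by_security_eid = Counter(), Counter()
    for text in rules:
        for name, channel, ids, cls in classify(text):
            by_source[(name, cls)] += 1
            if channel == "Security":
                for eid in ids:
                    by_security_eid[eid] += 1
    return by_source, by_security_eid

def eid_table(by_eid):
    """Markdown table of Security Event IDs with title, rule count and share."""
    total = sum(by_eid.values())
    rows = ["| EventId | Event | Count | Percentage |", "| --- | --- | --- | --- |"]
    rows += [f"| {eid} | {EID_TITLES.get(eid, '(title unknown)')} | {n} | {100 * n / total:.2f}% |"
             for eid, n in by_eid.most_common()]
    return "\n".join(rows)
```

Running `summarize` over a checkout of the rules directory (reading each `.yml` into the list in place of `SAMPLE_RULES`) and printing `eid_table` reproduces the shape of the first table above; the pie chart split then comes straight from `by_source`, where process_creation appears under both `sysmon` and `non-default` while `service: security` rules stay under `default`.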
