configuring-windows-event-logging-for-detection
Configuring Windows Event Logging for Detection
When to Use
Use this skill when:
- Configuring Windows Advanced Audit Policy for security monitoring
- Enabling process creation auditing with command line logging (Event 4688)
- Setting up logon/logoff auditing for authentication monitoring
- Sizing event log storage and forwarding to SIEM platforms
Do not use for Sysmon configuration (separate skill) or Linux audit logging.
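The four tasks in the list above, applied to a single host and then verified, as an added example that is not part of this skill page or its author's material. It uses auditpol, wevtutil and the documented policy registry values. The collector name wec.example.internal, the 1 GB Security log size, the chosen subcategory set and the English-language auditpol output the verification parses are assumptions for illustration; in a domain the same settings belong in a GPO, which overrides local auditpol changes.

```powershell
# Added example: configure and verify the audit settings this skill covers on one host.
# Run from an elevated PowerShell prompt. Collector name, log size and subcategory list
# are illustrative assumptions; put the same settings in a GPO for domain-wide use.
$ErrorActionPreference = 'Stop'

# 1. Make the Advanced Audit Policy subcategories authoritative over legacy category settings
#    (the "Force audit policy subcategory settings" policy writes this value).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 2. Subcategories behind the events this skill targets: Process Creation -> 4688,
#    Logon/Logoff -> 4624/4625/4634/4647, Special Logon -> 4672, Account Lockout -> 4740.
$subcategories = @('Process Creation', 'Logon', 'Logoff', 'Special Logon', 'Account Lockout')
foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 3. 4688 without the command line is of little detection value; this is the value set by
#    "Include command line in process creation events".
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 4. Size the Security log so it holds a useful window before wrapping. 4688 with command
#    lines drives most of the volume; 1 GB is an assumed starting point, tune from observed rate.
$securityLogBytes = 1GB
wevtutil.exe sl Security /ms:$securityLogBytes /rt:false | Out-Null   # /rt:false = overwrite oldest

# 5. Point the host at a Windows Event Collector so the SIEM reads from one place.
#    Collector FQDN is an assumption; the host also needs WinRM enabled and a collector
#    subscription that targets it.
$wefKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $wefKey -Force | Out-Null
Set-ItemProperty -Path $wefKey -Name '1' -Type String `
    -Value 'Server=http://wec.example.internal:5985/wsman/SubscriptionManager/WEC,Refresh=60'

# Verification: confirm each setting took effect and that new 4688 events carry a command line.
function Test-AuditConfig {
    $result = [ordered]@{}
    foreach ($sub in $subcategories) {
        # Subcategory rows are indented; the anchor avoids matching the "Logon/Logoff" category row.
        $pattern = '^\s+' + [regex]::Escape($sub) + '\s'
        $row = auditpol.exe /get /subcategory:"$sub" | Select-String -Pattern $pattern | Select-Object -First 1
        $result[$sub] = [bool]($row.Line -match 'Success and Failure')
    }
    $cmdValue = Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -ErrorAction SilentlyContinue
    $result['CmdLineInEvent4688'] = ($cmdValue.ProcessCreationIncludeCmdLine_Enabled -eq 1)
    $result['SecurityLogMaxMB']   = [math]::Round((Get-WinEvent -ListLog Security).MaximumSizeInBytes / 1MB)

    # The CommandLine field stays empty in events written before the policy applied, so count
    # how many of the most recent 4688 events actually populate it.
    $recent = @(Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4688} -MaxEvents 20 -ErrorAction SilentlyContinue)
    $withCmd = 0
    foreach ($e in $recent) {
        $xml = [xml]$e.ToXml()
        $cmd = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        if (-not [string]::IsNullOrEmpty($cmd)) { $withCmd++ }
    }
    $result['Recent4688WithCommandLine'] = "$withCmd of $($recent.Count)"
    [pscustomobject]$result
}

Test-AuditConfig | Format-List
```

Run the script once, start a process, and run Test-AuditConfig again: the Recent4688WithCommandLine count should rise as new events arrive, while older events keep an empty CommandLine field. If a subcategory reports false after a gpupdate, a GPO is setting that subcategory and the change has to be made there.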
Prerequisites
- Windows Server or Windows 10/11 systems with Group Policy management access
- Active Directory environment with Group Policy Object (GPO) creation privileges
- SIEM platform configured to receive Windows Event Log forwarding
- Understanding of Windows security event IDs and audit categories