Windows auditing mindmap provides a simplified view of Windows Event logs and auditing capacities that enables defenders to enhance visibility for different purposes:
- Log collection (eg: into a SIEM)
- Threat hunting
- Forensic / DFIR
- Troubleshooting
The following mindmaps are currently provided in PDF and PNG formats:
- Windows OS auditing baseline
- Windows Server roles auditing (includes SQL Server and Advanced Threat Analytics)
- Active Directory (ADDS) auditing
- Microsoft Azure auditing
- Exchange Server 2016/2019 auditing
This map provides an overview of the native Event logs shipped in Windows OS. They are classified into different categories (network, security, application,...) and their related auditing settings.
This map provides an overview of the different Event logs and auditing capacities provided by Windows Server roles (ADCS, DHCP, DNS, OCSP, IIS, NPS, ADFS, MSSQL, RDS...).
This map provides an overview of the different Event logs and auditing capacities provided by Active Directory (ADDS) role.
This map provides an overview of the different data sources provided in Azure, available via EventHub or API.
This map provides an overview of the different data sources provided by Exchange Server.