Dashboards used for Sys Admin security monitoring and alerting. TIP: Set up dashboard alerts so you don't have to physically check all your dashboards.
Current Version
1.0.0
Last Release Date
October 19, 2016
Owner
Eric
Download URL
https://exchange.nagios.org/wp-content/uploads/project-files/2016/10/Logon_Logoff data-1476822218536
License
GPL
Compatible With
Logon_Logoff
Firewall
RDP
Wifi_Using_LDAP
My strategy is to use Nagios Log Server as a hunting tool:
1. Create a dashboard with about 10 panels, each one monitoring a different field.
2. Search for processes, .exe or other events and see what each is doing.
3. Once a result looks good, make a new dashboard and set an "Alert" to e-mail you when a new event occurs.
======================================================
Windows Auditpol/EventLogs:
The custom audit policy I used to gather my log data is based on Randy Franklin Smith's webpage:
(https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Policy-for-Windows-Server-2008)
Mr. Smith's list edits the auditpol to specifically reduce "loud" MS Windows logs, which send too much data while not providing much value for the average Tech.
======================================================
Dashboards: (Some dashboards should NOT have any events if a computer has no issues; you can test this by extending the dashboard to 30+ days to find alerts.)
The dashboards are based off of "Spotting-the-adversary-with-windows-event-log-monitoring":
https://www.iad.gov/iad/library/ia-guidance/security-configuration/applications/spotting-the-adversary-with-windows-event-log-monitoring.cfm
Please verify that you are getting "Good" data before fully trusting any dashboard. I'm not a MS Windows Pro but if YOU ARE, I'm happy to make corrections to the above dashboards.