This repo contains guidance on setting up event logging. This guidance is broken up into sections, Defensive Readiness Condition (DEFCON), and intended to be applied from 5 (lowest) to 1 (highest).
| Readiness State | Description | Readiness Condition Features |
|---|---|---|
| DEFCON 1 | Breach imminent or occurred | Forensic imaging; Blocking techinques/tools (Server, Workstation, and Network) |
| DEFCON 2 | Enhanced Measures | Event Forwarding (Workstation); Threat Hunting |
| DEFCON 3 | Heightened Measures | Event Forwarding (Member Servers/apps); Network Device logging; Sysmon/EDR |
| DEFCON 4 | Increased Security Measures | Audit policies; Event Forwarding (Domain Controllers); Network Monitoring; Centralized logs |
| DEFCON 5 | Default Configurations | Vanilla OS/App/Device logging; No centralized logs |
Initial work on this project will be focused on Windows.
- Microsoft Active Directory is being used
- PowerShell 5 is being used
- A Windows Server running Windows Event Collector (WEC) services can be reached by all logged Windows endpoints.
GNUv3 - License