Is there a package for EventSentry which includes the events listed in the document "Spotting the Adversary with Windows Event Log Monitoring"?

Article ID: 338
Category: Configuration
Applies to: 3.3 and higher
Updated: 2018-11-07

The National Security Agency (NSA) and the Central Security Service (CSS) published the document "Spotting the Adversary with Windows Event Log Monitoring", which, in section 4, lists a number of events that are recommended for collection by a log / SIEM monitoring solution.

We have made an EventSentry package file available for download which includes all events listed in section 4 (with the exception of events targeting Windows XP, which have been omitted).

The event log rules contained in the downloadable package are based on the version of the document published on 2/28/2013.

To import the package, follow these steps:

  1. Download and unzip the file
  2. Open the EventSentry Management Console
  3. Right-click the "Packages" container
  4. Select "Import Packages"
  5. Browse to the es_nsa.reg file
  6. Select "Import Now" and wait for the import to complete
  7. Review the various packages starting with "4." and make any necessary customizations, such as assigning different actions.