A comprehensive Streamlit application for comparing and analyzing Windows Event Log audit settings across different security baseline guides. This tool provides a user-friendly interface to visualize differences in audit settings, assess their impact on detection rule effectiveness, and make informed decisions about Windows Event Log configurations. It leverages over 4,000 Sigma rules and audit baselines to visualize detection coverage before and after applying specific configurations.
https://yamato-security-eventlog-baseline-guide-streamlit-app-gwlyjo.streamlit.app/
Compare audit settings across multiple authoritative sources:
- Windows Default: Microsoft's default configuration
- YamatoSecurity: Community-driven security configurations
- Australian Signals Directorate: Government security recommendations
- Microsoft Server: Server-specific recommendations
- Microsoft Client: Client-specific recommendations
The analysis views include:
- Audit Settings Analysis: Detailed breakdown of recommended vs. default settings
- Log File Size Recommendations: Optimal log retention settings
- Sigma Rule Statistics: Impact analysis on detection rule effectiveness
- Service and Category Breakdown: Granular analysis by Windows services and categories
The application uses an intuitive color-coding system:
- 🟡 Yellow: Changes required from default settings
- 🟢 Pale Green: Default settings are acceptable
- ⚪ Light Gray: No auditing required or no recommendations available
The tool helps answer critical questions:
- Which audit settings need to be changed from defaults?
- How do different baseline guides compare?
- What's the impact on detection rule effectiveness?
- Which Windows services are most affected by configuration changes?
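The "impact on detection rule effectiveness" and "which settings need to change" questions above come down to one mapping: each Sigma rule needs certain Event IDs, each Event ID is produced by one audit subcategory and outcome, and a baseline either audits that outcome or not. The script below is an added illustration, not the project's own code; the Event ID table, the two baselines (DEFAULT_LIKE and HARDENED) and the Sigma-like rules are constructed and simplified, so the numbers are for demonstration only.

```python
# Added example (not the project's code): estimate which Sigma rules an audit
# baseline makes usable, and which subcategories differ from the default.
from typing import Dict, Set, Tuple
# Constructed table: Event ID -> (audit subcategory, outcome that generates it).
EVENT_SOURCE: Dict[int, Tuple[str, str]] = {
    4624: ("Logon", "Success"),
    4625: ("Logon", "Failure"),
    4688: ("Process Creation", "Success"),
    4698: ("Other Object Access Events", "Success"),
    4720: ("User Account Management", "Success"),
    5145: ("Detailed File Share", "Success"),
}
# Constructed baselines: subcategory -> audited outcomes (not real guide values).
DEFAULT_LIKE = {"Logon": {"Success", "Failure"}, "User Account Management": {"Success"}}
HARDENED = {"Logon": {"Success", "Failure"},
            "Process Creation": {"Success"},
            "Other Object Access Events": {"Success", "Failure"},
            "User Account Management": {"Success", "Failure"}}
# Constructed minimal Sigma-like rules: name -> Event IDs the detection needs.
SIGMA_RULES: Dict[str, Set[int]] = {
    "proc_creation_suspicious_cmdline": {4688},
    "logon_then_proc_creation": {4624, 4688},
    "sched_task_created": {4698},
    "failed_logon_burst": {4625},
    "new_user_account": {4720},
    "admin_share_access": {5145},
}

def event_is_audited(event_id: int, baseline: Dict[str, Set[str]]) -> bool:
    subcategory, outcome = EVENT_SOURCE[event_id]
    return outcome in baseline.get(subcategory, set())

def covered_rules(baseline: Dict[str, Set[str]]) -> Set[str]:
    # A rule counts only when every Event ID it relies on is actually logged.
    return {name for name, ids in SIGMA_RULES.items()
            if all(event_is_audited(eid, baseline) for eid in ids)}

def compare_coverage(before, after) -> Dict[str, list]:
    """Rules gained, lost and unchanged when moving from one baseline to another."""
    b, a = covered_rules(before), covered_rules(after)
    return {"gained": sorted(a - b), "lost": sorted(b - a), "unchanged": sorted(a & b)}

def settings_to_change(default, baseline) -> Dict[str, Set[str]]:
    """Subcategories the baseline audits beyond the default (the 'yellow' rows)."""
    return {sub: outs - default.get(sub, set())
            for sub, outs in baseline.items() if outs - default.get(sub, set())}

if __name__ == "__main__":
    print(compare_coverage(DEFAULT_LIKE, HARDENED))
    print(settings_to_change(DEFAULT_LIKE, HARDENED))
```

Note that a rule is only counted as covered when all of its Event IDs are audited, so a detection spanning two subcategories stays uncovered until both are enabled.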
```bash
git clone https://github.com/Yamato-Security/EventLog-Baseline-Guide.git
cd EventLog-Baseline-Guide
pip install -r requirements.txt
streamlit run streamlit_app.py
```
References and related projects:
- A Data-Driven Approach to Windows Advanced Audit Policy – What to Enable and Why
- Audit Policy Recommendations
- Configure audit policies for Windows event logs
- EnableWindowsLogSettings
- Windows event logging and forwarding
- mdecrevoisier/Windows-auditing-baseline
- palantir/windows-event-forwarding
We would love any form of contribution. Pull requests, rule creation and sample evtx logs are the best, but feature requests, bug reports, etc. are also very welcome. At the least, if you like our tool then please give us a star on GitHub and show your support!
This project is licensed under the MIT License. See the LICENSE file for details.
This tool is designed to help security professionals make informed decisions about Windows event log configuration based on established security baselines and their impact on detection rule effectiveness.