Hi, is there a way to get process events in window...
# generalm
MoodyMudit
07/14/2021, 7:33 AMHi, is there a way to get process events in windows using osqueryd? I know that we can use process_events table for Linux, but is there something similar for windows too?
s
seph
07/14/2021, 10:52 AM
There's an event in the event log. You can enable that and look for it.
m
MoodyMudit
07/15/2021, 6:11 PMIs there a particular table for that in osquery?
s
seph
07/15/2021, 6:11 PM
The windows_events table
t
theopolis
07/16/2021, 1:05 PM
We do not have a great walk through about how to do this. Here are the flags that you set to enable this data on windows; https://osquery.readthedocs.io/en/stable/installation/cli-flags/#windows-only-events-control-flags
theopolis
07/16/2021, 1:06 PM
It would be great to have a blog article where someone walks through the end to end of enabling the right windows event channels for process auditing and shows how to tweak and optimize this data.
m
MoodyMudit
07/26/2021, 2:53 PMIt would be great if there was such a walkthrough. Currently, I just wanted to collect process_events, but looks like this table collects all types of logs.
8 Views