Found via cyber-ir.com: This paper is the best I have ever read on how to build IOCs with Windows Event IDs. I highly recommend that you read it; it contains very useful information and some very interesting behavioural examples of attacker activity. If you are looking to enhance your detection in your core network, this is the document!
This is a paper by María del Carmen Prudente Tixteco, Lidia Prudente Tixteco, Gabriel Sánchez Pérez, Linda Karina Toscano Medina (keywords: indicators of compromise; windows event logs; intrusion detection), for the Eleventh International Conference on Internet Monitoring and Protection.
Nowadays, computer attacks and intrusions have become more common, affecting the confidentiality, integrity or availability of computer systems. They are more sophisticated, making the job of information security analysts more complicated, mainly because the attack vectors are more robust and complex to identify. One of the main resources that information security people have at their disposal is Indicators of Compromise (IOCs), which allow the identification of potentially malicious activity on a system or network. Usually IOCs are made of virus signatures, IP addresses, URLs or domains and some other elements, which are not sufficient to detect an intrusion or malicious activity on a computer system. The Windows event logs register different activities in a Windows® operating system that are valuable elements in a forensic analysis process. IOCs can be generated using Windows event logs for intrusion detection, improving Incident Response (IR) and forensic analysis processes. This paper presents a procedure to generate IOCs using Windows event logs to achieve a more efficient diagnosis of computer systems for IR.
The relevant pages are available for download from ThinkMind:
The SANS InfoSec Handlers Diary Blog runs a series, Windows Events log for DFIR:
In the time of incidents, Windows Event logs provide plenty of useful information for the incident responder. As you know, Windows can generate thousands of events in a few minutes. In this diary I will talk about some of the most useful events, and in the next diary I will discuss how to use PowerShell to search for them.
Here are some of the most useful events for Forensics/Incident response:
Read the full post (part 1) here: https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/.