Sysmon
Sysmon Event IDs worth monitoring:
Event ID 1: Process Creation
Event ID 3: Network Connection
Event ID 7: Image Loaded
Event ID 8: CreateRemoteThread
Event ID 11: File Created
Event ID 12 / 13 / 14: Registry Event
Event ID 15: FileCreateStreamHash
Event ID 22: DNS Event
Filtering syntax (XPath):
Filter by Event ID:
*/System/EventID=<ID>
Filter by XML Attribute/Name:
*/EventData/Data[@Name="<XML Attribute/Name>"]
Filter by Event Data:
*/EventData/Data=<Data>
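The three filter types above, applied to the Sysmon operational log with Get-WinEvent -FilterXPath and written in the bracketed *[System[...]] form that Event Viewer's Custom Filter dialog generates. This is an added example, not part of the original notes; the log name is Sysmon's default channel, while the parent image path, the 100-event cap and the Get-SysmonField helper are assumptions chosen for the example.

```powershell
# Added example: query Sysmon events by ID, by named EventData field and by data value.
# Assumes Sysmon is installed and the shell is elevated enough to read the channel.
$Log = 'Microsoft-Windows-Sysmon/Operational'

# Helper (assumed, not a Sysmon or PowerShell built-in): pull named EventData fields
# out of an event's XML so the result can be inspected as a table.
function Get-SysmonField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string[]]$Name
    )
    $xml = [xml]$Event.ToXml()
    $out = [ordered]@{ EventID = $Event.Id; Time = $Event.TimeCreated }
    foreach ($n in $Name) {
        # Each <Data Name="..."> element holds one field; '#text' is its value
        $out[$n] = ($xml.Event.EventData.Data | Where-Object Name -eq $n).'#text'
    }
    [pscustomobject]$out
}

# 1) Filter by Event ID: process creation (ID 1) only.
#    -ErrorAction SilentlyContinue: Get-WinEvent raises an error, not an empty
#    result, when no event matches the filter.
$ProcCreate = Get-WinEvent -LogName $Log -MaxEvents 100 `
    -FilterXPath '*[System[EventID=1]]' -ErrorAction SilentlyContinue
$ProcCreate | ForEach-Object { Get-SysmonField $_ 'Image','CommandLine','ParentImage','User' } |
    Format-Table -AutoSize

# 2) Filter by XML attribute name plus data value: ID 1 events whose ParentImage
#    field equals the (assumed) PowerShell path. Data[@Name='...'] selects the field,
#    the trailing ='...' constrains its value.
$Parent = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$XPath  = "*[System[EventID=1] and EventData[Data[@Name='ParentImage']='$Parent']]"
$Children = Get-WinEvent -LogName $Log -MaxEvents 100 -FilterXPath $XPath -ErrorAction SilentlyContinue
$Children | ForEach-Object { Get-SysmonField $_ 'Image','CommandLine' } | Format-Table -AutoSize

# 3) Filter by event data across several IDs: network connections (ID 3) and
#    DNS queries (ID 22), then show the fields that matter for each.
$NetDns = Get-WinEvent -LogName $Log -MaxEvents 100 `
    -FilterXPath '*[System[EventID=3 or EventID=22]]' -ErrorAction SilentlyContinue
$NetDns | ForEach-Object {
    Get-SysmonField $_ 'Image','DestinationIp','DestinationPort','QueryName'
} | Format-Table -AutoSize
```

Run one query with a small -MaxEvents first and look at $ProcCreate[0].ToXml() to confirm the exact Data Name values your Sysmon version and config emit before building stricter filters.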