Windows Telemetry Lab – Sysmon + Event ID 4688 + Splunk (Phase 1) Hands-on endpoint logging lab: Sysmon installation, Windows process telemetry, and SIEM ingestion.

Windows Telemetry Lab – Phase 1

Process Creation Logging (4688) + Sysmon Verification + Splunk Ingestion

🎯 Objective

Build a foundational Windows telemetry lab to understand how process creation data flows from an endpoint into a SIEM. This includes installing Sysmon, enabling Windows Security logging (Event ID 4688), and ingesting logs into Splunk Enterprise for analysis.


🧱 Environment Setup

Platform: VirtualBox
OS: Windows 10 Home (unactivated, legal for lab use)
SIEM: Splunk Enterprise (local install)
Telemetry Sources:

  • Windows Security Logs (4688)
  • Sysmon (Event ID 1, 3) – verified in PowerShell

⚙️ Sysmon Installation & Verification

✔ Installed Sysmon using:

.\Sysmon64.exe -i -accepteula

✔ Verified service status:

Get-Service sysmon

✔ Verified Sysmon log channel exists:

Get-WinEvent -ListLog *sysmon*

✔ Verified Sysmon is generating events:

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'} -MaxEvents 5

🔐 Windows Security Logging (4688) Enabled

Since Windows 10 Home does not include secpol.msc, auditing was enabled manually:

✔ Enable process creation auditing:

auditpol /set /subcategory:"Process Creation" /success:enable

✔ Enable command-line logging:

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

✔ Verified via PowerShell:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 5
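An added PowerShell check that is not part of the original lab: it ties the Sysmon verification and the 4688 steps above together by confirming the audit policy and registry value took effect, then parsing recent 4688 events to show whether the CommandLine field is actually populated. Assumes an elevated session on the lab VM and English auditpol output.

```powershell
# Added example (not from the original lab). Run elevated on the lab VM.
function Test-ProcessCreationTelemetry {
    param([int]$MaxEvents = 20)

    # 1. Audit policy for the subcategory the lab's auditpol command enabled.
    $audit   = auditpol /get /subcategory:"Process Creation" 2>$null
    $auditOn = ($audit -join "`n") -match 'Success'

    # 2. Registry value from the lab's reg add (command line in 4688 events).
    $regPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $regVal  = Get-ItemProperty -Path $regPath -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
    $cmdLineOn = ($regVal.ProcessCreationIncludeCmdLine_Enabled -eq 1)

    # 3. Sysmon service state and recent Event ID 1 (process create) count.
    $sysmonRunning = (Get-Service sysmon -ErrorAction SilentlyContinue).Status -eq 'Running'
    $sysmonEvents  = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} `
                        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    # 4. Recent 4688 events, parsed from XML into the fields Splunk will extract.
    $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time           = $e.TimeCreated
            NewProcessName = $d['NewProcessName']
            ParentProcess  = $d['ParentProcessName']
            CommandLine    = $d['CommandLine']
        }
    }
    # An empty CommandLine on every event means the registry value has not taken
    # effect yet; only processes started after the policy applies carry it.
    $cmdLinePopulated = (@($rows | Where-Object { $_.CommandLine })).Count -gt 0

    [pscustomobject]@{
        AuditPolicyEnabled   = $auditOn
        CmdLineRegistryOn    = $cmdLineOn
        SysmonRunning        = $sysmonRunning
        SysmonEventId1Count  = @($sysmonEvents).Count
        Count4688            = @($events).Count
        CommandLinePopulated = $cmdLinePopulated
        Sample               = @($rows | Select-Object -First 5)
    }
}

$result = Test-ProcessCreationTelemetry
$result | Select-Object -Property * -ExcludeProperty Sample | Format-List
$result.Sample | Format-Table -AutoSize -Wrap
```

If CommandLinePopulated is false while CmdLineRegistryOn is true, start a new process (for example, open a second PowerShell window) and rerun the check.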

📊 Splunk Setup & Ingestion

✔ Installed Splunk Enterprise locally

✔ Resolved service hang & PID lock issues

✔ Confirmed Splunkd running:

cd "C:\Program Files\Splunk\bin"
.\splunk status

✔ Successfully ingested Windows Security logs:

  • EventCode=4688 visible in Splunk
  • Confirmed with:
index=* EventCode=4688

⚠️ Sysmon → Splunk ingestion TBD in Lab 2

Sysmon is logging correctly on Windows and visible in PowerShell, but ingestion into Splunk will be completed in the next lab to avoid blocking initial project completion.


📸 Screenshots

Screenshots included in /images folder for:

  • Sysmon service running
  • PowerShell Sysmon log verification
  • 4688 event in Splunk
  • Splunk Web UI running
  • Security auditing commands

🧠 What I Learned

  • How to install and validate Sysmon logging
  • How Windows generates and stores process creation telemetry
  • How to enable command-line auditing even on Windows Home
  • How to install, repair, and restart Splunk safely
  • Real-world troubleshooting:
    • Event Viewer snap-in failures
    • Splunkd service stuck in "Starting"
    • PID lock issues
    • VirtualBox ISO/boot errors
    • Clipboard integration not enabled by default
  • How data flows from endpoint → event logs → SIEM
  • Foundation for building detections based on process telemetry

🚀 Next Steps (Lab 2)

  • Add Sysmon → Splunk ingestion
  • Build custom SPL searches
  • Compare Sysmon Event ID 1 vs. Windows 4688
  • Start identifying suspicious process behaviors
  • Begin first detection rule write-up
