Starting point - Windows 8 and Windows Server 2012 Security Event Details: http://www.microsoft.com/en-us/download/details.aspx?id=35753
For example, Windows process tracking:

1) Enable Advanced Audit Policy Configuration -> Detailed Tracking -> Audit Process Creation (Success)

2) Create test OSSEC rule (/var/ossec/rules/msauth_rules.xml):

   <rule id="18160" level="3">
     <if_sid>18104</if_sid>
     <id>^4688$</id>
     <description>A new process has been created</description>
   </rule>

3) Create rule(s) according to your environment, for example:

   <rule id="18161" level="5">
     <if_sid>18160</if_sid>
     <id>^4688$</id>
     <match>cmd.exe</match>
     <description>CMD has been started</description>
   </rule>
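To see how the if_sid / id / match chain in those rules resolves against 4688 events, here is an added Python model of the two rules (example code written for this note, not OSSEC's rule engine and not the poster's own code); it assumes 18104 is the base Windows rule the post chains from and uses constructed sample events rather than captured logs.

```python
import re
from typing import Optional

# The two-rule chain from the post. 18104 is the OSSEC base Windows rule the
# post chains from; its own conditions are not modelled here (assumption).
RULES = [
    {"id": 18160, "level": 3, "if_sid": 18104, "id_re": r"^4688$",
     "match": None, "description": "A new process has been created"},
    {"id": 18161, "level": 5, "if_sid": 18160, "id_re": r"^4688$",
     "match": "cmd.exe", "description": "CMD has been started"},
]

# Constructed sample events: (event id, log text as the Windows decoder would
# hand it to the rule engine). These are made up for the example.
SAMPLE_EVENTS = {
    "cmd": ("4688", "WinEvtLog: Security: AUDIT_SUCCESS(4688): "
                    "New Process Name: C:\\Windows\\System32\\cmd.exe"),
    "notepad": ("4688", "WinEvtLog: Security: AUDIT_SUCCESS(4688): "
                        "New Process Name: C:\\Windows\\System32\\notepad.exe"),
    "logon": ("4624", "WinEvtLog: Security: AUDIT_SUCCESS(4624): "
                      "An account was successfully logged on"),
    # cmd.exe appears only in the command line, not as the new process:
    "mention": ("4688", "WinEvtLog: Security: AUDIT_SUCCESS(4688): "
                        "New Process Name: C:\\Windows\\System32\\WindowsPowerShell"
                        "\\v1.0\\powershell.exe Process Command Line: "
                        "powershell.exe -Command Get-Process cmd.exe"),
}

def evaluate(event_id: str, log: str, base_sid: int = 18104) -> Optional[dict]:
    """Walk the chain the way OSSEC does: a rule is considered only if its
    <if_sid> rule already fired, then its <id> regex must match the event id
    and its <match> string (if any) must occur anywhere in the log text.
    The last (most specific) rule that fires is the one reported."""
    fired_sid = base_sid
    fired: Optional[dict] = None
    for rule in RULES:
        if rule["if_sid"] != fired_sid:
            continue
        if not re.search(rule["id_re"], event_id):
            continue
        if rule["match"] is not None and rule["match"] not in log:
            continue
        fired_sid = rule["id"]
        fired = rule
    return fired

def alert_level(event_id: str, log: str) -> int:
    """Level of the winning rule, or 0 when nothing in the chain fires."""
    rule = evaluate(event_id, log)
    return rule["level"] if rule else 0

if __name__ == "__main__":
    for name, (eid, log) in SAMPLE_EVENTS.items():
        rule = evaluate(eid, log)
        print(f"{name}: rule {rule['id'] if rule else None}, level {alert_level(eid, log)}")
```

Note that <match>cmd.exe</match> is a substring test over the whole event, so the "mention" sample also raises 18161 even though the new process is powershell.exe; if that is noisier than intended, tune the match to the New Process Name field.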