# Blue Team Handbook

## Metadata
- Author: [[Don Murdoch]]
- Full Title: Blue Team Handbook
- Category: #books
## Highlights
- Instrumentation: Update the Windows Workstation Presence Indicators as a second-phase approach, once it is proven to work and the issues are resolved.
  - New Service: Event ID 7045
  - Scheduled Task: Event ID 4698
  - Local Group Changes: 4731, 4732, 4733, 4734
- SIEM and Security Architecture: Windows has a native capability to centrally collect audit logs. At a minimum, several event types need to be collected, which are known as "presence indicators": login, screen lock, reboot, screen unlock. After that: local group management. Finally, service state changes. These event types can be used to detect when workstations are used outside of normal business hours and for unauthorized changes, new accounts, and service installation, all underpinnings of persistence and lateral traversal.
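The review the highlights describe, as an added example that is not code from the Blue Team Handbook: change events are keyed on the event IDs the highlight lists (7045, 4698, 4731-4734), presence indicators are flagged only when they fall outside a business-hours window. The records are constructed; the presence-indicator IDs (4624 logon, 4800 screen lock, 4801 screen unlock, 1074 shutdown/restart) are assumed from Microsoft's documented Security/System log IDs, and the 08:00-18:00 weekday schedule is an assumption.

```python
"""Review of centrally collected Windows event records, keyed on the event IDs
the highlight names.

Added example, not code from the Blue Team Handbook. The event records below
are constructed. Event IDs 7045, 4698 and 4731-4734 are the ones listed in the
highlight; the presence-indicator IDs (4624 logon, 4800 screen lock, 4801
screen unlock, 1074 shutdown/restart) are assumed here from Microsoft's
documented Security/System log IDs. The 08:00-18:00 weekday window is an
assumed business schedule.
"""
from datetime import datetime, time

# Change events from the highlight: service install, scheduled task, local group changes
CHANGE_EVENTS = {
    7045: "new service installed",
    4698: "scheduled task created",
    4731: "local group created",
    4732: "member added to local group",
    4733: "member removed from local group",
    4734: "local group deleted",
}

# Presence indicators: IDs assumed, not listed in the highlight
PRESENCE_EVENTS = {
    4624: "logon",
    4800: "screen lock",
    4801: "screen unlock",
    1074: "shutdown/restart",
}

BUSINESS_START = time(8, 0)   # assumed schedule
BUSINESS_END = time(18, 0)


def outside_business_hours(ts: datetime) -> bool:
    """True on weekends, or on weekdays outside BUSINESS_START..BUSINESS_END."""
    if ts.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def review_events(events):
    """Return one alert per change event and per after-hours presence indicator.

    Presence indicators inside business hours are normal activity and produce
    nothing; change events are always surfaced because each is a possible
    persistence or lateral-movement footprint.
    """
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        eid = ev["event_id"]
        if eid in CHANGE_EVENTS:
            reason = "change: " + CHANGE_EVENTS[eid]
        elif eid in PRESENCE_EVENTS and outside_business_hours(ts):
            reason = "after-hours " + PRESENCE_EVENTS[eid]
        else:
            continue
        alerts.append({"host": ev["host"], "user": ev["user"],
                       "time": ev["time"], "event_id": eid, "reason": reason})
    return alerts


# Constructed records, as they might arrive from Windows Event Forwarding.
# 2024-03-05 is a Tuesday, 2024-03-09 a Saturday.
SAMPLE_EVENTS = [
    {"time": "2024-03-05T09:15:00", "host": "WS-101", "user": "alice", "event_id": 4624},
    {"time": "2024-03-05T12:30:00", "host": "WS-101", "user": "alice", "event_id": 4800},
    {"time": "2024-03-05T23:40:00", "host": "WS-101", "user": "alice", "event_id": 4801},
    {"time": "2024-03-05T23:42:00", "host": "WS-101", "user": "alice", "event_id": 7045},
    {"time": "2024-03-09T10:00:00", "host": "WS-102", "user": "bob", "event_id": 4624},
    {"time": "2024-03-06T10:05:00", "host": "WS-102", "user": "bob", "event_id": 4732},
]

if __name__ == "__main__":
    for a in review_events(SAMPLE_EVENTS):
        print(a["time"], a["host"], a["user"], a["event_id"], a["reason"])
```

On the constructed input, the weekday noon screen lock is ignored, while the 23:40 unlock, the service install two minutes later, the Saturday logon and the group-membership change are surfaced; pairing an after-hours unlock with a 7045 on the same host is exactly the persistence pattern the highlight points at.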
- Persistence detection: Autoruns (daily, for all workstations and servers). An advanced detection technique is to consume the output of "autorunsc" into the SIEM and sort the data using Long Tail Analysis (or stacking) in order to detect any new persistence entries.
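Stacking of autorunsc output across hosts, as an added example that is neither the book's nor Sysinternals' code: each host's CSV is parsed, entries are keyed on location, name and image path, and the long tail (entries present on only one host) plus anything absent from yesterday's baseline is reported. The CSV rows are constructed and use only a subset of autorunsc's columns; the `max_hosts` threshold is an assumption to tune per estate.

```python
"""Long-tail (stacking) analysis of autorunsc output collected from many hosts.

Added example, not code from the Blue Team Handbook or from Sysinternals. The
CSV text below is constructed and keeps only four of autorunsc's columns.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed autorunsc-style CSV shared by every host (signed, expected entries).
COMMON = (
    "Entry Location,Entry,Image Path,Signer\n"
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,OneDrive,"
    "c:\\program files\\onedrive\\onedrive.exe,(Verified) Microsoft Corporation\n"
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,"
    "c:\\windows\\system32\\securityhealthsystray.exe,(Verified) Microsoft Windows\n"
)
# Constructed: an unsigned Run key that appeared on a single host today.
SUSPECT = (
    "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,updater,"
    "c:\\users\\public\\updater.exe,(Not verified)\n"
)

TODAY = {"WS-101": COMMON, "WS-102": COMMON, "WS-103": COMMON + SUSPECT}
YESTERDAY = {"WS-101": COMMON, "WS-102": COMMON, "WS-103": COMMON}


def stack(host_to_csv):
    """Map (location, entry, image path) -> set of hosts carrying that entry."""
    seen = defaultdict(set)
    for host, text in host_to_csv.items():
        for row in csv.DictReader(StringIO(text)):
            key = (row["Entry Location"], row["Entry"], row["Image Path"].lower())
            seen[key].add(host)
    return seen


def long_tail(stacked, max_hosts=1):
    """Entries seen on at most max_hosts hosts: the rare end of the stack."""
    return {k: sorted(v) for k, v in stacked.items() if len(v) <= max_hosts}


def new_since(stacked_today, stacked_baseline):
    """Entries present today that were not in the baseline stack at all."""
    return {k: sorted(v) for k, v in stacked_today.items() if k not in stacked_baseline}


def run_daily(today=TODAY, baseline=YESTERDAY):
    """One day's pass: returns (rare entries, entries new since baseline)."""
    stacked_today = stack(today)
    return long_tail(stacked_today), new_since(stacked_today, stack(baseline))


if __name__ == "__main__":
    rare, new = run_daily()
    for key, hosts in rare.items():
        print("rare:", key, "on", hosts)
    for key, hosts in new.items():
        print("new since baseline:", key, "on", hosts)
```

Both views fire on the same `updater` entry here; in practice the baseline comparison catches entries the moment they appear, while the long tail also catches entries that were already rare before the first snapshot. Normalising the image path (case here; environment variables and 8.3 names in a real feed) keeps one entry from splitting into several stack buckets.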
- Once operating system data is collected, then focus on valuable network level trace data. Network level instrumentation should focus on chokepoints, flow data, and application support intelligence such as DNS activity, web browsing activity, and network flows between network segments. For example, workstation to workstation traffic is highly