Discovered this list of windows Event ID's and their criticality from Microsoft.
Appendix L - Events to Monitor | Microsoft Docs
With a little Notepad++ magic the table provided was converted to a feed that can be used to mark events by Event ID and add the criticality of that event id to the meta.
This information can be used in reporting, alerting or ESA calculations to determine if the event and the associated event criticality should be alerted or investigated.
The Table has a Current and Legacy column which were flattened to just one column to match on so that regardless of which Event ID is logged the criticality will be written.
#reference.id,legacy_id,criticality,description,,,
4618,n/a,high,a monitored security event pattern has occurred.,,,
4649,n/a,high,a replay attack was detected. may be a harmless false positive due to misconfiguration error.,,,
4719,612,high,system audit policy was changed.,,,
612,n/a,high,system audit policy was changed.,,,
4765,n/a,high,sid history was added to an account.,,,
...
<?xml version="1.0" encoding="utf-8"?>
<FDF xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="feed-definitions.xsd">
<FlatFileFeed comment="#" separator="," path="feed-msevents-criticality.csv" name="unified">
<MetaCallback name="InspectMeta" valuetype="Text" ignorecase="true">
<Meta name="reference.id"/>
</MetaCallback>
<LanguageKeys>
<LanguageKey name="severity" valuetype="Text"/>
</LanguageKeys>
<Fields>
<Field index="1" type="index" key="InspectMeta"/>
<Field index="3" type="value" key="severity"/>
</Fields>
</FlatFileFeed>
</FDF>
Using the data in a Dashboard can illustrate the groupings of high, medium and low severity events.
2 Comments
