In looking into compromised systems, often what is needed by incident responders and investigators is not enabled or configured when it comes to logging.  To help get system logs properly Enabled and Configured, below are some cheat sheets to help you do logging well and collect the needed data we all need is there when we look.

Cheat Sheets to help you in configuring your systems:

• The Windows Logging Cheat Sheet                                                         Updated Feb 2019

• The Windows Advanced Logging Cheat Sheet                                     Updated Feb 2019

• The Crowdstrike Logscale Windows Logging Cheat Sheet              Updated Feb 2024

• The Splunk Windows Logging Cheat Sheet                                           Updated Sept 2019

• The Windows File Auditing Logging Cheat Sheet                                Updated Nov 2017

• The Windows Registry Auditing Logging Cheat Sheet                       Updated Aug 2019

• The Windows PowerShell Logging Cheat Sheet                                   Updated Sept 2018

• The Windows Sysmon Logging Cheat Sheet                                          Updated Jan 2020

MITRE ATT&CK Cheat Sheets

• The Windows ATT&CK Logging Cheat Sheet                                           Released Sept 2018

• The Windows LOG-MD ATT&CK Cheat Sheet                                           Released Sept 2018

The MITRE ATT&CK Logging Cheat Sheets are available in Excel spreadsheet form on the following Github:

• https://github.com/MalwareArchaeology/ATTACK

Some Additional Cheat Sheets

These are some additional cheat sheets that can help in your IR and security needs.

• TIPS FOR CREATING A STRONG CYBERSECURITY ASSESSMENT REPORT - Lenny Zeltser

• SECURITY ARCHITECTURE CHEAT SHEET FOR INTERNET APPLICATIONS - Lenny Zeltser

• Windows Intrusion Discovery Cheat Sheet v3.0 - SANS

• MULTICLOUD COMMAND-LINE INTERFACE - SANS

• CRITICAL LOG REVIEW CHECKLIST FOR SECURITY INCIDENTS - SANS

• ANALYZING MALICIOUS DOCUMENTS - SANS

• Analyzing Malicious Documents - Zeltser

• Linux Shell Survival Guide v2.3 - SANS

• Linux Forensics Command Cheat Sheet

• Burp Suite Cheat Sheet v1.0 - SANS

• iOS Third-Party Apps Forensics - SANS

• Splunk Cheat Sheet and site

• DFIR Training list of Cheat Sheets

• Google Cloud Incident Response Cheat Sheet

• Google Cloud IR Poster

• Pentesting Cheat Sheets

• SANS Ultimate list of Cheat Sheets

Update Log:

Crowdstrike Logscale Windows Logging Cheat Sheet Released

• Feb 2024

Humio Cheat Sheet Retired

• Feb 2024

SysmonLCS: Jan 2020 ver 1.1

• Fixed GB to Kb on log size

WSplunkLCS: Sept 2019 ver 2.22

• Minor code tweaks, conversion

WSysmonLCS: Aug 2019 ver 1.0

• Initial release

WRACS: Aug 2019 ver 2.5

• Added a few more items

WSLCS: Feb 2019 ver 2.21

• Fixed shifted box, cleanup only

WLCS: Feb 2018 ver 2.3

• Added a couple items from Advanced

• Adjust a couple settings

• General Clean up

• Referenced the Windows Advanced Logging Cheat Sheet

WALCS: Feb 2019 ver 1.2

• Updated and added several items

WHLCS: June 2018 ver 1.0

• Initial release

WFACS: Oct 2016 ver 1.2

• Added a few new locations

WRACS: oct 2016 ver 1.2

• Added many autorun keys

• Sorted the keys better

WSLCS: Mar 2018 ver 2.1.1

• Fixed shifted box, cleanup only

WLCS: Jan 2016 ver 2.0

• Added Event code 4720 - New user account created

• Changed references to File and Registry auditing to point to the new File and Registry auditing Cheat Sheets

• Expanded info on Command Line Logging

WRACS: Jan 2016 ver 1.1

• Sort HKLM Keys

• Added keys to monitor PowerShell and Command Line log settings

• Updated HKCU and USERs\.DEFAULT info

• Added info about HKCU unable to be set in Security Templates

• Added PowerShell script to set HKCU Registry Auditing