LOGbinder Support


Collecting Process Start Events (4688) Without the Noise


RandyFranklinSmith
How To

If everyone monitored security event ID 4688 (A new process has been created) on every computer, we would know within seconds whenever a new EXE ran anywhere on the network. With that knowledge we could stop far more intrusions, and stop them much earlier in the attack, before damage is done. This one security measure would catch a large share of ransomware, APT and information theft attacks, all of which have to start a process on an endpoint at some point.

Sound like a lot of work? It was, before Supercharger…

In 5 minutes Supercharger can configure Windows Event Collection so that your endpoints start forwarding these events to a central Windows event collector, which you then monitor with the SIEM of your choice. No agents, no polling, no remote access credentials to set up, no firewall rules to configure. It just works.

Worried that collecting every process start event from every Windows system would be overwhelming? Turn on Supercharger’s built-in Common System Process noise filter and the traffic from all those endpoints drops to a fraction. That’s because the lion’s share of process start events (4688) are just noise in terms of attack detection. We know, for instance, that Windows starts C:\Windows\System32\svchost.exe all the time. As long as the executable is at that full path and the Subject Logon ID is 0x3e7 (the fixed logon session of the LOCAL SYSTEM account) there’s really no point in analyzing the event. Note that both conditions matter: a file named svchost.exe started from a user profile directory, or the real svchost.exe started under an ordinary user’s logon session, is exactly the kind of event you want to keep.
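To make the filtering rule concrete, here is an added example (not Supercharger’s code and not part of the original article) that applies the same logic to constructed 4688 events written in the Windows Event XML layout. The EventData field names (SubjectLogonId, NewProcessName, ParentProcessName, CommandLine) are the real 4688 field names; the allow-list of common system processes, the computer name and the SIDs and logon IDs in the sample events are assumptions made up for the illustration.

```python
"""Illustration of the kind of 4688 noise filter the article describes.

Constructed example: the sample events below are hand-written in the Windows
Event XML layout, and the allow-list is an assumption, not Supercharger's.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon ID 0x3e7 is the fixed logon session of the LOCAL SYSTEM account.
SYSTEM_LOGON_ID = "0x3e7"

# Full paths only (lower-cased for comparison): a svchost.exe started from
# any other directory must not match.  The list itself is an assumption.
COMMON_SYSTEM_PROCESSES = {
    r"c:\windows\system32\svchost.exe",
}

EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID><Computer>WS01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">{sid}</Data>
    <Data Name="SubjectLogonId">{logon_id}</Data>
    <Data Name="NewProcessName">{process}</Data>
    <Data Name="CommandLine">{cmdline}</Data>
    <Data Name="ParentProcessName">{parent}</Data>
  </EventData>
</Event>"""


def make_4688(process, logon_id, parent, sid="S-1-5-18", cmdline=""):
    """Build a constructed 4688 event in Windows Event XML form."""
    return EVENT_TEMPLATE.format(process=process, logon_id=logon_id,
                                 parent=parent, sid=sid, cmdline=cmdline)


def parse_4688(xml_text):
    """Return the EventID plus every named EventData field as a flat dict."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = {d.get("Name"): (d.text or "")
              for d in root.findall("e:EventData/e:Data", NS)}
    return {"EventID": event_id, **fields}


def is_noise(event):
    """True only for an allow-listed full path started under the SYSTEM session."""
    if event["EventID"] != 4688:
        return False
    path = event.get("NewProcessName", "").lower()
    logon_id = event.get("SubjectLogonId", "").lower()
    return path in COMMON_SYSTEM_PROCESSES and logon_id == SYSTEM_LOGON_ID


def filter_events(xml_events):
    """Drop the noise; everything else goes on to the SIEM."""
    return [ev for ev in map(parse_4688, xml_events) if not is_noise(ev)]


SAMPLE_EVENTS = [
    # 1: the routine case the article describes; dropped.
    make_4688(r"C:\Windows\System32\svchost.exe", "0x3e7",
              r"C:\Windows\System32\services.exe",
              cmdline=r"C:\Windows\System32\svchost.exe -k netsvcs"),
    # 2: same file name, wrong directory; kept (path does not match).
    make_4688(r"C:\Users\Public\svchost.exe", "0x3e7",
              r"C:\Windows\explorer.exe"),
    # 3: the real svchost path but an ordinary user's logon session; kept.
    make_4688(r"C:\Windows\System32\svchost.exe", "0x5f2a1",
              r"C:\Windows\System32\cmd.exe",
              sid="S-1-5-21-1000-2000-3000-1105"),
    # 4: an interactive PowerShell start; kept.
    make_4688(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "0x5f2a1", r"C:\Windows\explorer.exe",
              sid="S-1-5-21-1000-2000-3000-1105",
              cmdline="powershell.exe -NoProfile"),
]

if __name__ == "__main__":
    for ev in filter_events(SAMPLE_EVENTS):
        print(ev["SubjectLogonId"], ev["NewProcessName"])
```

Of the four constructed events only the first is dropped. When tuning a filter like this for real traffic, remember that svchost.exe also runs legitimately under the LOCAL SERVICE (0x3e5) and NETWORK SERVICE (0x3e4) sessions, and that the match has to stay on the full, lower-cased path; matching on the file name alone would let a renamed dropper hide behind the filter.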

Supercharger was designed by Randy Franklin Smith, who knows the Windows Security Log as well as anyone, and that knowledge is built into Supercharger for you to use. Check out this video where Randy demonstrates the steps in less than 7 minutes.


