Windows process launch logs are a subset of security audit logs that track program activation, process exit, handle duplication, and indirect object access. You can audit successes or failures for each of these events. Furthermore, you can track how long a program was open and correlate the process data with logon events and object access events. Coupled with command line auditing, you can retrieve information regarding what commands were passed to open processes.
The most common events related to process launches are:
You can find other related events in the Microsoft documentation.
How can I use this data?
When your Splunk deployment is ingesting Windows process launch logs, you can use the data to achieve the following objectives:
- Detecting the use of randomization in cyberattacks
- Investigating a ransomware attack
- Recognizing improper use of system administration tools
The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Windows resources.
If your deployment is not already ingesting Windows process launch logs, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.
The recommended index is oswinsec.
The source type is wineventlog:security.
The supported input type is WinEventLog://Security.
In addition, you will need the Splunk Add-on for Microsoft Windows. The add-on can be downloaded here and the add-on documentation can be accessed here. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Windows process launch logs, and configure Splunk.
At a very high level, common ranges are:
- Workstation: 4-6 MB/day (Including Application, System, and Security Logs)
- Application Servers: 25-50 MB/day
- Domain Controllers: 50-500 MB/day depending on the number of users
For Process Launch Logs (Event ID 4688), the expected volume can vary based on how many new processes spin up, but the variation is generally minor. Event ID 4688 is considered to provide excellent value in security logging.
Usually the first thing people will see when deploying audit policies is either new systems showing up in Splunk, or at least an increase in system log messages. If you already have some logs coming in and want to validate that you’re getting the new ones, look for the delta between your old policy and your new one, and google “Windows Event ID” – that will usually give you something specific to search for (though you may have to go take the action that gets logged, if it’s less common). An easy example is “Windows Process Creation Event ID” which quickly nets you “Event ID 4688” as the first result.