Don’t blow up Prod with Process Events

Rcegan
Oct 17, 2023

Had a slightly eye-opening experience recently around logging process creation events, Event ID 4688, and in particular the Detailed Tracking component that includes the command line in those events. (This is mostly a vent and I’m not offering anything new or particularly intelligent.)

It’s really easy in 2023 to assume that, with a modern(ish) fleet of servers and decent performance, enabling 4688 and detailed tracking is just an exercise in checking boxes for easy endpoint visibility in your SIEM. But, it turns out, if you have:
- A larger-than-default event log size (a good thing!)
- Exhausted event logs kept on disk for an extended period of time (also a good thing!)
- PowerShell transcription and Script Block Logging turned on at the same time (a very good thing!)

You have a non-zero chance of creating some real headaches for the IT Operations team. Disks
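Before switching on command-line auditing fleet-wide, it helps to measure what a representative server is already producing. The script below is an added example, not the author’s, and assumes an elevated PowerShell 5.1+ session on the server being assessed and the default Windows log directory; it samples recent 4688 events, projects daily growth from their serialized size, and reports the Security log’s size limit, retention mode, archived-log footprint and free space on the log volume.

```powershell
# Added example (not the author's): rough sizing of 4688 volume and archived
# Security logs before rolling command-line auditing out fleet-wide.
# Assumes an elevated PowerShell 5.1+ session on the server being assessed.
param(
    [int]$SampleMinutes = 15,
    [string]$LogDir = "$env:SystemRoot\System32\winevt\Logs"  # default log location
)

# 1. Is "include command line in process creation events" actually switched on?
$auditKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdLineOn = (Get-ItemProperty -Path $auditKey -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled -eq 1

# 2. Sample recent 4688 events; measure rate and average serialized record size
$since   = (Get-Date).AddMinutes(-$SampleMinutes)
$events  = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue)
$perHour = [math]::Round($events.Count / $SampleMinutes * 60)

$sample   = $events | Select-Object -First 500
$avgBytes = if ($sample) { ($sample | ForEach-Object { $_.ToXml().Length } | Measure-Object -Average).Average } else { 0 }
# XML length is only a proxy for on-disk size; treat the projection as an order-of-magnitude estimate
$gbPerDay = [math]::Round($perHour * 24 * $avgBytes / 1GB, 2)

# 3. Security log limit and retention mode (AutoBackup keeps exhausted logs on disk as archives)
$log       = Get-WinEvent -ListLog Security
$maxMB     = [math]::Round($log.MaximumSizeInBytes / 1MB)
$retention = $log.LogMode    # Circular, AutoBackup or Retain

# 4. Archived Security logs that AutoBackup retention has already accumulated
$archives     = @(Get-ChildItem -Path $LogDir -Filter 'Archive-Security-*.evtx' -ErrorAction SilentlyContinue)
$archiveBytes = 0
$archives | ForEach-Object { $archiveBytes += $_.Length }
$archiveGB    = [math]::Round($archiveBytes / 1GB, 2)

# 5. Free space on the volume holding the logs
$drive  = (Get-Item $LogDir).PSDrive.Name
$freeGB = [math]::Round((Get-PSDrive -Name $drive).Free / 1GB, 2)

[pscustomobject]@{
    CommandLineLoggingOn = $cmdLineOn
    Events4688PerHour    = $perHour
    AvgRecordBytes       = [int]$avgBytes
    ProjectedGBPerDay    = $gbPerDay
    SecurityLogMaxMB     = $maxMB
    RetentionMode        = $retention
    ArchivedLogCount     = $archives.Count
    ArchivedLogGB        = $archiveGB
    FreeGBOnLogVolume    = $freeGB
    DaysOfFreeSpaceLeft  = if ($gbPerDay -gt 0) { [math]::Round($freeGB / $gbPerDay, 1) } else { 'n/a' }
}
```

Run it on a few busy and quiet servers over a longer `-SampleMinutes` window; the spread in `ProjectedGBPerDay` is what tells you whether the log size and archive retention you picked will fit the disks you actually have.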

Written by Rcegan

Security Engineer with a focus on Microsoft Sentinel, the Defender stack, and a bit of Splunk. Opinions are my own. Hack the planet.