
5.2. Collecting Process Start Events (4688) Without the Noise

If everyone monitored security event ID 4688 (New process) on each computer, we would know within seconds whenever an EXE showed up on the network. If we knew that, we would be able to stop so many more intrusions – so much sooner in the process – before damage is done. This one security measure would catch so many ransomware, APT and information theft attacks.

Sound like a lot of work? It was, before Supercharger…

In 5 minutes Supercharger can configure Windows Event Collection so that your endpoints start sending these events to a central Windows event collector, which you then monitor with the SIEM of your choice. No agents, no polling, no remote access credentials to set up, no firewall rules to configure. It just works.

Worried that collecting every process start event from every Windows system would be overwhelming? Turn on Supercharger’s built-in Common System Process noise filter and suddenly all those endpoints reduce their traffic to a fraction. That’s because the lion’s share of process start events (4688) are just noise in terms of attack detection. We know for instance that Windows runs C:\Windows\System32\svchost.exe all the time. As long as the Logon ID is 0x3e7 (the SYSTEM logon session) there’s really no point in analyzing the event.
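To make the noise rule concrete, here is an added example (not Supercharger's own code) that applies the filter described above to 4688 events in the Windows event XML format. The suppression entry is exactly the one the page names, svchost.exe under Logon ID 0x3e7, and the point to notice is that both halves of the rule have to match: the same svchost.exe started in a user's logon session is not noise and is kept. The sample events and the hostnames and user names in them are constructed for the example.

```python
"""Noise filter for Windows security event 4688 (process creation).

Added illustration, not Supercharger's code. The suppression rule follows
the page's example: svchost.exe started under the SYSTEM logon session
(Logon ID 0x3e7) is dropped; everything else is kept for the SIEM.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Suppression list: (process path, logon ID) pairs treated as routine noise.
# The page names svchost.exe under 0x3e7; this set holds only that entry
# (assumption: anything you add should be verified as routine in your own
# environment first).
NOISE = {
    (r"c:\windows\system32\svchost.exe", "0x3e7"),
}


def parse_4688(xml_text):
    """Return a dict of the EventData fields of one 4688 event."""
    root = ET.fromstring(xml_text)
    event_id = root.find("e:System/e:EventID", NS).text
    if event_id != "4688":
        raise ValueError(f"not a 4688 event: {event_id}")
    fields = {}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields


def is_noise(fields):
    """True only when BOTH the process path and the logon ID match an entry."""
    path = fields.get("NewProcessName", "").lower()
    logon = fields.get("SubjectLogonId", "").lower()
    return (path, logon) in NOISE


def filter_events(xml_events):
    """Keep only the events worth forwarding to the SIEM."""
    kept = []
    for xml_text in xml_events:
        fields = parse_4688(xml_text)
        if not is_noise(fields):
            kept.append(fields)
    return kept


def make_event(process, logon_id, user, parent):
    # Constructed sample event in the Windows event XML schema (not a real capture).
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><Computer>ws01.example.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectLogonId">{logon_id}</Data>
    <Data Name="NewProcessName">{process}</Data>
    <Data Name="ParentProcessName">{parent}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    # Routine: the service host started by the service control manager under SYSTEM.
    make_event(r"C:\Windows\System32\svchost.exe", "0x3e7", "WS01$",
               r"C:\Windows\System32\services.exe"),
    # Not routine: the same binary started inside an interactive user session.
    make_event(r"C:\Windows\System32\svchost.exe", "0x5a1b2", "alice",
               r"C:\Windows\explorer.exe"),
    # Always kept: a scripting host under a user logon.
    make_event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "0x5a1b2", "alice", r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for ev in filter_events(SAMPLE_EVENTS):
        print(ev["SubjectUserName"], ev["SubjectLogonId"], ev["NewProcessName"])
```

Running the block prints the two surviving events: the user-session svchost.exe and the powershell.exe start. The filter compares the full lower-cased path rather than just the file name, so a look-alike svchost.exe dropped into another directory is never suppressed, and it leaves every other field of the kept events intact for the SIEM.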

Supercharger was designed by Randy Franklin Smith – no one knows the Windows Security Log better – and you get to leverage his knowledge built-in to Supercharger. Check out this video where Randy demonstrates the steps in less than 7 minutes.
