CODE BLUE 2025

Mind the Gaps: Detecting What You Miss in Windows Event Logs (and Fixing It!)

DAY 2

11:00-11:40

Windows Event Logs play a critical role in DFIR. However, default audit settings often lead to detection blind spots due to limited log sizes, insufficient policies, and short retention.

We present two open-source tools that help defenders assess and improve Windows Event Log audit settings for stronger threat detection and forensic readiness.

WELA is a PowerShell-based tool that audits current settings against industry best practices and real-world Sigma rule coverage. By leveraging over 4,000 Sigma rules, it reveals which threats can or cannot be detected, and it supports multiple audit guides.

EventLog-Baseline-Guide is a Streamlit-based web application for visualizing differences in audit policies across baseline guides. It uses intuitive color coding and maps audit settings to Sigma rule coverage by log source and event type.

Together, these tools empower security teams to close visibility gaps in Windows logging and make informed, data-driven improvements to their DFIR posture.
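As an added example (not code from WELA or EventLog-Baseline-Guide, whose checks are far more extensive), the PowerShell below inspects the three gap sources the abstract names on the local host: the Security log's size and the time window it actually retains, the effective audit policy as reported by auditpol, and whether a handful of event IDs that many Sigma rules depend on can be generated at all under that policy. It assumes an elevated session on Windows with English-language auditpol output; the event-ID-to-subcategory table is a constructed, partial stand-in for the Sigma-derived mapping the tools build from their rule set.

```powershell
# Added example, not code from WELA or EventLog-Baseline-Guide: a read-only
# check for the three gap sources named in the abstract (log size, audit
# policy, retention). Assumes an elevated PowerShell session on Windows with
# English subcategory names from auditpol. The event-ID-to-subcategory table
# is a constructed, partial illustration of the kind of mapping a Sigma-driven
# tool derives from its rule set; the real mapping is much larger.

# --- 1. Security log size, mode and observed retention window ---------------
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$newest = Get-WinEvent -LogName Security -MaxEvents 1
$window = $newest.TimeCreated - $oldest.TimeCreated

[pscustomobject]@{
    MaxSizeMB    = [math]::Round($log.MaximumSizeInBytes / 1MB)
    LogMode      = $log.LogMode          # Circular = oldest events overwritten
    RecordCount  = $log.RecordCount
    RetainedDays = [math]::Round($window.TotalDays, 1)
} | Format-List

# --- 2. Effective audit policy, parsed from auditpol's CSV output -----------
$policy  = (auditpol /get /category:* /r) | Where-Object { $_ } | ConvertFrom-Csv
$setting = @{}
foreach ($row in $policy) { $setting[$row.Subcategory] = $row.'Inclusion Setting' }

# --- 3. Which commonly rule-referenced event IDs this host cannot emit ------
# Constructed table: Security event ID -> subcategory that generates it and
# the minimum inclusion setting needed for a rule on that ID to fire.
$needed = @(
    @{ EventID = 4688; Subcategory = 'Process Creation';           Need = 'Success' }
    @{ EventID = 4624; Subcategory = 'Logon';                      Need = 'Success and Failure' }
    @{ EventID = 4720; Subcategory = 'User Account Management';    Need = 'Success' }
    @{ EventID = 4697; Subcategory = 'Security System Extension';  Need = 'Success' }
    @{ EventID = 4698; Subcategory = 'Other Object Access Events'; Need = 'Success' }
)

$report = foreach ($n in $needed) {
    $current = $setting[$n.Subcategory]
    # 'Success and Failure' satisfies any requirement; otherwise exact match.
    $covered = ($current -eq 'Success and Failure') -or ($current -eq $n.Need)
    $shown   = if ($current) { $current } else { 'Not found' }
    [pscustomobject]@{
        EventID     = $n.EventID
        Subcategory = $n.Subcategory
        Required    = $n.Need
        Current     = $shown
        Detectable  = $covered
    }
}
$report | Format-Table -AutoSize

# Audit-policy gap: rules for these IDs cannot fire regardless of log size.
$gaps = $report | Where-Object { -not $_.Detectable }
if ($gaps) {
    Write-Warning ("Audit policy gap: {0} of {1} checked event IDs cannot be generated." -f $gaps.Count, $report.Count)
}
# Retention gap: a log that only spans a few days is still a blind spot for
# investigations that begin after the attacker's dwell time.
if ($window.TotalDays -lt 30) {
    Write-Warning ("Security log currently spans only {0:N1} days; consider raising its maximum size." -f $window.TotalDays)
}
```

Two caveats when reading the output: subcategory names from auditpol are localized, so on a Japanese Windows install the lookup table must use the Japanese names (or match on the Subcategory GUID column instead); and enabling "Process Creation" alone yields 4688 without the command line, which most process-creation Sigma rules need, so that separate policy setting (Include command line in process creation events) has to be checked as well.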

  • Location: Track 3 (Room 3)

  • Category: Bluebox


Speakers

  • Fukusuke Takahashi (高橋 福助)

    Fukusuke Takahashi has been with NTTDATA-CERT (the CSIRT of NTT DATA Group Corporation) since 2018, specializing in IR, OSINT, and SOAR. He is one of the developers of Yamato Security’s open-source tools Suzaku, Hayabusa, Takajo, and WELA. He enjoys fixing bugs and hunting vulnerabilities in open-source Blue Team tools, and has published multiple CVEs. He has presented at conferences such as the FIRST Annual Conference, SECCON, BSides Tokyo, HackFes, HITCON CMT, SecTor, AUSCERT and Black Hat USA Arsenal.

  • Zach Mathis (田中ザック)

    Having graduated from Purdue University with dual degrees in Computer Science and East Asian Studies, Zach is a trailblazing security professional in Japan. Since founding a security team in 2006 and delivering services ranging from pen-testing to DFIR, he has become a rare non-Japanese specialist in Japan, leading major corporate security for two decades. A popular speaker since 2007 and founder of the Yamato Security community, he has contributed to top security guides and competitions. When not teaching or working in the field, he creates free DFIR tools such as Hayabusa, Takajo, WELA and Suzaku. His bilingual proficiency bridges cultural gaps, making him a unique force in cybersecurity education.
    Born in Indiana, USA.
    He has been self-studying IT, security and Japanese since junior high school (1990-).
    While in high school, he was awarded top prizes from Intel, the US Air Force and the US Navy for his research on password cracking, making a name for himself in the field of security.
    He graduated from Purdue University in 2005 with a major in Southeast Asian Studies and Computer Science, and joined Kobe Digital Labs (KDL) in 2006.
    At KDL, he launched security-related services such as web diagnostics, smartphone diagnostics, penetration testing, email training, forensic investigations, and incident response.
    He established a security team (Proactive Defense) within the company and is also committed to training the next generation.
    From 2007 to 2010, he worked as a TA and researcher for all courses at Carnegie Mellon University Japan (CMUJ), a prestigious institution in the security field.
    Since 2008, he has given talks at various events, including famous security conferences overseas, and since 2014, he has participated in the management of the domestic security contest "SECCON".
    Since 2012, he has hosted the hands-on security study group "Yamato Security," which has been popular among many security engineers, and is committed to training security personnel.
    Since 2017, he has been localizing SANS' most popular course 504 (Incident Response and Introduction to Hackers) into Japanese and serving as a lecturer.
    In Japan, he has served as a lecturer for CMUJ, SANS, JNSA, KIIS, IPA, the Kagoshima Prefecture Cyber Security Council, Kobe 078, private training for critical infrastructure, and industry-government-academia collaboration courses, and has trained many security professionals. His activities are not limited to Japan: he has taught security in countries such as the United States, the Philippines, Thailand, Laos, Cambodia, and Myanmar, and plans to lecture in Kuwait, Hong Kong, India, Australia, and other countries around the world. He is prepared for unforeseen circumstances and strives to teach security technology in any environment.
    He currently holds numerous certifications, including GCFA (Forensic Investigation Analyst), GCIA (Intrusion Detection Analyst), GWAS (Web Application Security), GCIH (Incident Handler), GCED (Enterprise Defender), GCWN (Windows Security Administrator), GPEN (Penetration Tester), GMON (Security Monitoring), and GREM (Malware Analysis), and researches security for new technologies every day.
    He also posts daily security news, advice, and the latest technology information on X (formerly Twitter) at @yamatosecurity.