Windows Advanced Auditing Recommendations

Advanced Audit Logging for better visibility using Domain Group Policy (Preferred)

Last updated 1 year ago

As with all security settings, the best practice is to use Group Policy to manage your audit policy centrally. Relying on local settings is risky: a Group Policy can override the local policy settings, and Microsoft warns of this behavior on each policy’s Local Security Setting tab shown below.

To configure audit settings on all domain clients:

· Go to Start Menu → Administrative Tools → Group Policy Management.

· In the left pane, navigate to Forest → Domains → Domain Name. Expand it.

· You can select either ‘Default Domain Policy’ or create a new Group Policy Object.

· Right-click on ‘Default Domain Policy’ or other Group Policy Object.

· Click ‘Edit’ in the context menu. It shows ‘Group Policy Management Editor’.

· Go to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies.

· Check ‘Configure the following audit events’, select ‘Success’ and click OK.

Continue to follow similar steps to enable all the settings listed in Appendix A.

Advanced Audit Logging for better visibility – using Local Security Policy

(To be used only if configuring a Domain GPO is not an option)

A Windows system's audit policy determines which information about the system is recorded in the Security log. Windows uses nine audit policy categories and 50 audit policy subcategories to give you granular control over what is logged.

· Open the Start Menu and type: gpedit.msc

· OR use the keyboard shortcut Windows Key + R, type gpedit.msc in the Run line and hit Enter.

· To view a system’s audit policy settings, open the Local Security Policy console (or the gpedit Group Policy Editor) on the system and navigate to Windows Settings → Security Settings → Local Policy → Audit Policy as shown below.

· From there, check the boxes to audit successful or failed attempts and click OK.

Alternatively, you can use Auditpol (a command-line utility) to determine which subcategories are being audited. When baselining a system, Auditpol shows the effective policy, that is, what is really happening. An example of the output of the auditpol /get /category:* command is shown below.

Below is the list of commands to run to enable the audit policies using the auditpol utility.

:: CAPTURE THE SETTINGS - BEFORE they have been modified
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /get /category:* > AuditPol_BEFORE_%computername%.txt
::
:: To Track Account Logon Activities
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
Auditpol /set /subcategory:"Kerberos Authentication Service" /success:disable /failure:disable
Auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:disable /failure:disable
Auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
::
:: To Track Account Management
:: ------------------------------------------------------------------------------------------------------------------------------
:: Sets - the entire category - Auditpol /set /category:"Account Management" /success:enable /failure:enable
::
Auditpol /set /subcategory:"Application Group Management" /success:disable /failure:disable
Auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
Auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
Auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
Auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
Auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
::
:: Detailed Tracking
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
Auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable
Auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
Auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
::
:: To Track Directory Service Access
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
Auditpol /set /subcategory:"Directory Service Access" /success:disable /failure:disable
Auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
Auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable
::
:: To Track Logon/Logoff Activities
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Account Lockout" /success:enable /failure:disable
Auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
Auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
Auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
Auditpol /set /subcategory:"Logoff" /success:enable /failure:disable
Auditpol /set /subcategory:"Logon" /success:enable /failure:enable
Auditpol /set /subcategory:"Network Policy Server" /success:disable /failure:disable
Auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
Auditpol /set /subcategory:"Special Logon" /success:enable /failure:disable
::
:: To Track Object Access
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
Auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
Auditpol /set /subcategory:"Detailed File Share" /success:enable
:: Note: Will generate a lot of events if Files and Reg keys are audited so only audit locations that are not noisy
Auditpol /set /subcategory:"File Share" /success:enable /failure:enable
Auditpol /set /subcategory:"File System" /success:enable /failure:enable
Auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
::
:: To Track Policy Changes
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
Auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:disable
Auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
::
:: Note: Enable if you use Windows Firewall to monitor changes
::
Auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
Auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
Auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:disable
::
:: To Track Privilege Use
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
Auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
Auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
::
:: To Track SYSTEM events
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
Auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable
Auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
Auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
Auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
::
:: CAPTURE THE SETTINGS - AFTER they have been modified
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /get /category:* > AuditPol_AFTER_%computername%.txt
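As an added verification step (example code written for this page, not part of the BluSapphire documentation or tooling), the script below parses an AuditPol_AFTER capture and reports every subcategory whose effective setting differs from the recommendations above; this catches the case where a domain GPO has silently overridden the local auditpol changes. The BASELINE subset and the sample auditpol output are constructed for the example.

```python
import re

# Expected setting per subcategory, transcribed from the Auditpol /set commands above
# (success+failure enabled = "Success and Failure", both disabled = "No Auditing").
BASELINE = {
    "Credential Validation": "Success and Failure",
    "Kerberos Authentication Service": "No Auditing",
    "Process Creation": "Success and Failure",
    "Logon": "Success and Failure",
    "Logoff": "Success",
    "Audit Policy Change": "Success and Failure",
    "Sensitive Privilege Use": "Success and Failure",
}

def parse_auditpol(text):
    """Parse 'auditpol /get /category:*' output into {subcategory: setting}.
    Subcategory rows are indented by two spaces; header and category rows are not."""
    settings = {}
    for line in text.splitlines():
        if not line.startswith("  "):
            continue
        parts = re.split(r"\s{2,}", line.strip())   # name and setting are column-aligned
        if len(parts) == 2:
            settings[parts[0]] = parts[1]
    return settings

def audit_drift(text, baseline=BASELINE):
    """Return {subcategory: (expected, actual)} for each baseline entry that is
    missing from the capture or configured differently from the recommendation."""
    actual = parse_auditpol(text)
    return {sub: (want, actual.get(sub, "<not reported>"))
            for sub, want in baseline.items() if actual.get(sub) != want}

# Constructed sample capture (not taken from a real host); two rows drift from BASELINE.
SAMPLE = """System audit policy
Category/Subcategory                      Setting
Account Logon
  Credential Validation                   Success and Failure
  Kerberos Authentication Service         No Auditing
Detailed Tracking
  Process Creation                        No Auditing
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
Policy Change
  Audit Policy Change                     Success and Failure
Privilege Use
  Sensitive Privilege Use                 Success
"""
```

Subcategory names are localized on non-English Windows, so the BASELINE keys must match the language of the capture.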