Splunk Lantern

Configuring Windows security audit policies for Enterprise Security visibility

 

To use Splunk Enterprise Security effectively for security monitoring of Windows hosts, you must first configure detailed audit policies on those hosts. Splunk can only index what Windows writes to the Security log.

Windows advanced security audit policies are a granular audit logging configuration, normally delivered via Group Policy to every Windows workstation and server in an Active Directory environment. They ensure that an adequate audit trail is written whenever particular actions occur. In other words, the event codes that drive many Splunk Enterprise Security detections depend on the audit policy configured on each Windows host; without these policies, Splunk Enterprise Security is blind to many types of adversary activity.

In the default configuration, many of these subcategories are disabled. Following the recommendations below provides a solid baseline on which to build a robust detection suite. When you deploy them through Group Policy, also enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", so that the legacy category-level policy cannot silently override the subcategory settings.

Baseline audit policy recommendations

Account logon

Audit Credential Validation

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success & Failure
  • Event Codes: 4774, 4775, 4776, 4777

Audit Kerberos Authentication Service

Audit Kerberos Service Ticket Operations

Account Management

Audit Computer Account Management

Audit Security Group Management

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success
  • Event Codes: 4731, 4732, 4733, 4734, 4735, 4764, 4799

Audit User Account Management

Detailed tracking

Audit Process Creation

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success
  • Event Codes: 4688, 4696
  • Additional Notes: The Group Policy setting "Include command line in process creation events" (Administrative Templates > System > Audit Process Creation) is required to populate the command line in 4688 events; the Endpoint.Processes CIM data model relies on that field.
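The following PowerShell is an added example (not from the original page or from Splunk) that verifies on a single host that 4688 events actually carry the command line. It checks the registry value that the "Include command line in process creation events" policy sets, spawns a harmless process so a fresh 4688 exists, and then parses the event XML for the CommandLine field. Run it from an elevated prompt; no Splunk components are involved.

```powershell
# Added example: confirm that Audit Process Creation is producing 4688 events
# with a populated command line, which Endpoint.Processes depends on.
# Requires an elevated prompt (reading the Security log needs admin rights).

# 1. The GPO "Include command line in process creation events" sets this value to 1.
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$Setting = Get-ItemProperty -Path $RegPath -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
if ($Setting.ProcessCreationIncludeCmdLine_Enabled -eq 1) {
    Write-Host 'Command line logging is enabled (ProcessCreationIncludeCmdLine_Enabled = 1).'
} else {
    Write-Warning 'ProcessCreationIncludeCmdLine_Enabled is not set; 4688 events will have an empty Process Command Line.'
}

# 2. Generate a fresh 4688 so the check does not depend on older events.
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c echo audit-check' -WindowStyle Hidden -Wait

# 3. Pull recent 4688 events and extract the relevant EventData fields from the XML.
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 25 -ErrorAction SilentlyContinue
if (-not $Events) {
    Write-Warning 'No 4688 events found: check that Audit Process Creation is enabled for Success.'
    return
}

$Rows = foreach ($e in $Events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        NewProcess  = $data['NewProcessName']
        CommandLine = $data['CommandLine']   # empty when the GPO setting is missing
    }
}

$Rows | Format-Table -AutoSize -Wrap
$Empty = ($Rows | Where-Object { [string]::IsNullOrEmpty($_.CommandLine) }).Count
Write-Host "$Empty of $($Rows.Count) recent 4688 events have an empty command line."
```

If the last line reports that every event has an empty command line, the subcategory is enabled but the command-line GPO setting has not reached the host; Splunk will index 4688 events whose Process_Command_Line field is blank, and command-line based detections will not fire.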

DS access

Audit Directory Service Access

Audit Directory Service Changes

Logon/Logoff

Audit Account Lockout

Audit Logoff

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success
  • Event Codes: 4634, 4647

Audit Logon

Audit Other Logon/Logoff Events

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success & Failure
  • Event Codes: 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 5633

Audit Special Logon

Object access

Audit Certification Services

  • Device Scope: AD CS (Certification Authority) servers only
  • Logging Condition: Success & Failure
  • Event Codes: 4868, 4869, 4870, 4871, 4872, 4873, 4874, 4875, 4876, 4877, 4878, 4879, 4880, 4881, 4882, 4883, 4884, 4885, 4886, 4887, 4888, 4889, 4890, 4891, 4892, 4893, 4894, 4895, 4896, 4897, 4898

Audit Other Object Access Events

Policy change

Audit Audit Policy Change

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success
  • Event Codes: 4715, 4719, 4817, 4902, 4904, 4905, 4906, 4907, 4908, 4912

Audit Authentication Policy Change

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success
  • Event Codes: 4670, 4706, 4707, 4716, 4713, 4717, 4718, 4739, 4864, 4865, 4866, 4867

Audit Authorization Policy Change

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success
  • Event Codes: 4703, 4704, 4705, 4670, 4911, 4913

Advanced audit policy recommendations

Logon/Logoff

Audit Group Membership

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success
  • Event Codes: 4627

Object Access

Audit Detailed File Share

Audit File Share

Audit File System

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success & Failure
  • Event Codes: 4656, 4658, 4660, 4663, 4664, 4985, 5051, 4670
  • Additional Notes: These events are only generated for files and folders that carry a file system SACL; no SACL means no events, even with the subcategory enabled. Enable this subcategory with a targeted approach, as broad SACLs generate very high event volumes.

Audit Registry

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success & Failure
  • Event Codes: 4663, 4656, 4658, 4660, 4657, 5039, 4670
  • Additional Notes: These events are only generated for registry keys that carry a SACL; no SACL means no events, even with the subcategory enabled. Enable this subcategory with a targeted approach, as broad SACLs generate very high event volumes.
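Because both Audit File System and Audit Registry are silent until an object carries a SACL, the practical step is to apply a narrow SACL to the handful of paths and keys that matter. The PowerShell below is an added example (not from the original page or from Splunk) that sets a success-and-failure audit rule on one folder and one registry key, confirms the resulting SACLs, then performs a write to each so the corresponding 4663 and 4657 events can be observed. The folder `C:\Sensitive` and key `HKLM:\SOFTWARE\ExampleApp` are assumed placeholders; substitute your own. Run it from an elevated prompt.

```powershell
# Added example: apply targeted SACLs so File System and Registry auditing
# generate events only for chosen objects. Paths are assumed placeholders.
# Requires an elevated prompt (writing a SACL needs SeSecurityPrivilege).
$Folder = 'C:\Sensitive'             # assumed example folder
$Key    = 'HKLM:\SOFTWARE\ExampleApp'  # assumed example registry key
if (-not (Test-Path $Folder)) { New-Item -Path $Folder -ItemType Directory | Out-Null }
if (-not (Test-Path $Key))    { New-Item -Path $Key -Force | Out-Null }

# File system: audit write/delete/permission changes by anyone, inherited by all children.
$fsAcl  = Get-Acl -Path $Folder -Audit
$fsRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$fsAcl.AddAuditRule($fsRule)
Set-Acl -Path $Folder -AclObject $fsAcl

# Registry: audit value writes, subkey creation and permission changes under the key.
$regAcl  = Get-Acl -Path $Key -Audit
$regRule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$regAcl.AddAuditRule($regRule)
Set-Acl -Path $Key -AclObject $regAcl

# Show the SACLs that are now in place.
(Get-Acl -Path $Folder -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
(Get-Acl -Path $Key -Audit).Audit    | Format-Table IdentityReference, RegistryRights, AuditFlags -AutoSize

# Perform one audited write on each object, then look for the resulting events.
Set-Content -Path (Join-Path $Folder 'test.txt') -Value 'audit'
Set-ItemProperty -Path $Key -Name 'Setting' -Value 'changed'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4657 } -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message | Format-List
```

In production the SACL is normally pushed through Group Policy (Computer Configuration > Windows Settings > Security Settings > File System / Registry) rather than set per host, but the rights and audit flags chosen are the same. Keep the rights list narrow: auditing ReadData on a busy directory, for example, will flood the Security log with 4663 events and can push other events out before the forwarder reads them.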

Audit Removable Storage

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success & Failure
  • Event Codes: 4656, 4658, 4663

Audit Filtering Platform Connection

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Failure
  • Event Codes: 5031, 5150, 5151, 5155, 5157, 5159

Policy change

Audit MPSSVC Rule-Level Policy Change

  • Logging Condition: Success & Failure
  • Event Codes: 4944, 4945, 4946, 4947, 4948, 4949, 4950, 4951, 4952, 4953, 4954, 4956, 4957, 4958

Audit Other Policy Change Events

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Failure
  • Event Codes: 4714, 4819, 4826, 4909, 4910, 5063, 5064, 5065, 5066, 5067, 5068, 5069, 5070, 5447, 6144, 6145

Privilege use

Audit Sensitive Privilege Use

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success & Failure
  • Event Codes: 4673, 4674, 4985

System

Audit Other System Events

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success & Failure
  • Event Codes: 5024, 5025, 5027, 5028, 5029, 5030, 5032, 5033, 5034, 5035, 5037, 5058, 5059, 6400, 6401, 6402, 6403, 6404, 6405, 6406, 6407, 6408, 6409

Audit Security State Change

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success
  • Event Codes: 4608, 4616, 4621

Audit Security System Extension

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success
  • Event Codes: 4610, 4611, 4614, 4622, 4697

Audit System Integrity

  • Device Scope: Domain Controllers, Member Servers, Workstations
  • Logging Condition: Success & Failure
  • Event Codes: 4612, 4615, 4618, 4816, 5038, 5056, 5062, 5057, 5060, 5061, 6281, 6410
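Once the GPO has applied, the effective policy on a host is what matters, not what the GPO says. The PowerShell below is an added example (not from the original page or from Splunk) that reads the effective local audit policy with `auditpol` and compares it against the logging conditions listed in both the baseline and advanced recommendation tables above. Subcategories whose conditions are not stated on this page are omitted. The auditpol subcategory names are the built-in ones (the table headings minus the leading "Audit "); the page's "Success & Failure" corresponds to auditpol's "Success and Failure". Run it from an elevated prompt on a representative workstation, member server and domain controller.

```powershell
# Added example: compare this host's effective audit policy with the recommendations
# on this page and report drift. Requires an elevated prompt (auditpol needs admin).
$Expected = @{
    'Credential Validation'           = 'Success and Failure'
    'Security Group Management'       = 'Success'
    'Process Creation'                = 'Success'
    'Logoff'                          = 'Success'
    'Other Logon/Logoff Events'       = 'Success and Failure'
    'Audit Policy Change'             = 'Success'
    'Authentication Policy Change'    = 'Success'
    'Authorization Policy Change'     = 'Success'
    'Group Membership'                = 'Success'
    'File System'                     = 'Success and Failure'
    'Registry'                        = 'Success and Failure'
    'Removable Storage'               = 'Success and Failure'
    'Filtering Platform Connection'   = 'Failure'
    'MPSSVC Rule-Level Policy Change' = 'Success and Failure'
    'Other Policy Change Events'      = 'Failure'
    'Sensitive Privilege Use'         = 'Success and Failure'
    'Other System Events'             = 'Success and Failure'
    'Security State Change'           = 'Success'
    'Security System Extension'       = 'Success'
    'System Integrity'                = 'Success and Failure'
}
# Certification Services is scoped to AD CS servers only; add it when the CA service exists.
if (Get-Service -Name CertSvc -ErrorAction SilentlyContinue) {
    $Expected['Certification Services'] = 'Success and Failure'
}

# auditpol /r emits CSV with the columns:
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$Actual = auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv

$Report = foreach ($name in ($Expected.Keys | Sort-Object)) {
    $row     = $Actual | Where-Object { $_.Subcategory -eq $name }
    $current = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    # Auditing both outcomes satisfies a recommendation for either one alone.
    $ok = ($current -eq $Expected[$name]) -or ($current -eq 'Success and Failure')
    [pscustomobject]@{
        Subcategory = $name
        Expected    = $Expected[$name]
        Current     = $current
        Status      = if ($ok) { 'OK' } else { 'DRIFT' }
    }
}

$Report | Format-Table -AutoSize
$Drift = @($Report | Where-Object Status -eq 'DRIFT')
Write-Host "$($Drift.Count) of $($Report.Count) checked subcategories differ from the recommendation."

# For a one-off local fix (the durable fix is the GPO), e.g.:
#   auditpol /set /subcategory:"Process Creation" /success:enable
```

A "DRIFT" row usually means the GPO has not applied to that host, a more specific GPO is winning, or the legacy category-level policy is overriding the subcategories because the "Force audit policy subcategory settings" option is not enabled. Checking `gpresult /h report.html` on the same host will show which policy object is actually in effect.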