Configuring Windows security audit policies for Enterprise Security visibility
To use Splunk Enterprise Security effectively for security monitoring on Windows hosts, you need detailed audit policies in place.
Windows advanced security audit policies are a granular audit-logging configuration, delivered through Group Policy to all Windows workstations and servers in an Active Directory environment. They ensure that an adequate audit trail is written whenever particular actions occur; in other words, the event codes that drive many Splunk Enterprise Security detections depend on the audit policy configuration of each Windows host. Without these policies configured, Splunk Enterprise Security is blind to many types of adversary activity.
In the default configuration, many of these policies are disabled. The following recommendations provide a solid baseline on which to build a robust detection suite.
Baseline audit policy recommendations
Account logon
Audit Credential Validation
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success & Failure
- Event Codes: 4774, 4775, 4776, 4777
Audit Kerberos Authentication Service
- Device Scope: Domain Controllers
- Logging Condition: Success & Failure
- Event Codes: 4768, 4771, 4772
Audit Kerberos Service Ticket Operations
- Device Scope: Domain Controllers
- Logging Condition: Success & Failure
- Event Codes: 4769, 4770, 4773
Account Management
Audit Computer Account Management
- Device Scope: Domain Controllers
- Logging Condition: Success
- Event Codes: 4741, 4742, 4743
Audit Security Group Management
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success
- Event Codes: 4731, 4732, 4733, 4734, 4735, 4764, 4799
Audit User Account Management
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success & Failure
- Event Codes: 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4781, 4794, 4798, 5376, 5377
Detailed tracking
Audit Process Creation
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success
- Event Codes: 4688, 4696
- Associated Analytic Stories: Too many to list (EventCode 4688 maps to the Endpoint.Processes data model)
- Additional Notes: The command line process auditing GPO is required to enable command-line logging, which is a prerequisite for populating the Endpoint.Processes CIM data model.
DS access
Audit Directory Service Access
- Device Scope: Domain Controllers
- Logging Condition: Success & Failure
- Event Codes: 4661, 4662
- Additional Notes: An Active Directory object SACL (auditing entry) must be configured before these events are generated.
Audit Directory Service Changes
- Device Scope: Domain Controllers
- Logging Condition: Success
- Event Codes: 5136, 5137, 5138, 5139, 5141
- Additional Notes: An Active Directory object SACL (auditing entry) must be configured before these events are generated.
Logon/Logoff
Audit Account Lockout
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Failure
- Event Codes: 4625
Audit Logoff
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success
- Event Codes: 4634, 4647
Audit Logon
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success & Failure
- Event Codes: 4624, 4625, 4648, 4675
Audit Other Logon/Logoff Events
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success & Failure
- Event Codes: 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 5633
Audit Special Logon
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success
- Event Codes: 4964, 4672
Object access
Audit Certification Services
- Device Scope: AD CS Servers Only
- Logging Condition: Success & Failure
- Event Codes: 4868, 4869, 4870, 4871, 4872, 4873, 4874, 4875, 4876, 4877, 4878, 4879, 4880, 4881, 4882, 4883, 4884, 4885, 4886, 4887, 4888, 4889, 4890, 4891, 4892, 4893, 4894, 4895, 4896, 4897, 4898
Audit Other Object Access Events
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success & Failure
- Event Codes: 4671, 4691, 5148, 5149, 4698, 4699, 4700, 4701, 4702, 5888, 5889, 5890
Policy change
Audit Audit Policy Change
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success
- Event Codes: 4715, 4719, 4817, 4902, 4904, 4905, 4906, 4907, 4908, 4912
Audit Authentication Policy Change
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success
- Event Codes: 4670, 4706, 4707, 4716, 4713, 4717, 4718, 4739, 4864, 4865, 4866, 4867
Audit Authorization Policy Change
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success
- Event Codes: 4703, 4704, 4705, 4670, 4911, 4913
Advanced audit policy recommendations
Logon/Logoff
Audit Group Membership
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success
- Event Codes: 4627
Object Access
Audit Detailed File Share
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success & Failure
- Event Codes: 5145
- Additional Notes: This can generate large volumes of noise; review the event volume after deployment.
Audit File Share
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success & Failure
- Event Codes: 5140, 5142, 5143, 5144, 5168
Audit File System
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success & Failure
- Event Codes: 4656, 4658, 4660, 4663, 4664, 4985, 5051, 4670
- Additional Notes: A file system SACL must be applied to the files or folders to be audited before these events are generated. Enable this GPO with a targeted approach, as it can generate high volumes of noise.
Audit Registry
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success & Failure
- Event Codes: 4663, 4656, 4658, 4660, 4657, 5039, 4670
- Additional Notes: A registry key SACL must be applied to the keys to be audited before these events are generated. Enable this GPO with a targeted approach, as it can generate high volumes of noise.
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success & Failure
- Event Codes: 4656, 4658, 4663
Policy change
Audit Filtering Platform Connection
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Failure
- Event Codes: 5031, 5150, 5151, 5155, 5157, 5159
Audit MPSSVC Rule-Level Policy Change
- Logging Condition: Success & Failure
- Event Codes: 4944, 4945, 4946, 4947, 4948, 4949, 4950, 4951, 4952, 4953, 4954, 4956, 4957, 4958
Audit Other Policy Change Events
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Failure
- Event Codes: 4714, 4819, 4826, 4909, 4910, 5063, 5064, 5065, 5066, 5067, 5068, 5069, 5070, 5447, 6144, 6145
Privilege use
Audit Sensitive Privilege Use
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success & Failure
- Event Codes: 4673, 4674, 4985
System
Audit Other System Events
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success & Failure
- Event Codes: 5024, 5025, 5027, 5028, 5029, 5030, 5032, 5033, 5034, 5035, 5037, 5058, 5059, 6400, 6401, 6402, 6403, 6404, 6405, 6406, 6407, 6408, 6409
Audit Security State Change
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success
- Event Codes: 4608, 4616, 4621
Audit Security System Extension
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success
- Event Codes: 4610, 4611, 4614, 4622, 4697
Audit System Integrity
- Device Scope: Domain Controllers, Member Servers, Workstations
- Logging Condition: Success & Failure
- Event Codes: 4612, 4615, 4618, 4816, 5038, 5056, 5062, 5057, 5060, 5061, 6281, 6410
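To verify that a host's effective policy actually matches these recommendations rather than trusting the GPO link, the following added example (not from the original page or from Splunk) parses the CSV printed by `auditpol /get /category:* /r` and reports every recommended subcategory that audits fewer outcomes than the baseline and advanced sections above call for. The auditpol subcategory display names, the "Success and Failure" wording, and the sample output are assumptions.

```python
import csv
import io

# Recommended settings taken from this page (a subset, to stay short). The auditpol
# subcategory display names and the "Success and Failure" wording are assumptions.
RECOMMENDED = {
    "Credential Validation": "Success and Failure",
    "Kerberos Authentication Service": "Success and Failure",
    "User Account Management": "Success and Failure",
    "Process Creation": "Success",
    "Account Lockout": "Failure",
    "Logon": "Success and Failure",
    "Audit Policy Change": "Success",
    "Sensitive Privilege Use": "Success and Failure",
}

def outcomes(setting):
    """Map an auditpol 'Inclusion Setting' string to the set of audited outcomes."""
    setting = setting.strip()
    if setting == "Success and Failure":
        return {"Success", "Failure"}
    if setting in ("Success", "Failure"):
        return {setting}
    return set()  # "No Auditing" (or unexpected text) audits nothing

def find_gaps(auditpol_csv, recommended=RECOMMENDED):
    """Return {subcategory: (effective, recommended)} for each recommended subcategory
    whose effective setting audits fewer outcomes than recommended. auditpol_csv is
    the text printed by 'auditpol /get /category:* /r'; a missing row means unaudited."""
    effective = {}
    for row in csv.DictReader(io.StringIO(auditpol_csv.lstrip())):
        effective[row["Subcategory"].strip()] = row["Inclusion Setting"]
    gaps = {}
    for sub, want in recommended.items():
        have = effective.get(sub, "No Auditing")
        if not outcomes(want) <= outcomes(have):   # required outcomes not all covered
            gaps[sub] = (have.strip(), want)
    return gaps

# Constructed sample of auditpol /r output (placeholder GUIDs, not from a real host).
SAMPLE = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WS01,System,Credential Validation,{00000000-0000-0000-0000-000000000001},Success and Failure,
WS01,System,Process Creation,{00000000-0000-0000-0000-000000000002},No Auditing,
WS01,System,Account Lockout,{00000000-0000-0000-0000-000000000003},Success,
WS01,System,Logon,{00000000-0000-0000-0000-000000000004},Success and Failure,
WS01,System,Audit Policy Change,{00000000-0000-0000-0000-000000000005},Success,
"""
```

On a real host, redirect the auditpol output to a file and pass its contents to `find_gaps`; a non-empty result means the host will not emit some of the event codes the detections above rely on.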