
Windows Audit Policy Recommendations

Windows Audit Policy Recommendations & Event Codes

Windows Audit Policy Recommendations used to be difficult to find on Microsoft’s multiple websites, but look no further.

Windows Audit Policy is vital for proper Windows security. Deciding which security events to monitor can be a daunting task if you do not know where to start. Thankfully, Microsoft has compiled this information. The links below take you to Microsoft's audit policy recommendations and to the list of Windows Security event IDs. You will want to ensure you are ingesting and monitoring these, or a subset of them.

SIEM Tune’s Security Best Practices – Microsoft Windows Audit Policies

SIEM Tune’s Security Best Practices – Windows Event Codes

An admin should open the Group Policy editor for a Group Policy Object that is linked to the computer accounts in scope for monitoring. A large organization will more than likely have dedicated professionals to handle this, but this will help you create “The Ask”. Remember that Microsoft's recommended settings differ between workstations, member servers and domain controllers, but when in doubt more visibility is better than less; it can be tuned down once the logs are being reviewed.

Below is a quick how-to for configuring the audit policy through Group Policy.

Group Policy Configuration Overview

  1. Open the Microsoft Management Console (mmc.exe).
  2. Add the Group Policy snap-in.
    1. File > Add/Remove Snap-in, then add Group Policy Management (for domain GPOs) or Group Policy Object Editor (for the local policy of a single machine).
  3. Select or create a GPO that is linked to the OUs containing your in-scope systems, right-click it and choose Edit.
  4. Drill into the policy and edit it. Please refer to SIEM Tune’s Security Best Practices – Microsoft Windows Audit Policies. The settings live under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
  5. Go through the Microsoft document and implement its recommendations for strong audit policies. When you use these advanced (subcategory) settings, also enable Security Settings > Local Policies > Security Options > “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”, otherwise a legacy nine-category setting can silently override your subcategory choices.
  6. The change must replicate to the other domain controllers before clients pick it up at their next Group Policy refresh. Forcing replication with repadmin /syncall on a domain controller speeds up the Active Directory side (SYSVOL, where the GPO's audit settings file lives, replicates separately through DFS Replication), and running gpupdate /force on the target machine applies it immediately. Confirm the result on the target with auditpol /get /category:*, which shows the effective policy rather than what the GPO intends.
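After the policy has been pushed, the practical question is whether the target host actually ended up with the intended settings and whether the expected events are being written, because a GPO that has not replicated, or a legacy category setting that overrides the subcategories, produces a quiet Security log that the SIEM never sees. The PowerShell script below is an added example, not code from the original post or from Microsoft; it reads the effective policy with auditpol, checks the subcategory-override registry value, compares against a baseline, and then looks for one representative event ID per subcategory. The baseline table is an assumption (an illustrative subset of the Microsoft recommendations, not the full list), as are the 24-hour look-back window and the sample event IDs. It must run in an elevated PowerShell session on the Windows host being checked.

```powershell
<#
  Added example (not from the original post or from Microsoft): compares the local host's
  effective audit policy with a baseline and confirms matching Security events exist.
  Assumptions: $Baseline is an illustrative subset of Microsoft's recommendations, not the
  full list; the look-back window and sample event IDs are this script's own choices.
  Run from an elevated PowerShell prompt on the host you want to check.
#>
[CmdletBinding()]
param(
    # Apply missing settings locally with auditpol (lab/triage use; production goes via the GPO).
    [switch]$Apply,
    [int]$LookbackHours = 24
)

# Subcategory name exactly as auditpol reports it, the required setting, and one event ID the
# subcategory produces, used below to prove events are actually reaching the Security log.
$Baseline = @(
    @{ Subcategory = 'Credential Validation';     Setting = 'Success and Failure'; EventId = 4776 }
    @{ Subcategory = 'Logon';                     Setting = 'Success and Failure'; EventId = 4624 }
    @{ Subcategory = 'Logoff';                    Setting = 'Success';             EventId = 4634 }
    @{ Subcategory = 'User Account Management';   Setting = 'Success and Failure'; EventId = 4720 }
    @{ Subcategory = 'Security Group Management'; Setting = 'Success and Failure'; EventId = 4728 }
    @{ Subcategory = 'Process Creation';          Setting = 'Success';             EventId = 4688 }
    @{ Subcategory = 'Audit Policy Change';       Setting = 'Success and Failure'; EventId = 4719 }
    @{ Subcategory = 'Security State Change';     Setting = 'Success';             EventId = 4608 }
)

# 1. Subcategory settings only win over the legacy nine categories when this value is 1
#    (GPO: Security Options > "Audit: Force audit policy subcategory settings ... to override
#    audit policy category settings"). Without it a stray legacy setting can undo the GPO.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: legacy category settings may override subcategories.'
}

# 2. Effective policy (local + GPO). "auditpol /r" emits CSV preceded by a blank line; drop it.
$effective = @{}
auditpol /get /category:* /r |
    Where-Object { $_ -ne '' } |
    ConvertFrom-Csv |
    ForEach-Object { $effective[$_.Subcategory.Trim()] = $_.'Inclusion Setting'.Trim() }

# 3. Compare. 'Success and Failure' also satisfies a plain 'Success' or 'Failure' requirement.
$gaps = foreach ($item in $Baseline) {
    $actual = if ($effective.ContainsKey($item.Subcategory)) { $effective[$item.Subcategory] } else { 'not reported' }
    if ($actual -ne $item.Setting -and $actual -ne 'Success and Failure') {
        [pscustomobject]@{ Subcategory = $item.Subcategory; Required = $item.Setting; Actual = $actual }
    }
}

# 4. A subcategory that is configured but has produced nothing usually means the change has not
#    replicated or refreshed yet, or the log is being cleared; either way the SIEM sees nothing.
$since = (Get-Date).AddHours(-$LookbackHours)
$silent = foreach ($item in $Baseline) {
    $filter = @{ LogName = 'Security'; Id = $item.EventId; StartTime = $since }
    $hit = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $hit) { "$($item.Subcategory) (expected event $($item.EventId))" }
}

if ($gaps)   { 'Subcategories not meeting the baseline:'; $gaps | Format-Table -AutoSize }
else         { 'All baseline subcategories are configured.' }
if ($silent) { "No events in the last $LookbackHours h for:"; $silent }

# 5. Optional local remediation. A GPO that defines the subcategory overrides this at the next
#    refresh, which is where the change belongs; this only confirms a setting quickly on one host.
if ($Apply) {
    foreach ($gap in $gaps) {
        $flags = switch ($gap.Required) {
            'Success' { '/success:enable' }
            'Failure' { '/failure:enable' }
            default   { '/success:enable', '/failure:enable' }
        }
        auditpol /set /subcategory:"$($gap.Subcategory)" $flags
    }
}
```

Run it as .\Check-AuditPolicy.ps1 (or with -Apply on a lab box) right after gpupdate /force; if a subcategory shows the required setting but still appears in the "No events" list, the usual causes are a Security log that is too small and wrapping, or a host that simply has not performed that kind of activity yet (a workstation may legitimately log no 4728 group changes in a day), so treat that list as a prompt to check rather than as a hard failure.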

Hope this helps! Thanks for visiting SIEMtune.com Happy Hunting.

JT

Check out our other SIEM security content
