When configuring Windows to write audit logs for your SIEM, consider the following policies as a way to improve value over volume in your logging. In today's SIEM platforms, space is always a consideration, as is ability to create meaningful alarms. If you are in a SaaS model, then cost matters as well. The following settings for your Audit Policies on servers writing key log files will help you go a long way to being able to get actionable intelligencefromyour current Windows OS.
OSSEC Windows Audit Policy
- Basic vs Advanced Security Policy
- Checking Security Policy (Checking audit policy)
- Win 2003 and Older Accepted settings
Basic vs Advanced Security Policy
Windows Server 2008/Windows Vista and later operating systems introduced more granular auditing settings.
Basic Audit policy in blue, Advanced in Green:
Checking Security Policy (Checking audit policy)
To see what auditing policy is actually set on a machine.
From admin command prompt, you run:
auditpol /get /category:*
Click here to expand...
System Security System Extension No Auditing System Integrity Success and Failure IPsec Driver No Auditing Other System Events Success and Failure Security State Change Success Logon/Logoff Logon Success and Failure Logoff Success Account Lockout Success IPsec Main Mode Success IPsec Quick Mode Success IPsec Extended Mode Success Special Logon Success Other Logon/Logoff Events Success Network Policy Server Success and Failure User / Device Claims Success Object Access File System No Auditing Registry No Auditing Kernel Object No Auditing SAM No Auditing Certification Services No Auditing Application Generated No Auditing Handle Manipulation No Auditing File Share No Auditing Filtering Platform Packet Drop No Auditing Filtering Platform Connection No Auditing Other Object Access Events No Auditing Detailed File Share No Auditing Removable Storage No Auditing Central Policy Staging No Auditing Privilege Use Non Sensitive Privilege Use No Auditing Other Privilege Use Events No Auditing Sensitive Privilege Use No Auditing Detailed Tracking Process Creation No Auditing Process Termination No Auditing DPAPI Activity No Auditing RPC Events No Auditing Policy Change Authentication Policy Change Success Authorization Policy Change Success MPSSVC Rule-Level Policy Change Success Filtering Platform Policy Change Success Other Policy Change Events Success Audit Policy Change Success Account Management User Account Management Success Computer Account Management Success Security Group Management Success Distribution Group Management Success Application Group Management Success Other Account Management Events Success DS Access Directory Service Changes No Auditing Directory Service Replication No Auditing Detailed Directory Service Replication No Auditing Directory Service Access Success Account Logon Kerberos Service Ticket Operations Success Other Account Logon Events Success Kerberos Authentication Service Success
2012 R2, Win8, Win10 Audit Policy
Starting point with Audit Policies for good OSSEC logs
Feel free to enable as many as you like, though there are ramifications for doing so.
We are looking at Value over Volume here, and this is especially true in the age of SaaS based SIEM models
- Audit File share does add value, but will be VERY high volume on File Servers, enable with caution
- Audit File System will be very verbose during patching
- Note disabled for Windows Firewall
Set to 'No Auditing'. If auditing is enabled for these services, then system will likely overload itself (cpu, network, etc) trying to process and forward logs.
Object Access > Filtering Platform Connection
Detailed Tracking > Process Termination
Detailed Tracking > Process Creation
Do NOT enable these (there are scenarios where we can, but we will start with these off as they can affect the server
Win 2003 and Older Accepted settings
This is our default auditing policy to help prevent rapid log bloat. As we are off-loading all of the logs to our AlienVault server, these settings help prevent both the cpu from being overutilized by the OSSEC process that sends these logs to AlienVault and the internet connection from getting saturated. The key settings that should be set to "No auditing" are Audit object access and Audit process tracking.
DO NOT ENABLE OBJECT ACCESS ON Win 2003 and Older