A Data-Driven Approach to Windows Advanced Audit Policy – What to Enable and Why

Source: Security Blogs | Splunk
Author: unknown
URL: https://www.splunk.com/en_us/blog/security/windows-audit-policy-guide.html

ONE SENTENCE SUMMARY:

Configuring Windows Advanced Audit Policies effectively balances log volume and relevance, leveraging data-driven strategies and MITRE ATT&CK alignment for optimal threat detection.

MAIN POINTS:

  1. Windows event logs are essential but default logging lacks depth for detecting sophisticated threats.
  2. Windows Advanced Audit Policies provide granular control over security event logging.
  3. Advanced Audit Policies split broad categories into detailed subcategories for precise monitoring.
  4. Effective configuration involves balancing event volume, relevance, and system overhead.
  5. The Splunk Threat Research Team compiled Event ID mappings to simplify auditing configurations.
  6. Excessive logging can overwhelm SIEM solutions, increase costs, and burden analysts.
  7. STRT adopted a data-driven approach, analyzing official Microsoft and third-party guidelines.
  8. Event volume varies with installed roles, features, and configured System Access Control Lists (SACLs).
  9. Certain subcategories require additional setup, registry edits, or reboots to function properly.
  10. Mapping Windows Event IDs to MITRE ATT&CK techniques helps prioritize critical security events.
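Points 9 and 10 describe a check a practitioner usually ends up scripting: read the effective audit policy on a host, compare each subcategory against a baseline that records which Event IDs it produces and which ATT&CK techniques those events help detect, and confirm the extra registry setting that some subcategories need. The PowerShell below is an added example, not code from the Splunk post or from STRT's published mapping; the baseline table (subcategory, required setting, Event IDs, technique IDs) and the `Fail` / `Pass` labels are illustrative assumptions chosen for the demonstration, and the command-line logging registry value is the documented one for Process Creation (Event ID 4688). It must run in an elevated session because `auditpol` needs administrative rights to read policy.

```powershell
# Added example (not from the Splunk post): audit the effective Windows Advanced
# Audit Policy against a constructed baseline and report gaps with their ATT&CK context.
# Run as Administrator; auditpol refuses to read policy otherwise.

# Constructed baseline. Event ID / technique pairs are illustrative assumptions for this
# example, not STRT's mapping; extend or replace them with your own prioritised list.
$Baseline = @(
    @{ Subcategory = 'Process Creation';           Required = 'Success';             EventIds = '4688';       Attack = 'T1059, T1204' }
    @{ Subcategory = 'Logon';                      Required = 'Success and Failure'; EventIds = '4624, 4625'; Attack = 'T1078, T1110' }
    @{ Subcategory = 'User Account Management';    Required = 'Success and Failure'; EventIds = '4720, 4726'; Attack = 'T1136, T1098' }
    @{ Subcategory = 'Security Group Management';  Required = 'Success and Failure'; EventIds = '4728, 4732'; Attack = 'T1098' }
    @{ Subcategory = 'Audit Policy Change';        Required = 'Success and Failure'; EventIds = '4719';       Attack = 'T1562.002' }
    @{ Subcategory = 'Other Object Access Events'; Required = 'Success';             EventIds = '4698, 4702'; Attack = 'T1053.005' }
)

function Get-EffectiveAuditPolicy {
    # 'auditpol /r' emits CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $policy = @{}
    foreach ($row in $rows) {
        $policy[$row.Subcategory.Trim()] = $row.'Inclusion Setting'.Trim()
    }
    return $policy
}

function Test-AuditSetting {
    param([string]$Actual, [string]$Required)
    # 'Success and Failure' satisfies every requirement; anything else must match exactly.
    if ($Actual -eq 'Success and Failure') { return $true }
    return ($Actual -eq $Required)
}

function Get-AuditPolicyGaps {
    param([hashtable]$Policy, [array]$BaselineRows)
    foreach ($entry in $BaselineRows) {
        $actual = if ($Policy.ContainsKey($entry.Subcategory)) { $Policy[$entry.Subcategory] } else { 'No Auditing' }
        $ok = Test-AuditSetting -Actual $actual -Required $entry.Required
        [pscustomobject]@{
            Subcategory = $entry.Subcategory
            Required    = $entry.Required
            Actual      = $actual
            Status      = if ($ok) { 'Pass' } else { 'Fail' }
            EventIds    = $entry.EventIds
            Attack      = $entry.Attack
        }
    }
}

function Test-ProcessCommandLineLogging {
    # Process Creation (4688) only includes the command line when this registry value is 1.
    # This is the documented policy location; it is the "additional registry edit" case.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $name = 'ProcessCreationIncludeCmdLine_Enabled'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$name -eq 1)
}

# Report: policy gaps sorted so failures appear first, then the 4688 command-line check.
$effective = Get-EffectiveAuditPolicy
Get-AuditPolicyGaps -Policy $effective -BaselineRows $Baseline |
    Sort-Object Status, Subcategory |
    Format-Table Subcategory, Required, Actual, Status, EventIds, Attack -AutoSize

if (Test-ProcessCommandLineLogging) {
    Write-Host 'Process Creation command-line logging: enabled'
} else {
    Write-Host 'Process Creation command-line logging: DISABLED (4688 events will lack the command line)'
}
```

Each `Fail` row names the Event IDs you are not collecting and the techniques those events support, which is the ordering the post recommends for deciding what to enable first. The same table can be fed with a much larger baseline (a full STRT-style mapping) without changing the comparison logic.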

TAKEAWAYS:

  1. Prioritize auditing configurations by aligning them to MITRE ATT&CK techniques and threat actor TTPs.
  2. Use STRT’s Event ID mapping resources to streamline and optimize your auditing strategy.
  3. Consider additional configuration requirements for certain audit subcategories to ensure proper logging.
  4. Evaluate event volume and relevance carefully to avoid overwhelming security monitoring systems.
  5. Leverage industry guidelines and real-world incident data to inform decisions on audit policy settings.