Source: Security Blogs | Splunk Author: unknown URL: https://www.splunk.com/en_us/blog/security/windows-audit-policy-guide.html
ONE SENTENCE SUMMARY: Configuring Windows Advanced Audit Policies effectively balances log volume and relevance, leveraging data-driven strategies and MITRE ATT&CK alignment for optimal threat detection.

MAIN POINTS:
- Windows event logs are essential, but default logging lacks the depth needed to detect sophisticated threats.
- Windows Advanced Audit Policies provide granular control over security event logging.
- Advanced Audit Policies split broad categories into detailed subcategories for precise monitoring.
- Effective configuration involves balancing event volume, relevance, and system overhead.
- The Splunk Threat Research Team (STRT) compiled Event ID mappings to simplify auditing configurations.
- Excessive logging can overwhelm SIEM solutions, increase costs, and burden analysts.
- STRT adopted a data-driven approach, analyzing official Microsoft and third-party guidelines.
- Event volume varies by installed roles, features, and configured System Access Control Lists (SACLs).
- Certain subcategories require additional setup, registry edits, or reboots to function properly.
- Mapping Windows Event IDs to MITRE ATT&CK techniques helps prioritize critical security events.

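As an added example (not from the Splunk post and not STRT's mapping), this PowerShell script enables a handful of Advanced Audit Policy subcategories with the built-in auditpol tool, applies the extra registry settings some subcategories need (the "additional setup" point above), and reads the effective setting back for verification; the chosen subcategories and the Event IDs in the comments are assumptions for illustration. It assumes an elevated PowerShell session on a Windows host.

```powershell
# Added example (not from the Splunk post): enable a few Advanced Audit Policy
# subcategories, apply the extra registry settings some of them need, then verify
# the effective setting. Run as Administrator. The subcategory list below is an
# assumption for illustration, not STRT's Event ID mapping.

$Subcategories = @(
    'Process Creation',          # 4688 (command line needs the registry value below)
    'Logon',                     # 4624 / 4625
    'Security Group Management', # 4728 / 4732 / 4756
    'Audit Policy Change'        # 4719 - detects changes to the audit policy itself
)

function Set-AdvancedAuditPolicy {
    param([string[]]$Names)

    # Make subcategory settings win over legacy category settings
    # (same effect as the "Force audit policy subcategory settings" GPO option).
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

    foreach ($name in $Names) {
        # auditpol.exe is the built-in tool that drives Advanced Audit Policies.
        & auditpol.exe /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$name'" }
    }

    # Process Creation (4688) only records the command line when this value is set.
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if (-not (Test-Path $audit)) { New-Item -Path $audit -Force | Out-Null }
    Set-ItemProperty -Path $audit -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
}

function Get-AdvancedAuditPolicy {
    param([string[]]$Names)
    # Parse the CSV form of `auditpol /get` into objects so it can be checked or logged.
    foreach ($name in $Names) {
        $csv = & auditpol.exe /get /subcategory:"$name" /r |
            Where-Object { $_ -match ',' } | ConvertFrom-Csv
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $csv.'Inclusion Setting'   # e.g. "Success and Failure"
        }
    }
}

Set-AdvancedAuditPolicy -Names $Subcategories
Get-AdvancedAuditPolicy -Names $Subcategories | Format-Table -AutoSize
```

On domain-joined hosts a Group Policy audit setting overrides the local auditpol configuration at the next refresh, so the verification step is the one to keep in any baseline check.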
TAKEAWAYS:
- Prioritize auditing configurations by aligning them to MITRE ATT&CK techniques and threat actor TTPs.
- Use STRT’s Event ID mapping resources to streamline and optimize your auditing strategy.
- Consider additional configuration requirements for certain audit subcategories to ensure proper logging.
- Evaluate event volume and relevance carefully to avoid overwhelming security monitoring systems.
- Leverage industry guidelines and real-world incident data to inform decisions on audit policy settings.