Configure audit policies for Windows event logs
Microsoft Defender for Identity detection relies on specific Windows Event log entries to enhance detections and provide extra information on the users who performed specific actions, such as NTLM logons and security group modifications.
For the correct events to be audited and written to the Windows Event Log, your domain controllers require specific Windows Server Advanced Audit Policy settings. Misconfigured Advanced Audit Policy settings cause gaps in the Event Log and therefore incomplete Defender for Identity coverage.
This article describes how to configure your Advanced Audit Policy settings as needed for a Defender for Identity sensor, and other configurations for specific event types.
For more information, see What is Windows event collection for Defender for Identity and Advanced security audit policies in the Windows documentation.
Configure auditing for domain controllers
When working with a domain controller, you need to update your Advanced Audit Policy settings and apply extra configuration for specific events and event types, such as users, groups, computers, and more. The audit configuration for domain controllers consists of the procedures in the following sections.
Configure Advanced Audit Policy settings
This procedure describes how to modify your domain controller's Advanced Audit Policies as needed for Defender for Identity.
Sign in to the server as Domain Administrator.
Open the Group Policy Management Editor from Server Manager > Tools > Group Policy Management.
Expand the Domain Controllers Organizational Unit, right-click Default Domain Controllers Policy, and then select Edit.
Note
Use the Default Domain Controllers Policy or a dedicated GPO to set these policies.
In the window that opens, go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
Under Audit Policies, edit each of the following policies and select Configure the following audit events for both Success and Failure events.
| Audit policy | Subcategory | Triggers event IDs |
|---|---|---|
| Account Logon | Audit Credential Validation | 4776 |
| Account Management | Audit Computer Account Management | 4741, 4743 |
| Account Management | Audit Distribution Group Management | 4753, 4763 |
| Account Management | Audit Security Group Management | 4728, 4729, 4730, 4732, 4733, 4756, 4757, 4758 |
| Account Management | Audit User Account Management | 4726 |
| DS Access | Audit Directory Service Changes | 5136 |
| System | Audit Security System Extension | 7045 |
| DS Access | Audit Directory Service Access | 4662. For this event, you must also configure domain object auditing (see Configure domain object auditing below). |

For example, to configure Audit Security Group Management, under Account Management, double-click Audit Security Group Management, and then select Configure the following audit events for both Success and Failure events.
From an elevated command prompt, run:
gpupdate
After the policy is applied via GPO, the new events are visible in Event Viewer under Windows Logs > Security.
Alternatively, verify your audit policy via the command line. Run:
auditpol.exe /get /category:*
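The procedure above ends with a manual check of `auditpol` output. The following script is an added example, not part of the original article, that automates that check on a domain controller: it parses `auditpol /get /category:* /r` (CSV output, English subcategory names assumed), reports every required subcategory that isn't set to Success and Failure, optionally fixes it locally with `auditpol /set` (the `-Fix` switch is this script's own parameter), and then counts the expected event IDs that actually arrived in the last 24 hours. Local `auditpol /set` changes are overwritten at the next Group Policy refresh, so `-Fix` is for a lab; in production, fix the GPO.

```powershell
# Added example (not from the original article): verify a DC's effective Advanced Audit
# Policy against the subcategories Defender for Identity needs, then confirm the matching
# events are actually being written. Run in an elevated PowerShell session on the DC.
[CmdletBinding()]
param(
    [switch]$Fix,              # apply auditpol /set locally (lab only; GPO wins at refresh)
    [int]$LookbackHours = 24
)

# Subcategory -> event IDs, as listed in the article's table.
$Required = [ordered]@{
    'Credential Validation'         = 4776
    'Computer Account Management'   = 4741, 4743
    'Distribution Group Management' = 4753, 4763
    'Security Group Management'     = 4728, 4729, 4730, 4732, 4733, 4756, 4757, 4758
    'User Account Management'       = 4726
    'Directory Service Changes'     = 5136
    'Security System Extension'     = 7045
    'Directory Service Access'      = 4662
}

# auditpol /get /category:* /r emits CSV with the columns
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$effective = auditpol.exe /get /category:* /r | ConvertFrom-Csv

$gaps = @()
foreach ($sub in $Required.Keys) {
    $row = $effective | Where-Object { $_.Subcategory -eq $sub }
    if (-not $row) { $gaps += "$sub : subcategory not found in auditpol output"; continue }
    if ($row.'Inclusion Setting' -ne 'Success and Failure') {
        $gaps += "$sub : is '$($row.'Inclusion Setting')', expected 'Success and Failure'"
        if ($Fix) {
            auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        }
    }
}

if ($gaps) {
    Write-Warning ("Audit policy gaps (Defender for Identity coverage will be incomplete):`n  " + ($gaps -join "`n  "))
} else {
    Write-Host 'All required subcategories audit Success and Failure.'
}

# Second check: a subcategory can be configured correctly and still yield nothing, e.g. the
# GPO never applied (gpupdate) or the SACLs that drive 4662 were never set. Count events
# per subcategory over the lookback window. Note that 7045 (service installed) is written
# by the Service Control Manager to the System log, not to the Security log.
$since = (Get-Date).AddHours(-$LookbackHours)
foreach ($sub in $Required.Keys) {
    $ids = @($Required[$sub])
    $log = if ($ids -contains 7045) { 'System' } else { 'Security' }
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue
    $count = ($events | Measure-Object).Count
    '{0,-32} {1,-9} IDs {2,-45} {3,6} events in last {4}h' -f $sub, $log, ($ids -join ','), $count, $LookbackHours
}
```

A zero count for Directory Service Access (4662) with the subcategory correctly enabled almost always means the domain object auditing SACLs described later in this article are missing, not that the audit policy is wrong.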
Configure NTLM auditing
This section describes the extra configuration steps needed to audit Event ID 8004.
Note
- Domain group policies to collect Windows Event 8004 should only be applied to domain controllers.
- When Windows Event 8004 is parsed by the Defender for Identity sensor, Defender for Identity NTLM authentication activities are enriched with the data of the server that was accessed.
Following the initial steps, open Group Policy Management, edit the Default Domain Controllers Policy, and go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
Under Security Options, configure the specified security policies as follows:
| Security policy setting | Value |
|---|---|
| Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers | Audit all |
| Network security: Restrict NTLM: Audit NTLM authentication in this domain | Enable all |
| Network security: Restrict NTLM: Audit Incoming NTLM Traffic | Enable auditing for all accounts |

For example, to configure Outgoing NTLM traffic to remote servers, under Security Options, double-click Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers, and then select Audit all.
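The three policy settings above are stored in the registry once the GPO applies, so a domain controller can be checked without opening the Group Policy editor. The script below is an added example, not part of the original article; the registry value names and their meanings are the ones that back the Windows Restrict NTLM policies, and the 8004 events are read from the NTLM operational log where Windows writes them. The `Test-NtlmAuditConfig` function name is this script's own.

```powershell
# Added example (not from the original article): verify the three "Restrict NTLM" settings
# on a domain controller and confirm that 8004 events are being produced.
# Registry values behind the policies:
#   Outgoing NTLM traffic to remote servers  -> Lsa\MSV1_0\RestrictSendingNTLMTraffic (1 = Audit all, 2 = Deny all)
#   Audit Incoming NTLM Traffic              -> Lsa\MSV1_0\AuditReceivingNTLMTraffic  (2 = Enable auditing for all accounts)
#   Audit NTLM authentication in this domain -> Netlogon\Parameters\AuditNTLMInDomain (7 = Enable all)
$Msv1     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

$Expected = @(
    @{ Path = $Msv1;     Name = 'RestrictSendingNTLMTraffic'; Value = 1; Setting = 'Outgoing NTLM traffic to remote servers = Audit all' }
    @{ Path = $Msv1;     Name = 'AuditReceivingNTLMTraffic';  Value = 2; Setting = 'Audit Incoming NTLM Traffic = Enable auditing for all accounts' }
    @{ Path = $Netlogon; Name = 'AuditNTLMInDomain';          Value = 7; Setting = 'Audit NTLM authentication in this domain = Enable all' }
)

function Test-NtlmAuditConfig {
    foreach ($e in $Expected) {
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        $status = if ($null -eq $actual) { 'NOT SET (GPO not applied?)' }
                  elseif ($actual -eq $e.Value) { 'OK' }
                  else { 'MISMATCH' }
        # Value 2 on outgoing traffic is "Deny all": it blocks NTLM instead of auditing it.
        if ($e.Name -eq 'RestrictSendingNTLMTraffic' -and $actual -eq 2) {
            $status = 'DENY ALL: blocks NTLM rather than auditing it'
        }
        [pscustomobject]@{ Setting = $e.Setting; Expected = $e.Value; Actual = $actual; Status = $status }
    }
}

Test-NtlmAuditConfig | Format-Table -AutoSize

# 8004 is written to the NTLM operational log (Applications and Services Logs > Microsoft >
# Windows > NTLM > Operational), not to the Security log.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = $since } -ErrorAction SilentlyContinue
'{0} NTLM 8004 events in the last 24h' -f ($events | Measure-Object).Count

# Show the most recent entries; the message body carries the accessed server name that
# the sensor uses to enrich NTLM activities.
$events | Select-Object -First 5 TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

If all three values read OK but the 8004 count stays at zero, check that the GPO is linked only to the Domain Controllers OU and that NTLM traffic is actually reaching this DC; a DC that only sees Kerberos will legitimately log nothing here.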
Configure domain object auditing
To collect events for object changes, such as event 4662, you must also configure object auditing on the user, group, computer, and other objects. This procedure describes how to enable auditing in the Active Directory domain.
Important
Make sure to review and verify your audit policies before enabling event collection to ensure that the domain controllers are properly configured to record the necessary events. If configured properly, this auditing should have minimal effect on server performance.
Go to the Active Directory Users and Computers console.
Select the domain you want to audit.
Select the View menu and select Advanced Features.
Right-click the domain and select Properties.
Go to the Security tab, and select Advanced.
In Advanced Security Settings, select the Auditing tab and then select Add.
Select Select a principal.
Under Enter the object name to select, enter Everyone and select Check Names > OK.
You'll then return to Auditing Entry. Make the following selections:
- For Type, select Success.
- For Applies to, select Descendant User objects.
- Under Permissions, scroll down and select the Clear all button.
- Scroll back up and select Full Control. All the permissions are selected.
- Clear the List contents, Read all properties, and Read permissions check boxes, and select OK. This leaves only the write-type permissions selected, so every property setting is audited on Write.
Now, when triggered, all relevant changes to directory services appear as 4662 events.
Repeat the steps in this procedure, but for Applies to, select the following object types:
- Descendant Group Objects
- Descendant Computer Objects
- Descendant msDS-GroupManagedServiceAccount Objects
- Descendant msDS-ManagedServiceAccount Objects
Note
Assigning the auditing permissions on All descendant objects would work as well, but only the object types listed above are required.
Configure auditing on Active Directory Federation Services (AD FS)
Go to the Active Directory Users and Computers console, and select the domain you want to enable the logs on. The Program Data container is only shown when Advanced Features is enabled on the View menu.
Go to Program Data > Microsoft > ADFS.
Right-click ADFS and select Properties.
Go to the Security tab and select Advanced > Advanced Security Settings > Auditing tab > Add > Select a principal.
Under Enter the object name to select, enter Everyone.
Select Check Names > OK.
You'll then return to Auditing Entry. Make the following selections:
- For Type select All.
- For Applies to select This object and all descendant objects.
- Under Permissions, scroll down and select Clear all. Scroll up and select Read all properties and Write all properties.
Select OK.
Configure auditing for Active Directory Certificate Services (AD CS)
If you're working with a dedicated server with Active Directory Certificate Services (AD CS) configured, make sure to configure auditing as follows to view dedicated alerts and Secure Score reports:
Create a group policy to apply to your AD CS server. Edit it and configure the following auditing settings:
Go to Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access and double-click Audit Certification Services.
Select Configure the following audit events for both Success and Failure.
Configure auditing on the certificate authority (CA) using one of the following methods:
To configure CA auditing from the command line, run the following two commands (the CA service must be restarted for the new audit filter to take effect):
certutil -setreg CA\AuditFilter 127
net stop certsvc && net start certsvc
To configure CA auditing using the GUI:
Select Start > Certification Authority (MMC Desktop application). Right-click your CA's name and select Properties.
Select the Auditing tab, select all the events you want to audit, and then select Apply.
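CA auditing only produces events when both halves are in place: the Audit Certification Services subcategory lets the events through, and CA\AuditFilter decides which CA operations generate them. The script below is an added example, not part of the original article, that verifies both on the CA server and counts recent Certification Services events. It reads the active CA name and its AuditFilter from the certsvc configuration keys in the registry; the bit meanings listed are the ones certutil documents for AuditFilter (127 = all seven), and `Get-CaAuditFilter` is this script's own function name.

```powershell
# Added example (not from the original article): verify a CA's auditing configuration
# after applying the settings above. Run in an elevated PowerShell session on the CA.

# AuditFilter bits per the certutil AuditFilter documentation; 127 enables all of them.
$AuditBits = @(
    @{ Bit = 1;  Name = 'Start and stop Active Directory Certificate Services' }
    @{ Bit = 2;  Name = 'Back up and restore the CA database' }
    @{ Bit = 4;  Name = 'Issue and manage certificate requests' }
    @{ Bit = 8;  Name = 'Change CA configuration' }
    @{ Bit = 16; Name = 'Change CA security settings' }
    @{ Bit = 32; Name = 'Store and retrieve archived keys' }
    @{ Bit = 64; Name = 'Revoke certificates and publish CRLs' }
)

function Get-CaAuditFilter {
    # certsvc keeps the active CA name under Configuration\Active and its settings below it.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base -Name Active).Active
    $value  = (Get-ItemProperty -Path "$base\$caName" -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter
    [pscustomobject]@{ CA = $caName; AuditFilter = [int]$value }   # missing value reads as 0
}

$ca = Get-CaAuditFilter
"CA '{0}': AuditFilter = {1}" -f $ca.CA, $ca.AuditFilter
foreach ($b in $AuditBits) {
    $on = ($ca.AuditFilter -band $b.Bit) -ne 0
    '  [{0}] {1}' -f $(if ($on) { 'x' } else { ' ' }), $b.Name
}
if ($ca.AuditFilter -ne 127) {
    Write-Warning 'AuditFilter is not 127. Run: certutil -setreg CA\AuditFilter 127, then restart certsvc.'
}

# The CA-side filter produces nothing while the subcategory is "No Auditing".
$row = auditpol.exe /get /subcategory:"Certification Services" /r | ConvertFrom-Csv
'Audit Certification Services subcategory: {0}' -f $row.'Inclusion Setting'
if ($row.'Inclusion Setting' -ne 'Success and Failure') {
    Write-Warning 'Subcategory must be Success and Failure (set it via the GPO applied to this server).'
}

# Are events flowing? 4886 = request received, 4887 = request approved and certificate issued,
# 4885 = the audit filter itself was changed (expect one of these right after certutil -setreg).
$since = (Get-Date).AddDays(-7)
$n = (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4885, 4886, 4887; StartTime = $since } -ErrorAction SilentlyContinue | Measure-Object).Count
'{0} Certification Services events (4885/4886/4887) in the last 7 days' -f $n
```

A correct AuditFilter with zero events over a week on a busy CA points at the subcategory, the GPO link, or a certsvc that was never restarted after the filter change.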
Configure auditing on the configuration container
Open ADSI Edit by selecting Start > Run. Enter ADSIEdit.msc and select OK.
On the Action menu, select Connect to.
In the Connection Settings dialog box under Select a well known Naming Context, select Configuration > OK.
Expand the Configuration container to show the Configuration node, beginning with "CN=Configuration,DC=..."
Right-click the Configuration node and select Properties.
Select the Security tab > Advanced.
In the Advanced Security Settings, select the Auditing tab > Add.
Select Select a principal.
Under Enter the object name to select, enter Everyone and select Check Names > OK.
You'll then return to Auditing Entry. Make the following selections:
- For Type select All.
- For Applies to select This object and all descendant objects.
- Under Permissions, scroll down and select Clear all. Scroll up and select Write all properties.
Select OK.
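The three SACL procedures in this article (Configure domain object auditing, Configure auditing on Active Directory Federation Services, and Configure auditing on the configuration container) all add an auditing entry for Everyone that differs only in type, scope, and permissions. The script below is an added example, not part of the original article, that applies all three from PowerShell with the ActiveDirectory module's AD: drive. It derives the domain, Configuration, and schema distinguished names from the root DSE, resolves each object class's schemaIDGUID from the schema instead of hard-coding it, and skips the AD FS container if it doesn't exist. `Get-SchemaClassGuid` and `Add-AdAuditEntry` are this script's own helper names. Run it on a domain controller as a Domain Admin, and test it in a lab first: it modifies the domain's and forest's SACLs.

```powershell
# Added example (not from the original article): apply the article's three auditing entries
# (domain descendants, AD FS container, Configuration container) from PowerShell.
# Writing a SACL requires SeSecurityPrivilege, so run elevated as a Domain Admin on a DC.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext
$schemaDn = $rootDse.schemaNamingContext
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # the "Everyone" principal

# Resolve a class's schemaIDGUID from the schema rather than hard-coding well-known GUIDs.
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $cls = Get-ADObject -SearchBase $schemaDn -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))"
    if (-not $cls) { throw "Schema class '$LdapDisplayName' not found" }
    [guid]$cls.schemaIDGUID
}

# Append one audit ACE for Everyone to an object's SACL.
function Add-AdAuditEntry {
    param(
        [string]$Dn,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AuditFlags]$Flags,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [guid]$InheritedObjectType = [guid]::Empty    # Empty = not limited to one object class
    )
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone, $Rights, $Flags, $Inheritance, $InheritedObjectType)
    $acl = Get-Acl -Path "AD:\$Dn" -Audit            # -Audit is what reads the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# The GUI recipe "Full Control, then clear List contents / Read all properties / Read
# permissions" is GenericAll minus ListChildren, ReadProperty and ReadControl.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights](
    [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll -band
    -bnot ([int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
           [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
           [int][System.DirectoryServices.ActiveDirectoryRights]::ReadControl))

# 1. Domain root: Success, applied to descendant objects of each listed class (drives 4662).
foreach ($class in 'user', 'group', 'computer', 'msDS-GroupManagedServiceAccount', 'msDS-ManagedServiceAccount') {
    Add-AdAuditEntry -Dn $domainDn -Rights $writeRights -Flags Success `
        -Inheritance Descendents -InheritedObjectType (Get-SchemaClassGuid $class)
}

# 2. AD FS container: All (Success and Failure), this object and all descendants,
#    Read all properties + Write all properties. The container exists only once AD FS is deployed.
$adfsDn = "CN=ADFS,CN=Microsoft,CN=Program Data,$domainDn"
if (Get-ADObject -Identity $adfsDn -ErrorAction SilentlyContinue) {
    Add-AdAuditEntry -Dn $adfsDn -Rights 'ReadProperty, WriteProperty' -Flags 'Success, Failure' -Inheritance All
} else {
    Write-Warning "$adfsDn not found; skipping the AD FS entry"
}

# 3. Configuration container: All, this object and all descendants, Write all properties.
Add-AdAuditEntry -Dn $configDn -Rights WriteProperty -Flags 'Success, Failure' -Inheritance All

# Verify: list the audit entries naming Everyone on each target.
foreach ($dn in $domainDn, $adfsDn, $configDn) {
    if (-not (Get-ADObject -Identity $dn -ErrorAction SilentlyContinue)) { continue }
    "`n== $dn"
    (Get-Acl -Path "AD:\$dn" -Audit).GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $everyone } |
        Select-Object AuditFlags, ActiveDirectoryRights, InheritanceType, InheritedObjectType
}
```

The verification loop is also a useful standalone drift check: run just that part on a schedule and alert when the Everyone entries disappear, since removing them silently stops 4662 generation while the audit policy still looks correct.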
Legacy configurations
Important
Defender for Identity no longer requires logging 1644 events. If you have this registry setting enabled, you can remove it.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics]
"15 Field Engineering"=dword:00000005
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"Expensive Search Results Threshold"=dword:00000001
"Inefficient Search Results Threshold"=dword:00000001
"Search Time Threshold (msecs)"=dword:00000001
Related content
For more information, see Windows security auditing.