Windows Audit Policies
This page lists the Windows audit policies that must be enabled to generate the events our detection rules depend on. It serves as a centralized view of the policies we use, so you do not need to go through every rule to find the audit policies it requires.
Audit Policies:
- Audit Authorization Policy Change
- Audit Computer Account Management
- Audit Detailed File Share
- Audit Directory Service Access
- Audit Directory Service Changes
- Audit Filtering Platform Connection
- Audit Filtering Platform Packet Drop
- Audit Handle Manipulation
- Audit Logon
- Audit Other Object Access Events
- Audit Policy Change
- Audit Process Creation and Command Line
- Audit Security Group Management
- Audit Security System Extension
- Audit Sensitive Privilege Use
- Audit Special Logon
- Audit Token Right Adjusted Events
- Audit User Account Management
- Audit PowerShell Script Block Logging (a PowerShell Group Policy setting rather than an advanced audit policy subcategory; it produces event 4104 in the Microsoft-Windows-PowerShell/Operational log)
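The following script is an added example of applying the policies listed above; it is not part of the original page and not Elastic's own tooling. It uses auditpol.exe with the English subcategory names, sets the two registry-backed settings that are not audit subcategories (command line in 4688, PowerShell script block logging), enables the subcategory override that advanced audit policy depends on, and reads the effective policy back. Running it on a domain-joined host is an assumption you should check first: settings managed by Group Policy are re-applied at the next refresh and will overwrite local auditpol changes.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Elastic page): enable the audit subcategories listed above,
# plus the registry-backed settings for 4688 command lines and PowerShell 4104 events,
# then read the effective policy back. Names are auditpol's English subcategory names.

$SubCategories = @(
    'Authorization Policy Change', 'Computer Account Management', 'Detailed File Share',
    'Directory Service Access', 'Directory Service Changes',          # only present on domain controllers
    'Filtering Platform Connection', 'Filtering Platform Packet Drop', # very high volume (5156/5152)
    'Handle Manipulation',                                             # very high volume (4658/4690)
    'Logon', 'Other Object Access Events', 'Audit Policy Change', 'Process Creation',
    'Security Group Management', 'Security System Extension', 'Sensitive Privilege Use',
    'Special Logon', 'Token Right Adjusted Events', 'User Account Management'
)

foreach ($sub in $SubCategories) {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol could not set '$sub' (subcategory missing on this SKU or role?)"
    }
}

# Subcategory settings are ignored unless the override is on. This is the registry value behind
# Security Options: "Audit: Force audit policy subcategory settings (Windows Vista or later)
# to override audit policy category settings".
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsaKey -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Include the full command line in 4688 (Process Creation) events.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# PowerShell Script Block Logging (event 4104). This is an Administrative Templates setting,
# not an advanced audit subcategory, so auditpol cannot enable it.
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sblKey -Force | Out-Null
Set-ItemProperty -Path $sblKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Read the effective policy back as CSV (/r) and show the subcategories we care about.
# Anything still reporting "No Auditing" needs attention (GPO override, missing role, typo).
$effective = auditpol.exe /get /category:* /r |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv

$effective |
    Where-Object { $SubCategories -contains $_.Subcategory } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize
```

Filtering Platform Connection and Handle Manipulation are the two entries most likely to flood a collector; if volume is a problem, start them as success-only or failure-only and widen once the rules that need them are in place.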
Caution: The following guides provide minimal configuration examples designed to enable specific Sysmon Event IDs. Collecting Sysmon events without a configuration tailored to your environment will cause high data volume and potentially high CPU load, and these setup instructions require significant tuning to be production-ready.
To build an efficient and production-ready configuration, we strongly recommend exploring these community resources:
For a production-ready and more integrated solution that is designed to work with our detection rules and also provide native Endpoint Protection and Response, check out Elastic Endpoint Security.
- Sysmon Event ID 1: Process Creation
- Sysmon Event ID 2: File Creation Time Changed
- Sysmon Event ID 3: Network Connection
- Sysmon Event ID 7: Image Loaded
- Sysmon Event ID 8: Create Remote Thread
- Sysmon Event ID 10: Process Accessed
- Sysmon Event ID 11: File Create
- Sysmon Event IDs 12, 13, 14: Registry Events
- Sysmon Event IDs 17, 18: Named Pipe Events
- Sysmon Event IDs 19, 20, 21: WMI Events
- Sysmon Event ID 22: DNS Query
- Sysmon Event ID 23: File Delete
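As an added example (not part of the original page and not an Elastic-provided configuration), the script below writes a minimal Sysmon configuration that turns on exactly the event IDs listed above, installs or updates Sysmon with it, and then counts what arrives in the Sysmon operational log. It assumes Sysmon64.exe is on the path and that the installed binary accepts schema version 4.50 (check with `Sysmon64.exe -s`); the two tailored filters for image loads and process access are starting points chosen to keep the noisiest event types bounded, not a tuned ruleset.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Elastic page): minimal Sysmon config covering the listed
# event IDs. Assumes Sysmon64.exe is in $env:Path and supports schemaversion 4.50.
# onmatch="exclude" with no child rules logs every event of that type;
# onmatch="include" with child rules logs only the events that match.

$ConfigPath = Join-Path $env:ProgramData 'sysmon-minimal.xml'

$SysmonConfig = @'
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <!-- ID 1: every process creation -->
    <ProcessCreate onmatch="exclude" />
    <!-- ID 2: file creation time changed -->
    <FileCreateTime onmatch="exclude" />
    <!-- ID 3: network connections, minus loopback chatter -->
    <NetworkConnect onmatch="exclude">
      <DestinationIp condition="is">127.0.0.1</DestinationIp>
    </NetworkConnect>
    <!-- ID 7: image loads; unsigned images only, because "exclude all" here is enormous -->
    <ImageLoad onmatch="include">
      <Signed condition="is">false</Signed>
    </ImageLoad>
    <!-- ID 8: remote thread creation -->
    <CreateRemoteThread onmatch="exclude" />
    <!-- ID 10: process access; only handles opened to lsass.exe -->
    <ProcessAccess onmatch="include">
      <TargetImage condition="end with">\lsass.exe</TargetImage>
    </ProcessAccess>
    <!-- ID 11: file creation -->
    <FileCreate onmatch="exclude" />
    <!-- IDs 12, 13, 14: registry key add/delete, value set, key/value rename -->
    <RegistryEvent onmatch="exclude" />
    <!-- IDs 17, 18: named pipe created / connected -->
    <PipeEvent onmatch="exclude" />
    <!-- IDs 19, 20, 21: WMI event filter / consumer / binding -->
    <WmiEvent onmatch="exclude" />
    <!-- ID 22: DNS queries -->
    <DnsQuery onmatch="exclude" />
    <!-- ID 23: file delete; deleted files are archived under ArchiveDirectory (default C:\Sysmon) -->
    <FileDelete onmatch="exclude" />
  </EventFiltering>
</Sysmon>
'@

# The config is pure ASCII, so write it without a BOM.
Set-Content -Path $ConfigPath -Value $SysmonConfig -Encoding ASCII

# Sysmon validates the XML against its schema and rejects anything it cannot parse.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & Sysmon64.exe -c $ConfigPath               # update the running configuration
} else {
    & Sysmon64.exe -accepteula -i $ConfigPath   # install driver + service with this config
}
if ($LASTEXITCODE -ne 0) { throw "Sysmon returned exit code $LASTEXITCODE" }

# Confirm events are flowing: count by event ID over the last 10 minutes.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    StartTime = (Get-Date).AddMinutes(-10)
} -ErrorAction SilentlyContinue |
    Group-Object Id |
    Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
```

Run the count step again after an hour on a representative host: the IDs that dominate (typically 3, 7, 11 and 22) are the ones whose filters need environment-specific exclusions before this goes anywhere near production, which is the point of the caution above.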