Potentially incorrect DC audit policy detections about pingcastle HOT 7 CLOSED

It comes straight from https://adsecurity.org/?p=3377, chapter "Domain Controller Events to Monitor (Event Logs)"

Example, 4648 event is indicated coming from "Audit Logon" and from "Audit Other Account Logon Events".

Given my source, can you elaborate?
I don't understand given this source where the problem is.

from pingcastle.

That means adsecurity.org is wrong?

from pingcastle.

Hmm, I'll take a close look once I get the chance. The above however is based off Microsoft's documentation, so something is likely not quite right ...

from pingcastle.

So taking a look at the DC-Events spreadsheet:

• Event 4648 is listed twice with one of the two listings being the correct audit category. So yes, I think this one is a mistake. Either that, or Microsoft's documentation is wrong.
• The recommendation for Event 4908 to enable the Audit policy change category isn't "wrong", but it is redundant if the referenced advanced audit policy category is enabled. The latter is I think generally preferable due to being more fine-grained. As long as one of them is enabled, the referenced event is being recorded, so it's not a security misconfiguration.
• Same as above for the remaining three events.

from pingcastle.

Sorry, it's too late for this release.
The change are not trivial and needs some review which is incompatible with this release timeline

from pingcastle.

That's fine, it just means in some configurations audit policy detections will be incorrect. Let's leave the issue open until it's addressed in the next release?

from pingcastle.

removed for the next version the requirement to have these 3 audit policies

from pingcastle.