yamato-security / enablewindowslogsettings Goto Github PK

Please ignore/delete this ...

After testing around with "Detection Lab", I am pretty sure that there MUST be a setting in some policy ... though I cannot find it at the moment.

Hello again

Since I stumbled upon the need to make changes to the audit policy today, I would like to suggest the following:

To easily and quickly import configuration changes, one should insert the command "auditpol /clear /y" before the actual definitions are made. This will reset all previous policies and then you can initiate again.

Extract from the code

:: ...
:: Configure Security log 
:: Note: subcategory IDs are used instead of the names in order to work in any OS language.
:: Clear
:: Before configuring (new) audit policies we reset them to default values
auditpol /clear /y 
:: Account Logon
:: ...

At least, it does no harm. ;-)

Best regards,
Lasse

Hello,

I have noticed the following "inconsistence" in the batch file:

:::: Detailed File Share (disabled due to noise)
auditpol /set /subcategory:{0CCE9244-69AE-11D9-BED3-505054503030} /success:enable /failure:enable

:::: Filtering Platform Packet Drop (disabled due to noise)
auditpol /set /subcategory:{0CCE9225-69AE-11D9-BED3-505054503030} /success:enable /failure:enable

:::: Registry (currently disabled due to noise)
auditpol /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable /failure:enable

:::: MPSSVC Rule-Level Policy Change (currently disabled while testing)
auditpol /set /subcategory:{0CCE9232-69AE-11D9-BED3-505054503030} /success:enable /failure:enable

So maybe you just forgot to disable the command or to modify the comment.
These are not "issues" of course, but I just wanted to report it.

Thank you VERY MUCH for this amazing script!
Lasse

document translate to japanese

2022/09/29 TOC

• Author
• Acknowledgements
• Problems with the default Windows log settings
• Warning: Use at your own risk!
• Important Windows event logs
  • Sigma's top log sources
    • Top sigma log sources
    • Top Security Event IDs
• Increasing the maximum file size
  • Option 1: Manually through Event Viewer
  • Option 2: Windows built-in tool
  • Option 3: PowerShell
  • Option 4: Group Policy
• Configuration script
• Configuring log settings
  • Sysmon log (1382 sigma rules)
  • Security log (1045 sigma rules (903 process creation rules + 142 other rules))
  • Powershell logs (175 sigma rules)
    • Module logging (30 sigma rules)
      • Enabling module logging
        • Option 1: Enabling through group policy
        • Option 2: Enabling through the registry
    • Script Block Logging (134 sigma rules)
      • Enabling Script Block logging
        • Option 1: Enabling through group policy
        • Option 2: Enabling through the registry
    • Transcription logging
      • Enabling Transcription logging
        • Option 1: Enabling through group policy
        • Option 2: Enabling through the registry
    • References
  • System log (55 sigma rules)
  • Application log (16 sigma rules)
  • Windows Defender Operational log (10 sigma rules)
  • Bits-Client Operational log (6 sigma rules)
  • Firewall log (6 sigma rules)
  • NTLM Operational log (3 sigma rules)
  • Security-Mitigations KernelMode and UserMode logs (2 sigma rules)
  • PrintService logs (2 sigma rules)
    • Admin (1 sigma rule)
    • Operational (1 sigma rule)
  • SMBClient Security log (2 sigma rules)
  • AppLocker logs (1 sigma rule)
  • CodeIntegrity Operational log (1 sigma rule)
  • Diagnosis-Scripted Operational log (1 sigma rule)
  • DriverFrameworks-UserMode Operational log (1 sigma rule)
  • WMI-Activity Operational log (1 sigma rule)
  • TerminalServices-LocalSessionManager Operational log (1 sigma rule)
  • TaskScheduler Operational log (1 sigma rule)

Hello,

Just starting to take a deeper look at this amazing project, but stumbled about this:
Is it possible, that you have to change the following commands in your batch file form "/category" to "/subcategory"?
At least I receive corresponding error messages when I try to run them ...

:: Account Management
:::: Computer Account Management
auditpol /set /category:{0CCE9236-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
:::: Other Account Management Events
auditpol /set /category:{0CCE923A-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
:::: Security Group Management
auditpol /set /category:{0CCE9237-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
:::: User Account Management
auditpol /set /category:{0CCE9235-69AE-11D9-BED3-505054503030} /success:enable /failure:enable

Great work anyway! ;-)
Greetings from Germany,
Lasse

I updated ConfiguringSecurityLogAuditPolicies.md on 2022/10/15 but the JP translations still need to be updated.