[Security Content] Windows Audit Policies Config Guides - Repo Edition

docs/audit-policies/windows/README.md

@@ -0,0 +1,21 @@
+## Windows Audit Policies
+
+This folder contains Windows related audit policies that need to be implemented in order to generate the events that power our detection rules. It serves as a centralized view of the policies we use so you don't need to go through every rule to know the different audit policies required.
+
+Audit Policies:
+
+* [Audit Audit Policy Change](active_directory_audit_audit_policy_change.md)
+* [Audit Authorization Policy Change](active_directory_audit_authorization_policy_change.md)
+* [Audit Detailed File Share](active_directory_audit_detailed_file_share.md)
+* [Audit Directory Service Access](active_directory_audit_directory_service_access.md)
+* [Audit Directory Service Changes](active_directory_audit_directory_service_changes.md)
+* [Audit Handle Manipulation](active_directory_audit_handle_manipulation.md)
+* [Audit Security Group Management](active_directory_audit_security_group_management.md)
+* [Audit Security System Extension](active_directory_audit_security_system_extension.md)
+* [Audit User Account Management](active_directory_audit_user_account_management.md)
+* [Filtering Platform Connection](active_directory_filtering_platform_connection.md)
+* [Special Logon](active_directory_special_logon.md)
+* [Token Right Adjusted Events](active_directory_token_right_adjusted_events.md)
+* [Audit Logon](active_directory_audit_logon.md)
+* [Powershell Script Block Logging](powershell_script_block_logging.md)
+* [Process Creation and Command Line](process_creation_and_command_line.md)

docs/audit-policies/windows/active_directory_audit_audit_policy_change.md

@@ -0,0 +1,29 @@
+## Setup
+
+Certain rules in our ruleset require tracking changes to audit policies to detect unauthorized modifications or misconfigurations. Enabling this setting ensures visibility into audit policy changes, helping to maintain compliance and security.
+
+To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration.
+
+If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Audit Policy Change` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Audit Policy Change` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration >
+Windows Settings >
+Security Settings >
+Advanced Security Audit Policy Settings >
+Audit Policies >
+Policy Change >
+**Audit Audit Policy Change (Success,Failure)**
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
+```

docs/audit-policies/windows/active_directory_audit_authorization_policy_change.md

@@ -0,0 +1,29 @@
+## Setup
+
+Certain rules in our ruleset require monitoring changes to authorization policies to detect unauthorized modifications or misconfigurations. Enabling this setting ensures visibility into changes affecting user rights and security policies, helping maintain compliance and security.
+
+To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration.
+
+If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Authorization Policy Change` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Authorization Policy Change` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration >
+Windows Settings >
+Security Settings >
+Advanced Audit Policy Configuration >
+Audit Policies >
+Policy Change >
+**Audit Authorization Policy Change (Success,Failure)**
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
+```

docs/audit-policies/windows/active_directory_audit_detailed_file_share.md

@@ -0,0 +1,30 @@
+## Setup
+
+Certain rules in our ruleset require monitoring file share access to detect unauthorized access attempts or modifications. Enabling this setting helps improve security visibility and ensures compliance by tracking access to shared files and folders.
+
+To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration.
+
+If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit File Share` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit File Share` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration > 
+Policies > 
+Windows Settings > 
+Security Settings > 
+Advanced Audit Policies Configuration > 
+Audit Policies > 
+Object Access > 
+**Audit File Share (Success,Failure)**
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"File Share" /success:enable /failure:disable
+```

docs/audit-policies/windows/active_directory_audit_directory_service_access.md

@@ -0,0 +1,30 @@
+## Setup
+
+Certain rules in our ruleset require configuring audit policies to generate events when Active Directory objects are accessed. These audit policies apply exclusively to Domain Controllers, as other servers do not produce events related to Active Directory object modifications.
+
+To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration.
+
+If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Directory Service Access` on all Domain Controllers via Group Policy, administrators must enable the `Audit Directory Service Access` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration > 
+Policies > 
+Windows Settings > 
+Security Settings > 
+Advanced Audit Policies Configuration > 
+Audit Policies > 
+DS Access > 
+**Audit Directory Service Access (Success,Failure)**
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Directory Service Access" /success:enable /failure:enable
+```

docs/audit-policies/windows/active_directory_audit_directory_service_changes.md

@@ -0,0 +1,54 @@
+## Setup
+
+Certain rules in our ruleset require configuring audit policies to generate events when Active Directory objects are modified. These audit policies apply exclusively to Domain Controllers, as other servers do not produce events related to Active Directory object modifications.
+
+To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration.
+
+If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Directory Service Changes` on all Domain Controllers via Group Policy, administrators must enable the `Audit Directory Service Changes` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration > 
+Policies > 
+Windows Settings > 
+Security Settings > 
+Advanced Audit Policies Configuration > 
+Audit Policies > 
+DS Access > 
+**Audit Directory Service Changes (Success,Failure)**
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
+```
+
+### Additional Settings
+
+The `Audit Directory Service Changes` policy does not cover all objects monitored by our detection rules. To address these gaps, in addition to enabling the audit policy, we must configure additional Access Control Entries (ACEs) using (Set-AuditRule)[https://github.com/OTRF/Set-AuditRule] to ensure proper monitoring.
+
+Below is a list of the Audit Rules included in the ruleset. Modify them to match the Distinguished Names specific to your environment:
+
+Audit changes on the MicrosoftDNS object:
+
+```
+Set-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success
+```
+
+Audit changes on the msDS-KeyCredentialLink attribute of User objects:
+
+```
+Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success
+```
+
+Audit changes on the servicePrincipalName attribute of User objects:
+
+```
+Set-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success
+```

docs/audit-policies/windows/active_directory_audit_handle_manipulation.md

@@ -0,0 +1,29 @@
+## Setup
+
+Certain rules in our ruleset require monitoring handle manipulation to detect unauthorized access attempts or suspicious interactions with system objects. Enabling this setting helps improve security visibility by tracking when handles to objects (such as files, registry keys, or processes) are opened or modified.
+
+To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration.
+
+If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Handle Manipulation` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Handle Manipulation` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration >
+Windows Settings >
+Security Settings >
+Advanced Audit Policy Configuration >
+Audit Policies >
+Object Access >
+**Audit Handle Manipulation (Success,Failure)**
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
+```

docs/audit-policies/windows/active_directory_audit_security_group_management.md

@@ -0,0 +1,30 @@
+## Setup
+
+Certain rules in our ruleset require monitoring security group management to detect unauthorized changes to user group memberships, which can affect access control and security policies. Enabling this setting ensures visibility into modifications of security groups, helping maintain security and compliance.
+
+To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration.
+
+If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Security Group Management` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Security Group Management` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Account Management >
+**Audit Security Group Management (Success,Failure)**
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable
+```

docs/audit-policies/windows/active_directory_audit_security_system_extension.md

@@ -0,0 +1,30 @@
+## Setup
+
+Certain rules in our ruleset require monitoring security system extensions to detect unauthorized modifications, such as the installation of new system services, drivers, or security-related components. Enabling this setting helps ensure visibility into critical system changes that could impact security and system integrity.
+
+To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration.
+
+If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Security System Extension` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Security System Extension` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration > 
+Policies > 
+Windows Settings > 
+Security Settings > 
+Advanced Audit Policies Configuration > 
+Audit Policies > 
+System > 
+**Audit Security System Extension (Success)**
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Security System Extension" /success:enable /failure:enable
+```

docs/audit-policies/windows/active_directory_audit_user_account_management.md

@@ -0,0 +1,30 @@
+## Setup
+
+Certain rules in our ruleset require monitoring user account management activities to detect unauthorized account creations, modifications, or deletions. Enabling this setting ensures visibility into critical account changes, helping maintain security and compliance by tracking administrative actions related to user accounts.
+
+To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration.
+
+If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit User Account Management` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit User Account Management` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration > 
+Policies > 
+Windows Settings > 
+Security Settings > 
+Advanced Audit Policies Configuration > 
+Audit Policies > 
+Account Management > 
+**Audit User Account Management (Success,Failure)**
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable
+```

docs/audit-policies/windows/active_directory_filtering_platform_connection.md

@@ -0,0 +1,31 @@
+## Setup
+
+Certain rules in our ruleset require monitoring network connections managed by the Windows Filtering Platform (WFP) to detect unauthorized or suspicious network activity.
+
+**Caution:** Enabling this audit policy generates a high volume of events.
+
+To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration.
+
+If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Filtering Platform Connection` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Filtering Platform Connection` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration >
+Windows Settings >
+Security Settings >
+Advanced Security Audit Policy Settings >
+Audit Policies >
+Object Access >
+Audit Filtering Platform Connection (Success,Failure)
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
+```

docs/audit-policies/windows/active_directory_special_logon.md

@@ -0,0 +1,30 @@
+## Setup
+
+Certain rules in our ruleset require monitoring special logon events to track privileged account usage. Special logon events indicate that an account with elevated privileges (such as administrators or service accounts) has logged in, helping detect unauthorized access or privilege escalation attempts.
+
+To collect these logs using the [System Integration](https://www.elastic.co/guide/en/integrations/current/system.html), ensure that Security log collection is enabled in the integration configuration.
+
+If your environment uses Windows Event Forwarding (WEF), configure the [Windows Integration](https://www.elastic.co/guide/en/integrations/current/windows.html) and ensure that Forwarded Events log collection is enabled.
+
+### Enable Audit Policy via Group Policy
+
+To enable `Audit Special Logon` across a group of servers using Active Directory Group Policies, administrators must enable the `Audit Special Logon` policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
+
+```
+Computer Configuration >  
+Policies >  
+Windows Settings >  
+Security Settings >  
+Advanced Audit Policies Configuration >  
+Audit Policies >  
+Logon/Logoff >  
+**Audit Special Logon (Success)**
+```
+
+### Enable Locally using auditpol
+
+To enable this policy on a local machine, run the following command in an elevated command prompt:
+
+```
+auditpol.exe /set /subcategory:"TBD" /success:enable /failure:enable
+```