
Disclaimer: This information is based on the recommended settings from Microsoft for computers that are not known to be under active, successful attack by determined adversaries or malware. Furthermore, Perch provides no warranty or certification for the following recommendations; you assume all risks and liability arising from or relating to the use of and reliance upon this document's guidance. As always, consult with your own legal, regulatory and industry-based guidance for a properly configured log policy.

Perch’s capability to provide actionable information and event notifications through its Security Information & Event Management (SIEM) component relies on properly configured audit logging. Creating and enforcing a standard audit logging policy can be done through Microsoft’s Active Directory via Group Policy Objects (GPOs). See the following Microsoft article for more information about creating GPOs: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-a-group-policy-object

This article focuses on the specific audit logging configurations for both Windows Servers and Workstations.

Server Audit Logging

Below are the recommended audit logging configurations for Windows Servers:

Audit Credential Validation: Success, Failure

Audit Kerberos Authentication Service: Success, Failure

Audit Kerberos Service Ticket Operations: Success, Failure

Audit Other Account Logon Events: Success, Failure

Audit Computer Account Management: Success, Failure

Audit Other Account Management Events: Success, Failure

Audit Security Group Management: Success, Failure

Audit User Account Management: Success, Failure

Audit DPAPI Activity: Success, Failure

Audit Process Creation: Success, Failure

Audit Directory Service Access (DC only): Success, Failure

Audit Directory Service Changes (DC only): Success, Failure

Audit Account Lockout: Success

Audit Logoff: Success

Audit Logon: Success, Failure

Audit Other Logon/Logoff Events: Success, Failure

Audit Special Logon: Success, Failure

Audit Audit Policy Change: Success, Failure

Audit Authentication Policy Change: Success, Failure

Audit MPSSVC Rule-Level Policy Change: Success

Audit IPsec Driver: Success, Failure

Audit Security State Change: Success, Failure

Audit Security System Extension: Success, Failure

Audit System Integrity: Success, Failure

Windows Workstation Audit Logging

Below are the recommended audit logging configurations for Windows Workstations:

Audit Policy: Recommended Logging

Audit Credential Validation: Success, Failure

Audit Kerberos Authentication Service: Success, Failure

Audit Kerberos Service Ticket Operations: Success, Failure

Audit Other Account Logon Events: Success, Failure

Audit Computer Account Management: Success, Failure

Audit Other Account Management Events: Success, Failure

Audit Security Group Management: Success, Failure

Audit User Account Management: Success, Failure

Audit DPAPI Activity: Success, Failure

Audit Process Creation: Success, Failure

Audit Account Lockout: Success

Audit Logoff: Success

Audit Logon: Success, Failure

Audit Special Logon: Success, Failure

Audit Audit Policy Change: Success, Failure

Audit Authentication Policy Change: Success, Failure

Audit MPSSVC Rule-Level Policy Change: Success

Audit IPsec Driver: Success, Failure

Audit Security State Change: Success, Failure

Audit Security System Extension: Success, Failure

Audit System Integrity: Success, Failure

Again, this information is based on Microsoft recommendations for strong audit logging policies. Perch customers are welcome to log any audit items that they feel provide relevant and actionable information for their environment.
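
One way to check a host against the lists above, as an added example that is not Perch's or Microsoft's code: it compares the CSV printed by `auditpol /get /category:* /r` with the recommended settings and reports which outcomes are still missing, treating extra auditing as acceptable. The role names, the `SAMPLE` data and the English-language auditpol column names are assumptions of this example.

```python
import csv

SF, S = {"Success", "Failure"}, {"Success"}

# Baseline transcribed from the lists above; auditpol prints subcategory
# names without the "Audit " prefix shown in the Group Policy editor.
WORKSTATION = {name: SF for name in (
    "Credential Validation", "Kerberos Authentication Service",
    "Kerberos Service Ticket Operations", "Other Account Logon Events",
    "Computer Account Management", "Other Account Management Events",
    "Security Group Management", "User Account Management",
    "DPAPI Activity", "Process Creation", "Logon", "Special Logon",
    "Audit Policy Change", "Authentication Policy Change", "IPsec Driver",
    "Security State Change", "Security System Extension", "System Integrity")}
WORKSTATION.update({"Account Lockout": S, "Logoff": S,
                    "MPSSVC Rule-Level Policy Change": S})
SERVER = {**WORKSTATION, "Other Logon/Logoff Events": SF}
DC = {**SERVER, "Directory Service Access": SF, "Directory Service Changes": SF}
BASELINES = {"workstation": WORKSTATION, "server": SERVER, "dc": DC}


def parse_setting(text):
    """'Success and Failure' -> {'Success', 'Failure'}; 'No Auditing' -> set()."""
    return {word for word in ("Success", "Failure") if word in text}


def find_gaps(auditpol_csv, role):
    """Return {subcategory: [missing outcomes]} for one host's auditpol CSV."""
    lines = [ln for ln in auditpol_csv.splitlines() if ln.strip()]
    actual = {row["Subcategory"].strip(): parse_setting(row["Inclusion Setting"])
              for row in csv.DictReader(lines)}
    gaps = {}
    for name, wanted in BASELINES[role].items():
        missing = wanted - actual.get(name, set())  # absent row = not audited
        if missing:
            gaps[name] = sorted(missing)
    return gaps


# Constructed sample (not real host output); GUID column is a placeholder.
SAMPLE = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WS01,System,Logon,{GUID},Success,
WS01,System,Logoff,{GUID},Success,
WS01,System,Process Creation,{GUID},No Auditing,
WS01,System,Credential Validation,{GUID},Success and Failure,
"""

if __name__ == "__main__":
    print(find_gaps(SAMPLE, "workstation"))
```

An empty result means the host meets or exceeds the list for its role; use the `dc` role on domain controllers so the two Directory Service subcategories are included.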

If you have any questions regarding the recommended audit logging policies listed above, please feel free to contact the Perch Support Team at help@perchsecurity.com