Understanding Windows event logs
Windows event logs are detailed records of events occurring in a Windows operating system, arranged chronologically for easy identification. These logs include both hardware and software events related to the system, security, and applications. By monitoring Windows event logs, network engineers can:
- Track any system failures or errors
- Investigate threats, attacks, or unauthorized activities
- Perform effective diagnoses and resolve system issues
- Foresee future issues based on current event log data
What is Microsoft Defender for Identity?
Formerly known as Azure Advanced Threat Protection (Azure ATP), Microsoft Defender for Identity (MDI) is a cloud-based security solution from Microsoft. It helps organizations monitor and protect identities in both on-premises and hybrid environments. With modern Identity Threat Detection and Response (ITDR), your organization’s security operations teams can prevent, detect, investigate, and respond to data breaches, threats, and attacks. By analyzing user profiles and security reports, MDI provides relevant insights on identity configurations, helping teams understand their identity structures and suggesting best practices to enhance security.
How Microsoft Defender for Identity uses Windows event logs
MDI collects information about system events from Windows event logs to enhance security. For domain controllers to collect these specific events, you need to enable Advanced Audit Policy settings using a group policy.
Steps to enable advanced audit policy
Follow these steps to enable Advanced Audit Policy settings:
- Sign in to a Domain Controller or a server with GPMC access using Domain Administrator credentials.
- Navigate to Server Manager > Tools > Group Policy Management.
- In the left pane, right-click the Domain Controllers organizational unit and select Create a GPO in this domain, and Link it here.
- In the New GPO window, enter a name for the new policy in the Name field and click OK.
- Right-click on the new policy and click Edit.
- Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies to view various policy settings.
- Enable the policy settings given in the table below for both success and failure audit events and click OK.
Policy settings table:

| Policy | Policy Setting |
|---|---|
| Account Logon | Audit Credential Validation |
| Account Management | Audit Computer Account Management |
| Account Management | Audit Distribution Group Management |
| Account Management | Audit Security Group Management |
| Account Management | Audit User Account Management |
| DS Access | Audit Directory Service Access |
| System | Audit Security System Extension |
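After the GPO has applied, it is worth confirming on each domain controller that the subcategories in the table are actually effective, since a conflicting GPO or legacy audit policy can silently override them. The following PowerShell script is an added example, not part of the original article or of MDI itself; it assumes an elevated session on an English-language domain controller (auditpol subcategory names are localized) and uses the CSV output of auditpol.exe to report which subcategories are not set to Success and Failure.

```powershell
# Added example (not from the original article): verify that the Advanced Audit
# Policy subcategories MDI relies on are effective for both Success and Failure.
# Assumptions: run as Administrator on the DC after the GPO applied (gpupdate /force
# first if needed); English OS, because auditpol subcategory names are localized.

$RequiredSubcategories = @(
    'Credential Validation',           # Account Logon
    'Computer Account Management',     # Account Management
    'Distribution Group Management',   # Account Management
    'Security Group Management',       # Account Management
    'User Account Management',         # Account Management
    'Directory Service Access',        # DS Access
    'Security System Extension'        # System
)

function Test-MdiAuditPolicy {
    param([string[]]$Subcategories = $RequiredSubcategories)

    foreach ($name in $Subcategories) {
        # /r emits CSV with columns: Machine Name, Policy Target, Subcategory,
        # Subcategory GUID, Inclusion Setting, Exclusion Setting
        $row = auditpol.exe /get /subcategory:"$name" /r | ConvertFrom-Csv | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Unknown (auditpol returned no row)' }
        [pscustomobject]@{
            Subcategory = $name
            Effective   = $setting
            Compliant   = ($setting -eq 'Success and Failure')
        }
    }
}

$report = Test-MdiAuditPolicy
$report | Format-Table -AutoSize

$missing = $report | Where-Object { -not $_.Compliant }
if ($missing) {
    Write-Warning "Not set to Success and Failure: $($missing.Subcategory -join ', ')"
    exit 1
}
Write-Output 'All MDI-required audit subcategories are effective.'
```

A non-zero exit code makes the script usable from a scheduled task or configuration check, so drift in the audit policy is noticed before MDI detections quietly lose their data source.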
By following the steps above, you can configure Windows event collection for Microsoft Defender for Identity. This enhances your organization’s security by providing insights from Windows event logs, enabling proactive monitoring and response to potential threats.