Configure Windows event auditing

This article describes how to configure Windows event auditing for Microsoft Defender for Identity.

Defender for Identity uses Windows event log entries to detect specific activities. This data is used in various detection scenarios and can be used in advanced hunting queries. For optimal protection and monitoring, make sure that collection of Windows events is properly configured.

Defender for Identity generates health alerts when it detects incorrect Windows event auditing configurations. For more information, see Microsoft Defender for Identity health alerts.

If auditing is configured properly, it has minimal effect on server performance.

Before you begin

Before you begin configuring Windows event collection, we recommend that you run a PowerShell script to check your current configuration and generate a report of any adjustments you need to make:

  1. Download the Defender for Identity PowerShell module.

  2. Run New-MDIConfigurationReport from the Defender for Identity PowerShell module to generate the report.

    Use this format to generate the report:

        New-MDIConfigurationReport -Path "C:\Reports" -Mode Domain -Identity "DOMAIN\ServiceAccountName" -OpenHtmlReport
    

    Where:

    • Path is the directory where the report is saved.
    • Mode indicates where the settings are collected from.
      • In Domain mode, the settings are collected from the Group Policy objects (GPOs). When using -Mode Domain, include the -Identity parameter to avoid an interactive prompt.
      • In LocalMachine mode, the settings are collected from the local machine.
    • OpenHtmlReport opens the HTML report after the report is generated. For example, to generate a report and open it in your default browser, run the following command:
    New-MDIConfigurationReport -Path "C:\Reports" -Mode Domain -OpenHtmlReport
    

    For more information, see: New-MDIConfigurationReport.

  3. Review the report and make any necessary adjustments before configuring Windows event collection.

Configure Defender for Identity to collect Windows events automatically (Preview)

Note

Automatic Windows event auditing is supported for domain controllers that use the Defender for Identity sensor version 3.x.

Automatic Windows auditing performs all configuration tasks for you:

  • Checks the current Windows event auditing configuration.
  • Identifies any gaps in the configuration.
  • Applies any necessary changes, including all of the steps in the manual configuration:
    • Directory services advanced auditing: Adds audit entries to the domain root object's System Access Control List (SACL) to enable the required directory service auditing.
    • NTLM auditing: Uses standard Windows Registry APIs to configure the required NTLM auditing registry values.
    • Domain object auditing: Modifies the SACL on the Configuration partition to capture changes to directory service configuration objects.
    • AD FS auditing: Adds audit entries to the SACL of the AD FS configuration container to enable auditing of AD FS-related directory objects.
    • Windows audit policy: Configures the local Windows audit policies by using the Windows Local Security Authority (LSA) audit policy APIs.
  • Applies auditing settings directly to the local system policy of the domain controller.
  • Sends health alerts about the configuration state.
  • Runs once every 24 hours.

Note

  • If you don't turn on automatic Windows auditing, you must configure Windows event auditing either manually or using PowerShell.
  • GPO settings can conflict with local settings set by the sensor.

Turn on automatic Windows auditing:

  1. In the Microsoft Defender portal, go to Settings, and then Identities.
  2. In the General section, select Advanced features.
  3. Turn on Automatic Windows auditing configuration.

Configure Windows event collection manually

This section includes instructions for manually configuring Windows event collection for the scenarios covered in the following subsections.

Configure auditing on domain controllers

To configure auditing on a domain controller, complete the following procedures:

Configure Directory Services Advanced Auditing

This section describes how to modify your domain controller's Advanced Audit Policy settings for Defender for Identity.

  1. Sign in to the server as Domain Administrator.

  2. Open the Group Policy Management Editor from Server Manager > Tools > Group Policy Management.

  3. Expand Domain Controllers Organizational Units, right-click Default Domain Controllers Policy, and then select Edit.

    Screenshot of the pane for editing the default policy for domain controllers.

    Note

    Use the Default Domain Controllers policy or a dedicated GPO to set these policies.

  4. In the window that opens, go to Computer Configuration > Policies > Windows Settings > Security Settings. Depending on the policy you want to enable, do the following:

    1. Go to Advanced Audit Policy Configuration > Audit Policies.

      Screenshot of selections for opening audit policies.

    2. Under Audit Policies, edit each of the following policies and select Configure the following audit events for both Success and Failure events.

      Audit policy        | Subcategory                          | Triggers event IDs
      Account Logon       | Audit Credential Validation          | 4776
      Account Management  | Audit Computer Account Management*   | 4741, 4743
      Account Management  | Audit Distribution Group Management* | 4753, 4763
      Account Management  | Audit Security Group Management*     | 4728, 4729, 4730, 4732, 4733, 4756, 4757, 4758
      Account Management  | Audit User Account Management        | 4726
      DS Access           | Audit Directory Service Changes*     | 5136
      System              | Audit Security System Extension*     | 7045
      DS Access           | Audit Directory Service Access       | 4662 (for this event, you must also configure domain object auditing)

      Note

      * These subcategories don't support failure events. However, we recommend adding them for auditing purposes in case they're implemented in the future. For more information, see Audit Computer Account Management, Audit Security Group Management, and Audit Security System Extension.

      For example, to configure Audit Security Group Management, under Account Management, double-click Audit Security Group Management, and then select Configure the following audit events for both Success and Failure events.

      Screenshot of the Audit Security Group Management Properties dialog.

  5. From an elevated command prompt, enter gpupdate.

  6. After you apply the policy via GPO, confirm that the new events appear in the Event Viewer, under Windows Logs > Security.

    To test your audit policies from the command line, run the following command:

    auditpol.exe /get /category:*
    

For more information, see the auditpol reference documentation.
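The following script is an added example and is not part of the original article or of the Defender for Identity module. It turns the manual auditpol check above into a per-subcategory compliance report for the table in step 4, and then confirms that the listed event IDs are actually being written, which is the check a defender wants after gpupdate. The function name Test-AuditSubcategory and the 24-hour window are my own choices; the subcategory names are the standard auditpol names that correspond to the policies in the table.

```powershell
# Added example, not part of the original article: verify that each audit
# subcategory from the table above is set to "Success and Failure" on this
# domain controller, then check whether the listed event IDs have actually
# been written in the last 24 hours. Run in an elevated PowerShell session
# on the domain controller after gpupdate.

# Subcategory -> event IDs, as listed in the article's table.
$required = [ordered]@{
    'Credential Validation'         = @(4776)
    'Computer Account Management'   = @(4741, 4743)
    'Distribution Group Management' = @(4753, 4763)
    'Security Group Management'     = @(4728, 4729, 4730, 4732, 4733, 4756, 4757, 4758)
    'User Account Management'       = @(4726)
    'Directory Service Changes'     = @(5136)
    'Security System Extension'     = @(7045)
    'Directory Service Access'      = @(4662)
}

function Test-AuditSubcategory {
    param([Parameter(Mandatory)][string]$Subcategory)
    # auditpol /r emits CSV with the columns Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $row = auditpol.exe /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -match '\S' } | ConvertFrom-Csv | Select-Object -First 1
    [pscustomobject]@{
        Subcategory = $Subcategory
        Setting     = $row.'Inclusion Setting'
        Compliant   = ($row.'Inclusion Setting' -eq 'Success and Failure')
    }
}

$policyReport = foreach ($name in $required.Keys) { Test-AuditSubcategory -Subcategory $name }
$policyReport | Format-Table -AutoSize

# Event 7045 (a service was installed) is logged to the System log by the
# Service Control Manager; the other IDs are written to the Security log.
$since = (Get-Date).AddHours(-24)
$eventReport = foreach ($name in $required.Keys) {
    $log = if ($name -eq 'Security System Extension') { 'System' } else { 'Security' }
    $found = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $required[$name]; StartTime = $since } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Subcategory = $name
        EventIds    = ($required[$name] -join ', ')
        SeenLast24h = [bool]$found
    }
}
$eventReport | Format-Table -AutoSize
```

A subcategory that reports Compliant but SeenLast24h false is not necessarily misconfigured: some of these events (for example 4741 or 7045) only appear when the corresponding change happens, so treat the second table as a sanity check rather than a failure list.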

Configure NTLM auditing

When a Defender for Identity sensor parses Windows event 8004, Defender for Identity NTLM authentication activities are enriched with the server-accessed data. This section describes the extra configuration steps that you need for auditing Windows event 8004.

Note

Domain group policies to collect Windows event 8004 should be applied only to domain controllers.

To configure NTLM auditing:

  1. Open Group Policy Management, and go to Default Domain Controllers Policy > Local Policies > Security Options.

  2. Configure the specified security policies as follows:

    Security policy setting                                                    | Value
    Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers  | Audit all
    Network security: Restrict NTLM: Audit NTLM authentication in this domain  | Enable all
    Network security: Restrict NTLM: Audit Incoming NTLM Traffic               | Enable auditing for all accounts

For example, to configure Outgoing NTLM traffic to remote servers, under Security Options, double-click Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers, and then select Audit all.

Screenshot of the audit configuration for outgoing NTLM traffic to remote servers.
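The following script is an added example and is not from the original article. It checks the registry values that the three Restrict NTLM policies above write (the article says the sensor configures these same values through the Registry API, but does not name them; the value names and expected numbers here are the standard ones for those policies), and then confirms that event 8004 is arriving in the NTLM operational log. The $checks variable and the one-hour window are my own choices.

```powershell
# Added example, not part of the original article: confirm the registry
# values behind the three "Network security: Restrict NTLM" policies in the
# table above, then confirm that event 8004 is being written. Run elevated
# on a domain controller after the GPO has applied.

$checks = @(
    @{ Policy   = 'Outgoing NTLM traffic to remote servers = Audit all'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name     = 'RestrictSendingNTLMTraffic'; Expected = 1 }
    @{ Policy   = 'Audit NTLM authentication in this domain = Enable all'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name     = 'AuditNTLMInDomain'; Expected = 7 }
    @{ Policy   = 'Audit Incoming NTLM Traffic = Enable auditing for all accounts'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name     = 'AuditReceivingNTLMTraffic'; Expected = 2 }
)

$registryReport = foreach ($c in $checks) {
    # A missing value means the policy is "Not Defined" and nothing is audited.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Policy   = $c.Policy
        Value    = if ($null -eq $actual) { '(not set)' } else { $actual }
        Expected = $c.Expected
        OK       = ($actual -eq $c.Expected)
    }
}
$registryReport | Format-Table -AutoSize

# Event 8004 is written to the NTLM operational log, not to the Security log,
# so a Security-log-only collector will never see it.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8004
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

if (-not $events) {
    'No 8004 events in the last hour: either no NTLM authentication reached this DC, or the policies are not applied yet.'
} else {
    '{0} 8004 events in the last hour; most recent:' -f $events.Count
    $events | Select-Object -First 3 TimeCreated, Message | Format-List
}
```

If the registry values are correct but the GPO was applied to member servers as well, remove that link: the note above limits the 8004 collection policy to domain controllers, and auditing every NTLM exchange on member servers only adds log volume the sensor does not use.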

Configure domain object auditing

To collect events for object changes, such as for event 4662, you must also configure object auditing on the user, group, computer, and other objects. The following procedure describes how to enable auditing in the Active Directory domain.

To configure domain object auditing:

  1. Go to the Active Directory Users and Computers console.

  2. Select the domain that you want to audit.

  3. Select the View menu, and then select Advanced Features.

  4. Right-click the domain and select Properties.

    Screenshot of selections for opening container properties.

  5. Go to the Security tab, and then select Advanced.

    Screenshot of the dialog for opening advanced security properties.

  6. In Advanced Security Settings, select the Auditing tab, and then select Add.

    Screenshot of the Auditing tab in the Advanced Security Settings dialog.

  7. Choose Select a principal.

    Screenshot of the button for selecting a principal.

  8. Under Enter the object name to select, enter Everyone. Then select Check Names > OK.

    Screenshot of entering an object name of Everyone.

  9. Go back to Auditing Entry, and make the following selections:

    1. For Type, select Success.

    2. For Applies to, select Descendant User objects.

    3. Under Permissions, scroll down and select the Clear all button.

      Screenshot of the button for clearing all permissions.

    4. Scroll back up and select Full Control. All the permissions are selected.

    5. Clear the selection for the List contents, Read all properties, and Read permissions permissions, and then select OK. This step sets all the Properties settings to Write.

      Screenshot of selecting permissions.

      Now, all relevant changes to directory services appear as 4662 events when they're triggered.

  10. Repeat the steps in this procedure, but for Applies to, select each of the following object types in turn:

    • Descendant Group Objects
    • Descendant Computer Objects
    • Descendant msDS-GroupManagedServiceAccount Objects
    • Descendant msDS-ManagedServiceAccount Objects
    • Descendant msDS-DelegatedManagedServiceAccount Objects

Note

  • You can assign auditing permissions on All descendant objects, using only the object types detailed in the last step.
  • The msDS-DelegatedManagedServiceAccount class is relevant only for domains running at least one Windows Server 2025 domain controller.

Configure auditing on AD FS

To configure auditing on Active Directory Federation Services (AD FS):

  1. Go to the Active Directory Users and Computers console, and select the domain where you want to enable the logs.

  2. Go to Program Data > Microsoft > ADFS.

    Screenshot of a container for Active Directory Federation Services.

  3. Right-click ADFS and select Properties.

  4. Go to the Security tab and select Advanced > Advanced Security Settings. Then go to the Auditing tab and select Add > Select a principal.

  5. Under Enter the object name to select, enter Everyone. Then select Check Names > OK.

  6. You then return to Auditing Entry. Make the following selections:

    • For Type, select All.
    • For Applies to, select This object and all descendant objects.
    • Under Permissions, scroll down and select Clear all. Scroll up and select Read all properties and Write all properties.

    Screenshot of the auditing settings for Active Directory Federation Services.

  7. Select OK.

Configure Verbose logging for AD FS events

Sensors running on AD FS servers must have the auditing level set to Verbose for relevant events.

You can use the following PowerShell command to configure the auditing level to Verbose:

Set-AdfsProperties -AuditLevel Verbose

Configure auditing on AD CS

If you're working with a dedicated server that has Active Directory Certificate Services (AD CS) configured, configure auditing as follows to view dedicated alerts and Secure Score reports:

  1. Create a group policy to apply to your AD CS server. Edit it and configure the following auditing settings:

    1. Go to Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Certification Services.

    2. Select the checkboxes to configure audit events for Success and Failure.

    Screenshot of configuring audit events for Active Directory Certificate Services in the Group Policy Management Editor.

  2. Configure auditing on the certificate authority (CA) by using one of the following methods:

    • To configure CA auditing by using the command line, run:
      certutil -setreg CA\AuditFilter 127
      net stop certsvc && net start certsvc
    
    • To configure CA auditing in the Certification Authority console:

      1. Select Start > Certification Authority (MMC Desktop application). Right-click your CA's name and select Properties.

        Screenshot of the Certification Authority dialog.

      2. Select the Auditing tab, select all the events that you want to audit, and then select Apply.

        Screenshot of the Auditing tab for certificate authority properties.

Note

Configuring Start and Stop Active Directory Certificate Services event auditing might cause restart delays when you're dealing with a large AD CS database. Consider removing irrelevant entries from the database. Alternatively, refrain from enabling this specific type of event.
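The following script is an added example and is not part of the original article. It reads the AuditFilter value that the certutil command above sets, for every CA on the server, and decodes it against the checkboxes on the CA Auditing tab, so you can see which event classes are on and apply the note's advice about the Start and Stop class. The function name Get-CaAuditFilter is mine; the bit-to-checkbox mapping is the standard CertSvc AuditFilter layout, with the Start and Stop class in the lowest bit.

```powershell
# Added example, not part of the original article: show which AD CS audit
# event classes each CA on this server has enabled. 127 turns on all seven;
# 126 is the same set with "Start and stop AD CS" cleared, which is the
# option the note above suggests for large CA databases.

$auditBits = @(
    [pscustomobject]@{ Bit = 0x01; Name = 'Start and stop Active Directory Certificate Services' }
    [pscustomobject]@{ Bit = 0x02; Name = 'Back up and restore the CA database' }
    [pscustomobject]@{ Bit = 0x04; Name = 'Issue and manage certificate requests' }
    [pscustomobject]@{ Bit = 0x08; Name = 'Revoke certificates and publish CRLs' }
    [pscustomobject]@{ Bit = 0x10; Name = 'Change CA security settings' }
    [pscustomobject]@{ Bit = 0x20; Name = 'Store and retrieve archived keys' }
    [pscustomobject]@{ Bit = 0x40; Name = 'Change CA configuration' }
)

function Get-CaAuditFilter {
    # certutil -setreg CA\AuditFilter writes under this key; one subkey per CA.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    foreach ($ca in Get-ChildItem -Path $root -ErrorAction Stop) {
        $value = (Get-ItemProperty -Path $ca.PSPath -Name AuditFilter -ErrorAction SilentlyContinue).AuditFilter
        if ($null -eq $value) { $value = 0 }   # no value means nothing is audited
        [pscustomobject]@{
            CA          = $ca.PSChildName
            AuditFilter = $value
            Enabled     = @($auditBits | Where-Object { $value -band $_.Bit } | ForEach-Object Name)
            Missing     = @($auditBits | Where-Object { -not ($value -band $_.Bit) } | ForEach-Object Name)
        }
    }
}

Get-CaAuditFilter | Format-List
```

The AuditFilter value is only read when the CertSvc service starts, which is why the article restarts it after certutil; the same applies if you lower the value to 126 to drop the Start and Stop class.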

Configure auditing on Microsoft Entra Connect

To configure auditing on Microsoft Entra Connect servers:

  • Create a group policy to apply to your Microsoft Entra Connect servers. Edit it and configure the following auditing settings:

    1. Go to Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Logon.

    2. Select the checkboxes to configure audit events for Success and Failure.

Screenshot of the Group Policy Management Editor.

Configure auditing on the configuration container

The configuration container audit is required only for environments that currently have or previously had Microsoft Exchange, as these environments have an Exchange container located within the domain's Configuration section.

  1. Open the ADSI Edit tool. Select Start > Run, enter ADSIEdit.msc, and then select OK.

  2. On the Action menu, select Connect to.

  3. In the Connection Settings dialog, under Select a well known Naming Context, select Configuration > OK.

  4. Expand the Configuration container to show the Configuration node, which begins with "CN=Configuration,DC=...".

    Screenshot of selections for opening properties for the CN Configuration node.

  5. Right-click the Configuration node and select Properties.

    Screenshot of selections for opening properties for the Configuration node.

  6. Select the Security tab, and then select Advanced.

  7. In Advanced Security Settings, select the Auditing tab, and then select Add.

  8. Choose Select a principal.

  9. Under Enter the object name to select, enter Everyone. Then select Check Names > OK.

  10. You then return to Auditing Entry. Make the following selections:

    • For Type, select All.
    • For Applies to, select This object and all descendant objects.
    • Under Permissions, scroll down and select Clear all. Scroll up and select Write all properties.

    Screenshot of the auditing settings for the Configuration container.

  11. Select OK.
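The following script is an added example and is not from the original article. It serves the three SACL procedures above (domain object auditing on the domain root, the AD FS container under Program Data, and the configuration container), listing every audit entry for the Everyone principal on each of those objects and translating the inherited-object-type GUID back to the schema class name, so the output reads like the Applies to selections in the dialogs. The function name Get-EveryoneAuditRules is mine; it assumes the ActiveDirectory PowerShell module and an account that can read SACLs, such as a Domain Admin on a domain controller.

```powershell
# Added example, not part of the original article: dump the Everyone audit
# entries (SACL) on the objects the article configures and name the object
# class each entry applies to. Requires the ActiveDirectory module and the
# right to read SACLs (SeSecurityPrivilege).

Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$configDn = $rootDse.configurationNamingContext

# Targets from the article. The AD FS container only exists where AD FS has
# been deployed; the configuration container entry matters for Exchange.
$targets = @(
    "AD:\$domainDn"
    "AD:\CN=ADFS,CN=Microsoft,CN=Program Data,$domainDn"
    "AD:\$configDn"
)

# Map schemaIDGUID -> lDAPDisplayName once, so an audit rule's
# InheritedObjectType can be shown as e.g. "user" or "msDS-ManagedServiceAccount".
$classByGuid = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(objectClass=classSchema)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $classByGuid[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

function Get-EveryoneAuditRules {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { Write-Warning "Not found: $Path"; return }
    $acl = Get-Acl -Path $Path -Audit
    foreach ($rule in $acl.Audit) {
        if ($rule.IdentityReference.Value -ne 'Everyone') { continue }
        # An empty InheritedObjectType means "this object and all descendants";
        # otherwise it is the schema class the rule is scoped to.
        $applies = if ($rule.InheritedObjectType -eq [guid]::Empty) {
            'This object / all descendant objects'
        } elseif ($classByGuid.ContainsKey($rule.InheritedObjectType)) {
            "Descendant $($classByGuid[$rule.InheritedObjectType]) objects"
        } else {
            $rule.InheritedObjectType.ToString()
        }
        [pscustomobject]@{
            Object    = $Path
            Type      = $rule.AuditFlags            # Success, Failure, or both
            AppliesTo = $applies
            Rights    = $rule.ActiveDirectoryRights
            Inherited = $rule.IsInherited
        }
    }
}

$targets | ForEach-Object { Get-EveryoneAuditRules -Path $_ } | Format-Table -AutoSize -Wrap
```

On the domain root you should see one Success entry per object class from step 10 (user, group, computer and the three msDS service account classes) whose Rights include the write and property-write rights but not the read rights you cleared in step 9; the AD FS and configuration container rows should show AuditFlags of Success, Failure scoped to this object and all descendants.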

Configure Windows event collection using PowerShell

For more information, see the Defender for Identity PowerShell reference.

The following commands describe how to modify your domain controller's Advanced Audit Policy settings as needed for Defender for Identity by using PowerShell.

To view your audit policies:

Get-MDIConfiguration [-Mode] <String> [-Configuration] <String[]>

Where:

  • Mode specifies whether you want to use Domain or LocalMachine mode. In Domain mode, the settings are collected from the Group Policy objects. In LocalMachine mode, the settings are collected from the local machine.
  • Configuration specifies which configuration to get. Use All to get all configurations.

To configure your settings:

Set-MDIConfiguration [-Mode] <String> [-Configuration] <String[]> [-CreateGpoDisabled] [-SkipGpoLink] [-Force]

Where:

  • Mode specifies whether you want to use Domain or LocalMachine mode. In Domain mode, the settings are collected from the Group Policy objects. In LocalMachine mode, the settings are collected from the local machine.
  • Configuration specifies which configuration to set. Use All to set all configurations.
  • CreateGpoDisabled specifies if the GPOs are created and kept as disabled.
  • SkipGpoLink specifies that GPO links aren't created.
  • Force specifies that the configuration is set or GPOs are created without validating the current state.

The following command defines all settings for the domain, creates group policy objects, and links them.

Set-MDIConfiguration -Mode Domain -Configuration All

Update legacy configurations

Defender for Identity no longer requires logging 1644 events. If you have either of the following settings enabled, you can remove them from the registry.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics]
"15 Field Engineering"=dword:00000005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters]
"Expensive Search Results Threshold"=dword:00000001
"Inefficient Search Results Threshold"=dword:00000001
"Search Time Threshold (msecs)"=dword:00000001
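The following function is an added example and is not from the original article. It detects the legacy 1644 settings shown in the registry file above and cleans them up with -WhatIf support, so you can preview on each domain controller before applying. The function name Clear-LegacyNtdsDiagnostics is mine. One deliberate difference from a straight deletion: the 15 Field Engineering entry exists by default under NTDS\Diagnostics, so it is reset to its default of 0 instead of being removed, while the three Parameters thresholds are deleted.

```powershell
# Added example, not part of the original article: find the legacy 1644
# diagnostic settings listed above and clean them up. Supports -WhatIf.
# Run elevated on each domain controller.

function Clear-LegacyNtdsDiagnostics {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # "15 Field Engineering" is present by default (value 0); 5 is the legacy
    # setting that produced 1644 events. Reset it rather than delete it.
    $fe = (Get-ItemProperty -Path $diag -Name '15 Field Engineering' -ErrorAction SilentlyContinue).'15 Field Engineering'
    if ($fe -and $fe -ne 0) {
        if ($PSCmdlet.ShouldProcess("$diag\15 Field Engineering", "Reset from $fe to 0")) {
            Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 0 -Type DWord
        }
    } else {
        '15 Field Engineering is already at its default (0)'
    }

    # The three thresholds only exist if someone added them; remove them.
    foreach ($name in 'Expensive Search Results Threshold',
                      'Inefficient Search Results Threshold',
                      'Search Time Threshold (msecs)') {
        $present = Get-ItemProperty -Path $params -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $present) { "$name is not present"; continue }
        if ($PSCmdlet.ShouldProcess("$params\$name", 'Remove legacy value')) {
            Remove-ItemProperty -Path $params -Name $name
        }
    }
}

Clear-LegacyNtdsDiagnostics -WhatIf   # preview the changes
# Clear-LegacyNtdsDiagnostics         # apply them
```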
