Jonhnathan
a2bf7f088d
* [Security Content] Windows Setup Guides * Move it to the right folder * Fix link * test * ++ * ++ * ++ * ++ * ++ * ++ * ++ * ++ * Fix links * ++ * ++ * Update pyproject.toml * Update docs/audit_policies/windows/sysmon_eventid1_process_creation.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update docs/audit_policies/windows/audit_powershell_scriptblock.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update pyproject.toml --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
1.8 KiB
Audit Logon
Setup
Some detection rules require monitoring logon events to track user authentication attempts, detect unauthorized access, and investigate security incidents. Enabling this setting provides visibility into successful and failed logon attempts, helping strengthen security and compliance.
Enable Audit Policy via Group Policy
To enable Audit logon events across a group of servers using Active Directory Group Policies, administrators must enable the Audit logon policy. Follow these steps to configure the audit policy via Advanced Audit Policy Configuration:
Computer Configuration >
Policies >
Windows Settings >
Security Settings >
Advanced Audit Policies Configuration >
Audit Policies >
Logon/Logoff >
Audit Logon (Success,Failure)
Enable Locally using auditpol
To enable this policy on a local machine, run the following command in an elevated command prompt:
auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable
Event IDs
When this audit policy is enabled, the following event IDs may be generated:
- 4624: An account was successfully logged on.
- 4625: An account failed to log on.
- 4648: A logon was attempted using explicit credentials.
- 4675: SIDs were filtered.
Related Rules
Use the following GitHub search to identify rules that use the events listed: