atomic-threat-coverage/logging_policies/LP_0028_windows_audit_sam.yml

title: LP_0028_windows_audit_sam
default: Not configured
volume: High # on domain controllers
description: >
  Audit SAM, which enables you to audit events that are 
  generated by attempts to access Security Account Manager 
  (SAM) objects.  
eventID:
  - 4661 # (S, F): A handle to an object was requested
references:
    - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/95b9d7c01805839c067e352d1d16702604b15f11/windows/security/threat-protection/auditing/audit-sam.md
configuration: |
  Steps to implement logging policy with Advanced Audit Configuration:
  ```
  Computer Configuration > 
  Policies > 
  Windows Settings > 
  Security Settings > 
  Advanced Audit Policies Configuration > 
  Audit Policies > 
  Object Access > 
  Audit SAM (Success,Failure)
  ```