mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-06 09:35:21 +00:00
68d4929a53
- DN calc function updated, fixed incorrect calc for multiple DRs - updated all LPs with a preparation for a new feature (sucess/fail LP config calculcation per DR/EID) - all the stuff (md/confluence) has been updated according to changes updated with a log source sample: - DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception.yml - DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception.yml - DN_0049_1034_dhcp_service_failed_to_load_callout_dlls.yml created: - DN_0086_4720_user_account_was_created.yml - DN_0087_5156_windows_filtering_platform_has_permitted_connection.yml - DN_0088_4616_system_time_was_changed.yml - DN_0089_56_terminal_server_security_layer_detected_an_error.yml - DN_0090_50_terminal_server_security_layer_detected_an_error.yml - LP_0045_windows_audit_filtering_platform_connection.yml - LP_0046_windows_audit_security_state_change.yml
26 lines
864 B
YAML
26 lines
864 B
YAML
title: LP_0004_windows_audit_logon
|
|
default: Partially (Success)
|
|
volume: Medium
|
|
description: >
|
|
Audit Logon determines whether the operating system generates audit
|
|
events when a user attempts to log on to a computer
|
|
eventID:
|
|
- 4624 # (S): An account was successfully logged on
|
|
- 4625 # (F): An account failed to log on
|
|
- 4648 # (S): A logon was attempted using explicit credentials
|
|
- 4675 # (S): SIDs were filtered
|
|
references:
|
|
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-logon.md
|
|
configuration: |
|
|
Steps to implement logging policy with Advanced Audit Configuration:
|
|
```
|
|
Computer Configuration >
|
|
Policies >
|
|
Windows Settings >
|
|
Security Settings >
|
|
Advanced Audit Policies Configuration >
|
|
Audit Policies >
|
|
Logon/Logoff
|
|
Audit logon (Success,Failure)
|
|
```
|