atomic-threat-coverage/logging_policies/LP_0100_windows_audit_security_system_extension.yml
yugoslavskiy 68d4929a53 general update:
- DN calc function updated, fixed incorrect calc for multiple DRs
- updated all LPs with a preparation for a new feature (success/fail LP config calculation per DR/EID)
- all the stuff (md/confluence) has been updated according to changes

updated with a log source sample:

- DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception.yml
- DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception.yml
- DN_0049_1034_dhcp_service_failed_to_load_callout_dlls.yml

created:

- DN_0086_4720_user_account_was_created.yml
- DN_0087_5156_windows_filtering_platform_has_permitted_connection.yml
- DN_0088_4616_system_time_was_changed.yml
- DN_0089_56_terminal_server_security_layer_detected_an_error.yml
- DN_0090_50_terminal_server_security_layer_detected_an_error.yml
- LP_0045_windows_audit_filtering_platform_connection.yml
- LP_0046_windows_audit_security_state_change.yml
2019-07-12 06:38:49 +03:00

28 lines
1.2 KiB
YAML

title: LP_0100_windows_audit_security_system_extension
default: Not configured
volume: Low
description: >
  Audit Security System Extension contains information about the loading of an
  authentication package, notification package, or security package, plus
  information about trusted logon process registration events
eventID:
- 4610 # (S): An authentication package has been loaded by the Local Security Authority.
- 4611 # (S): A trusted logon process has been registered with the Local Security Authority.
- 4614 # (S): A notification package has been loaded by the Security Account Manager.
- 4622 # (S): A security package has been loaded by the Local Security Authority.
- 4697 # (S): A service was installed in the system.
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension
configuration: |
  Steps to implement logging policy with Advanced Audit Configuration:
  ```
  Computer Configuration >
  Policies >
  Windows Settings >
  Security Settings >
  Advanced Audit Policies Configuration >
  Audit Policies >
  System >
  Audit Security System Extension (Success)
  ```
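
One way to verify that the setting above has taken effect on a host, as an added example that is not part of the repository file: the script parses the CSV report produced by `auditpol /get /category:System /r` and checks the Security System Extension row for Success auditing. The sample report is constructed, and matching on the English subcategory name is an assumption.

```python
import csv
import io

# Subcategory named by this logging policy and the outcome it asks for (Success).
SUBCATEGORY = "Security System Extension"
REQUIRED = {"Success"}

# Constructed sample of `auditpol /get /category:System /r` output (English locale).
SAMPLE_REPORT = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WS01,System,Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030},Success,
WS01,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},No Auditing,
WS01,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},Success and Failure,
"""


def enabled_outcomes(setting):
    """Turn an 'Inclusion Setting' cell into the set of audited outcomes."""
    return {o for o in ("Success", "Failure") if o in setting}


def check_policy(report_csv, subcategory=SUBCATEGORY, required=REQUIRED):
    """Return (compliant, detail) for one subcategory in an auditpol CSV report."""
    rows = csv.DictReader(io.StringIO(report_csv.strip()))
    for row in rows:
        if (row.get("Subcategory") or "").strip().lower() == subcategory.lower():
            setting = (row.get("Inclusion Setting") or "").strip()
            missing = required - enabled_outcomes(setting)
            if missing:
                return False, f"{subcategory}: '{setting}', missing {sorted(missing)}"
            return True, f"{subcategory}: '{setting}'"
    # A missing row means the report is incomplete, so treat it as non-compliant.
    return False, f"{subcategory}: not present in report"


if __name__ == "__main__":
    ok, detail = check_policy(SAMPLE_REPORT)
    print("PASS" if ok else "FAIL", detail)
```

A host that fails this check will not log the event IDs listed in this policy (4610, 4611, 4614, 4622, 4697), so detections that depend on them have no data to work with.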