valitydev/atomic-threat-coverage
14
0
Fork 0
mirror of https://github.com/valitydev/atomic-threat-coverage.git synced 2024-11-06 09:35:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
fc23f0ca8c
atomic-threat-coverage/logging_policies/LP_0107_windows_audit_credential_validation.yml
yugoslavskiy 68d4929a53 general update: 
- DN calc function updated, fixed incorrect calc for multiple DRs
- updated all LPs with a preparation for a new feature (sucess/fail LP config calculcation per DR/EID)
- all the stuff (md/confluence) has been updated according to changes

updated with a log source sample:

- DN_0046_1031_dhcp_service_callout_dll_file_has_caused_an_exception.yml
- DN_0047_1032_dhcp_service_callout_dll_file_has_caused_an_exception.yml
- DN_0049_1034_dhcp_service_failed_to_load_callout_dlls.yml

created:

- DN_0086_4720_user_account_was_created.yml
- DN_0087_5156_windows_filtering_platform_has_permitted_connection.yml
- DN_0088_4616_system_time_was_changed.yml
- DN_0089_56_terminal_server_security_layer_detected_an_error.yml
- DN_0090_50_terminal_server_security_layer_detected_an_error.yml
- LP_0045_windows_audit_filtering_platform_connection.yml
- LP_0046_windows_audit_security_state_change.yml
2019-07-12 06:38:49 +03:00

27 lines
1.0 KiB
YAML
Raw Blame History

title: LP_0107_windows_audit_credential_validation
default: Configured
volume: High # on domain controllers. Low on member servers and workstations.
description: >
Audit Credential Validation determines whether the operating system
generates audit events on credentials that are submitted for a user
account logon request
eventID:
- 4774 # (S, F): An account was mapped for logon
- 4775 # (F): An account could not be mapped for logon
- 4776 # (S, F): The computer attempted to validate the credentials for an account
- 4777 # (F): The domain controller failed to validate the credentials for an account
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/audit-credential-validation.md
configuration: |
Manual steps to implement logging policy:
```
Computer Configuration >
Windows Settings >
Security Settings >
Advanced Security Audit Policy Settings >
Audit Policies >
Account Logon >
Audit Credential Validation (Success,Failure)
```
Reference in New Issue View Git Blame Copy Permalink