Last Updated on May 31, 2022 by Dishan M. Francis
This is Part 03 of the Microsoft Defender for Identity blog series, and so far in this series we have learned about,
Similar to Part 02, this blog post covers another MDI prerequisite. MDI collects information from Windows event logs to enrich the content of its findings. Domain controllers do not record these specific events by default, so we need to enable Advanced Audit Policy settings through a group policy to turn on the relevant event collection.
MDI is interested in the following Windows events:
• 1644 – LDAP search
• 4662 – An operation was performed on an object
• 4726 – User Account Deleted
• 4728 – Member Added to Global Security Group
• 4729 – Member Removed from Global Security Group
• 4730 – Global Security Group Deleted
• 4732 – Member Added to Local Security Group
• 4733 – Member Removed from Local Security Group
• 4741 – Computer Account Added
• 4743 – Computer Account Deleted
• 4753 – Global Distribution Group Deleted
• 4756 – Member Added to Universal Security Group
• 4757 – Member Removed from Universal Security Group
• 4758 – Universal Security Group Deleted
• 4763 – Universal Distribution Group Deleted
• 4776 – Domain Controller Attempted to Validate Credentials for an Account (NTLM)
• 7045 – New Service Installed
• 8004 – NTLM Authentication
Let’s go ahead and see how we can enable collection of these events. To do that,
1. Log in to one of the Domain Controllers or to a server with GPMC access as a Domain Administrator
2. Then go to Server Manager | Tools | Group Policy Management
3. Right-click on the Domain Controllers Organizational Unit and select Create a GPO in this domain, and Link it here …
4. Provide a name for the new policy and click on OK.
5. Then right-click on the new policy and click on Edit.
6. Go to Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies. In there you can see a number of different policy settings.
From the list, enable the following policy settings for both Success and Failure events.
| Policy | Policy Setting | Events | Audit Events |
| --- | --- | --- | --- |
| Account Logon | Audit Credential Validation | 4776 | Success and Failure |
| Account Management | Audit Computer Account Management | 4741, 4743 | Success and Failure |
| Account Management | Audit Distribution Group Management | 4753, 4763 | Success and Failure |
| Account Management | Audit Security Group Management | 4728, 4729, 4730, 4732, 4733, 4756, 4757, 4758 | Success and Failure |
| Account Management | Audit User Account Management | 4726 | Success and Failure |
| DS Access | Audit Directory Service Access | 4662 | Success and Failure |
| System | Audit Security System Extension | 7045 | Success and Failure |
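To confirm the policy has actually landed on a domain controller after these steps, here is an added PowerShell check (example code, not from the original post) that reads the effective setting of each subcategory in the table with auditpol and counts matching events over the last 24 hours. It assumes the GPO has already applied (run gpupdate /force first); the subcategory names are the ones auditpol reports (without the "Audit " prefix) and the 24-hour window is an arbitrary choice.

```powershell
# Added example: verify the Advanced Audit Policy subcategories from the table are effective
# on this DC and that the associated event IDs are arriving. Run elevated on the DC.

# auditpol subcategory name -> event IDs the table associates with it
$Expected = [ordered]@{
    'Credential Validation'         = @(4776)
    'Computer Account Management'   = @(4741, 4743)
    'Distribution Group Management' = @(4753, 4763)
    'Security Group Management'     = @(4728, 4729, 4730, 4732, 4733, 4756, 4757, 4758)
    'User Account Management'       = @(4726)
    'Directory Service Access'      = @(4662)
    'Security System Extension'     = @(7045)
}
# 7045 is written by the Service Control Manager to the System log; the rest land in Security
$LogFor = @{ 'Security System Extension' = 'System' }

$Results = foreach ($Sub in $Expected.Keys) {
    # /r returns CSV; 'Inclusion Setting' is the effective setting for the subcategory.
    # Dropping non-CSV lines guards against blank lines auditpol prints around the table.
    $Row     = auditpol /get /subcategory:"$Sub" /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $Setting = $Row.'Inclusion Setting'
    $Log     = if ($LogFor[$Sub]) { $LogFor[$Sub] } else { 'Security' }

    # Count matching events in the last 24 hours (assumed window) so the check stays cheap
    $Count = (Get-WinEvent -FilterHashtable @{
                  LogName   = $Log
                  Id        = $Expected[$Sub]
                  StartTime = (Get-Date).AddHours(-24)
              } -ErrorAction SilentlyContinue | Measure-Object).Count

    [pscustomobject]@{
        Subcategory = $Sub
        Setting     = $Setting
        Compliant   = ($Setting -eq 'Success and Failure')
        EventIds    = ($Expected[$Sub] -join ', ')
        Log         = $Log
        Last24h     = $Count
    }
}

$Results | Format-Table -AutoSize

# Zero events is not by itself a misconfiguration (nothing may have happened yet), but any
# subcategory not reporting 'Success and Failure' means the GPO has not taken effect here.
$Results | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "'$($_.Subcategory)' is '$($_.Setting)', expected 'Success and Failure'"
}
```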
This completes the initial configuration of the policy, but we need to make some further policy changes to enable additional event collection.