Azure ATP Advanced Audit Policy check
Azure ATP detection relies on specific Windows Event Logs for visibility in certain scenarios, such as NTLM logons, security group modifications, and similar events. For the correct events to be audited and included in the Windows Event Log, your domain controllers require accurate Advanced Audit Policy settings. Incorrect Advanced Audit Policy settings leave critical events out of your logs, and result in incomplete Azure ATP coverage.
To make it easier to verify the current status of each of your domain controller’s Advanced Audit Policies, Azure ATP automatically checks your existing Advanced Audit Policies and issues health alerts for policy settings that require modification. Each health alert provides specific details of the domain controller, the problematic policy as well as remediation suggestions.
Advanced Security Audit Policy is enabled via Default Domain Controllers Policy GPO. These audit events are recorded on the domain controller's Windows Events.
Modify audit policies
Modify the Advanced Audit Policies of your domain controller using the following instructions:
Log in to the Server as Domain Administrator.
Load the Group Policy Management Editor from Server Manager > Tools > Group Policy Management.
Expand the Domain Controllers Organizational Units, right click on Default Domain Controllers Policy and select Edit.
From the window that opens, go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration.
Go to Account Logon, double click on Audit Credential Validation and select Configure the following audit events for both success and failure events.
Go to Account Management, double click on Audit Security Group Management and select Configure the following audit events for both success and failure events.
If you choose to use local policy, make sure to add the Account Logon and Account Management audit logs in your local policy. If you are configuring the advanced audit policy, make sure to force the audit policy subcategory.
If you use a policy other than then default domain controller policy to apply the advanced audit policy settings, the resulting Azure ATP health alert can be ignored.
After applying via GPO, the new events are visible under your Windows Event logs.