Configure Windows Event collection
To enhance threat detection capabilities, Azure Advanced Threat Protection (Azure ATP) needs the following Windows events: 4776, 4732, 4733, 4728, 4729, 4756, 4757, 7045 and 8004. These events are read automatically by the Azure ATP sensor. If the Azure ATP sensor is not deployed, they can instead be forwarded to the Azure ATP standalone sensor in one of two ways: by configuring the Azure ATP standalone sensor to listen for SIEM events, or by configuring Windows Event Forwarding.
- Azure ATP standalone sensors do not support the collection of Event Tracing for Windows (ETW) log entries that provide the data for multiple detections. For full coverage of your environment, we recommend deploying the Azure ATP sensor.
- It is important to review and verify your audit policies before enabling event collection to ensure that the domain controllers are properly configured to record the necessary events.
In addition to collecting and analyzing network traffic to and from the domain controllers, Azure ATP can use Windows events to further enhance detections. Azure ATP uses Windows events 4776 and 8004 for NTLM, which enhances various detections, and events 4732, 4733, 4728, 4729, 4756, 4757, 7045 and 8004 to enhance detection of sensitive group modifications and service creation. These events can be received from your SIEM or by setting up Windows Event Forwarding from your domain controllers. The collected events provide Azure ATP with additional information that is not available from the domain controller network traffic.
Domain group policies to collect Windows Event 8004 should only be applied to domain controllers.
NTLM authentication using Windows Event 8004
To configure Windows Event 8004 collection:
- Navigate to: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
- Configure or create a domain group policy which is applied to the domain controllers in each domain as follows:
  - Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers = Audit All
  - Network security: Restrict NTLM: Audit NTLM authentication in this domain = Enable all
  - Network security: Restrict NTLM: Audit Incoming NTLM Traffic = Enable auditing for all accounts
When Windows Event 8004 is parsed by the Azure ATP sensor, Azure ATP NTLM authentication activities are enriched with data about the server that was accessed.
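The following PowerShell script is an added verification example, not part of the Azure ATP documentation or product. It covers the two checks this page asks for: that the audit policy on a domain controller records the listed events (the note above on reviewing audit policies), and that the three Restrict NTLM policy settings took effect and Event 8004 is being written. The registry paths and numeric values are the backing values of the three Restrict NTLM policies as known to the editor; they are not listed on this page, so treat them as an assumption to confirm against the Group Policy reference for your Windows version.

```powershell
# Added verification script (not part of the Azure ATP documentation).
# Run in an elevated PowerShell session on a domain controller after the GPO
# has been applied (gpupdate /force if you just linked it).
#
# Registry locations and value meanings are the documented backing values of
# the three "Network security: Restrict NTLM" policies; they are stated here
# from the editor's knowledge, not from this page (assumption).
$checks = @(
    @{
        Policy   = 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
        Name     = 'RestrictSendingNTLMTraffic'
        Expected = 1      # 1 = Audit all
    },
    @{
        Policy   = 'Network security: Restrict NTLM: Audit NTLM authentication in this domain'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        Name     = 'AuditNTLMInDomain'
        Expected = 7      # 7 = Enable all
    },
    @{
        Policy   = 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
        Name     = 'AuditReceivingNTLMTraffic'
        Expected = 2      # 2 = Enable auditing for all accounts
    }
)

# Compare the effective registry value of each policy with the value the page requires.
$results = foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Policy   = $c.Policy
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
        Ok       = ($actual -eq $c.Expected)
    }
}
$results | Format-Table -AutoSize -Wrap

# Audit subcategories that produce the other events the page lists.
# 4776 comes from "Credential Validation"; 4728/4729/4732/4733/4756/4757 come
# from "Security Group Management". Both should show Success (and Failure for
# Credential Validation) in the output.
foreach ($sub in 'Credential Validation', 'Security Group Management') {
    auditpol.exe /get /subcategory:"$sub"
}

# Confirm Event 8004 is actually being written. It is logged to the NTLM
# operational log; an empty result after NTLM activity on this DC usually
# means the policy has not taken effect or the GPO is not linked to the
# Domain Controllers OU.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it on each domain controller that the policy targets; a row with `Ok = False` in the first table, or no 8004 events after known NTLM logons, points to the specific setting that still needs attention before the Azure ATP sensor can enrich NTLM activities with the accessed-server data.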